c04c541f...d341 | Grouped Behavior
VTI SCORE: 100/100
Target: win7_64_sp1 | exe
Classification: Trojan, Dropper, Ransomware

c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51cd341 (SHA256)

c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51c.exe

Windows Exe (x86-32)

Created at 2018-07-13 07:59:00

Notifications (1/1)

The operating system was rebooted during the analysis.

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x948 Analysis Target High (Elevated) c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51c.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51c.exe" -
#2 0x9ec Child Process High (Elevated) vqbkvy~1:bin C:\Users\5P5NRG~1\AppData\Roaming\VQBKVY~1:bin C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51c.exe #1
#3 0x9f8 Child Process High (Elevated) vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet #2
#4 0xa14 Child Process High (Elevated) takeown.exe C:\Windows\system32\takeown.exe /F C:\Windows\servicing\TrustedInstaller.exe #2
#5 0xa3c Child Process High (Elevated) icacls.exe C:\Windows\system32\icacls.exe C:\Windows\servicing\TrustedInstaller.exe /reset #2
#6 0x4 Created Daemon System (Elevated) System - #2
#7 0x1d8 Created Daemon System (Elevated) services.exe C:\Windows\system32\services.exe #2
#8 0x250 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch #7
#9 0x290 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k RPCSS #7
#10 0x2c4 Child Process System (Elevated) svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted #7
#11 0x310 Child Process System (Elevated) svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted #7
#12 0x360 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k netsvcs #7
#13 0x3fc Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k LocalService #7
#14 0x170 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k NetworkService #7
#15 0x134 Child Process System (Elevated) spoolsv.exe C:\Windows\System32\spoolsv.exe #7
#16 0x41c Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork #7
#17 0x4ec Child Process Medium taskhost.exe "taskhost.exe" #7
#18 0x6c0 Child Process System (Elevated) taskhost.exe taskhost.exe $(Arg0) #7
#19 0xa34 Child Process System (Elevated) vssvc.exe C:\Windows\system32\vssvc.exe #7
#20 0xa64 Child Process System (Elevated) mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe #7
#21 0xabc Child Process System (Elevated) svchost.exe C:\Windows\System32\svchost.exe -k swprv #7
#22 0xad8 Child Process Medium v5hw0h~1:bin C:\Users\5P5NRG~1\AppData\Roaming\\V5HW0H~1:bin #20
#23 0xae8 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation #7
#24 0xb30 Child Process System (Elevated) sppsvc.exe C:\Windows\system32\sppsvc.exe #7
#25 0xb3c Child Process Medium arp.exe C:\Windows\system32\arp.exe -a #22
#26 0xb6c Child Process Medium nslookup.exe C:\Windows\system32\nslookup.exe 192.168.0.1 #22
#27 0xb88 Child Process Medium nslookup.exe C:\Windows\system32\nslookup.exe 192.168.0.255 #22
#28 0xba4 Child Process Medium nslookup.exe C:\Windows\system32\nslookup.exe 224.0.0.22 #22
#29 0xbbc Child Process Medium nslookup.exe C:\Windows\system32\nslookup.exe 224.0.0.252 #22
#30 0xbd8 Child Process Medium nslookup.exe C:\Windows\system32\nslookup.exe 255.255.255.255 #22
#31 0xbf0 Child Process Medium net.exe C:\Windows\system32\net.exe view igmp.mcast.net #22
#32 0x86c Child Process System (Elevated) svchost.exe C:\Windows\System32\svchost.exe -k secsvcs #7
#33 0x87c Child Process High (Elevated) taskhost.exe "taskhost.exe" #7

Behavior Information - Grouped by Category

Process #1: c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51c.exe
Information Value
ID #1
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51c.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51c.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:29, Reason: Analysis Target
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:02:00
OS Process Information
Information Value
PID 0x948
Parent PID 0x564 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x94C, 0x958, 0x9E8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory Readable True False False -
locale.nls 0x001b0000 0x00216fff Memory Mapped File Readable False False False -
oleaccrc.dll 0x00220000 0x00220fff Memory Mapped File Readable False False False -
private_0x0000000000230000 0x00230000 0x0026ffff Private Memory Readable, Writable True False False -
private_0x0000000000270000 0x00270000 0x0028afff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000290000 0x00290000 0x002a1fff Private Memory Readable, Writable True False False -
private_0x00000000002b0000 0x002b0000 0x0032ffff Private Memory Readable, Writable True False False -
private_0x0000000000330000 0x00330000 0x0036ffff Private Memory Readable, Writable True False False -
private_0x0000000000370000 0x00370000 0x003affff Private Memory Readable, Writable True False False -
rsaenh.dll 0x003b0000 0x003ebfff Memory Mapped File Readable False False False -
c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51c.exe 0x00400000 0x0042efff Memory Mapped File Readable, Writable, Executable True True False
private_0x0000000000500000 0x00500000 0x0050ffff Private Memory Readable, Writable True False False -
private_0x0000000000530000 0x00530000 0x0062ffff Private Memory Readable, Writable True False False -
private_0x0000000000630000 0x00630000 0x0072ffff Private Memory Readable, Writable True False False -
private_0x0000000000790000 0x00790000 0x0079ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000007a0000 0x007a0000 0x00927fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000930000 0x00930000 0x00ab0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000ac0000 0x00ac0000 0x01ebffff Pagefile Backed Memory Readable True False False -
private_0x0000000001ec0000 0x01ec0000 0x01fbffff Private Memory Readable, Writable True False False -
private_0x0000000002050000 0x02050000 0x0205ffff Private Memory Readable, Writable True False False -
private_0x0000000002060000 0x02060000 0x0225ffff Private Memory Readable, Writable True False False -
private_0x0000000002060000 0x02060000 0x0215ffff Private Memory Readable, Writable True False False -
private_0x0000000002250000 0x02250000 0x0225ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x02260000 0x0252efff Memory Mapped File Readable False False False -
wow64cpu.dll 0x75360000 0x75367fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x75370000 0x753cbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x753d0000 0x7540efff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x75680000 0x756bafff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x756c0000 0x756d5fff Memory Mapped File Readable, Writable, Executable False False False -
msimg32.dll 0x756e0000 0x756e4fff Memory Mapped File Readable, Writable, Executable False False False -
oledlg.dll 0x756f0000 0x7570bfff Memory Mapped File Readable, Writable, Executable False False False -
oleacc.dll 0x75710000 0x7574bfff Memory Mapped File Readable, Writable, Executable False False False -
winmm.dll 0x75750000 0x75781fff Memory Mapped File Readable, Writable, Executable False False False -
winspool.drv 0x75790000 0x757e0fff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x757f0000 0x75873fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75980000 0x7598bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75990000 0x759effff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75a30000 0x75a48fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x75a60000 0x75b7cfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75bb0000 0x75bf5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fd0000 0x760dffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x760e0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x76180000 0x761d6fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x763c0000 0x763c9fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x763d0000 0x763dbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x763e0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76670000 0x7671bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76720000 0x767ebfff Memory Mapped File Readable, Writable, Executable False False False -
comdlg32.dll 0x767f0000 0x7686afff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76920000 0x77569fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x77570000 0x775cffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x775d0000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x776c0000 0x7781bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77820000 0x778affff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x77990000 0x77a2cfff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000077a30000 0x77a30000 0x77b4efff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077b50000 0x77b50000 0x77c49fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77e30000 0x77faffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\5p5nrg~1\appdata\roaming\vqbkvynl9c 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e; SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709; SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 False
c:\users\5p5nrg~1\appdata\roaming\vqbkvy~1 44.00 KB MD5: 4ebbc2b0ad7f9075ae9d6835d2a62b6e; SHA1: db1f81f5e209fed6df3255f6c820555cf17a839c; SHA256: eaab690ebd8ddf9ae452de1bc03b73c8154264dbd7a292334733b47a668ebf31 False
c:\users\5p5nrg~1\appdata\roaming\vqbkvy~1:bin 178.00 KB MD5: 093d2634168cf168d59bfa49550a4010; SHA1: 8ba04fcf149265e2ed1ee63af73087ee09d729aa; SHA256: c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51cd341 False
Host Behavior
File (18)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\5P5NRG~1\AppData\Roaming\VQBKvYnL9c desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1 Fn
Create C:\Windows\system32\sc.exe desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Users\5P5NRG~1\AppData\Roaming\VQBKVY~1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1 Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51c.exe desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Users\5P5NRG~1\AppData\Roaming\VQBKVY~1:bin desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1 Fn
Get Info C:\Users\5P5NRG~1\AppData\Roaming\VQBKvYnL9c type = file_attributes False 1 Fn
Get Info C:\Users\5P5NRG~1\AppData\Roaming\VQBKvYnL9c type = file_attributes True 1 Fn
Get Info C:\Windows\system32\sc.exe type = file_attributes True 1 Fn
Get Info C:\Windows\system32\sc.exe type = size, size_out = 0 True 1 Fn
Get Info C:\Users\5P5NRG~1\AppData\Roaming\VQBKVY~1 type = file_attributes False 1 Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51c.exe type = file_attributes True 1 Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51c.exe type = size, size_out = 0 True 1 Fn
Get Info C:\Users\5P5NRG~1\AppData\Roaming\VQBKVY~1:bin type = file_attributes False 1 Fn
Read C:\Windows\system32\sc.exe size = 45056, size_out = 45056 True 1 Fn, Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51c.exe size = 182272, size_out = 182272 True 1 Fn, Data
Write C:\Users\5P5NRG~1\AppData\Roaming\VQBKVY~1 size = 45056 True 1 Fn, Data
Write C:\Users\5P5NRG~1\AppData\Roaming\VQBKVY~1:bin size = 182272 True 1 Fn, Data
Delete C:\Users\5P5NRG~1\AppData\Roaming\VQBKvYnL9c - True 1 Fn
Registry (344)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\SOFTWARE - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1 Fn
Open Key HKEY_CURRENT_USER\Software - True 1 Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows - True 1 Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion - True 1 Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1 Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value_name = EnableLUA, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value_name = EnableLUA, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = 0, type = REG_SZ True 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming, type = REG_SZ True 1 Fn
Duplicate Key - - True 1 Fn
Duplicate Key - - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1 Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1 Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - False 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - False 1
Fn
Process (1)
Operation Process Additional Information Success Count
Create C:\Users\5P5NRG~1\AppData\Roaming\VQBKVY~1:bin os_pid = 0x9ec, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Module (10)
Operation Module Additional Information Success Count
Load KERNEL32.dll base_address = 0x75fd0000 True 1
Load crypt32.dll base_address = 0x0 True 1
Get Handle c:\users\5p5nrgjn0js halpmcxz\desktop\c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51c.exe base_address = 0x400000 True 2
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51c.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51c.exe, size = 4096 True 1
Get Filename crypt32.dll process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51c.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51c.exe, size = 512 True 3
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringA, address_out = 0x7600b2b7 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapValidate, address_out = 0x75ffb17b True 1
System (3)
Operation Additional Information Success Count
Get Info type = Operating System True 1
Get Info type = Wow64 Directory, result_out = C:\Windows\SysWOW64 True 1
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Mutex (2)
Operation Additional Information Success Count
Create - True 1
Release - True 1
Process #2: vqbkvy~1:bin
1471 0
Information Value
ID #2
File Name c:\users\5p5nrg~1\appdata\roaming\vqbkvy~1:bin
Command Line C:\Users\5P5NRG~1\AppData\Roaming\VQBKVY~1:bin C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51c.exe
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:45, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:01:44
OS Process Information
Information Value
PID 0x9ec
Parent PID 0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51c.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9F0, 0x9F4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory Readable True False False -
oleaccrc.dll 0x001b0000 0x001b0fff Memory Mapped File Readable False False False -
private_0x00000000001c0000 0x001c0000 0x001dafff Private Memory Readable, Writable, Executable True False False -
private_0x00000000001e0000 0x001e0000 0x001f1fff Private Memory Readable, Writable True False False -
private_0x0000000000200000 0x00200000 0x0027ffff Private Memory Readable, Writable True False False -
private_0x0000000000280000 0x00280000 0x002bffff Private Memory Readable, Writable True False False -
private_0x0000000000280000 0x00280000 0x0028ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000280000 0x00280000 0x00286fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000280000 0x00280000 0x00280fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000290000 0x00290000 0x00296fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000002b0000 0x002b0000 0x002bffff Private Memory Readable, Writable True False False -
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory Readable, Writable True False False -
vqbkvy~1 0x00400000 0x0042efff Memory Mapped File Readable, Writable, Executable True True False
locale.nls 0x00430000 0x00496fff Memory Mapped File Readable False False False -
private_0x00000000004a0000 0x004a0000 0x004dffff Private Memory Readable, Writable True False False -
private_0x0000000000500000 0x00500000 0x0050ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000510000 0x00510000 0x00697fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000006a0000 0x006a0000 0x00820fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000830000 0x00830000 0x01c2ffff Pagefile Backed Memory Readable True False False -
rsaenh.dll 0x01c30000 0x01c6bfff Memory Mapped File Readable False False False -
private_0x0000000001ca0000 0x01ca0000 0x01caffff Private Memory Readable, Writable True False False -
private_0x0000000001d70000 0x01d70000 0x01d7ffff Private Memory Readable, Writable True False False -
private_0x0000000001d80000 0x01d80000 0x01edffff Private Memory Readable, Writable True False False -
private_0x0000000001d80000 0x01d80000 0x01e7ffff Private Memory Readable, Writable True False False -
private_0x0000000001ed0000 0x01ed0000 0x01edffff Private Memory Readable, Writable True False False -
private_0x0000000001ee0000 0x01ee0000 0x01fdffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x01fe0000 0x022aefff Memory Mapped File Readable False False False -
wow64cpu.dll 0x75360000 0x75367fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x75370000 0x753cbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x753d0000 0x7540efff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x75630000 0x75650fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x75660000 0x7569afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x756a0000 0x756b5fff Memory Mapped File Readable, Writable, Executable False False False -
msimg32.dll 0x756e0000 0x756e4fff Memory Mapped File Readable, Writable, Executable False False False -
oledlg.dll 0x756f0000 0x7570bfff Memory Mapped File Readable, Writable, Executable False False False -
oleacc.dll 0x75710000 0x7574bfff Memory Mapped File Readable, Writable, Executable False False False -
winmm.dll 0x75750000 0x75781fff Memory Mapped File Readable, Writable, Executable False False False -
winspool.drv 0x75790000 0x757e0fff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x757f0000 0x75873fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75980000 0x7598bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75990000 0x759effff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x75a20000 0x75a24fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75a30000 0x75a48fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x75a60000 0x75b7cfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75bb0000 0x75bf5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fd0000 0x760dffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x760e0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x76180000 0x761d6fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x763c0000 0x763c9fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x763d0000 0x763dbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x763e0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76670000 0x7671bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76720000 0x767ebfff Memory Mapped File Readable, Writable, Executable False False False -
comdlg32.dll 0x767f0000 0x7686afff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76920000 0x77569fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x77570000 0x775cffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x775d0000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x776c0000 0x7781bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77820000 0x778affff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x77940000 0x77984fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x77990000 0x77a2cfff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000077a30000 0x77a30000 0x77b4efff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077b50000 0x77b50000 0x77c49fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77e30000 0x77faffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\5p5nrg~1\appdata\local\temp\ebfa6.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe 178.00 KB MD5: 093d2634168cf168d59bfa49550a4010
SHA1: 8ba04fcf149265e2ed1ee63af73087ee09d729aa
SHA256: c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51cd341
False
c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe:0 101.68 KB MD5: 19e11cacd01fcb8c63ded05319074420
SHA1: a67260c827d36158e3c4a075fc6f2940570df8e5
SHA256: 7a5972525cc20679a682c738475d968a89e1453bbbf070a18e6216ed7801a3c2
False
Host Behavior
File (20)
Operation Filename Additional Information Success Count
Create C:\Users\5P5NRG~1\AppData\Local\Temp\eBFA6.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\5P5NRG~1\AppData\Roaming\VQBKVY~1:bin desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Windows\servicing\TrustedInstaller.exe desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 2
Create C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe:0 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Temp File C:\Users\5P5NRG~1\AppData\Local\Temp\eBFA6.tmp path = C:\Users\5P5NRG~1\AppData\Local\Temp, prefix = e True 1
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\eBFA6.tmp type = file_attributes True 1
Get Info C:\Users\5P5NRG~1\AppData\Roaming\VQBKVY~1:bin type = file_attributes True 1
Get Info C:\Users\5P5NRG~1\AppData\Roaming\VQBKVY~1:bin type = size, size_out = 0 True 1
Get Info C:\Windows\servicing\TrustedInstaller.exe type = file_attributes True 1
Get Info C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe type = size, size_out = 0 True 1
Get Info C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe type = time True 1
Get Info C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe:0 type = file_attributes False 1
Read C:\Users\5P5NRG~1\AppData\Roaming\VQBKVY~1:bin size = 182272, size_out = 182272 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe size = 104120, size_out = 104120 True 1
Write C:\Users\5P5NRG~1\AppData\Local\Temp\eBFA6.tmp size = 26 True 1
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe size = 182272 True 1
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe:0 size = 104120 True 1
Delete C:\Users\5P5NRG~1\AppData\Roaming\VQBKVY~1 - True 1
Registry (781)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM - True 2
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 2
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value_name = EnableLUA, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value_name = EnableLUA, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value - value_name = RequiredPrivileges, data = 30947048, size = 406, type = REG_MULTI_SZ False 1
Write Value - value_name = ObjectName, data = 31037456, size = 12, type = REG_SZ False 1
Write Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet value_name = RequiredPrivileges, data = 30961296, size = 575, type = REG_MULTI_SZ True 1
Write Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet value_name = ObjectName, data = LocalSystem, size = 12, type = REG_SZ True 1
Duplicate Key - - True 5
Enumerate Keys HKEY_LOCAL_MACHINE - True 5 (5 identical rows)
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1 (7 identical rows)
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Enumerate Keys HKEY_LOCAL_MACHINE - True 4
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM - True 2
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - False 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 2
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 2
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 2
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 2
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 2
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 2
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 2
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 2
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 2
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 2
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 2
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - False 2
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 2
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 2
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 2
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 2
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 2
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 2
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 2
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 2
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 2
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 2
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 2
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - False 2
Fn
Process (110)
Operation Process Additional Information Success Count
Create C:\Windows\system32\vssadmin.exe os_pid = 0x9f8, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Create C:\Windows\system32\diskshadow.exe os_pid = 0x0, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE False 1
Create C:\Windows\system32\icacls.exe os_pid = 0xa3c, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Get filename System - False 1
Get filename c:\windows\system32\smss.exe file_name = \Device\HarddiskVolume1\Windows\System32\smss.exe True 1
Get filename c:\program files\windows sidebar\picture_pk.exe file_name = \Device\HarddiskVolume1\Program Files\Windows Sidebar\picture_pk.exe True 1
Get filename c:\windows\system32\wininit.exe file_name = \Device\HarddiskVolume1\Windows\System32\wininit.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Windows\System32\svchost.exe True 1
Get filename c:\windows\system32\winlogon.exe file_name = \Device\HarddiskVolume1\Windows\System32\winlogon.exe True 1
Get filename c:\windows\system32\services.exe file_name = \Device\HarddiskVolume1\Windows\System32\services.exe True 1
Get filename c:\windows\system32\lsass.exe file_name = \Device\HarddiskVolume1\Windows\System32\lsass.exe True 1
Get filename c:\windows\system32\lsm.exe file_name = \Device\HarddiskVolume1\Windows\System32\lsm.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Windows\System32\svchost.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Windows\System32\svchost.exe True 6
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Windows\System32\audiodg.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Windows\System32\spoolsv.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Windows\System32\taskhost.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Windows\System32\dwm.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Windows\System32\taskeng.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Windows\explorer.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files (x86)\Internet Explorer\transportationporval.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files (x86)\Microsoft Analysis Services\liverpool-brazil-kind-researchers.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files\Internet Explorer\azerbaijan australia map.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files (x86)\Microsoft Analysis Services\seattleconvertible.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files\Windows Portable Devices\camps_part_october.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files (x86)\Windows Portable Devices\fskaslidesoregon.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files\Microsoft Synchronization Services\ny surge discounts.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files\Internet Explorer\furniture-cg.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files\Windows Journal\angry_region_seconds.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files\Reference Assemblies\soviet-nutten-samples-configured.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files (x86)\Google\wishes_pixels_reflected_edgar.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files (x86)\Windows Photo Viewer\nyc-actor-fault-logistics.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files\Reference Assemblies\duration_electricity_columbia_estate.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files\Windows Photo Viewer\prominent.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files (x86)\Java\after practical kiss sir.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files\Reference Assemblies\epson-pressing-camera.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files\Microsoft Sync Framework\baptist-extraction.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files\Common Files\challenged.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files\MSBuild\rhode-jay.exe True 1
Get Info System type = PROCESS_SESSION_INFORMATION True 1
Get Info c:\windows\system32\smss.exe type = PROCESS_SESSION_INFORMATION True 1
Get Info c:\program files\windows sidebar\picture_pk.exe type = PROCESS_SESSION_INFORMATION True 1
Get Info c:\windows\system32\wininit.exe type = PROCESS_SESSION_INFORMATION True 1
Get Info c:\windows\system32\svchost.exe type = PROCESS_SESSION_INFORMATION True 1
Get Info c:\windows\system32\winlogon.exe type = PROCESS_SESSION_INFORMATION True 1
Get Info c:\windows\system32\services.exe type = PROCESS_SESSION_INFORMATION True 1
Get Info c:\windows\system32\lsass.exe type = PROCESS_SESSION_INFORMATION True 1
Get Info c:\windows\system32\lsm.exe type = PROCESS_SESSION_INFORMATION True 1
Get Info c:\windows\system32\svchost.exe type = PROCESS_SESSION_INFORMATION True 1
Get Info c:\windows\system32\svchost.exe type = PROCESS_SESSION_INFORMATION True 31
Open System desired_access = PROCESS_QUERY_INFORMATION False 1
Open System desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 1
Open c:\windows\system32\smss.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\smss.exe desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 1
Open c:\program files\windows sidebar\picture_pk.exe desired_access = PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\csrss.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\csrss.exe desired_access = PROCESS_QUERY_LIMITED_INFORMATION False 1
Open c:\windows\system32\wininit.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\wininit.exe desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 1
Open c:\windows\system32\csrss.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\csrss.exe desired_access = PROCESS_QUERY_LIMITED_INFORMATION False 1
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 1
Open c:\windows\system32\services.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\services.exe desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 1
Open c:\windows\system32\lsass.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\lsass.exe desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 1
Open c:\windows\system32\lsm.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\lsm.exe desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 1
Module (10)
Operation Module Additional Information Success Count
Load KERNEL32.dll base_address = 0x75fd0000 True 1
Load crypt32.dll base_address = 0x0 True 1
Load psapi.dll base_address = 0x0 True 1
Get Handle c:\users\5p5nrg~1\appdata\roaming\vqbkvy~1 base_address = 0x400000 True 2
Get Filename - process_name = c:\users\5p5nrg~1\appdata\roaming\vqbkvy~1:bin, file_name_orig = C:\Users\5P5NRG~1\AppData\Roaming\VQBKVY~1:bin, size = 4096 True 1
Get Filename crypt32.dll process_name = c:\users\5p5nrg~1\appdata\roaming\vqbkvy~1:bin, file_name_orig = C:\Users\5P5NRG~1\AppData\Roaming\VQBKVY~1:bin, size = 512 True 2
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringA, address_out = 0x7600b2b7 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapValidate, address_out = 0x75ffb17b True 1
Service (489)
Operation Additional Information Success Count
Control service_name = TrustedInstaller False 1
Control service_name = clr_optimization_v4.0.30319_32 False 1
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Get Info service_name = AdobeFlashPlayerUpdateSvc False 1
Get Info service_name = AdobeFlashPlayerUpdateSvc True 1
Get Info service_name = AeLookupSvc False 1
Get Info service_name = AeLookupSvc True 1
Get Info service_name = ALG False 1
Get Info service_name = ALG True 1
Get Info service_name = AppIDSvc False 1
Get Info service_name = AppIDSvc True 1
Get Info service_name = Appinfo False 1
Get Info service_name = Appinfo True 1
Get Info service_name = AppMgmt False 1
Get Info service_name = AppMgmt True 1
Get Info service_name = aspnet_state False 1
Get Info service_name = aspnet_state True 1
Get Info service_name = AudioEndpointBuilder False 1
Get Info service_name = AudioEndpointBuilder True 1
Get Info service_name = AudioSrv False 1
Get Info service_name = AudioSrv True 1
Get Info service_name = AxInstSV False 1
Get Info service_name = AxInstSV True 1
Get Info service_name = BDESVC False 1
Get Info service_name = BDESVC True 1
Get Info service_name = BFE False 1
Get Info service_name = BFE True 1
Get Info service_name = BITS False 1
Get Info service_name = BITS True 1
Get Info service_name = Browser False 1
Get Info service_name = Browser True 1
Get Info service_name = bthserv False 1
Get Info service_name = bthserv True 1
Get Info service_name = CertPropSvc False 1
Get Info service_name = CertPropSvc True 1
Get Info service_name = clr_optimization_v2.0.50727_32 False 1
Get Info service_name = clr_optimization_v2.0.50727_32 True 1
Get Info service_name = clr_optimization_v2.0.50727_64 False 1
Get Info service_name = clr_optimization_v2.0.50727_64 True 1
Get Info service_name = clr_optimization_v4.0.30319_32 False 1
Get Info service_name = clr_optimization_v4.0.30319_32 True 1
Get Info service_name = clr_optimization_v4.0.30319_64 False 1
Get Info service_name = clr_optimization_v4.0.30319_64 True 1
Get Info service_name = COMSysApp False 1
Get Info service_name = COMSysApp True 1
Get Info service_name = CryptSvc False 1
Get Info service_name = CryptSvc True 1
Get Info service_name = CscService False 1
Get Info service_name = CscService True 1
Get Info service_name = DcomLaunch False 1
Get Info service_name = DcomLaunch True 1
Get Info service_name = defragsvc False 1
Get Info service_name = defragsvc True 1
Get Info service_name = Dhcp False 1
Get Info service_name = Dhcp True 1
Get Info service_name = Dnscache False 1
Get Info service_name = Dnscache True 1
Get Info service_name = dot3svc False 1
Get Info service_name = dot3svc True 1
Get Info service_name = DPS False 1
Get Info service_name = DPS True 1
Get Info service_name = EapHost False 1
Get Info service_name = EapHost True 1
Get Info service_name = EFS False 1
Get Info service_name = EFS True 1
Get Info service_name = ehRecvr False 1
Get Info service_name = ehRecvr True 1
Get Info service_name = ehSched False 1
Get Info service_name = ehSched True 1
Get Info service_name = eventlog False 1
Get Info service_name = eventlog True 1
Get Info service_name = EventSystem False 1
Get Info service_name = EventSystem True 1
Get Info service_name = Fax False 1
Get Info service_name = Fax True 1
Get Info service_name = fdPHost False 1
Get Info service_name = fdPHost True 1
Get Info service_name = FDResPub False 1
Get Info service_name = FDResPub True 1
Get Info service_name = FontCache False 1
Get Info service_name = FontCache True 1
Get Info service_name = FontCache3.0.0.0 False 1
Get Info service_name = FontCache3.0.0.0 True 1
Get Info service_name = gpsvc False 1
Get Info service_name = gpsvc True 1
Get Info service_name = gupdate False 1
Get Info service_name = gupdate True 1
Get Info service_name = gupdatem False 1
Get Info service_name = gupdatem True 1
Get Info service_name = hidserv False 1
Get Info service_name = hidserv True 1
Get Info service_name = hkmsvc False 1
Get Info service_name = hkmsvc True 1
Get Info service_name = HomeGroupListener False 1
Get Info service_name = HomeGroupListener True 1
Get Info service_name = HomeGroupProvider False 1
Get Info service_name = HomeGroupProvider True 1
Get Info service_name = idsvc False 1
Get Info service_name = idsvc True 1
Get Info service_name = IKEEXT False 1
Get Info service_name = IKEEXT True 1
Get Info service_name = IPBusEnum False 1
Get Info service_name = IPBusEnum True 1
Get Info service_name = iphlpsvc False 1
Get Info service_name = iphlpsvc True 1
Get Info service_name = KeyIso False 1
Get Info service_name = KeyIso True 1
Get Info service_name = KtmRm False 1
Get Info service_name = KtmRm True 1
Get Info service_name = LanmanServer False 1
Get Info service_name = LanmanServer True 1
Get Info service_name = LanmanWorkstation False 1
Get Info service_name = LanmanWorkstation True 1
Get Info service_name = lltdsvc False 1
Get Info service_name = lltdsvc True 1
Get Info service_name = lmhosts False 1
Get Info service_name = lmhosts True 1
Get Info service_name = Mcx2Svc False 1
Get Info service_name = Mcx2Svc True 1
Get Info service_name = Microsoft SharePoint Workspace Audit Service False 1
Get Info service_name = Microsoft SharePoint Workspace Audit Service True 1
Get Info service_name = MMCSS False 1
Get Info service_name = MMCSS True 1
Get Info service_name = MozillaMaintenance False 1
Get Info service_name = MozillaMaintenance True 1
Get Info service_name = MpsSvc False 1
Get Info service_name = MpsSvc True 1
Get Info service_name = MSDTC False 1
Get Info service_name = MSDTC True 1
Get Info service_name = MSiSCSI False 1
Get Info service_name = MSiSCSI True 1
Get Info service_name = msiserver False 1
Get Info service_name = msiserver True 1
Get Info service_name = napagent False 1
Get Info service_name = napagent True 1
Get Info service_name = Netlogon False 1
Get Info service_name = Netlogon True 1
Get Info service_name = Netman False 1
Get Info service_name = Netman True 1
Get Info service_name = NetMsmqActivator False 1
Get Info service_name = NetMsmqActivator True 1
Get Info service_name = NetPipeActivator False 1
Get Info service_name = NetPipeActivator True 1
Get Info service_name = netprofm False 1
Get Info service_name = netprofm True 1
Get Info service_name = NetTcpActivator False 1
Get Info service_name = NetTcpActivator True 1
Get Info service_name = NetTcpPortSharing False 1
Get Info service_name = NetTcpPortSharing True 1
Get Info service_name = NlaSvc False 1
Get Info service_name = NlaSvc True 1
Get Info service_name = nsi False 1
Get Info service_name = nsi True 1
Get Info service_name = ose64 False 1
Get Info service_name = ose64 True 1
Get Info service_name = osppsvc False 1
Get Info service_name = osppsvc True 1
Get Info service_name = p2pimsvc False 1
Get Info service_name = p2pimsvc True 1
Get Info service_name = p2psvc False 1
Get Info service_name = p2psvc True 1
Get Info service_name = PcaSvc False 1
Get Info service_name = PcaSvc True 1
Get Info service_name = PeerDistSvc False 1
Get Info service_name = PeerDistSvc True 1
Get Info service_name = PerfHost False 1
Get Info service_name = PerfHost True 1
Get Info service_name = pla False 1
Get Info service_name = pla True 1
Get Info service_name = PlugPlay False 1
Get Info service_name = PlugPlay True 1
Get Info service_name = PNRPAutoReg False 1
Get Info service_name = PNRPAutoReg True 1
Get Info service_name = PNRPsvc False 1
Get Info service_name = PNRPsvc True 1
Get Info service_name = PolicyAgent False 1
Get Info service_name = PolicyAgent True 1
Get Info service_name = Power False 1
Get Info service_name = Power True 1
Get Info service_name = ProfSvc False 1
Get Info service_name = ProfSvc True 1
Get Info service_name = ProtectedStorage False 1
Get Info service_name = ProtectedStorage True 1
Get Info service_name = QWAVE False 1
Get Info service_name = QWAVE True 1
Get Info service_name = RasAuto False 1
Get Info service_name = RasAuto True 1
Get Info service_name = RasMan False 1
Get Info service_name = RasMan True 1
Get Info service_name = RemoteAccess False 1
Get Info service_name = RemoteAccess True 1
Get Info service_name = RemoteRegistry False 1
Get Info service_name = RemoteRegistry True 1
Get Info service_name = RpcEptMapper False 1
Get Info service_name = RpcEptMapper True 1
Get Info service_name = RpcLocator False 1
Get Info service_name = RpcLocator True 1
Get Info service_name = RpcSs False 1
Get Info service_name = RpcSs True 1
Fn
Get Info service_name = SamSs False 1
Fn
Get Info service_name = SamSs True 1
Fn
Get Info service_name = SCardSvr False 1
Fn
Get Info service_name = SCardSvr True 1
Fn
Get Info service_name = Schedule False 1
Fn
Get Info service_name = Schedule True 1
Fn
Get Info service_name = SCPolicySvc False 1
Fn
Get Info service_name = SCPolicySvc True 1
Fn
Get Info service_name = SDRSVC False 1
Fn
Get Info service_name = SDRSVC True 1
Fn
Get Info service_name = seclogon False 1
Fn
Get Info service_name = seclogon True 1
Fn
Get Info service_name = SENS False 1
Fn
Get Info service_name = SENS True 1
Fn
Get Info service_name = SensrSvc False 1
Fn
Get Info service_name = SensrSvc True 1
Fn
Get Info service_name = SessionEnv False 1
Fn
Get Info service_name = SessionEnv True 1
Fn
Get Info service_name = SharedAccess False 1
Fn
Get Info service_name = SharedAccess True 1
Fn
Get Info service_name = ShellHWDetection False 1
Fn
Get Info service_name = ShellHWDetection True 1
Fn
Get Info service_name = SNMPTRAP False 1
Fn
Get Info service_name = SNMPTRAP True 1
Fn
Get Info service_name = Spooler False 1
Fn
Get Info service_name = Spooler True 1
Fn
Get Info service_name = sppsvc False 1
Fn
Get Info service_name = sppsvc True 1
Fn
Get Info service_name = sppuinotify False 1
Fn
Get Info service_name = sppuinotify True 1
Fn
Get Info service_name = SSDPSRV False 1
Fn
Get Info service_name = SSDPSRV True 1
Fn
Get Info service_name = SstpSvc False 1
Fn
Get Info service_name = SstpSvc True 1
Fn
Get Info service_name = stisvc False 1
Fn
Get Info service_name = stisvc True 1
Fn
Get Info service_name = StorSvc False 1
Fn
Get Info service_name = StorSvc True 1
Fn
Get Info service_name = swprv False 1
Fn
Get Info service_name = swprv True 1
Fn
Get Info service_name = SysMain False 1
Fn
Get Info service_name = SysMain True 1
Fn
Get Info service_name = TabletInputService False 1
Fn
Get Info service_name = TabletInputService True 1
Fn
Get Info service_name = TapiSrv False 1
Fn
Get Info service_name = TapiSrv True 1
Fn
Get Info service_name = TBS False 1
Fn
Get Info service_name = TBS True 1
Fn
Get Info service_name = TermService False 1
Fn
Get Info service_name = TermService True 1
Fn
Get Info service_name = Themes False 1
Fn
Get Info service_name = Themes True 1
Fn
Get Info service_name = THREADORDER False 1
Fn
Get Info service_name = THREADORDER True 1
Fn
Get Info service_name = TrkWks False 1
Fn
Get Info service_name = TrkWks True 1
Fn
Get Info service_name = TrustedInstaller False 1
Fn
Get Info service_name = TrustedInstaller True 1
Fn
Get Info service_name = UI0Detect False 1
Fn
Get Info service_name = UI0Detect True 1
Fn
Get Info service_name = UmRdpService False 1
Fn
Get Info service_name = UmRdpService True 1
Fn
Get Info service_name = upnphost False 1
Fn
Get Info service_name = upnphost True 1
Fn
Get Info service_name = UxSms False 1
Fn
Get Info service_name = UxSms True 1
Fn
Get Info service_name = VaultSvc False 1
Fn
Get Info service_name = VaultSvc True 1
Fn
Get Info service_name = vds False 1
Fn
Get Info service_name = vds True 1
Fn
Get Info service_name = VSS False 1
Fn
Get Info service_name = VSS True 1
Fn
Get Info service_name = W32Time False 1
Fn
Get Info service_name = W32Time True 1
Fn
Get Info service_name = wbengine False 1
Fn
Get Info service_name = wbengine True 1
Fn
Get Info service_name = WbioSrvc False 1
Fn
Get Info service_name = WbioSrvc True 1
Fn
Get Info service_name = wcncsvc False 1
Fn
Get Info service_name = wcncsvc True 1
Fn
Get Info service_name = WcsPlugInService False 1
Fn
Get Info service_name = WcsPlugInService True 1
Fn
Get Info service_name = WdiServiceHost False 1
Fn
Get Info service_name = WdiServiceHost True 1
Fn
Get Info service_name = WdiSystemHost False 1
Fn
Get Info service_name = WdiSystemHost True 1
Fn
Get Info service_name = WebClient False 1
Fn
Get Info service_name = WebClient True 1
Fn
Get Info service_name = Wecsvc False 1
Fn
Get Info service_name = Wecsvc True 1
Fn
Get Info service_name = wercplsupport False 1
Fn
Get Info service_name = wercplsupport True 1
Fn
Get Info service_name = WerSvc False 1
Fn
Get Info service_name = WerSvc True 1
Fn
Get Info service_name = WinDefend False 1
Fn
Get Info service_name = WinDefend True 1
Fn
Get Info service_name = WinHttpAutoProxySvc False 1
Fn
Get Info service_name = WinHttpAutoProxySvc True 1
Fn
Get Info service_name = Winmgmt False 1
Fn
Get Info service_name = Winmgmt True 1
Fn
Get Info service_name = WinRM False 1
Fn
Get Info service_name = WinRM True 1
Fn
Get Info service_name = Wlansvc False 1
Fn
Get Info service_name = Wlansvc True 1
Fn
Get Info service_name = wmiApSrv False 1
Fn
Get Info service_name = wmiApSrv True 1
Fn
Get Info service_name = WMPNetworkSvc False 1
Fn
Get Info service_name = WMPNetworkSvc True 1
Fn
Get Info service_name = WPCSvc False 1
Fn
Get Info service_name = WPCSvc True 1
Fn
Get Info service_name = WPDBusEnum False 1
Fn
Get Info service_name = WPDBusEnum True 1
Fn
Get Info service_name = wscsvc False 1
Fn
Get Info service_name = wscsvc True 1
Fn
Get Info service_name = WSearch False 1
Fn
Get Info service_name = WSearch True 1
Fn
Get Info service_name = wuauserv False 1
Fn
Get Info service_name = wuauserv True 1
Fn
Get Info service_name = wudfsvc False 1
Fn
Get Info service_name = wudfsvc True 1
Fn
Get Info service_name = WwanSvc False 1
Fn
Get Info service_name = WwanSvc True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Set Config service_name = TrustedInstaller True 1
Fn
Set Config service_name = clr_optimization_v4.0.30319_32 True 1
Fn
Start service_name = clr_optimization_v4.0.30319_32 True 1
Fn
System (3)
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 1
Fn
Get Info type = Wow64 Directory, result_out = C:\Windows\SysWOW64 True 1
Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Mutex (6)
Operation Additional Information Success Count Logfile
Create - True 1
Fn
Create mutex_name = Global\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E} True 1
Fn
Open mutex_name = Global\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E} False 1
Fn
Release - True 1
Fn
Release mutex_name = Global\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E} True 1
Fn
Release mutex_name = Global\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E} False 1
Fn
Environment (3)
Operation Additional Information Success Count Logfile
Get Environment String name = COMPUTERNAME, result_out = XDUWTFONO True 1
Fn
Get Environment String name = USERNAME, result_out = 5p5NrGJn0jS HALPmcxz True 1
Fn
Get Environment String name = TEMP, result_out = C:\Users\5P5NRG~1\AppData\Local\Temp True 1
Fn
Process #3: vssadmin.exe
Information Value
ID #3
File Name c:\windows\system32\vssadmin.exe
Command Line C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:55, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:01:34
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9f8
Parent PID 0x9ec (c:\users\5p5nrg~1\appdata\roaming\vqbkvy~1:bin)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9FC, 0xA0C, 0xA10, 0xA1C, 0xA20
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory Readable True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory Readable, Writable True False False -
locale.nls 0x00160000 0x001c6fff Memory Mapped File Readable False False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000250000 0x00250000 0x00251fff Pagefile Backed Memory Readable, Writable True False False -
vssadmin.exe.mui 0x00260000 0x0026cfff Memory Mapped File Readable, Writable False False False -
private_0x0000000000270000 0x00270000 0x00270fff Private Memory Readable, Writable True False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory Readable, Writable True False False -
private_0x0000000000290000 0x00290000 0x0029ffff Private Memory Readable, Writable True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000003a0000 0x003a0000 0x00527fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000530000 0x00530000 0x006b0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000006c0000 0x006c0000 0x01abffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001ac0000 0x01ac0000 0x01ac0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001ad0000 0x01ad0000 0x01ad0fff Pagefile Backed Memory Readable True False False -
private_0x0000000001bc0000 0x01bc0000 0x01c3ffff Private Memory Readable, Writable True False False -
private_0x0000000001d10000 0x01d10000 0x01d8ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x01d90000 0x0205efff Memory Mapped File Readable False False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff8000 0x7fff8000 0x7fff8fff Private Memory Readable, Writable True False False -
vssadmin.exe 0xff9d0000 0xff9fcfff Memory Mapped File Readable, Writable, Executable False False False -
vsstrace.dll 0x7fefac50000 0x7fefac66fff Memory Mapped File Readable, Writable, Executable False False False -
vssapi.dll 0x7fefac70000 0x7fefae1ffff Memory Mapped File Readable, Writable, Executable False False False -
atl.dll 0x7fefb770000 0x7fefb788fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x7fefd190000 0x7fefd1d6fff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x7fefd490000 0x7fefd4a6fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7fefda90000 0x7fefda9efff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x7fefdb80000 0x7fefdb93fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7fefdf70000 0x7fefe172fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x7fefef10000 0x7fefefa8fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feff3b0000 0x7feff3bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feff3c0000 0x7feff3edfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7feff910000 0x7feff976fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffa00000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x7feffb10000 0x7feffbe6fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feffe90000 0x7fefff58fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory Readable, Writable True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory Readable, Writable True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory Readable, Writable True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True False False -
Process #4: takeown.exe
Information Value
ID #4
File Name c:\windows\system32\takeown.exe
Command Line C:\Windows\system32\takeown.exe /F C:\Windows\servicing\TrustedInstaller.exe
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:59, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:01:30
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa14
Parent PID 0x9ec (c:\users\5p5nrg~1\appdata\roaming\vqbkvy~1:bin)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA18, 0xA30
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory Readable, Writable True False False -
takeown.exe.mui 0x000e0000 0x000e3fff Memory Mapped File Readable, Writable False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory Readable, Writable True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory Readable, Writable True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory Readable, Writable True False False -
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000004a0000 0x004a0000 0x00627fff Pagefile Backed Memory Readable True False False -
private_0x0000000000630000 0x00630000 0x0063ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000640000 0x00640000 0x007c0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000007d0000 0x007d0000 0x01bcffff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01bd0000 0x01e9efff Memory Mapped File Readable False False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff8000 0x7fff8000 0x7fff8fff Private Memory Readable, Writable True False False -
takeown.exe 0xff9d0000 0xff9e2fff Memory Mapped File Readable, Writable, Executable False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File Readable, Writable, Executable False False False -
wkscli.dll 0x7fefbd90000 0x7fefbda4fff Memory Mapped File Readable, Writable, Executable False False False -
netutils.dll 0x7fefbdb0000 0x7fefbdbbfff Memory Mapped File Readable, Writable, Executable False False False -
netapi32.dll 0x7fefbdc0000 0x7fefbdd5fff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x7fefcb60000 0x7fefcb8cfff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x7fefcd60000 0x7fefcd6bfff Memory Mapped File Readable, Writable, Executable False False False -
srvcli.dll 0x7fefd990000 0x7fefd9b2fff Memory Mapped File Readable, Writable, Executable False False False -
secur32.dll 0x7fefda30000 0x7fefda3afff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x7fefda60000 0x7fefda84fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feff3b0000 0x7feff3bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feff3c0000 0x7feff3edfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x7feff650000 0x7feff69cfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x7feff720000 0x7feff727fff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x7feff730000 0x7feff781fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7feff910000 0x7feff976fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x7feff980000 0x7feff9f0fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffa00000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feffe90000 0x7fefff58fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd7fff Private Memory Readable, Writable True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True False False -
Process #5: icacls.exe
Information Value
ID #5
File Name c:\windows\system32\icacls.exe
Command Line C:\Windows\system32\icacls.exe C:\Windows\servicing\TrustedInstaller.exe /reset
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:01:00, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:01:29
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa3c
Parent PID 0x9ec (c:\users\5p5nrg~1\appdata\roaming\vqbkvy~1:bin)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x A40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory Readable, Writable True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File Readable False False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory Readable, Writable True False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory Readable, Writable True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory Readable, Writable True False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff7000 0x7fff7000 0x7fff7fff Private Memory Readable, Writable True False False -
icacls.exe 0xff1a0000 0xff1abfff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x7fefcb60000 0x7fefcb8cfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x7feff730000 0x7feff781fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory Readable, Writable True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True False False -
Process #6: System
Information Value
ID #6
File Name System
Command Line -
Initial Working Directory -
Monitor Start Time: 00:01:01, Reason: Created Daemon
Unmonitor End Time: 00:00:46, Reason: Terminated by Timeout
Monitor Duration 23:59:45
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x4
Parent PID 0xffffffffffffffff (Unknown)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x 650
0x 18
0x 8FC
0x BC
0x 50
0x 7F0
0x 30
0x 7C
0x 43C
0x A0
0x 7D4
0x 60
0x 734
0x 6AC
0x 158
0x 7C4
0x 20
0x 1C
0x 94
0x 84
0x 658
0x 654
0x 644
0x 62C
0x 620
0x 610
0x 5A8
0x 584
0x 78
0x 4BC
0x 4B4
0x 24
0x 68
0x 45C
0x 98
0x 144
0x 3D0
0x D0
0x D4
0x 88
0x 80
0x 8C
0x 5C
0x 90
0x 308
0x B0
0x 9C
0x 288
0x 74
0x 124
0x 34
0x 100
0x 198
0x 4C
0x C4
0x 15C
0x 158
0x 150
0x 130
0x 138
0x 128
0x B8
0x 3C
0x 28
0x 38
0x 40
0x 48
0x 64
0x 110
0x 10C
0x C0
0x 44
0x 8
0x 0
0x AE4
0x B04
0x B0C
0x B10
0x F8
0x B14
0x B18
0x B20
0x B50
0x B00
0x B7C
0x BCC
0x 810
0x 81C
0x 770
0x 824
0x 690
0x CC
0x 450
0x 4F8
0x 5D8
0x 574
0x 844
0x 838
0x 834
0x 6FC
0x 864
0x 870
0x 54
0x 804
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x00032fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000040000 0x00040000 0x0005ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000060000 0x00060000 0x0007ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000080000 0x00080000 0x00080fff Pagefile Backed Memory Readable, Writable True False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77e30000 0x77faffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
pagefile_0x000007fff41d0000 0x7fff41d0000 0x7fff41fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fff46d0000 0x7fff46d0000 0x7fff46fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fff4bd0000 0x7fff4bd0000 0x7fff4bfffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fff50d0000 0x7fff50d0000 0x7fff50fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fff55d0000 0x7fff55d0000 0x7fff55fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fff5ad0000 0x7fff5ad0000 0x7fff5afffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fff5fd0000 0x7fff5fd0000 0x7fff5ffffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fff64d0000 0x7fff64d0000 0x7fff64fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fff69d0000 0x7fff69d0000 0x7fff69fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fff6ed0000 0x7fff6ed0000 0x7fff6efffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fff73d0000 0x7fff73d0000 0x7fff73fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fff78d0000 0x7fff78d0000 0x7fff78fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fff7dd0000 0x7fff7dd0000 0x7fff7dfffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fff82d0000 0x7fff82d0000 0x7fff82fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fff87d0000 0x7fff87d0000 0x7fff87fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fff8cd0000 0x7fff8cd0000 0x7fff8cfffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fff91d0000 0x7fff91d0000 0x7fff91fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fff96d0000 0x7fff96d0000 0x7fff96fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fff9bd0000 0x7fff9bd0000 0x7fff9bfffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fffa0d0000 0x7fffa0d0000 0x7fffa0fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fffa5d0000 0x7fffa5d0000 0x7fffa5fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fffaad0000 0x7fffaad0000 0x7fffaafffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fffafd0000 0x7fffafd0000 0x7fffaffffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fffb4d0000 0x7fffb4d0000 0x7fffb4fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fffb9d0000 0x7fffb9d0000 0x7fffb9fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fffbed0000 0x7fffbed0000 0x7fffbefffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fffc3d0000 0x7fffc3d0000 0x7fffc3fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fffc8d0000 0x7fffc8d0000 0x7fffc8fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fffcdd0000 0x7fffcdd0000 0x7fffcdfffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fffd2d0000 0x7fffd2d0000 0x7fffd2fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fffd7d0000 0x7fffd7d0000 0x7fffd7fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fffdcd0000 0x7fffdcd0000 0x7fffdcfffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fffe1d0000 0x7fffe1d0000 0x7fffe1fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fffe6d0000 0x7fffe6d0000 0x7fffe6fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007fffebd0000 0x7fffebd0000 0x7fffebfffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007ffff0d0000 0x7ffff0d0000 0x7ffff0fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007ffff5d0000 0x7ffff5d0000 0x7ffff5fffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000007ffffad0000 0x7ffffad0000 0x7ffffafffff Pagefile Backed Memory Readable, Writable True False False -
Process #7: services.exe
Information Value
ID #7
File Name c:\windows\system32\services.exe
Command Line C:\Windows\system32\services.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:01, Reason: Created Daemon
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:01:28
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1d8
Parent PID 0x178 (c:\windows\system32\wininit.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x 578
0x 464
0x 350
0x 514
0x 500
0x 4F4
0x 454
0x 404
0x 284
0x 24C
0x 248
0x 238
0x 234
0x 228
0x 224
0x 220
0x 21C
0x B08
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File Readable False False False -
pagefile_0x0000000000140000 0x00140000 0x00141fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000150000 0x00150000 0x00150fff Private Memory Readable, Writable True False False -
private_0x0000000000160000 0x00160000 0x00160fff Private Memory Readable, Writable True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory Readable, Writable True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory Readable, Writable True False False -
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory Readable, Writable True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory Readable, Writable True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000400000 0x00400000 0x00587fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000590000 0x00590000 0x00710fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000720000 0x00720000 0x007dffff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000007e0000 0x007e0000 0x00bd2fff Pagefile Backed Memory Readable True False False -
private_0x0000000000c40000 0x00c40000 0x00cbffff Private Memory Readable, Writable True False False -
private_0x0000000000d20000 0x00d20000 0x00d9ffff Private Memory Readable, Writable True False False -
private_0x0000000000db0000 0x00db0000 0x00deffff Private Memory Readable, Writable True False False -
private_0x0000000000df0000 0x00df0000 0x00e6ffff Private Memory Readable, Writable True False False -
private_0x0000000000e90000 0x00e90000 0x00f0ffff Private Memory Readable, Writable True False False -
private_0x0000000000f60000 0x00f60000 0x00fdffff Private Memory Readable, Writable True False False -
private_0x0000000001020000 0x01020000 0x0109ffff Private Memory Readable, Writable True False False -
private_0x00000000010e0000 0x010e0000 0x0115ffff Private Memory Readable, Writable True False False -
private_0x0000000001160000 0x01160000 0x011dffff Private Memory Readable, Writable True False False -
private_0x00000000011e0000 0x011e0000 0x0125ffff Private Memory Readable, Writable True False False -
private_0x00000000012b0000 0x012b0000 0x0132ffff Private Memory Readable, Writable True False False -
private_0x0000000001560000 0x01560000 0x015dffff Private Memory Readable, Writable True False False -
private_0x0000000001630000 0x01630000 0x016affff Private Memory Readable, Writable True False False -
private_0x0000000001750000 0x01750000 0x017cffff Private Memory Readable, Writable True False False -
private_0x0000000001800000 0x01800000 0x0187ffff Private Memory Readable, Writable True False False -
private_0x00000000018a0000 0x018a0000 0x0191ffff Private Memory Readable, Writable True False False -
private_0x0000000001960000 0x01960000 0x019dffff Private Memory Readable, Writable True False False -
private_0x00000000019e0000 0x019e0000 0x01adffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x01ae0000 0x01daefff Memory Mapped File Readable False False False -
private_0x0000000001db0000 0x01db0000 0x01eaffff Private Memory Readable, Writable True False False -
private_0x0000000001eb0000 0x01eb0000 0x020affff Private Memory Readable, Writable True False False -
private_0x00000000020b0000 0x020b0000 0x022affff Private Memory Readable, Writable True False False -
private_0x00000000022b0000 0x022b0000 0x026affff Private Memory Readable, Writable True False False -
private_0x0000000002750000 0x02750000 0x027cffff Private Memory Readable, Writable True False False -
private_0x00000000027d0000 0x027d0000 0x0284ffff Private Memory Readable, Writable True False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
services.exe 0xff470000 0xff4c2fff Memory Mapped File Readable, Writable, Executable False False False -
wtsapi32.dll 0x7fefbef0000 0x7fefbf00fff Memory Mapped File Readable, Writable, Executable False False False -
wshtcpip.dll 0x7fefce30000 0x7fefce36fff Memory Mapped File Readable, Writable, Executable False False False -
ubpm.dll 0x7fefd050000 0x7fefd088fff Memory Mapped File Readable, Writable, Executable False False False -
credssp.dll 0x7fefd090000 0x7fefd099fff Memory Mapped File Readable, Writable, Executable False False False -
wship6.dll 0x7fefd420000 0x7fefd426fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x7fefd430000 0x7fefd484fff Memory Mapped File Readable, Writable, Executable False False False -
authz.dll 0x7fefd680000 0x7fefd6aefff Memory Mapped File Readable, Writable, Executable False False False -
srvcli.dll 0x7fefd990000 0x7fefd9b2fff Memory Mapped File Readable, Writable, Executable False False False -
scesrv.dll 0x7fefd9c0000 0x7fefda26fff Memory Mapped File Readable, Writable, Executable False False False -
secur32.dll 0x7fefda30000 0x7fefda3afff Memory Mapped File Readable, Writable, Executable False False False -
scext.dll 0x7fefda40000 0x7fefda58fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x7fefda60000 0x7fefda84fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7fefda90000 0x7fefda9efff Memory Mapped File Readable, Writable, Executable False False False -
winsta.dll 0x7fefdb40000 0x7fefdb7cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x7fefdb80000 0x7fefdb93fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x7fefdba0000 0x7fefdbaefff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feff3b0000 0x7feff3bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feff3c0000 0x7feff3edfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x7feff650000 0x7feff69cfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x7feff720000 0x7feff727fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7feff910000 0x7feff976fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffa00000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feffe90000 0x7fefff58fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000007fffff92000 0x7fffff92000 0x7fffff93fff Private Memory Readable, Writable True False False -
private_0x000007fffff94000 0x7fffff94000 0x7fffff95fff Private Memory Readable, Writable True False False -
private_0x000007fffff96000 0x7fffff96000 0x7fffff97fff Private Memory Readable, Writable True False False -
private_0x000007fffff98000 0x7fffff98000 0x7fffff99fff Private Memory Readable, Writable True False False -
private_0x000007fffff9a000 0x7fffff9a000 0x7fffff9bfff Private Memory Readable, Writable True False False -
private_0x000007fffff9c000 0x7fffff9c000 0x7fffff9dfff Private Memory Readable, Writable True False False -
private_0x000007fffff9e000 0x7fffff9e000 0x7fffff9ffff Private Memory Readable, Writable True False False -
private_0x000007fffffa0000 0x7fffffa0000 0x7fffffa1fff Private Memory Readable, Writable True False False -
private_0x000007fffffa2000 0x7fffffa2000 0x7fffffa3fff Private Memory Readable, Writable True False False -
private_0x000007fffffa4000 0x7fffffa4000 0x7fffffa5fff Private Memory Readable, Writable True False False -
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory Readable, Writable True False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory Readable, Writable True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory Readable, Writable True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory Readable, Writable True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory Readable, Writable True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory Readable, Writable True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory Readable, Writable True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True False False -
Process #8: svchost.exe
Information Value
ID #8
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k DcomLaunch
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:01, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:01:28
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x250
Parent PID 0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeTcbPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 5EC
0x 394
0x 29C
0x 298
0x 280
0x 27C
0x 278
0x 274
0x 268
0x 260
0x 25C
0x 254
0x 830
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory Readable, Writable True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False -
private_0x00000000000f0000 0x000f0000 0x000fffff Private Memory Readable, Writable True False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory Readable, Writable True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory Readable, Writable True False False -
pagefile_0x00000000002b0000 0x002b0000 0x002b0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000002c0000 0x002c0000 0x002c0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000002d0000 0x002d0000 0x002d0fff Pagefile Backed Memory Readable True False False -
umpnpmgr.dll.mui 0x002e0000 0x002e3fff Memory Mapped File Readable, Writable False False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory Readable, Writable True False False -
private_0x0000000000470000 0x00470000 0x004effff Private Memory Readable, Writable True False False -
pagefile_0x00000000004f0000 0x004f0000 0x005affff Pagefile Backed Memory Readable True False False -
private_0x0000000000600000 0x00600000 0x0067ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x00730000 0x009fefff Memory Mapped File Readable False False False -
pagefile_0x0000000000a00000 0x00a00000 0x00b87fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000b90000 0x00b90000 0x00d10fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000d20000 0x00d20000 0x01112fff Pagefile Backed Memory Readable True False False -
private_0x0000000001150000 0x01150000 0x011cffff Private Memory Readable, Writable True False False -
private_0x0000000001200000 0x01200000 0x0127ffff Private Memory Readable, Writable True False False -
private_0x0000000001290000 0x01290000 0x0130ffff Private Memory Readable, Writable True False False -
private_0x0000000001310000 0x01310000 0x0140ffff Private Memory Readable, Writable True False False -
private_0x00000000014d0000 0x014d0000 0x0154ffff Private Memory Readable, Writable True False False -
private_0x0000000001550000 0x01550000 0x0164ffff Private Memory Readable, Writable True False False -
private_0x0000000001660000 0x01660000 0x016dffff Private Memory Readable, Writable True False False -
private_0x00000000016e0000 0x016e0000 0x0175ffff Private Memory Readable, Writable True False False -
private_0x0000000001800000 0x01800000 0x0187ffff Private Memory Readable, Writable True False False -
private_0x0000000001910000 0x01910000 0x0198ffff Private Memory Readable, Writable True False False -
private_0x0000000001ba0000 0x01ba0000 0x01c1ffff Private Memory Readable, Writable True False False -
private_0x0000000001dc0000 0x01dc0000 0x01e3ffff Private Memory Readable, Writable True False False -
private_0x0000000001ea0000 0x01ea0000 0x01f1ffff Private Memory Readable, Writable True False False -
private_0x0000000001f20000 0x01f20000 0x0201ffff Private Memory Readable, Writable True False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
svchost.exe 0xff470000 0xff47afff Memory Mapped File Readable, Writable, Executable False False False -
wmiutils.dll 0x7fef8640000 0x7fef8665fff Memory Mapped File Readable, Writable, Executable False False False -
wbemsvc.dll 0x7fef8760000 0x7fef8773fff Memory Mapped File Readable, Writable, Executable False False False -
wbemprox.dll 0x7fef8a40000 0x7fef8a4efff Memory Mapped File Readable, Writable, Executable False False False -
ntdsapi.dll 0x7fef8a50000 0x7fef8a76fff Memory Mapped File Readable, Writable, Executable False False False -
fastprox.dll 0x7fef8a80000 0x7fef8b61fff Memory Mapped File Readable, Writable, Executable False False False -
wmidcprv.dll 0x7fef8b70000 0x7fef8ba1fff Memory Mapped File Readable, Writable, Executable False False False -
wbemcomn.dll 0x7fef8cf0000 0x7fef8d75fff Memory Mapped File Readable, Writable, Executable False False False -
wtsapi32.dll 0x7fefbef0000 0x7fefbf00fff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x7fefcb60000 0x7fefcb8cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcss.dll 0x7fefce60000 0x7fefcee0fff Memory Mapped File Readable, Writable, Executable False False False -
umpo.dll 0x7fefcef0000 0x7fefcf1bfff Memory Mapped File Readable, Writable, Executable False False False -
gpapi.dll 0x7fefcf20000 0x7fefcf3afff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x7fefcf40000 0x7fefcf5dfff Memory Mapped File Readable, Writable, Executable False False False -
devrtl.dll 0x7fefcf60000 0x7fefcf71fff Memory Mapped File Readable, Writable, Executable False False False -
spinf.dll 0x7fefcf80000 0x7fefcf9efff Memory Mapped File Readable, Writable, Executable False False False -
umpnpmgr.dll 0x7fefcfa0000 0x7fefd006fff Memory Mapped File Readable, Writable, Executable False False False -
credssp.dll 0x7fefd090000 0x7fefd099fff Memory Mapped File Readable, Writable, Executable False False False -
pcwum.dll 0x7fefd0a0000 0x7fefd0acfff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x7fefd190000 0x7fefd1d6fff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x7fefd490000 0x7fefd4a6fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x7fefda60000 0x7fefda84fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7fefda90000 0x7fefda9efff Memory Mapped File Readable, Writable, Executable False False False -
winsta.dll 0x7fefdb40000 0x7fefdb7cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x7fefdb80000 0x7fefdb93fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x7fefdba0000 0x7fefdbaefff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x7fefdc40000 0x7fefdc4efff Memory Mapped File Readable, Writable, Executable False False False -
wintrust.dll 0x7fefdc50000 0x7fefdc89fff Memory Mapped File Readable, Writable, Executable False False False -
devobj.dll 0x7fefdc90000 0x7fefdca9fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x7fefdcb0000 0x7fefde16fff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x7fefde20000 0x7fefde55fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7fefdf70000 0x7fefe172fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x7fefef10000 0x7fefefa8fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feff3b0000 0x7feff3bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feff3c0000 0x7feff3edfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x7feff650000 0x7feff69cfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x7feff720000 0x7feff727fff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x7feff730000 0x7feff781fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7feff910000 0x7feff976fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffa00000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x7feffb10000 0x7feffbe6fff Memory Mapped File Readable, Writable, Executable False False False -
setupapi.dll 0x7feffbf0000 0x7feffdc6fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feffe90000 0x7fefff58fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000007fffff9c000 0x7fffff9c000 0x7fffff9dfff Private Memory Readable, Writable True False False -
private_0x000007fffff9e000 0x7fffff9e000 0x7fffff9ffff Private Memory Readable, Writable True False False -
private_0x000007fffffa2000 0x7fffffa2000 0x7fffffa3fff Private Memory Readable, Writable True False False -
private_0x000007fffffa4000 0x7fffffa4000 0x7fffffa5fff Private Memory Readable, Writable True False False -
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff Private Memory Readable, Writable True False False -
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff Private Memory Readable, Writable True False False -
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory Readable, Writable True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory Readable, Writable True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory Readable, Writable True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory Readable, Writable True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory Readable, Writable True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory Readable, Writable True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory Readable, Writable True False False -
Process #9: svchost.exe
Information Value
ID #9
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k RPCSS
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:01, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:01:28
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x290
Parent PID 0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Network Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x2A4
0x244
0x748
0x2BC
0x2B8
0x2B0
0x2A8
0x2A0
0x294
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory Readable, Writable True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000100000 0x00100000 0x00100fff Pagefile Backed Memory Readable True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory Readable, Writable True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory Readable, Writable True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory Readable, Writable True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory Readable, Writable True False False -
private_0x00000000004a0000 0x004a0000 0x004affff Private Memory Readable, Writable True False False -
private_0x0000000000530000 0x00530000 0x005affff Private Memory Readable, Writable True False False -
private_0x00000000005b0000 0x005b0000 0x0062ffff Private Memory Readable, Writable True False False -
private_0x0000000000630000 0x00630000 0x006affff Private Memory Readable, Writable True False False -
sortdefault.nls 0x006b0000 0x0097efff Memory Mapped File Readable False False False -
private_0x00000000009a0000 0x009a0000 0x00a1ffff Private Memory Readable, Writable True False False -
private_0x0000000000a30000 0x00a30000 0x00aaffff Private Memory Readable, Writable True False False -
private_0x0000000000b80000 0x00b80000 0x00bfffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000c00000 0x00c00000 0x00d87fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000d90000 0x00d90000 0x00f10fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000f20000 0x00f20000 0x00fdffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000fe0000 0x00fe0000 0x013d2fff Pagefile Backed Memory Readable True False False -
private_0x00000000013e0000 0x013e0000 0x014dffff Private Memory Readable, Writable True False False -
private_0x0000000001500000 0x01500000 0x0157ffff Private Memory Readable, Writable True False False -
private_0x0000000001630000 0x01630000 0x016affff Private Memory Readable, Writable True False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
svchost.exe 0xff470000 0xff47afff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x7fefb500000 0x7fefb552fff Memory Mapped File Readable, Writable, Executable False False False -
wtsapi32.dll 0x7fefbef0000 0x7fefbf00fff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x7fefcd60000 0x7fefcd6bfff Memory Mapped File Readable, Writable, Executable False False False -
firewallapi.dll 0x7fefcd70000 0x7fefce2afff Memory Mapped File Readable, Writable, Executable False False False -
wshtcpip.dll 0x7fefce30000 0x7fefce36fff Memory Mapped File Readable, Writable, Executable False False False -
rpcepmap.dll 0x7fefce40000 0x7fefce53fff Memory Mapped File Readable, Writable, Executable False False False -
rpcss.dll 0x7fefce60000 0x7fefcee0fff Memory Mapped File Readable, Writable, Executable False False False -
credssp.dll 0x7fefd090000 0x7fefd099fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x7fefd190000 0x7fefd1d6fff Memory Mapped File Readable, Writable, Executable False False False -
wship6.dll 0x7fefd420000 0x7fefd426fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x7fefd430000 0x7fefd484fff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x7fefd490000 0x7fefd4a6fff Memory Mapped File Readable, Writable, Executable False False False -
secur32.dll 0x7fefda30000 0x7fefda3afff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x7fefda60000 0x7fefda84fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7fefda90000 0x7fefda9efff Memory Mapped File Readable, Writable, Executable False False False -
winsta.dll 0x7fefdb40000 0x7fefdb7cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x7fefdb80000 0x7fefdb93fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7fefdf70000 0x7fefe172fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x7fefef10000 0x7fefefa8fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feff3b0000 0x7feff3bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feff3c0000 0x7feff3edfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x7feff650000 0x7feff69cfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x7feff720000 0x7feff727fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7feff910000 0x7feff976fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffa00000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x7feffb10000 0x7feffbe6fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feffe90000 0x7fefff58fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000007fffffa6000 0x7fffffa6000 0x7fffffa7fff Private Memory Readable, Writable True False False -
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff Private Memory Readable, Writable True False False -
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory Readable, Writable True False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory Readable, Writable True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory Readable, Writable True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory Readable, Writable True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory Readable, Writable True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory Readable, Writable True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory Readable, Writable True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True False False -
Process #10: svchost.exe
Information Value
ID #10
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:01, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:01:28
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x2c4
Parent PID 0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Local Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x9C8
0x8E4
0x874
0x4B8
0x47C
0x794
0x790
0x4D4
0x4CC
0x4C8
0x1CC
0x174
0x3B8
0x3B0
0x3A0
0x2F8
0x2F4
0x2DC
0x2D0
0x2C8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory Readable, Writable True False False -
private_0x0000000000150000 0x00150000 0x00150fff Private Memory Readable, Writable True False False -
private_0x0000000000160000 0x00160000 0x00160fff Private Memory Readable, Writable True False False -
private_0x0000000000170000 0x00170000 0x001affff Private Memory Readable, Writable True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory Readable True False False -
private_0x00000000001c0000 0x001c0000 0x001cffff Private Memory Readable, Writable True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory Readable, Writable True False False -
private_0x00000000002d0000 0x002d0000 0x002effff Private Memory Readable, Writable True False False -
private_0x00000000002f0000 0x002f0000 0x0030ffff Private Memory Readable, Writable True False False -
private_0x0000000000310000 0x00310000 0x0032ffff Private Memory Readable, Writable True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000430000 0x00430000 0x005b7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000005c0000 0x005c0000 0x00740fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000750000 0x00750000 0x0080ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000810000 0x00810000 0x00c02fff Pagefile Backed Memory Readable True False False -
services.exe 0x00c10000 0x00c62fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000c70000 0x00c70000 0x00c70fff Pagefile Backed Memory Readable True False False -
private_0x0000000000c80000 0x00c80000 0x00c80fff Private Memory Readable, Writable True False False -
private_0x0000000000c90000 0x00c90000 0x00d0ffff Private Memory Readable, Writable True False False -
private_0x0000000000d10000 0x00d10000 0x00d10fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000d20000 0x00d20000 0x00d20fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000d30000 0x00d30000 0x00d31fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000d40000 0x00d40000 0x00d40fff Pagefile Backed Memory Readable True False False -
winmgmtr.dll 0x00d50000 0x00d52fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000d90000 0x00d90000 0x00e0ffff Private Memory Readable, Writable True False False -
private_0x0000000000e10000 0x00e10000 0x00f0ffff Private Memory Readable, Writable True False False -
winlogon.exe 0x00f10000 0x00f71fff Memory Mapped File Readable, Writable, Executable False False False -
sortdefault.nls 0x01010000 0x012defff Memory Mapped File Readable False False False -
private_0x0000000001300000 0x01300000 0x0137ffff Private Memory Readable, Writable True False False -
private_0x0000000001380000 0x01380000 0x013fffff Private Memory Readable, Writable True False False -
private_0x0000000001430000 0x01430000 0x014affff Private Memory Readable, Writable True False False -
private_0x00000000014d0000 0x014d0000 0x014d7fff Private Memory Readable, Writable True False False -
private_0x0000000001540000 0x01540000 0x015bffff Private Memory Readable, Writable True False False -
private_0x0000000001680000 0x01680000 0x016fffff Private Memory Readable, Writable True False False -
private_0x0000000001700000 0x01700000 0x017fffff Private Memory Readable, Writable True False False -
private_0x0000000001870000 0x01870000 0x018effff Private Memory Readable, Writable True False False -
private_0x0000000001940000 0x01940000 0x019bffff Private Memory Readable, Writable True False False -
private_0x00000000019d0000 0x019d0000 0x01a4ffff Private Memory Readable, Writable True False False -
private_0x0000000001ae0000 0x01ae0000 0x01b5ffff Private Memory Readable, Writable True False False -
private_0x0000000001bb0000 0x01bb0000 0x01c2ffff Private Memory Readable, Writable True False False -
private_0x0000000001cc0000 0x01cc0000 0x01d3ffff Private Memory Readable, Writable True False False -
private_0x0000000001d40000 0x01d40000 0x01f3ffff Private Memory Readable, Writable True False False -
private_0x0000000001f60000 0x01f60000 0x01fdffff Private Memory Readable, Writable True False False -
private_0x00000000020a0000 0x020a0000 0x0211ffff Private Memory Readable, Writable True False False -
private_0x0000000002120000 0x02120000 0x0251ffff Private Memory Readable, Writable True False False -
private_0x0000000002540000 0x02540000 0x025bffff Private Memory Readable, Writable True False False -
private_0x00000000025d0000 0x025d0000 0x0264ffff Private Memory Readable, Writable True False False -
private_0x0000000002690000 0x02690000 0x0270ffff Private Memory Readable, Writable True False False -
private_0x0000000002710000 0x02710000 0x02b12fff Private Memory Readable, Writable True False False -
private_0x0000000002b20000 0x02b20000 0x0331ffff Private Memory Readable, Writable True False False -
private_0x00000000033e0000 0x033e0000 0x0345ffff Private Memory Readable, Writable True False False -
private_0x00000000034d0000 0x034d0000 0x0354ffff Private Memory Readable, Writable True False False -
private_0x00000000036a0000 0x036a0000 0x036affff Private Memory Readable, Writable True False False -
private_0x00000000038a0000 0x038a0000 0x038affff Private Memory Readable, Writable True False False -
winmgmtr.dll 0x74420000 0x74422fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
svchost.exe 0xff470000 0xff47afff Memory Mapped File Readable, Writable, Executable False False False -
winlogon.exe 0xff4e0000 0xff541fff Memory Mapped File Readable, Writable, Executable False False False -
audioses.dll 0x7fef6710000 0x7fef675efff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x7fef83d0000 0x7fef83d7fff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc.dll 0x7fefb4b0000 0x7fefb4c7fff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc6.dll 0x7fefb4d0000 0x7fefb4e0fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x7fefb500000 0x7fefb552fff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcore6.dll 0x7fefb590000 0x7fefb5cafff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcore.dll 0x7fefb5d0000 0x7fefb620fff Memory Mapped File Readable, Writable, Executable False False False -
nrpsrv.dll 0x7fefb640000 0x7fefb647fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x7fefb650000 0x7fefb65afff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x7fefb660000 0x7fefb686fff Memory Mapped File Readable, Writable, Executable False False False -
lmhsvc.dll 0x7fefb690000 0x7fefb699fff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x7fefb7d0000 0x7fefb7e4fff Memory Mapped File Readable, Writable, Executable False False False -
avrt.dll 0x7fefbb30000 0x7fefbb38fff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x7fefbb40000 0x7fefbb6bfff Memory Mapped File Readable, Writable, Executable False False False -
audiosrv.dll 0x7fefbb70000 0x7fefbc1bfff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x7fefbeb0000 0x7fefbec8fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x7fefbed0000 0x7fefbee4fff Memory Mapped File Readable, Writable, Executable False False False -
mmdevapi.dll 0x7fefc0b0000 0x7fefc0fafff Memory Mapped File Readable, Writable, Executable False False False -
propsys.dll 0x7fefc520000 0x7fefc64bfff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x7fefcb60000 0x7fefcb8cfff Memory Mapped File Readable, Writable, Executable False False False -
wevtsvc.dll 0x7fefcbc0000 0x7fefcd55fff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x7fefcd60000 0x7fefcd6bfff Memory Mapped File Readable, Writable, Executable False False False -
firewallapi.dll 0x7fefcd70000 0x7fefce2afff Memory Mapped File Readable, Writable, Executable False False False -
wshtcpip.dll 0x7fefce30000 0x7fefce36fff Memory Mapped File Readable, Writable, Executable False False False -
gpapi.dll 0x7fefcf20000 0x7fefcf3afff Memory Mapped File Readable, Writable, Executable False False False -
credssp.dll 0x7fefd090000 0x7fefd099fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x7fefd190000 0x7fefd1d6fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x7fefd2b0000 0x7fefd30afff Memory Mapped File Readable, Writable, Executable False False False -
wship6.dll 0x7fefd420000 0x7fefd426fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x7fefd430000 0x7fefd484fff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x7fefd490000 0x7fefd4a6fff Memory Mapped File Readable, Writable, Executable False False False -
wevtapi.dll 0x7fefd6c0000 0x7fefd72cfff Memory Mapped File Readable, Writable, Executable False False False -
secur32.dll 0x7fefda30000 0x7fefda3afff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x7fefda60000 0x7fefda84fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7fefda90000 0x7fefda9efff Memory Mapped File Readable, Writable, Executable False False False -
winsta.dll 0x7fefdb40000 0x7fefdb7cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x7fefdb80000 0x7fefdb93fff Memory Mapped File Readable, Writable, Executable False False False -
devobj.dll 0x7fefdc90000 0x7fefdca9fff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x7fefde20000 0x7fefde55fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7fefdf70000 0x7fefe172fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x7fefef10000 0x7fefefa8fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feff3b0000 0x7feff3bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feff3c0000 0x7feff3edfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x7feff650000 0x7feff69cfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x7feff720000 0x7feff727fff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x7feff730000 0x7feff781fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7feff910000 0x7feff976fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x7feff980000 0x7feff9f0fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffa00000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x7feffb10000 0x7feffbe6fff Memory Mapped File Readable, Writable, Executable False False False -
setupapi.dll 0x7feffbf0000 0x7feffdc6fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feffe90000 0x7fefff58fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000007fffff94000 0x7fffff94000 0x7fffff95fff Private Memory Readable, Writable True False False -
private_0x000007fffff96000 0x7fffff96000 0x7fffff97fff Private Memory Readable, Writable True False False -
private_0x000007fffff98000 0x7fffff98000 0x7fffff99fff Private Memory Readable, Writable True False False -
private_0x000007fffff9a000 0x7fffff9a000 0x7fffff9bfff Private Memory Readable, Writable True False False -
private_0x000007fffff9c000 0x7fffff9c000 0x7fffff9dfff Private Memory Readable, Writable True False False -
private_0x000007fffff9e000 0x7fffff9e000 0x7fffff9ffff Private Memory Readable, Writable True False False -
private_0x000007fffffa0000 0x7fffffa0000 0x7fffffa1fff Private Memory Readable, Writable True False False -
private_0x000007fffffa2000 0x7fffffa2000 0x7fffffa3fff Private Memory Readable, Writable True False False -
private_0x000007fffffa4000 0x7fffffa4000 0x7fffffa5fff Private Memory Readable, Writable True False False -
private_0x000007fffffa6000 0x7fffffa6000 0x7fffffa7fff Private Memory Readable, Writable True False False -
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff Private Memory Readable, Writable True False False -
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff Private Memory Readable, Writable True False False -
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory Readable, Writable True False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory Readable, Writable True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd4fff Private Memory Readable, Writable True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory Readable, Writable True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory Readable, Writable True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory Readable, Writable True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory Readable, Writable True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory Readable, Writable True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True False False -
Process #11: svchost.exe
Information Value
ID #11
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:01, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:01:28
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x310
Parent PID 0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeTcbPrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC0
0x344
0x5B4
0x71C
0x758
0x740
0x738
0x5B8
0x5B0
0x14C
0x3F8
0x3E8
0x3DC
0x3D8
0x3C8
0x3C4
0x38C
0x388
0x374
0x370
0x358
0x354
0x320
0x314
0x84C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory Readable, Writable True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File Readable False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000240000 0x00240000 0x00241fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000250000 0x00250000 0x00250fff Private Memory Readable, Writable True False False -
private_0x0000000000260000 0x00260000 0x00260fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000270000 0x00270000 0x00270fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000280000 0x00280000 0x00280fff Pagefile Backed Memory Readable True False False -
private_0x0000000000290000 0x00290000 0x00290fff Private Memory Readable, Writable True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000003a0000 0x003a0000 0x00527fff Pagefile Backed Memory Readable True False False -
private_0x0000000000530000 0x00530000 0x00530fff Private Memory Readable, Writable True False False -
private_0x0000000000540000 0x00540000 0x0054ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000550000 0x00550000 0x006d0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000006e0000 0x006e0000 0x0079ffff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000007a0000 0x007a0000 0x00b92fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000ba0000 0x00ba0000 0x00ba1fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000bb0000 0x00bb0000 0x00bb1fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000bc0000 0x00bc0000 0x00bc1fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000bd0000 0x00bd0000 0x00bd0fff Pagefile Backed Memory Readable True False False -
private_0x0000000000be0000 0x00be0000 0x00c5ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000c60000 0x00c60000 0x00c60fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000c70000 0x00c70000 0x00c7ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000c80000 0x00c80000 0x00c80fff Pagefile Backed Memory Readable True False False -
sysmain.dll.mui 0x00c90000 0x00c94fff Memory Mapped File Readable, Writable False False False -
private_0x0000000000ca0000 0x00ca0000 0x00d1ffff Private Memory Readable, Writable True False False -
private_0x0000000000d40000 0x00d40000 0x00dbffff Private Memory Readable, Writable True False False -
private_0x0000000000dc0000 0x00dc0000 0x00e3ffff Private Memory Readable, Writable True False False -
private_0x0000000000e60000 0x00e60000 0x00e6ffff Private Memory Readable, Writable True False False -
private_0x0000000000e70000 0x00e70000 0x00eeffff Private Memory Readable, Writable True False False -
private_0x0000000000f10000 0x00f10000 0x00f8ffff Private Memory Readable, Writable True False False -
private_0x0000000000fa0000 0x00fa0000 0x0101ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x01050000 0x0131efff Memory Mapped File Readable False False False -
private_0x0000000001370000 0x01370000 0x013effff Private Memory Readable, Writable True False False -
private_0x0000000001480000 0x01480000 0x014fffff Private Memory Readable, Writable True False False -
private_0x0000000001540000 0x01540000 0x015bffff Private Memory Readable, Writable True False False -
private_0x0000000001600000 0x01600000 0x0167ffff Private Memory Readable, Writable True False False -
private_0x0000000001680000 0x01680000 0x016fffff Private Memory Readable, Writable True False False -
private_0x0000000001760000 0x01760000 0x0176ffff Private Memory Readable, Writable True False False -
private_0x0000000001780000 0x01780000 0x017fffff Private Memory Readable, Writable True False False -
private_0x0000000001820000 0x01820000 0x0189ffff Private Memory Readable, Writable True False False -
private_0x00000000018a0000 0x018a0000 0x0191ffff Private Memory Readable, Writable True False False -
private_0x0000000001950000 0x01950000 0x019cffff Private Memory Readable, Writable True False False -
private_0x00000000019f0000 0x019f0000 0x01a6ffff Private Memory Readable, Writable True False False -
private_0x0000000001ac0000 0x01ac0000 0x01b3ffff Private Memory Readable, Writable True False False -
private_0x0000000001b50000 0x01b50000 0x01b5ffff Private Memory Readable, Writable True False False -
private_0x0000000001b60000 0x01b60000 0x01c5ffff Private Memory Readable, Writable True False False -
private_0x0000000001c70000 0x01c70000 0x01c7ffff Private Memory Readable, Writable True False False -
private_0x0000000001c80000 0x01c80000 0x01d7ffff Private Memory Readable, Writable True False False -
private_0x0000000001dd0000 0x01dd0000 0x01e4ffff Private Memory Readable, Writable True False False -
private_0x0000000001e90000 0x01e90000 0x01f0ffff Private Memory Readable, Writable True False False -
private_0x0000000001f30000 0x01f30000 0x01faffff Private Memory Readable, Writable True False False -
private_0x0000000001fb0000 0x01fb0000 0x020affff Private Memory Readable, Writable True False False -
private_0x00000000020b0000 0x020b0000 0x021affff Private Memory Readable, Writable True False False -
private_0x00000000021d0000 0x021d0000 0x0224ffff Private Memory Readable, Writable True False False -
private_0x0000000002270000 0x02270000 0x0227ffff Private Memory Readable, Writable True False False -
private_0x0000000002300000 0x02300000 0x0230ffff Private Memory Readable, Writable True False False -
private_0x0000000002350000 0x02350000 0x0235ffff Private Memory Readable, Writable True False False -
private_0x0000000002420000 0x02420000 0x0249ffff Private Memory Readable, Writable True False False -
private_0x00000000024a0000 0x024a0000 0x0259ffff Private Memory Readable, Writable True False False -
private_0x00000000025f0000 0x025f0000 0x025fffff Private Memory Readable, Writable True False False -
private_0x0000000002600000 0x02600000 0x026fffff Private Memory Readable, Writable True False False -
private_0x0000000002700000 0x02700000 0x027fffff Private Memory Readable, Writable True False False -
private_0x0000000002800000 0x02800000 0x02ffffff Private Memory Readable, Writable True False False -
private_0x0000000003020000 0x03020000 0x0309ffff Private Memory Readable, Writable True False False -
private_0x00000000030a0000 0x030a0000 0x031d3fff Private Memory Readable, Writable True False False -
private_0x00000000032e0000 0x032e0000 0x0335ffff Private Memory Readable, Writable True False False -
private_0x0000000003870000 0x03870000 0x03a6ffff Private Memory Readable, Writable True False False -
private_0x0000000003a70000 0x03a70000 0x03e6ffff Private Memory Readable, Writable True False False -
private_0x0000000003e70000 0x03e70000 0x0466ffff Private Memory Readable, Writable True False False -
private_0x0000000004670000 0x04670000 0x0563ffff Private Memory Readable, Writable True False False -
private_0x0000000005640000 0x05640000 0x0660ffff Private Memory Readable, Writable True False False -
sfc.dll 0x74440000 0x74442fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
svchost.exe 0xff470000 0xff47afff Memory Mapped File Readable, Writable, Executable False False False -
cscobj.dll 0x7fef5cf0000 0x7fef5d2efff Memory Mapped File Readable, Writable, Executable False False False -
rasman.dll 0x7fef5e20000 0x7fef5e3bfff Memory Mapped File Readable, Writable, Executable False False False -
rasdlg.dll 0x7fef5e40000 0x7fef5f17fff Memory Mapped File Readable, Writable, Executable False False False -
netshell.dll 0x7fef60e0000 0x7fef636afff Memory Mapped File Readable, Writable, Executable False False False -
apphlpdm.dll 0x7fef6700000 0x7fef670bfff Memory Mapped File Readable, Writable, Executable False False False -
portabledeviceconnectapi.dll 0x7fef69d0000 0x7fef69e6fff Memory Mapped File Readable, Writable, Executable False False False -
portabledeviceapi.dll 0x7fef6b50000 0x7fef6c0cfff Memory Mapped File Readable, Writable, Executable False False False -
wpdbusenum.dll 0x7fef6c10000 0x7fef6c30fff Memory Mapped File Readable, Writable, Executable False False False -
rasapi32.dll 0x7fef7130000 0x7fef7191fff Memory Mapped File Readable, Writable, Executable False False False -
netman.dll 0x7fef71a0000 0x7fef71fbfff Memory Mapped File Readable, Writable, Executable False False False -
wer.dll 0x7fef7530000 0x7fef75abfff Memory Mapped File Readable, Writable, Executable False False False -
hnetcfg.dll 0x7fef86f0000 0x7fef875afff Memory Mapped File Readable, Writable, Executable False False False -
wbemsvc.dll 0x7fef8760000 0x7fef8773fff Memory Mapped File Readable, Writable, Executable False False False -
netcfgx.dll 0x7fef89b0000 0x7fef8a33fff Memory Mapped File Readable, Writable, Executable False False False -
wbemprox.dll 0x7fef8a40000 0x7fef8a4efff Memory Mapped File Readable, Writable, Executable False False False -
ntdsapi.dll 0x7fef8a50000 0x7fef8a76fff Memory Mapped File Readable, Writable, Executable False False False -
fastprox.dll 0x7fef8a80000 0x7fef8b61fff Memory Mapped File Readable, Writable, Executable False False False -
wbemcomn.dll 0x7fef8cf0000 0x7fef8d75fff Memory Mapped File Readable, Writable, Executable False False False -
trkwks.dll 0x7fef8dc0000 0x7fef8de1fff Memory Mapped File Readable, Writable, Executable False False False -
sysmain.dll 0x7fef8df0000 0x7fef8f9dfff Memory Mapped File Readable, Writable, Executable False False False -
sfc_os.dll 0x7fef8fa0000 0x7fef8faffff Memory Mapped File Readable, Writable, Executable False False False -
aepic.dll 0x7fef8fb0000 0x7fef8fc1fff Memory Mapped File Readable, Writable, Executable False False False -
pcasvc.dll 0x7fef8fd0000 0x7fef9001fff Memory Mapped File Readable, Writable, Executable False False False -
apphelp.dll 0x7fefa4f0000 0x7fefa546fff Memory Mapped File Readable, Writable, Executable False False False -
wdi.dll 0x7fefaa60000 0x7fefaa78fff Memory Mapped File Readable, Writable, Executable False False False -
mprapi.dll 0x7fefae80000 0x7fefaeb9fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x7fefb650000 0x7fefb65afff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x7fefb660000 0x7fefb686fff Memory Mapped File Readable, Writable, Executable False False False -
uxsms.dll 0x7fefb6a0000 0x7fefb6affff Memory Mapped File Readable, Writable, Executable False False False -
slc.dll 0x7fefb740000 0x7fefb74afff Memory Mapped File Readable, Writable, Executable False False False -
dsrole.dll 0x7fefb750000 0x7fefb75bfff Memory Mapped File Readable, Writable, Executable False False False -
atl.dll 0x7fefb770000 0x7fefb788fff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x7fefb7d0000 0x7fefb7e4fff Memory Mapped File Readable, Writable, Executable False False False -
mstask.dll 0x7fefb8c0000 0x7fefb8fcfff Memory Mapped File Readable, Writable, Executable False False False -
taskschd.dll 0x7fefb900000 0x7fefba26fff Memory Mapped File Readable, Writable, Executable False False False -
peerdist.dll 0x7fefba30000 0x7fefba5ffff Memory Mapped File Readable, Writable, Executable False False False -
cscsvc.dll 0x7fefba60000 0x7fefbb0bfff Memory Mapped File Readable, Writable, Executable False False False -
avrt.dll 0x7fefbb30000 0x7fefbb38fff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x7fefbb40000 0x7fefbb6bfff Memory Mapped File Readable, Writable, Executable False False False -
audiosrv.dll 0x7fefbb70000 0x7fefbc1bfff Memory Mapped File Readable, Writable, Executable False False False -
rtutils.dll 0x7fefbc20000 0x7fefbc30fff Memory Mapped File Readable, Writable, Executable False False False -
wtsapi32.dll 0x7fefbef0000 0x7fefbf00fff Memory Mapped File Readable, Writable, Executable False False False -
xmllite.dll 0x7fefc050000 0x7fefc084fff Memory Mapped File Readable, Writable, Executable False False False -
mmdevapi.dll 0x7fefc0b0000 0x7fefc0fafff Memory Mapped File Readable, Writable, Executable False False False -
propsys.dll 0x7fefc520000 0x7fefc64bfff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x7fefc670000 0x7fefc863fff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x7fefcb60000 0x7fefcb8cfff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x7fefcd60000 0x7fefcd6bfff Memory Mapped File Readable, Writable, Executable False False False -
gpapi.dll 0x7fefcf20000 0x7fefcf3afff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x7fefcf40000 0x7fefcf5dfff Memory Mapped File Readable, Writable, Executable False False False -
devrtl.dll 0x7fefcf60000 0x7fefcf71fff Memory Mapped File Readable, Writable, Executable False False False -
credssp.dll 0x7fefd090000 0x7fefd099fff Memory Mapped File Readable, Writable, Executable False False False -
pcwum.dll 0x7fefd0a0000 0x7fefd0acfff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x7fefd190000 0x7fefd1d6fff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x7fefd490000 0x7fefd4a6fff Memory Mapped File Readable, Writable, Executable False False False -
authz.dll 0x7fefd680000 0x7fefd6aefff Memory Mapped File Readable, Writable, Executable False False False -
wevtapi.dll 0x7fefd6c0000 0x7fefd72cfff Memory Mapped File Readable, Writable, Executable False False False -
secur32.dll 0x7fefda30000 0x7fefda3afff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x7fefda60000 0x7fefda84fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7fefda90000 0x7fefda9efff Memory Mapped File Readable, Writable, Executable False False False -
winsta.dll 0x7fefdb40000 0x7fefdb7cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x7fefdb80000 0x7fefdb93fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x7fefdba0000 0x7fefdbaefff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x7fefdc40000 0x7fefdc4efff Memory Mapped File Readable, Writable, Executable False False False -
wintrust.dll 0x7fefdc50000 0x7fefdc89fff Memory Mapped File Readable, Writable, Executable False False False -
devobj.dll 0x7fefdc90000 0x7fefdca9fff Memory Mapped File Readable, Writable, Executable False False False -
For performance reasons, the remaining 49 entries are omitted.
The remaining entries can be found in flog.txt.
Process #12: svchost.exe
Information Value
ID #12
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k netsvcs
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:01, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:01:28
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x360
Parent PID 0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x584, 0x4DC, 0x44C, 0x7AC, 0x7A4, 0x79C, 0x798, 0x76C, 0x668, 0x630, 0x628, 0x624, 0x618, 0x614, 0x600, 0x5F4, 0x5F0, 0x5E8, 0x5C0, 0x484, 0x42C, 0x408, 0x128, 0x154, 0x3CC, 0x39C, 0x368, 0x118, 0x11C, 0x3EC, 0x3E0, 0x390, 0x380, 0x37C, 0x378, 0x36C, 0x364, 0xA74, 0xA78, 0xA7C, 0xA80, 0xA84, 0xA88, 0xA8C, 0xA90, 0xA94, 0xA98, 0xA9C, 0xAA0, 0xAA4, 0xAA8, 0x5A4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
private_0x0000000000050000 0x00050000 0x000cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000e0000 0x000e0000 0x001dffff Private Memory Readable, Writable True False False -
locale.nls 0x001e0000 0x00246fff Memory Mapped File Readable False False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory Readable, Writable True False False -
private_0x0000000000350000 0x00350000 0x00350fff Private Memory Readable, Writable True False False -
private_0x0000000000360000 0x00360000 0x00360fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000370000 0x00370000 0x00370fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000380000 0x00380000 0x00380fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000390000 0x00390000 0x00390fff Private Memory Readable, Writable True False False -
pagefile_0x00000000003a0000 0x003a0000 0x003a1fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000003b0000 0x003b0000 0x003b0fff Pagefile Backed Memory Readable True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000003d0000 0x003d0000 0x00557fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000560000 0x00560000 0x006e0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000006f0000 0x006f0000 0x007affff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000007b0000 0x007b0000 0x00ba2fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000bb0000 0x00bb0000 0x00bb1fff Pagefile Backed Memory Readable True False False -
cversions.2.db 0x00bc0000 0x00bc3fff Memory Mapped File Readable True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db 0x00bd0000 0x00bfffff Memory Mapped File Readable True False False -
private_0x0000000000c00000 0x00c00000 0x00c0ffff Private Memory Readable, Writable True False False -
private_0x0000000000c10000 0x00c10000 0x00c8ffff Private Memory Readable, Writable True False False -
cversions.2.db 0x00c90000 0x00c93fff Memory Mapped File Readable True False False -
pagefile_0x0000000000ca0000 0x00ca0000 0x00ca0fff Pagefile Backed Memory Readable, Writable True False False -
firewallapi.dll.mui 0x00cb0000 0x00ccbfff Memory Mapped File Readable, Writable False False False -
pagefile_0x0000000000cd0000 0x00cd0000 0x00cd0fff Pagefile Backed Memory Readable True False False -
private_0x0000000000ce0000 0x00ce0000 0x00ceffff Private Memory Readable, Writable True False False -
private_0x0000000000cf0000 0x00cf0000 0x00d6ffff Private Memory Readable, Writable True False False -
private_0x0000000000d90000 0x00d90000 0x00e0ffff Private Memory Readable, Writable True False False -
private_0x0000000000e40000 0x00e40000 0x00ebffff Private Memory Readable, Writable True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x00ec0000 0x00f25fff Memory Mapped File Readable True False False -
private_0x0000000000f30000 0x00f30000 0x00faffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x00fb0000 0x0127efff Memory Mapped File Readable False False False -
private_0x00000000012b0000 0x012b0000 0x0132ffff Private Memory Readable, Writable True False False -
private_0x0000000001350000 0x01350000 0x013cffff Private Memory Readable, Writable True False False -
private_0x0000000001430000 0x01430000 0x014affff Private Memory Readable, Writable True False False -
private_0x00000000014c0000 0x014c0000 0x0153ffff Private Memory Readable, Writable True False False -
private_0x00000000015b0000 0x015b0000 0x0162ffff Private Memory Readable, Writable True False False -
private_0x0000000001630000 0x01630000 0x016affff Private Memory Readable, Writable True False False -
private_0x00000000016d0000 0x016d0000 0x0174ffff Private Memory Readable, Writable True False False -
private_0x0000000001760000 0x01760000 0x017dffff Private Memory Readable, Writable True False False -
private_0x0000000001840000 0x01840000 0x018bffff Private Memory Readable, Writable True False False -
private_0x0000000001960000 0x01960000 0x019dffff Private Memory Readable, Writable True False False -
private_0x00000000019e0000 0x019e0000 0x01adffff Private Memory Readable, Writable True False False -
private_0x0000000001b50000 0x01b50000 0x01bcffff Private Memory Readable, Writable True False False -
private_0x0000000001c40000 0x01c40000 0x01cbffff Private Memory Readable, Writable True False False -
private_0x0000000001cc0000 0x01cc0000 0x01d3ffff Private Memory Readable, Writable True False False -
private_0x0000000001d70000 0x01d70000 0x01deffff Private Memory Readable, Writable True False False -
private_0x0000000001e20000 0x01e20000 0x01e9ffff Private Memory Readable, Writable True False False -
private_0x0000000001ee0000 0x01ee0000 0x01f5ffff Private Memory Readable, Writable True False False -
private_0x0000000001f80000 0x01f80000 0x01f8ffff Private Memory Readable, Writable True False False -
private_0x0000000001f90000 0x01f90000 0x0200ffff Private Memory Readable, Writable True False False -
private_0x0000000002040000 0x02040000 0x020bffff Private Memory Readable, Writable True False False -
private_0x00000000020c0000 0x020c0000 0x0213ffff Private Memory Readable, Writable True False False -
private_0x0000000002160000 0x02160000 0x021dffff Private Memory Readable, Writable True False False -
private_0x0000000002210000 0x02210000 0x0228ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002290000 0x02290000 0x025d2fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000025e0000 0x025e0000 0x026dffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000002700000 0x02700000 0x0277ffff Private Memory Readable, Writable True False False -
private_0x00000000027f0000 0x027f0000 0x0286ffff Private Memory Readable, Writable True False False -
private_0x00000000028c0000 0x028c0000 0x0293ffff Private Memory Readable, Writable True False False -
private_0x0000000002940000 0x02940000 0x029bffff Private Memory Readable, Writable True False False -
private_0x00000000029f0000 0x029f0000 0x02a6ffff Private Memory Readable, Writable True False False -
private_0x0000000002a70000 0x02a70000 0x02aeffff Private Memory Readable, Writable True False False -
private_0x0000000002bc0000 0x02bc0000 0x02c3ffff Private Memory Readable, Writable True False False -
private_0x0000000002d20000 0x02d20000 0x02d9ffff Private Memory Readable, Writable True False False -
private_0x0000000002e30000 0x02e30000 0x02eaffff Private Memory Readable, Writable True False False -
private_0x0000000002eb0000 0x02eb0000 0x02faffff Private Memory Readable, Writable True False False -
private_0x0000000002fb0000 0x02fb0000 0x030affff Private Memory Readable, Writable True False False -
private_0x00000000030b0000 0x030b0000 0x0312ffff Private Memory Readable, Writable True False False -
private_0x0000000003130000 0x03130000 0x0313ffff Private Memory Readable, Writable True False False -
private_0x0000000003140000 0x03140000 0x0323ffff Private Memory Readable, Writable True False False -
private_0x00000000032d0000 0x032d0000 0x0334ffff Private Memory Readable, Writable True False False -
private_0x0000000003530000 0x03530000 0x035affff Private Memory Readable, Writable True False False -
private_0x00000000035b0000 0x035b0000 0x0362ffff Private Memory Readable, Writable True False False -
private_0x0000000003630000 0x03630000 0x036affff Private Memory Readable, Writable True False False -
private_0x00000000036f0000 0x036f0000 0x0376ffff Private Memory Readable, Writable True False False -
private_0x0000000003790000 0x03790000 0x0380ffff Private Memory Readable, Writable True False False -
private_0x0000000003810000 0x03810000 0x0390ffff Private Memory Readable, Writable True False False -
private_0x0000000003ba0000 0x03ba0000 0x03d9ffff Private Memory Readable, Writable True False False -
private_0x0000000003dc0000 0x03dc0000 0x03e3ffff Private Memory Readable, Writable True False False -
private_0x0000000003f00000 0x03f00000 0x03f7ffff Private Memory Readable, Writable True False False -
private_0x0000000003ff0000 0x03ff0000 0x0406ffff Private Memory Readable, Writable True False False -
private_0x0000000004160000 0x04160000 0x041dffff Private Memory Readable, Writable True False False -
private_0x0000000004330000 0x04330000 0x043affff Private Memory Readable, Writable True False False -
private_0x0000000004450000 0x04450000 0x044cffff Private Memory Readable, Writable True False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
svchost.exe 0xff470000 0xff47afff Memory Mapped File Readable, Writable, Executable False False False -
tcpipcfg.dll 0x7fef49c0000 0x7fef4a01fff Memory Mapped File Readable, Writable, Executable False False False -
rascfg.dll 0x7fef4a10000 0x7fef4a29fff Memory Mapped File Readable, Writable, Executable False False False -
npmproxy.dll 0x7fef7000000 0x7fef700bfff Memory Mapped File Readable, Writable, Executable False False False -
actxprxy.dll 0x7fef7f60000 0x7fef804dfff Memory Mapped File Readable, Writable, Executable False False False -
ndiscapcfg.dll 0x7fef8380000 0x7fef838efff Memory Mapped File Readable, Writable, Executable False False False -
appinfo.dll 0x7fef83a0000 0x7fef83b4fff Memory Mapped File Readable, Writable, Executable False False False -
tschannel.dll 0x7fef83c0000 0x7fef83c8fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x7fef83d0000 0x7fef83d7fff Memory Mapped File Readable, Writable, Executable False False False -
wbemess.dll 0x7fef83e0000 0x7fef845dfff Memory Mapped File Readable, Writable, Executable False False False -
ncobjapi.dll 0x7fef8460000 0x7fef8475fff Memory Mapped File Readable, Writable, Executable False False False -
wmiprvsd.dll 0x7fef8480000 0x7fef853bfff Memory Mapped File Readable, Writable, Executable False False False -
resutils.dll 0x7fef8540000 0x7fef8558fff Memory Mapped File Readable, Writable, Executable False False False -
clusapi.dll 0x7fef8560000 0x7fef85affff Memory Mapped File Readable, Writable, Executable False False False -
sscore.dll 0x7fef85b0000 0x7fef85b7fff Memory Mapped File Readable, Writable, Executable False False False -
repdrvfs.dll 0x7fef85c0000 0x7fef8632fff Memory Mapped File Readable, Writable, Executable False False False -
wmiutils.dll 0x7fef8640000 0x7fef8665fff Memory Mapped File Readable, Writable, Executable False False False -
netprofm.dll 0x7fef8670000 0x7fef86e3fff Memory Mapped File Readable, Writable, Executable False False False -
hnetcfg.dll 0x7fef86f0000 0x7fef875afff Memory Mapped File Readable, Writable, Executable False False False -
wbemsvc.dll 0x7fef8760000 0x7fef8773fff Memory Mapped File Readable, Writable, Executable False False False -
esscli.dll 0x7fef8780000 0x7fef87eefff Memory Mapped File Readable, Writable, Executable False False False -
wbemcore.dll 0x7fef87f0000 0x7fef891efff Memory Mapped File Readable, Writable, Executable False False False -
browser.dll 0x7fef8920000 0x7fef8944fff Memory Mapped File Readable, Writable, Executable False False False -
srvsvc.dll 0x7fef8950000 0x7fef898cfff Memory Mapped File Readable, Writable, Executable False False False -
nci.dll 0x7fef8990000 0x7fef89a9fff Memory Mapped File Readable, Writable, Executable False False False -
netcfgx.dll 0x7fef89b0000 0x7fef8a33fff Memory Mapped File Readable, Writable, Executable False False False -
wbemprox.dll 0x7fef8a40000 0x7fef8a4efff Memory Mapped File Readable, Writable, Executable False False False -
ntdsapi.dll 0x7fef8a50000 0x7fef8a76fff Memory Mapped File Readable, Writable, Executable False False False -
fastprox.dll 0x7fef8a80000 0x7fef8b61fff Memory Mapped File Readable, Writable, Executable False False False -
wdscore.dll 0x7fef8bb0000 0x7fef8bf6fff Memory Mapped File Readable, Writable, Executable False False False -
sqmapi.dll 0x7fef8c00000 0x7fef8c41fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpsvc.dll 0x7fef8c50000 0x7fef8ce1fff Memory Mapped File Readable, Writable, Executable False False False -
wbemcomn.dll 0x7fef8cf0000 0x7fef8d75fff Memory Mapped File Readable, Writable, Executable False False False -
wmisvc.dll 0x7fef8d80000 0x7fef8dbffff Memory Mapped File Readable, Writable, Executable False False False -
vsstrace.dll 0x7fefac50000 0x7fefac66fff Memory Mapped File Readable, Writable, Executable False False False -
vssapi.dll 0x7fefac70000 0x7fefae1ffff Memory Mapped File Readable, Writable, Executable False False False -
mprapi.dll 0x7fefae80000 0x7fefaeb9fff Memory Mapped File Readable, Writable, Executable False False False -
taskcomp.dll 0x7fefb210000 0x7fefb286fff Memory Mapped File Readable, Writable, Executable False False False -
ktmw32.dll 0x7fefb290000 0x7fefb299fff Memory Mapped File Readable, Writable, Executable False False False -
schedsvc.dll 0x7fefb2a0000 0x7fefb3b1fff Memory Mapped File Readable, Writable, Executable False False False -
wiarpc.dll 0x7fefb3c0000 0x7fefb3cefff Memory Mapped File Readable, Writable, Executable False False False -
fvecerts.dll 0x7fefb3d0000 0x7fefb3d8fff Memory Mapped File Readable, Writable, Executable False False False -
tbs.dll 0x7fefb3e0000 0x7fefb3e8fff Memory Mapped File Readable, Writable, Executable False False False -
fveapi.dll 0x7fefb3f0000 0x7fefb445fff Memory Mapped File Readable, Writable, Executable False False False -
shsvcs.dll 0x7fefb450000 0x7fefb4adfff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc.dll 0x7fefb4b0000 0x7fefb4c7fff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc6.dll 0x7fefb4d0000 0x7fefb4e0fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x7fefb500000 0x7fefb552fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x7fefb650000 0x7fefb65afff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x7fefb660000 0x7fefb686fff Memory Mapped File Readable, Writable, Executable False False False -
sens.dll 0x7fefb6b0000 0x7fefb6c3fff Memory Mapped File Readable, Writable, Executable False False False -
es.dll 0x7fefb6d0000 0x7fefb736fff Memory Mapped File Readable, Writable, Executable False False False -
slc.dll 0x7fefb740000 0x7fefb74afff Memory Mapped File Readable, Writable, Executable False False False -
dsrole.dll 0x7fefb750000 0x7fefb75bfff Memory Mapped File Readable, Writable, Executable False False False -
For performance reasons, the remaining 138 entries are omitted.
The remaining entries can be found in flog.txt.
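The region tables above are the place to look for code that does not belong to a loaded image: legitimately loaded DLLs show up as "Memory Mapped File" entries with Readable, Writable, Executable permissions, while injected code, unpacked payloads or shellcode would appear as Private or Pagefile Backed regions that carry the Executable bit. The parser below is an added example (not VMRay's own code, and not part of this report): it reads rows in exactly the layout shown above, skips headers and the "entries are omitted" notice, and flags executable regions with no backing file. The sample input copies five rows from the svchost.exe tables and adds one constructed row (private_0x0000000000e60000 with Executable and Dumped=True) that does not occur in the report, so that the check has something to fire on; everything else the report shows for these processes is RW-only private memory and image-backed code.

```python
"""Parse VMRay 'Region' table rows and flag executable memory that is not
backed by a mapped image file. Added example; not VMRay's own code."""
import re
from dataclasses import dataclass

# One row: name, start VA, end VA, type, permissions, Monitored, Dumped, YARA, Actions
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<start>0x[0-9a-fA-F]+)\s+(?P<end>0x[0-9a-fA-F]+)\s+"
    r"(?P<kind>Private Memory|Pagefile Backed Memory|Memory Mapped File)\s+"
    r"(?P<perms>(?:Readable|Writable|Executable)(?:,\s*(?:Readable|Writable|Executable))*)\s+"
    r"(?P<monitored>True|False)\s+(?P<dumped>True|False)\s+(?P<yara>True|False)\s+"
    r"(?P<actions>\S+)$"
)


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int
    kind: str
    perms: frozenset
    monitored: bool
    dumped: bool

    @property
    def size(self) -> int:
        return self.end - self.start + 1

    @property
    def executable(self) -> bool:
        return "Executable" in self.perms

    @property
    def file_backed(self) -> bool:
        return self.kind == "Memory Mapped File"


def parse_regions(text: str) -> list:
    """Return a Region for every line matching the table layout; header lines,
    expander glyphs and 'entries are omitted' notices do not match and are skipped."""
    regions = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        regions.append(Region(
            name=m["name"],
            start=int(m["start"], 16),
            end=int(m["end"], 16),
            kind=m["kind"],
            perms=frozenset(p.strip() for p in m["perms"].split(",")),
            monitored=m["monitored"] == "True",
            dumped=m["dumped"] == "True",
        ))
    return regions


def suspicious_regions(regions: list) -> list:
    """Executable regions with no backing image: where injected code would sit."""
    return [r for r in regions if r.executable and not r.file_backed]


def summarize(regions: list) -> dict:
    return {
        "total": len(regions),
        "executable": sum(1 for r in regions if r.executable),
        "image_backed_executable": sum(1 for r in regions if r.executable and r.file_backed),
        "suspicious": len(suspicious_regions(regions)),
    }


# Five rows copied from the svchost.exe region tables, plus ONE constructed row
# (private_0x0000000000e60000 with the Executable bit and Dumped=True) that is
# not in the report; it stands in for what an injected region would look like.
SAMPLE_ROWS = """\
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000260000 0x00260000 0x00260fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000270000 0x00270000 0x00270fff Pagefile Backed Memory Readable True False False -
sysmain.dll.mui 0x00c90000 0x00c94fff Memory Mapped File Readable, Writable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
svchost.exe 0xff470000 0xff47afff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000e60000 0x00e60000 0x00e6ffff Private Memory Readable, Writable, Executable True True False -
For performance reasons, the remaining 49 entries are omitted.
"""

if __name__ == "__main__":
    regs = parse_regions(SAMPLE_ROWS)
    print(summarize(regs))
    for r in suspicious_regions(regs):
        print(f"SUSPICIOUS {r.name} {r.start:#x}-{r.end:#x} {r.size} bytes {sorted(r.perms)}")
```

Run against the full flog.txt rather than the truncated web view, since the omitted entries are exactly where a small RWX stub would hide; a region that is both non-file-backed and Executable with Dumped=True is the one whose memory dump deserves a look first.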
Process #13: svchost.exe
Information Value
ID #13
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k LocalService
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:01, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:01:28
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x3fc
Parent PID 0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Local Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9BC, 0x7BC, 0x7A8, 0x78C, 0x77C, 0x768, 0x724, 0x710, 0x544, 0x528, 0x150, 0x130, 0x12C, 0x120, 0xF0, 0xC8, 0x49C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory Readable, Writable True False False -
private_0x0000000000150000 0x00150000 0x00150fff Private Memory Readable, Writable True False False -
private_0x0000000000160000 0x00160000 0x00160fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000170000 0x00170000 0x00170fff Pagefile Backed Memory Readable True False False -
private_0x0000000000180000 0x00180000 0x0018ffff Private Memory Readable, Writable True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory Readable, Writable True False False -
es.dll 0x00290000 0x002a0fff Memory Mapped File Readable False False False -
stdole2.tlb 0x002b0000 0x002b3fff Memory Mapped File Readable False False False -
pagefile_0x00000000002c0000 0x002c0000 0x002c1fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000002d0000 0x002d0000 0x002d0fff Pagefile Backed Memory Readable True False False -
private_0x00000000002e0000 0x002e0000 0x002e0fff Private Memory Readable, Writable True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000410000 0x00410000 0x00597fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000005a0000 0x005a0000 0x00720fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000730000 0x00730000 0x007effff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000007f0000 0x007f0000 0x00be2fff Pagefile Backed Memory Readable True False False -
private_0x0000000000c00000 0x00c00000 0x00c7ffff Private Memory Readable, Writable True False False -
private_0x0000000000c90000 0x00c90000 0x00c9ffff Private Memory Readable, Writable True False False -
private_0x0000000000ca0000 0x00ca0000 0x00d1ffff Private Memory Readable, Writable True False False -
private_0x0000000000d50000 0x00d50000 0x00dcffff Private Memory Readable, Writable True False False -
private_0x0000000000e20000 0x00e20000 0x00e9ffff Private Memory Readable, Writable True False False -
private_0x0000000000f00000 0x00f00000 0x00f7ffff Private Memory Readable, Writable True False False -
private_0x0000000000f80000 0x00f80000 0x0107ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x010d0000 0x0139efff Memory Mapped File Readable False False False -
private_0x0000000001410000 0x01410000 0x0148ffff Private Memory Readable, Writable True False False -
private_0x0000000001490000 0x01490000 0x0158ffff Private Memory Readable, Writable True False False -
private_0x00000000015f0000 0x015f0000 0x0166ffff Private Memory Readable, Writable True False False -
private_0x0000000001670000 0x01670000 0x016effff Private Memory Readable, Writable True False False -
private_0x0000000001740000 0x01740000 0x017bffff Private Memory Readable, Writable True False False -
private_0x00000000017f0000 0x017f0000 0x0186ffff Private Memory Readable, Writable True False False -
private_0x0000000001870000 0x01870000 0x018effff Private Memory Readable, Writable True False False -
private_0x0000000001950000 0x01950000 0x019cffff Private Memory Readable, Writable True False False -
private_0x0000000001a50000 0x01a50000 0x01acffff Private Memory Readable, Writable True False False -
private_0x0000000001ae0000 0x01ae0000 0x01aeffff Private Memory Readable, Writable True False False -
private_0x0000000001b30000 0x01b30000 0x01baffff Private Memory Readable, Writable True False False -
private_0x0000000001bb0000 0x01bb0000 0x01caffff Private Memory Readable, Writable True False False -
kernelbase.dll.mui 0x01cb0000 0x01d6ffff Memory Mapped File Readable, Writable False False False -
private_0x0000000001d80000 0x01d80000 0x01dfffff Private Memory Readable, Writable True False False -
private_0x0000000001ee0000 0x01ee0000 0x01f5ffff Private Memory Readable, Writable True False False -
private_0x0000000002000000 0x02000000 0x0207ffff Private Memory Readable, Writable True False False -
private_0x00000000020e0000 0x020e0000 0x020effff Private Memory Readable, Writable True False False -
private_0x00000000020f0000 0x020f0000 0x022effff Private Memory Readable, Writable True False False -
sfc.dll 0x74440000 0x74442fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
svchost.exe 0xff470000 0xff47afff Memory Mapped File Readable, Writable, Executable False False False -
perftrack.dll 0x7fef69f0000 0x7fef6ac7fff Memory Mapped File Readable, Writable, Executable False False False -
npmproxy.dll 0x7fef7000000 0x7fef700bfff Memory Mapped File Readable, Writable, Executable False False False -
wer.dll 0x7fef7530000 0x7fef75abfff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x7fef83d0000 0x7fef83d7fff Memory Mapped File Readable, Writable, Executable False False False -
netprofm.dll 0x7fef8670000 0x7fef86e3fff Memory Mapped File Readable, Writable, Executable False False False -
sfc_os.dll 0x7fef8fa0000 0x7fef8faffff Memory Mapped File Readable, Writable, Executable False False False -
aepic.dll 0x7fef8fb0000 0x7fef8fc1fff Memory Mapped File Readable, Writable, Executable False False False -
wdi.dll 0x7fefaa60000 0x7fefaa78fff Memory Mapped File Readable, Writable, Executable False False False -
webio.dll 0x7fefaac0000 0x7fefab23fff Memory Mapped File Readable, Writable, Executable False False False -
winhttp.dll 0x7fefab30000 0x7fefaba0fff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc.dll 0x7fefb4b0000 0x7fefb4c7fff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc6.dll 0x7fefb4d0000 0x7fefb4e0fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x7fefb500000 0x7fefb552fff Memory Mapped File Readable, Writable, Executable False False False -
nsisvc.dll 0x7fefb630000 0x7fefb639fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x7fefb650000 0x7fefb65afff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x7fefb660000 0x7fefb686fff Memory Mapped File Readable, Writable, Executable False False False -
es.dll 0x7fefb6d0000 0x7fefb736fff Memory Mapped File Readable, Writable, Executable False False False -
dsrole.dll 0x7fefb750000 0x7fefb75bfff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x7fefb7d0000 0x7fefb7e4fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x7fefbeb0000 0x7fefbec8fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x7fefbed0000 0x7fefbee4fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x7fefbf10000 0x7fefbf1afff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x7fefc090000 0x7fefc0a7fff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x7fefcd60000 0x7fefcd6bfff Memory Mapped File Readable, Writable, Executable False False False -
wshtcpip.dll 0x7fefce30000 0x7fefce36fff Memory Mapped File Readable, Writable, Executable False False False -
gpapi.dll 0x7fefcf20000 0x7fefcf3afff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x7fefcf40000 0x7fefcf5dfff Memory Mapped File Readable, Writable, Executable False False False -
credssp.dll 0x7fefd090000 0x7fefd099fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x7fefd190000 0x7fefd1d6fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x7fefd2b0000 0x7fefd30afff Memory Mapped File Readable, Writable, Executable False False False -
wship6.dll 0x7fefd420000 0x7fefd426fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x7fefd430000 0x7fefd484fff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x7fefd490000 0x7fefd4a6fff Memory Mapped File Readable, Writable, Executable False False False -
secur32.dll 0x7fefda30000 0x7fefda3afff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x7fefda60000 0x7fefda84fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7fefda90000 0x7fefda9efff Memory Mapped File Readable, Writable, Executable False False False -
sxs.dll 0x7fefdaa0000 0x7fefdb30fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x7fefdb80000 0x7fefdb93fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x7fefdba0000 0x7fefdbaefff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7fefdf70000 0x7fefe172fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x7fefef10000 0x7fefefa8fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feff3b0000 0x7feff3bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feff3c0000 0x7feff3edfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x7feff650000 0x7feff69cfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x7feff720000 0x7feff727fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7feff910000 0x7feff976fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x7feff980000 0x7feff9f0fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffa00000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x7feffb10000 0x7feffbe6fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feffe90000 0x7fefff58fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000007fffff9c000 0x7fffff9c000 0x7fffff9dfff Private Memory Readable, Writable True False False -
private_0x000007fffff9e000 0x7fffff9e000 0x7fffff9ffff Private Memory Readable, Writable True False False -
private_0x000007fffffa0000 0x7fffffa0000 0x7fffffa1fff Private Memory Readable, Writable True False False -
private_0x000007fffffa2000 0x7fffffa2000 0x7fffffa3fff Private Memory Readable, Writable True False False -
private_0x000007fffffa4000 0x7fffffa4000 0x7fffffa5fff Private Memory Readable, Writable True False False -
private_0x000007fffffa6000 0x7fffffa6000 0x7fffffa7fff Private Memory Readable, Writable True False False -
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff Private Memory Readable, Writable True False False -
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff Private Memory Readable, Writable True False False -
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory Readable, Writable True False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory Readable, Writable True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory Readable, Writable True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory Readable, Writable True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory Readable, Writable True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory Readable, Writable True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory Readable, Writable True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory Readable, Writable True False False -
Process #14: svchost.exe
Information Value
ID #14
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k NetworkService
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:01, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:01:28
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x170
Parent PID 0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Network Service
Enabled Privileges SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9C0, 0x8BC, 0x808, 0x688, 0x784, 0x55C, 0x550, 0x540, 0x52C, 0x518, 0x4C4, 0x308, 0x2AC, 0x28C, 0x264, 0x138, 0x218, 0x124
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000050000 0x00050000 0x00051fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000060000 0x00060000 0x00060fff Private Memory Readable, Writable True False False -
private_0x0000000000070000 0x00070000 0x00070fff Private Memory Readable, Writable True False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory Readable, Writable True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File Readable False False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000280000 0x00280000 0x00280fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory Readable True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000003a0000 0x003a0000 0x00527fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000530000 0x00530000 0x00530fff Pagefile Backed Memory Readable True False False -
private_0x0000000000540000 0x00540000 0x00559fff Private Memory Readable, Writable True False False -
private_0x0000000000560000 0x00560000 0x0056ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000570000 0x00570000 0x006f0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000700000 0x00700000 0x007bffff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000007c0000 0x007c0000 0x00bb2fff Pagefile Backed Memory Readable True False False -
private_0x0000000000bc0000 0x00bc0000 0x00c3ffff Private Memory Readable, Writable True False False -
private_0x0000000000c40000 0x00c40000 0x00cbffff Private Memory Readable, Writable True False False -
private_0x0000000000cc0000 0x00cc0000 0x00cc0fff Private Memory Readable, Writable True False False -
private_0x0000000000cd0000 0x00cd0000 0x00cd0fff Private Memory Readable, Writable True False False -
private_0x0000000000ce0000 0x00ce0000 0x00ceffff Private Memory Readable, Writable True False False -
private_0x0000000000cf0000 0x00cf0000 0x00cfffff Private Memory Readable, Writable True False False -
private_0x0000000000d00000 0x00d00000 0x00d0ffff Private Memory Readable, Writable True False False -
private_0x0000000000d10000 0x00d10000 0x00d1ffff Private Memory Readable, Writable True False False -
private_0x0000000000d20000 0x00d20000 0x00d9ffff Private Memory Readable, Writable True False False -
private_0x0000000000da0000 0x00da0000 0x00e1ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000e20000 0x00e20000 0x00e2ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000e30000 0x00e30000 0x00e3ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000e40000 0x00e40000 0x00e4ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000e50000 0x00e50000 0x00e5ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000e60000 0x00e60000 0x00e6ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000e70000 0x00e70000 0x00e7ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000e80000 0x00e80000 0x00e80fff Private Memory Readable, Writable True False False -
private_0x0000000000e90000 0x00e90000 0x00e91fff Private Memory Readable, Writable True False False -
private_0x0000000000ea0000 0x00ea0000 0x00ea4fff Private Memory Readable, Writable True False False -
private_0x0000000000eb0000 0x00eb0000 0x00f2ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000f30000 0x00f30000 0x00f3ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000f40000 0x00f40000 0x00f4ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000f50000 0x00f50000 0x00f5ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000f60000 0x00f60000 0x00f6ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000f70000 0x00f70000 0x00f7ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000f80000 0x00f80000 0x00f8ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000f90000 0x00f90000 0x00f90fff Private Memory Readable, Writable True False False -
private_0x0000000000fa0000 0x00fa0000 0x00faffff Private Memory Readable, Writable True False False -
private_0x0000000000fb0000 0x00fb0000 0x0102ffff Private Memory Readable, Writable True False False -
private_0x0000000001030000 0x01030000 0x01030fff Private Memory Readable, Writable True False False -
sortdefault.nls 0x01040000 0x0130efff Memory Mapped File Readable False False False -
private_0x0000000001310000 0x01310000 0x0138ffff Private Memory Readable, Writable True False False -
catdb 0x01390000 0x0139ffff Memory Mapped File Readable, Writable False False False -
catdb 0x013a0000 0x013affff Memory Mapped File Readable, Writable False False False -
catdb 0x013b0000 0x013bffff Memory Mapped File Readable, Writable False False False -
catdb 0x013c0000 0x013cffff Memory Mapped File Readable, Writable False False False -
catdb 0x013d0000 0x013dffff Memory Mapped File Readable, Writable False False False -
catdb 0x013e0000 0x013effff Memory Mapped File Readable, Writable False False False -
catdb 0x013f0000 0x013fffff Memory Mapped File Readable, Writable False False False -
catdb 0x01400000 0x0140ffff Memory Mapped File Readable, Writable False False False -
private_0x0000000001410000 0x01410000 0x0148ffff Private Memory Readable, Writable True False False -
catdb 0x01490000 0x0149ffff Memory Mapped File Readable, Writable False False False -
catdb 0x014a0000 0x014affff Memory Mapped File Readable, Writable False False False -
catdb 0x014b0000 0x014bffff Memory Mapped File Readable, Writable False False False -
catdb 0x014c0000 0x014cffff Memory Mapped File Readable, Writable False False False -
catdb 0x014d0000 0x014dffff Memory Mapped File Readable, Writable False False False -
catdb 0x014e0000 0x014effff Memory Mapped File Readable, Writable False False False -
private_0x00000000014f0000 0x014f0000 0x0156ffff Private Memory Readable, Writable True False False -
private_0x0000000001570000 0x01570000 0x015effff Private Memory Readable, Writable True False False -
kernelbase.dll.mui 0x015f0000 0x016affff Memory Mapped File Readable, Writable False False False -
private_0x00000000016b0000 0x016b0000 0x016bffff Private Memory Readable, Writable True False False -
private_0x00000000016c0000 0x016c0000 0x016cffff Private Memory Readable, Writable True False False -
private_0x00000000016d0000 0x016d0000 0x016dffff Private Memory Readable, Writable True False False -
private_0x00000000016e0000 0x016e0000 0x016effff Private Memory Readable, Writable True False False -
private_0x00000000016f0000 0x016f0000 0x016fffff Private Memory Readable, Writable True False False -
private_0x0000000001700000 0x01700000 0x01700fff Private Memory Readable, Writable True False False -
private_0x0000000001710000 0x01710000 0x01710fff Private Memory Readable, Writable True False False -
private_0x0000000001720000 0x01720000 0x0172ffff Private Memory Readable, Writable True False False -
private_0x0000000001740000 0x01740000 0x0174ffff Private Memory Readable, Writable True False False -
private_0x0000000001760000 0x01760000 0x0185ffff Private Memory Readable, Writable True False False -
private_0x0000000001930000 0x01930000 0x019affff Private Memory Readable, Writable True False False -
private_0x00000000019d0000 0x019d0000 0x01a4ffff Private Memory Readable, Writable True False False -
private_0x0000000001a70000 0x01a70000 0x01aeffff Private Memory Readable, Writable True False False -
private_0x0000000001b20000 0x01b20000 0x01b9ffff Private Memory Readable, Writable True False False -
private_0x0000000001bb0000 0x01bb0000 0x01caffff Private Memory Readable, Writable True False False -
private_0x0000000001d00000 0x01d00000 0x01d0ffff Private Memory Readable, Writable True False False -
private_0x0000000001d80000 0x01d80000 0x01d8ffff Private Memory Readable, Writable True False False -
private_0x0000000001d90000 0x01d90000 0x01e8ffff Private Memory Readable, Writable True False False -
private_0x0000000001f40000 0x01f40000 0x01fbffff Private Memory Readable, Writable True False False -
private_0x0000000002000000 0x02000000 0x0207ffff Private Memory Readable, Writable True False False -
private_0x0000000002080000 0x02080000 0x0217ffff Private Memory Readable, Writable True False False -
private_0x0000000002260000 0x02260000 0x022dffff Private Memory Readable, Writable True False False -
private_0x00000000022e0000 0x022e0000 0x023dffff Private Memory Readable, Writable True False False -
private_0x00000000023e0000 0x023e0000 0x024dffff Private Memory Readable, Writable True False False -
private_0x00000000024e0000 0x024e0000 0x034dffff Private Memory Readable, Writable True False False -
private_0x00000000035b0000 0x035b0000 0x0362ffff Private Memory Readable, Writable True False False -
private_0x0000000003640000 0x03640000 0x036bffff Private Memory Readable, Writable True False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x77e10000 0x77e16fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
svchost.exe 0xff470000 0xff47afff Memory Mapped File Readable, Writable, Executable False False False -
esent.dll 0x7fef4740000 0x7fef49b9fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x7fef83d0000 0x7fef83d7fff Memory Mapped File Readable, Writable, Executable False False False -
ssdpapi.dll 0x7fefaa80000 0x7fefaa90fff Memory Mapped File Readable, Writable, Executable False False False -
webio.dll 0x7fefaac0000 0x7fefab23fff Memory Mapped File Readable, Writable, Executable False False False -
winhttp.dll 0x7fefab30000 0x7fefaba0fff Memory Mapped File Readable, Writable, Executable False False False -
ncsi.dll 0x7fefabb0000 0x7fefabe7fff Memory Mapped File Readable, Writable, Executable False False False -
nlasvc.dll 0x7fefabf0000 0x7fefac3dfff Memory Mapped File Readable, Writable, Executable False False False -
vsstrace.dll 0x7fefac50000 0x7fefac66fff Memory Mapped File Readable, Writable, Executable False False False -
vssapi.dll 0x7fefac70000 0x7fefae1ffff Memory Mapped File Readable, Writable, Executable False False False -
cryptsvc.dll 0x7fefae50000 0x7fefae7ffff Memory Mapped File Readable, Writable, Executable False False False -
wkssvc.dll 0x7fefaf40000 0x7fefaf5ffff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc.dll 0x7fefb4b0000 0x7fefb4c7fff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc6.dll 0x7fefb4d0000 0x7fefb4e0fff Memory Mapped File Readable, Writable, Executable False False False -
dnsext.dll 0x7fefb4f0000 0x7fefb4f6fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x7fefb500000 0x7fefb552fff Memory Mapped File Readable, Writable, Executable False False False -
dnsrslvr.dll 0x7fefb560000 0x7fefb58ffff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x7fefb650000 0x7fefb65afff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x7fefb660000 0x7fefb686fff Memory Mapped File Readable, Writable, Executable False False False -
es.dll 0x7fefb6d0000 0x7fefb736fff Memory Mapped File Readable, Writable, Executable False False False -
atl.dll 0x7fefb770000 0x7fefb788fff Memory Mapped File Readable, Writable, Executable False False False -
samcli.dll 0x7fefbd70000 0x7fefbd83fff Memory Mapped File Readable, Writable, Executable False False False -
wkscli.dll 0x7fefbd90000 0x7fefbda4fff Memory Mapped File Readable, Writable, Executable False False False -
netutils.dll 0x7fefbdb0000 0x7fefbdbbfff Memory Mapped File Readable, Writable, Executable False False False -
wtsapi32.dll 0x7fefbef0000 0x7fefbf00fff Memory Mapped File Readable, Writable, Executable False False False -
propsys.dll 0x7fefc520000 0x7fefc64bfff Memory Mapped File Readable, Writable, Executable False False False -
samlib.dll 0x7fefc650000 0x7fefc66cfff Memory Mapped File Readable, Writable, Executable False False False -
wshtcpip.dll 0x7fefce30000 0x7fefce36fff Memory Mapped File Readable, Writable, Executable False False False -
gpapi.dll 0x7fefcf20000 0x7fefcf3afff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x7fefcf40000 0x7fefcf5dfff Memory Mapped File Readable, Writable, Executable False False False -
credssp.dll 0x7fefd090000 0x7fefd099fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x7fefd0d0000 0x7fefd11bfff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x7fefd190000 0x7fefd1d6fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x7fefd2b0000 0x7fefd30afff Memory Mapped File Readable, Writable, Executable False False False -
wship6.dll 0x7fefd420000 0x7fefd426fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x7fefd430000 0x7fefd484fff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x7fefd490000 0x7fefd4a6fff Memory Mapped File Readable, Writable, Executable False False False -
netjoin.dll 0x7fefd5a0000 0x7fefd5d1fff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x7fefd600000 0x7fefd621fff Memory Mapped File Readable, Writable, Executable False False False -
wevtapi.dll 0x7fefd6c0000 0x7fefd72cfff Memory Mapped File Readable, Writable, Executable False False False -
secur32.dll 0x7fefda30000 0x7fefda3afff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x7fefda60000 0x7fefda84fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7fefda90000 0x7fefda9efff Memory Mapped File Readable, Writable, Executable False False False -
winsta.dll 0x7fefdb40000 0x7fefdb7cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x7fefdb80000 0x7fefdb93fff Memory Mapped File Readable, Writable, Executable False False False -
For performance reasons, the remaining 41 entries are omitted.
The remaining entries can be found in flog.txt.
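The Region tables for Process #13 and Process #14 above list every mapping in the process with its type (Private Memory, Pagefile Backed Memory, Memory Mapped File), its page protection and whether the sandbox monitored or dumped it. When triaging a report like this by hand the question is usually "is there executable memory that is not backed by an image file?", since a DLL or EXE loaded by the loader shows up as a Memory Mapped File while injected or unpacked code lives in private or pagefile-backed regions. The parser below is an added example, not VMRay's own tooling: it reads rows in the exact column layout printed above, models each region, and flags executable regions that are not image-backed. The first four sample rows are copied from the tables above; the fifth (an RWX private region) is constructed so the heuristic has something to find and does not occur in this report.

```python
"""Parse a VMRay-style per-process Region table and flag executable memory
that is not backed by an image file. Added example, not VMRay's own code."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Rows in the report's column order:
# Name Start-VA End-VA Type Permissions Monitored Dumped YARA Actions
# Rows 1-4 are copied from the tables above; row 5 is constructed for this
# example (an RWX private region) and does not appear in the report.
SAMPLE_ROWS = """\
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory Readable, Writable True False False -
es.dll 0x00290000 0x002a0fff Memory Mapped File Readable False False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000270000 0x00270000 0x0028ffff Private Memory - True False False -
private_0x0000000003000000 0x03000000 0x0300ffff Private Memory Readable, Writable, Executable True True False -
"""

_PERM = r"(?:Readable|Writable|Executable)"
_ROW = re.compile(
    r"^(?P<name>\S+)\s+"
    r"(?P<start>0x[0-9a-fA-F]+)\s+(?P<end>0x[0-9a-fA-F]+)\s+"
    r"(?P<type>Private Memory|Pagefile Backed Memory|Memory Mapped File)\s+"
    rf"(?P<perms>-|{_PERM}(?:, {_PERM})*)\s+"
    r"(?P<monitored>True|False)\s+(?P<dumped>True|False)\s+(?P<yara>True|False)\s+"
    r"(?P<actions>.*)$"
)


@dataclass
class Region:
    name: str
    start: int
    end: int
    kind: str
    perms: frozenset
    monitored: bool
    dumped: bool
    yara: bool
    actions: str

    @property
    def size(self) -> int:
        # The report prints the End VA inclusively, hence the +1.
        return self.end - self.start + 1

    @property
    def executable(self) -> bool:
        return "Executable" in self.perms

    @property
    def image_backed(self) -> bool:
        # Loader-mapped DLLs/EXEs appear as Memory Mapped File.
        return self.kind == "Memory Mapped File"


def parse_region_table(text: str) -> List[Region]:
    """Parse the table body; blank lines and the header row are skipped."""
    regions: List[Region] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Name "):
            continue
        m = _ROW.match(line)
        if not m:
            raise ValueError(f"unparsable region row: {line!r}")
        # "-" in the Permissions column means no access (reserved/guard pages).
        perms = frozenset() if m["perms"] == "-" else frozenset(
            p.strip() for p in m["perms"].split(","))
        regions.append(Region(
            name=m["name"], start=int(m["start"], 16), end=int(m["end"], 16),
            kind=m["type"], perms=perms,
            monitored=m["monitored"] == "True", dumped=m["dumped"] == "True",
            yara=m["yara"] == "True", actions=m["actions"],
        ))
    return regions


def executable_non_image(regions: List[Region]) -> List[Region]:
    """Executable regions with no file mapping behind them: the usual home of
    injected shellcode or an unpacked payload. Worth a look in the dump."""
    return [r for r in regions if r.executable and not r.image_backed]


def bytes_by_type(regions: List[Region]) -> Dict[str, int]:
    """Total mapped bytes per region type, useful for spotting a process whose
    private commit suddenly balloons (unpacking, staging an encrypted blob)."""
    totals: Dict[str, int] = {}
    for r in regions:
        totals[r.kind] = totals.get(r.kind, 0) + r.size
    return totals


if __name__ == "__main__":
    regs = parse_region_table(SAMPLE_ROWS)
    for r in executable_non_image(regs):
        print(f"suspicious: {r.name} {r.start:#x}-{r.end:#x} "
              f"perms={sorted(r.perms)} dumped={r.dumped}")
    print(bytes_by_type(regs))
```

Run against the real tables above, the heuristic returns nothing for Process #13 and #14, which is consistent with the report's "No high level activity detected in monitored regions" remark for both: every executable region there is a Memory Mapped File. The Dumped column is the natural next pivot when a hit does appear, since VMRay will have written that region to disk for YARA or manual inspection.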
Process #15: spoolsv.exe
Information Value
ID #15
File Name c:\windows\system32\spoolsv.exe
Command Line C:\Windows\System32\spoolsv.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:01, Reason: Child Process
Unmonitor End Time: 00:02:03, Reason: Self Terminated
Monitor Duration 00:01:02
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x134
Parent PID 0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeTcbPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege
Thread IDs 0x9D4, 0x75C, 0x6D8, 0x6D4, 0x6BC, 0x68C, 0x674, 0x664, 0x65C, 0x418, 0x414, 0x410, 0x40C, 0x35C, 0x214
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000050000 0x00050000 0x00051fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000060000 0x00060000 0x00060fff Private Memory Readable, Writable True False False -
private_0x0000000000070000 0x00070000 0x000affff Private Memory Readable, Writable True False False -
locale.nls 0x000b0000 0x00116fff Memory Mapped File Readable False False False -
private_0x0000000000120000 0x00120000 0x00120fff Private Memory Readable, Writable True False False -
private_0x0000000000130000 0x00130000 0x00130fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000140000 0x00140000 0x00140fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000150000 0x00150000 0x00150fff Pagefile Backed Memory Readable True False False -
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory Readable, Writable True False False -
msxml6r.dll 0x00260000 0x00260fff Memory Mapped File Readable False False False -
private_0x0000000000270000 0x00270000 0x0028ffff Private Memory - True False False -
private_0x0000000000290000 0x00290000 0x0029ffff Private Memory Readable, Writable True False False -
private_0x00000000002b0000 0x002b0000 0x002bffff Private Memory Readable, Writable True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory Readable, Writable True False False -
pagefile_0x00000000003c0000 0x003c0000 0x00547fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000550000 0x00550000 0x006d0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000006e0000 0x006e0000 0x01adffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001ae0000 0x01ae0000 0x01ed2fff Pagefile Backed Memory Readable True False False -
private_0x0000000001ef0000 0x01ef0000 0x01f6ffff Private Memory Readable, Writable True False False -
private_0x0000000001f80000 0x01f80000 0x01ffffff Private Memory Readable, Writable True False False -
private_0x0000000002010000 0x02010000 0x0204ffff Private Memory Readable, Writable True False False -
private_0x0000000002050000 0x02050000 0x0208ffff Private Memory Readable, Writable True False False -
private_0x00000000020d0000 0x020d0000 0x020dffff Private Memory Readable, Writable True False False -
private_0x00000000020f0000 0x020f0000 0x0212ffff Private Memory Readable, Writable True False False -
private_0x0000000002170000 0x02170000 0x021effff Private Memory Readable, Writable True False False -
private_0x0000000002200000 0x02200000 0x0223ffff Private Memory Readable, Writable True False False -
private_0x0000000002240000 0x02240000 0x0227ffff Private Memory Readable, Writable True False False -
private_0x0000000002290000 0x02290000 0x0229ffff Private Memory Readable, Writable True False False -
private_0x00000000022c0000 0x022c0000 0x022fffff Private Memory Readable, Writable True False False -
private_0x0000000002320000 0x02320000 0x0239ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x023e0000 0x026aefff Memory Mapped File Readable False False False -
private_0x00000000026e0000 0x026e0000 0x0275ffff Private Memory Readable, Writable True False False -
private_0x0000000002760000 0x02760000 0x02860fff Private Memory Readable, Writable True False False -
private_0x0000000002870000 0x02870000 0x0296ffff Private Memory Readable, Writable True False False -
private_0x0000000002980000 0x02980000 0x029fffff Private Memory Readable, Writable True False False -
private_0x0000000002a10000 0x02a10000 0x02a4ffff Private Memory Readable, Writable True False False -
private_0x0000000002a70000 0x02a70000 0x02aeffff Private Memory Readable, Writable True False False -
kernelbase.dll.mui 0x02af0000 0x02baffff Memory Mapped File Readable, Writable False False False -
private_0x0000000002bb0000 0x02bb0000 0x02faffff Private Memory Readable, Writable True False False -
private_0x0000000002fc0000 0x02fc0000 0x02ffffff Private Memory Readable, Writable True False False -
private_0x0000000003020000 0x03020000 0x0305ffff Private Memory Readable, Writable True False False -
private_0x00000000030e0000 0x030e0000 0x0311ffff Private Memory Readable, Writable True False False -
private_0x0000000003160000 0x03160000 0x0319ffff Private Memory Readable, Writable True False False -
private_0x0000000003230000 0x03230000 0x0326ffff Private Memory Readable, Writable True False False -
private_0x0000000003300000 0x03300000 0x033fffff Private Memory Readable, Writable True False False -
private_0x0000000003420000 0x03420000 0x0345ffff Private Memory Readable, Writable True False False -
private_0x00000000034a0000 0x034a0000 0x034dffff Private Memory Readable, Writable True False False -
private_0x00000000035e0000 0x035e0000 0x035effff Private Memory Readable, Writable True False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
spoolsv.exe 0xffc30000 0xffcbbfff Memory Mapped File Readable, Writable, Executable False False False -
win32spl.dll 0x7fef6f30000 0x7fef6fecfff Memory Mapped File Readable, Writable, Executable False False False -
winprint.dll 0x7fef6ff0000 0x7fef6ffdfff Memory Mapped File Readable, Writable, Executable False False False -
inetpp.dll 0x7fef7040000 0x7fef706cfff Memory Mapped File Readable, Writable, Executable False False False -
fdpnp.dll 0x7fef78b0000 0x7fef78bffff Memory Mapped File Readable, Writable, Executable False False False -
fundisc.dll 0x7fef78c0000 0x7fef78f2fff Memory Mapped File Readable, Writable, Executable False False False -
webservices.dll 0x7fef7900000 0x7fef7a1efff Memory Mapped File Readable, Writable, Executable False False False -
wsdapi.dll 0x7fef7a20000 0x7fef7ab0fff Memory Mapped File Readable, Writable, Executable False False False -
wsdmon.dll 0x7fef7ac0000 0x7fef7af9fff Memory Mapped File Readable, Writable, Executable False False False -
wls0wndh.dll 0x7fef7b00000 0x7fef7b06fff Memory Mapped File Readable, Writable, Executable False False False -
usbmon.dll 0x7fef7b10000 0x7fef7b1efff Memory Mapped File Readable, Writable, Executable False False False -
msxml6.dll 0x7fef7b20000 0x7fef7d11fff Memory Mapped File Readable, Writable, Executable False False False -
wsnmp32.dll 0x7fef7d20000 0x7fef7d33fff Memory Mapped File Readable, Writable, Executable False False False -
snmpapi.dll 0x7fef7d40000 0x7fef7d4afff Memory Mapped File Readable, Writable, Executable False False False -
tcpmon.dll 0x7fef7d50000 0x7fef7d83fff Memory Mapped File Readable, Writable, Executable False False False -
fxsmon.dll 0x7fef7d90000 0x7fef7d9dfff Memory Mapped File Readable, Writable, Executable False False False -
printisolationproxy.dll 0x7fef7da0000 0x7fef7daffff Memory Mapped File Readable, Writable, Executable False False False -
winspool.drv 0x7fef7db0000 0x7fef7e20fff Memory Mapped File Readable, Writable, Executable False False False -
spoolss.dll 0x7fef7e30000 0x7fef7e41fff Memory Mapped File Readable, Writable, Executable False False False -
localspl.dll 0x7fef7e50000 0x7fef7f3dfff Memory Mapped File Readable, Writable, Executable False False False -
umb.dll 0x7fef7f40000 0x7fef7f52fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x7fef83d0000 0x7fef83d7fff Memory Mapped File Readable, Writable, Executable False False False -
cscapi.dll 0x7fef9100000 0x7fef910efff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x7fefb500000 0x7fefb552fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x7fefb650000 0x7fefb65afff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x7fefb660000 0x7fefb686fff Memory Mapped File Readable, Writable, Executable False False False -
slc.dll 0x7fefb740000 0x7fefb74afff Memory Mapped File Readable, Writable, Executable False False False -
dsrole.dll 0x7fefb750000 0x7fefb75bfff Memory Mapped File Readable, Writable, Executable False False False -
atl.dll 0x7fefb770000 0x7fefb788fff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x7fefbb40000 0x7fefbb6bfff Memory Mapped File Readable, Writable, Executable False False False -
netutils.dll 0x7fefbdb0000 0x7fefbdbbfff Memory Mapped File Readable, Writable, Executable False False False -
wtsapi32.dll 0x7fefbef0000 0x7fefbf00fff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x7fefcd60000 0x7fefcd6bfff Memory Mapped File Readable, Writable, Executable False False False -
firewallapi.dll 0x7fefcd70000 0x7fefce2afff Memory Mapped File Readable, Writable, Executable False False False -
wshtcpip.dll 0x7fefce30000 0x7fefce36fff Memory Mapped File Readable, Writable, Executable False False False -
gpapi.dll 0x7fefcf20000 0x7fefcf3afff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x7fefcf40000 0x7fefcf5dfff Memory Mapped File Readable, Writable, Executable False False False -
devrtl.dll 0x7fefcf60000 0x7fefcf71fff Memory Mapped File Readable, Writable, Executable False False False -
spinf.dll 0x7fefcf80000 0x7fefcf9efff Memory Mapped File Readable, Writable, Executable False False False -
credssp.dll 0x7fefd090000 0x7fefd099fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x7fefd190000 0x7fefd1d6fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x7fefd2b0000 0x7fefd30afff Memory Mapped File Readable, Writable, Executable False False False -
wship6.dll 0x7fefd420000 0x7fefd426fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x7fefd430000 0x7fefd484fff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x7fefd490000 0x7fefd4a6fff Memory Mapped File Readable, Writable, Executable False False False -
srvcli.dll 0x7fefd990000 0x7fefd9b2fff Memory Mapped File Readable, Writable, Executable False False False -
secur32.dll 0x7fefda30000 0x7fefda3afff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x7fefda60000 0x7fefda84fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7fefda90000 0x7fefda9efff Memory Mapped File Readable, Writable, Executable False False False -
winsta.dll 0x7fefdb40000 0x7fefdb7cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x7fefdb80000 0x7fefdb93fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x7fefdba0000 0x7fefdbaefff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x7fefdc40000 0x7fefdc4efff Memory Mapped File Readable, Writable, Executable False False False -
wintrust.dll 0x7fefdc50000 0x7fefdc89fff Memory Mapped File Readable, Writable, Executable False False False -
devobj.dll 0x7fefdc90000 0x7fefdca9fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x7fefdcb0000 0x7fefde16fff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x7fefde20000 0x7fefde55fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7fefdf70000 0x7fefe172fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x7fefef10000 0x7fefefa8fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feff3b0000 0x7feff3bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feff3c0000 0x7feff3edfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x7feff650000 0x7feff69cfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x7feff720000 0x7feff727fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7feff910000 0x7feff976fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x7feff980000 0x7feff9f0fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffa00000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x7feffb10000 0x7feffbe6fff Memory Mapped File Readable, Writable, Executable False False False -
setupapi.dll 0x7feffbf0000 0x7feffdc6fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feffe90000 0x7fefff58fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000007fffff9c000 0x7fffff9c000 0x7fffff9dfff Private Memory Readable, Writable True False False -
private_0x000007fffff9e000 0x7fffff9e000 0x7fffff9ffff Private Memory Readable, Writable True False False -
private_0x000007fffffa0000 0x7fffffa0000 0x7fffffa1fff Private Memory Readable, Writable True False False -
private_0x000007fffffa2000 0x7fffffa2000 0x7fffffa3fff Private Memory Readable, Writable True False False -
private_0x000007fffffa4000 0x7fffffa4000 0x7fffffa5fff Private Memory Readable, Writable True False False -
private_0x000007fffffa6000 0x7fffffa6000 0x7fffffa7fff Private Memory Readable, Writable True False False -
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff Private Memory Readable, Writable True False False -
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff Private Memory Readable, Writable True False False -
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory Readable, Writable True False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory Readable, Writable True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory Readable, Writable True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory Readable, Writable True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory Readable, Writable True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory Readable, Writable True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory Readable, Writable True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True False False -
Process #16: svchost.exe
Information Value
ID #16
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:01, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:01:28
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x41c
Parent PID 0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Local Service
Enabled Privileges SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9DC, 0x828, 0x348, 0x778, 0x774, 0x744, 0x520, 0x510, 0x50C, 0x508, 0x504, 0x4E0, 0x4A4, 0x488, 0x480, 0x468, 0x448, 0x444, 0x438, 0x434, 0x428, 0x420, 0x348
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory Readable, Writable True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False -
firewallapi.dll.mui 0x000f0000 0x0010bfff Memory Mapped File Readable, Writable False False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory Readable True False False -
private_0x0000000000140000 0x00140000 0x00147fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000150000 0x00150000 0x00150fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000160000 0x00160000 0x00160fff Pagefile Backed Memory Readable True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory Readable, Writable True False False -
private_0x00000000001f0000 0x001f0000 0x001f2fff Private Memory Readable, Writable True False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory Readable, Writable True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory Readable, Writable True False False -
private_0x00000000002a0000 0x002a0000 0x002affff Private Memory Readable, Writable True False False -
pagefile_0x00000000002b0000 0x002b0000 0x0036ffff Pagefile Backed Memory Readable True False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory Readable, Writable True False False -
private_0x0000000000490000 0x00490000 0x0058ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000590000 0x00590000 0x00717fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000720000 0x00720000 0x008a0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000008b0000 0x008b0000 0x00ca2fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000cb0000 0x00cb0000 0x00cb1fff Pagefile Backed Memory Readable True False False -
private_0x0000000000cc0000 0x00cc0000 0x00d3ffff Private Memory Readable, Writable True False False -
private_0x0000000000d60000 0x00d60000 0x00ddffff Private Memory Readable, Writable True False False -
private_0x0000000000de0000 0x00de0000 0x00e5ffff Private Memory Readable, Writable True False False -
private_0x0000000000e80000 0x00e80000 0x00efffff Private Memory Readable, Writable True False False -
private_0x0000000000f10000 0x00f10000 0x00f8ffff Private Memory Readable, Writable True False False -
private_0x0000000000fa0000 0x00fa0000 0x0101ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x01040000 0x0130efff Memory Mapped File Readable False False False -
private_0x0000000001350000 0x01350000 0x013cffff Private Memory Readable, Writable True False False -
private_0x0000000001420000 0x01420000 0x0149ffff Private Memory Readable, Writable True False False -
private_0x00000000014c0000 0x014c0000 0x0153ffff Private Memory Readable, Writable True False False -
private_0x0000000001560000 0x01560000 0x015dffff Private Memory Readable, Writable True False False -
private_0x00000000016a0000 0x016a0000 0x0171ffff Private Memory Readable, Writable True False False -
private_0x0000000001720000 0x01720000 0x0179ffff Private Memory Readable, Writable True False False -
private_0x00000000017d0000 0x017d0000 0x0184ffff Private Memory Readable, Writable True False False -
private_0x00000000018b0000 0x018b0000 0x0192ffff Private Memory Readable, Writable True False False -
private_0x0000000001950000 0x01950000 0x019cffff Private Memory Readable, Writable True False False -
private_0x0000000001a00000 0x01a00000 0x01a7ffff Private Memory Readable, Writable True False False -
private_0x0000000001ab0000 0x01ab0000 0x01b2ffff Private Memory Readable, Writable True False False -
private_0x0000000001be0000 0x01be0000 0x01c5ffff Private Memory Readable, Writable True False False -
private_0x0000000001c60000 0x01c60000 0x01d5ffff Private Memory Readable, Writable True False False -
private_0x0000000001df0000 0x01df0000 0x01eeffff Private Memory Readable, Writable True False False -
private_0x0000000001f00000 0x01f00000 0x01f7ffff Private Memory Readable, Writable True False False -
private_0x0000000002070000 0x02070000 0x020effff Private Memory Readable, Writable True False False -
private_0x0000000002170000 0x02170000 0x021effff Private Memory Readable, Writable True False False -
private_0x0000000002290000 0x02290000 0x023affff Private Memory Readable, Writable True False False -
private_0x00000000023b0000 0x023b0000 0x025b0fff Private Memory Readable, Writable True False False -
private_0x0000000002600000 0x02600000 0x0267ffff Private Memory Readable, Writable True False False -
private_0x0000000002680000 0x02680000 0x0287ffff Private Memory Readable, Writable True False False -
private_0x0000000002880000 0x02880000 0x02a7ffff Private Memory Readable, Writable True False False -
private_0x0000000002a80000 0x02a80000 0x02e1ffff Private Memory Readable, Writable True False False -
private_0x0000000002e20000 0x02e20000 0x0301ffff Private Memory Readable, Writable True False False -
private_0x0000000003020000 0x03020000 0x0341ffff Private Memory Readable, Writable True False False -
private_0x0000000003540000 0x03540000 0x036eafff Private Memory Readable, Writable True False False -
private_0x0000000003a40000 0x03a40000 0x03e78fff Private Memory Readable, Writable True False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
svchost.exe 0xff470000 0xff47afff Memory Mapped File Readable, Writable, Executable False False False -
wdiasqmmodule.dll 0x7fef6760000 0x7fef676cfff Memory Mapped File Readable, Writable, Executable False False False -
radardt.dll 0x7fef6770000 0x7fef678cfff Memory Mapped File Readable, Writable, Executable False False False -
pnpts.dll 0x7fef6790000 0x7fef6797fff Memory Mapped File Readable, Writable, Executable False False False -
diagperf.dll 0x7fef6c40000 0x7fef6d89fff Memory Mapped File Readable, Writable, Executable False False False -
npmproxy.dll 0x7fef7000000 0x7fef700bfff Memory Mapped File Readable, Writable, Executable False False False -
netprofm.dll 0x7fef8670000 0x7fef86e3fff Memory Mapped File Readable, Writable, Executable False False False -
wdi.dll 0x7fefaa60000 0x7fefaa78fff Memory Mapped File Readable, Writable, Executable False False False -
wfapigp.dll 0x7fefac40000 0x7fefac49fff Memory Mapped File Readable, Writable, Executable False False False -
dps.dll 0x7fefae20000 0x7fefae4bfff Memory Mapped File Readable, Writable, Executable False False False -
mpssvc.dll 0x7fefaf60000 0x7fefb02dfff Memory Mapped File Readable, Writable, Executable False False False -
bfe.dll 0x7fefb040000 0x7fefb0effff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc.dll 0x7fefb4b0000 0x7fefb4c7fff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc6.dll 0x7fefb4d0000 0x7fefb4e0fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x7fefb500000 0x7fefb552fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x7fefb650000 0x7fefb65afff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x7fefb660000 0x7fefb686fff Memory Mapped File Readable, Writable, Executable False False False -
slc.dll 0x7fefb740000 0x7fefb74afff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x7fefb7d0000 0x7fefb7e4fff Memory Mapped File Readable, Writable, Executable False False False -
taskschd.dll 0x7fefb900000 0x7fefba26fff Memory Mapped File Readable, Writable, Executable False False False -
wtsapi32.dll 0x7fefbef0000 0x7fefbf00fff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x7fefcb60000 0x7fefcb8cfff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x7fefcd60000 0x7fefcd6bfff Memory Mapped File Readable, Writable, Executable False False False -
firewallapi.dll 0x7fefcd70000 0x7fefce2afff Memory Mapped File Readable, Writable, Executable False False False -
wshtcpip.dll 0x7fefce30000 0x7fefce36fff Memory Mapped File Readable, Writable, Executable False False False -
gpapi.dll 0x7fefcf20000 0x7fefcf3afff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x7fefcf40000 0x7fefcf5dfff Memory Mapped File Readable, Writable, Executable False False False -
credssp.dll 0x7fefd090000 0x7fefd099fff Memory Mapped File Readable, Writable, Executable False False False -
pcwum.dll 0x7fefd0a0000 0x7fefd0acfff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x7fefd190000 0x7fefd1d6fff Memory Mapped File Readable, Writable, Executable False False False -
wship6.dll 0x7fefd420000 0x7fefd426fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x7fefd430000 0x7fefd484fff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x7fefd490000 0x7fefd4a6fff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x7fefd600000 0x7fefd621fff Memory Mapped File Readable, Writable, Executable False False False -
authz.dll 0x7fefd680000 0x7fefd6aefff Memory Mapped File Readable, Writable, Executable False False False -
secur32.dll 0x7fefda30000 0x7fefda3afff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x7fefda60000 0x7fefda84fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7fefda90000 0x7fefda9efff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x7fefdb80000 0x7fefdb93fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x7fefdba0000 0x7fefdbaefff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x7fefde20000 0x7fefde55fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7fefdf70000 0x7fefe172fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x7fefef10000 0x7fefefa8fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feff3b0000 0x7feff3bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feff3c0000 0x7feff3edfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x7feff650000 0x7feff69cfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x7feff720000 0x7feff727fff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x7feff730000 0x7feff781fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7feff910000 0x7feff976fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x7feff980000 0x7feff9f0fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffa00000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x7feffb10000 0x7feffbe6fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feffe90000 0x7fefff58fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000007fffff8c000 0x7fffff8c000 0x7fffff8dfff Private Memory Readable, Writable True False False -
private_0x000007fffff8e000 0x7fffff8e000 0x7fffff8ffff Private Memory Readable, Writable True False False -
private_0x000007fffff90000 0x7fffff90000 0x7fffff91fff Private Memory Readable, Writable True False False -
private_0x000007fffff96000 0x7fffff96000 0x7fffff97fff Private Memory Readable, Writable True False False -
private_0x000007fffff98000 0x7fffff98000 0x7fffff99fff Private Memory Readable, Writable True False False -
private_0x000007fffff9a000 0x7fffff9a000 0x7fffff9bfff Private Memory Readable, Writable True False False -
private_0x000007fffff9c000 0x7fffff9c000 0x7fffff9dfff Private Memory Readable, Writable True False False -
private_0x000007fffff9e000 0x7fffff9e000 0x7fffff9ffff Private Memory Readable, Writable True False False -
private_0x000007fffffa0000 0x7fffffa0000 0x7fffffa1fff Private Memory Readable, Writable True False False -
private_0x000007fffffa2000 0x7fffffa2000 0x7fffffa3fff Private Memory Readable, Writable True False False -
private_0x000007fffffa4000 0x7fffffa4000 0x7fffffa5fff Private Memory Readable, Writable True False False -
private_0x000007fffffa6000 0x7fffffa6000 0x7fffffa7fff Private Memory Readable, Writable True False False -
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff Private Memory Readable, Writable True False False -
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff Private Memory Readable, Writable True False False -
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory Readable, Writable True False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory Readable, Writable True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd4fff Private Memory Readable, Writable True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory Readable, Writable True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory Readable, Writable True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory Readable, Writable True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory Readable, Writable True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory Readable, Writable True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory Readable, Writable True False False -
For performance reasons, the remaining 2 entries are omitted.
The remaining entries can be found in flog.txt.
Process #17: taskhost.exe
Information Value
ID #17
File Name c:\windows\system32\taskhost.exe
Command Line "taskhost.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:01, Reason: Child Process
Unmonitor End Time: 00:01:38, Reason: Self Terminated
Monitor Duration 00:00:37
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x4ec
Parent PID 0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9CC, 0x5D0, 0x7F4, 0x7E0, 0x7DC, 0x7D8, 0x7D0, 0x538, 0x524, 0x4FC, 0x4F0, 0xB60
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00040000 0x000a6fff Memory Mapped File Readable False False False -
private_0x00000000000b0000 0x000b0000 0x001affff Private Memory Readable, Writable True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b6fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000001d0000 0x001d0000 0x001d0fff Private Memory Readable, Writable True False False -
private_0x00000000001e0000 0x001e0000 0x001e0fff Private Memory Readable, Writable True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000270000 0x00270000 0x00270fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000280000 0x00280000 0x00280fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000290000 0x00290000 0x00291fff Pagefile Backed Memory Readable, Writable True False False -
msutb.dll.mui 0x002a0000 0x002a1fff Memory Mapped File Readable, Writable False False False -
private_0x00000000002b0000 0x002b0000 0x002effff Private Memory Readable, Writable True False False -
private_0x00000000002f0000 0x002f0000 0x0036ffff Private Memory Readable, Writable True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000470000 0x00470000 0x005f7fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000600000 0x00600000 0x00780fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000790000 0x00790000 0x01b8ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001b90000 0x01b90000 0x01f82fff Pagefile Backed Memory Readable True False False -
private_0x0000000001f90000 0x01f90000 0x01f90fff Private Memory Readable, Writable True False False -
private_0x0000000001fa0000 0x01fa0000 0x01fa0fff Private Memory Readable, Writable True False False -
private_0x0000000001fb0000 0x01fb0000 0x0202ffff Private Memory Readable, Writable True False False -
private_0x00000000020e0000 0x020e0000 0x0215ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002160000 0x02160000 0x0223efff Pagefile Backed Memory Readable True False False -
private_0x00000000022a0000 0x022a0000 0x0231ffff Private Memory Readable, Writable True False False -
private_0x0000000002340000 0x02340000 0x023bffff Private Memory Readable, Writable True False False -
private_0x00000000023d0000 0x023d0000 0x0244ffff Private Memory Readable, Writable True False False -
kernelbase.dll.mui 0x02450000 0x0250ffff Memory Mapped File Readable, Writable False False False -
private_0x0000000002590000 0x02590000 0x0260ffff Private Memory Readable, Writable True False False -
private_0x0000000002620000 0x02620000 0x0269ffff Private Memory Readable, Writable True False False -
private_0x0000000002790000 0x02790000 0x0280ffff Private Memory Readable, Writable True False False -
private_0x0000000002870000 0x02870000 0x028effff Private Memory Readable, Writable True False False -
private_0x0000000002920000 0x02920000 0x0299ffff Private Memory Readable, Writable True False False -
private_0x0000000002a70000 0x02a70000 0x02aeffff Private Memory Readable, Writable True False False -
private_0x0000000002b50000 0x02b50000 0x02b5ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x02b60000 0x02e2efff Memory Mapped File Readable False False False -
private_0x0000000002ee0000 0x02ee0000 0x02f5ffff Private Memory Readable, Writable True False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
taskhost.exe 0xff440000 0xff453fff Memory Mapped File Readable, Writable, Executable False False False -
winmm.dll 0x7fef6b10000 0x7fef6b4afff Memory Mapped File Readable, Writable, Executable False False False -
npmproxy.dll 0x7fef7000000 0x7fef700bfff Memory Mapped File Readable, Writable, Executable False False False -
dimsjob.dll 0x7fef7010000 0x7fef701dfff Memory Mapped File Readable, Writable, Executable False False False -
netprofm.dll 0x7fef8670000 0x7fef86e3fff Memory Mapped File Readable, Writable, Executable False False False -
msutb.dll 0x7fef9010000 0x7fef904cfff Memory Mapped File Readable, Writable, Executable False False False -
msctfmonitor.dll 0x7fef9050000 0x7fef905afff Memory Mapped File Readable, Writable, Executable False False False -
hotstartuseragent.dll 0x7fef9060000 0x7fef906afff Memory Mapped File Readable, Writable, Executable False False False -
playsndsrv.dll 0x7fefaa40000 0x7fefaa57fff Memory Mapped File Readable, Writable, Executable False False False -
slc.dll 0x7fefb740000 0x7fefb74afff Memory Mapped File Readable, Writable, Executable False False False -
dsrole.dll 0x7fefb750000 0x7fefb75bfff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x7fefb7d0000 0x7fefb7e4fff Memory Mapped File Readable, Writable, Executable False False False -
taskschd.dll 0x7fefb900000 0x7fefba26fff Memory Mapped File Readable, Writable, Executable False False False -
wtsapi32.dll 0x7fefbef0000 0x7fefbf00fff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x7fefc090000 0x7fefc0a7fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x7fefc4c0000 0x7fefc515fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x7fefd190000 0x7fefd1d6fff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x7fefd490000 0x7fefd4a6fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x7fefda60000 0x7fefda84fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7fefda90000 0x7fefda9efff Memory Mapped File Readable, Writable, Executable False False False -
winsta.dll 0x7fefdb40000 0x7fefdb7cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x7fefdb80000 0x7fefdb93fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7fefdf70000 0x7fefe172fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x7fefef10000 0x7fefefa8fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feff3b0000 0x7feff3bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feff3c0000 0x7feff3edfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x7feff720000 0x7feff727fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7feff910000 0x7feff976fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x7feff980000 0x7feff9f0fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffa00000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x7feffb10000 0x7feffbe6fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feffe90000 0x7fefff58fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000007fffffa6000 0x7fffffa6000 0x7fffffa7fff Private Memory Readable, Writable True False False -
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff Private Memory Readable, Writable True False False -
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff Private Memory Readable, Writable True False False -
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory Readable, Writable True False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory Readable, Writable True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd4fff Private Memory Readable, Writable True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory Readable, Writable True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory Readable, Writable True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory Readable, Writable True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory Readable, Writable True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory Readable, Writable True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory Readable, Writable True False False -
Process #18: taskhost.exe
Information Value
ID #18
File Name c:\windows\system32\taskhost.exe
Command Line taskhost.exe $(Arg0)
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:01, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:01:28
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x6c0
Parent PID 0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Local Service
Enabled Privileges SeChangeNotifyPrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9B8, 0x750, 0x73C, 0x760, 0x730, 0x6F4, 0x788, 0x490, 0x4A8, 0x4A0, 0x498, 0x4AC, 0xB64
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00040000 0x000a6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000b0000 0x000b0000 0x0016ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000170000 0x00170000 0x00171fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory Readable, Writable True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory Readable, Writable True False False -
private_0x0000000000210000 0x00210000 0x00210fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000220000 0x00220000 0x00220fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000230000 0x00230000 0x00230fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000240000 0x00240000 0x00240fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000250000 0x00250000 0x00250fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000260000 0x00260000 0x0026ffff Pagefile Backed Memory Readable, Writable True False False -
msxml6r.dll 0x00270000 0x00270fff Memory Mapped File Readable False False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory Readable, Writable True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory Readable, Writable True False False -
private_0x0000000000480000 0x00480000 0x004fffff Private Memory Readable, Writable True False False -
private_0x0000000000500000 0x00500000 0x0051ffff Private Memory - True False False -
pagefile_0x0000000000520000 0x00520000 0x00521fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000540000 0x00540000 0x00541fff Pagefile Backed Memory Readable True False False -
private_0x0000000000550000 0x00550000 0x0055ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000560000 0x00560000 0x006e7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000006f0000 0x006f0000 0x00870fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000880000 0x00880000 0x00c72fff Pagefile Backed Memory Readable True False False -
kernelbase.dll.mui 0x00c80000 0x00d3ffff Memory Mapped File Readable, Writable False False False -
pagefile_0x0000000000d60000 0x00d60000 0x00d60fff Pagefile Backed Memory Readable True False False -
winsatapi.dll.mui 0x00d70000 0x00d71fff Memory Mapped File Readable, Writable False False False -
private_0x0000000000d80000 0x00d80000 0x00dfffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000e00000 0x00e00000 0x00e00fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000e10000 0x00e10000 0x00e1ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000e20000 0x00e20000 0x00e20fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000e30000 0x00e30000 0x00eaffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000eb0000 0x00eb0000 0x00ebffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000ec0000 0x00ec0000 0x00ec0fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000ed0000 0x00ed0000 0x00edffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000f20000 0x00f20000 0x00f9ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000fa0000 0x00fa0000 0x01029fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000001030000 0x01030000 0x010affff Private Memory Readable, Writable True False False -
private_0x0000000001170000 0x01170000 0x011effff Private Memory Readable, Writable True False False -
private_0x0000000001200000 0x01200000 0x0127ffff Private Memory Readable, Writable True False False -
private_0x0000000001280000 0x01280000 0x012fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000001300000 0x01300000 0x015cbfff Pagefile Backed Memory Readable, Writable True False False -
sortdefault.nls 0x015d0000 0x0189efff Memory Mapped File Readable False False False -
private_0x00000000018a0000 0x018a0000 0x0199ffff Private Memory Readable, Writable True False False -
private_0x00000000019c0000 0x019c0000 0x01a3ffff Private Memory Readable, Writable True False False -
private_0x0000000001a50000 0x01a50000 0x01acffff Private Memory Readable, Writable True False False -
pagefile_0x0000000001ad0000 0x01ad0000 0x01b59fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000001ba0000 0x01ba0000 0x01c1ffff Private Memory Readable, Writable True False False -
private_0x0000000001c90000 0x01c90000 0x01d0ffff Private Memory Readable, Writable True False False -
private_0x0000000001d10000 0x01d10000 0x0210ffff Private Memory Readable, Writable True False False -
private_0x0000000002160000 0x02160000 0x021dffff Private Memory Readable, Writable True False False -
private_0x00000000021e0000 0x021e0000 0x022dffff Private Memory Readable, Writable True False False -
private_0x0000000002400000 0x02400000 0x0247ffff Private Memory Readable, Writable True False False -
private_0x0000000002490000 0x02490000 0x0250ffff Private Memory Readable, Writable True False False -
private_0x0000000002550000 0x02550000 0x0255ffff Private Memory Readable, Writable True False False -
private_0x0000000002560000 0x02560000 0x0275ffff Private Memory Readable, Writable True False False -
private_0x00000000027c0000 0x027c0000 0x0283ffff Private Memory Readable, Writable True False False -
private_0x0000000002890000 0x02890000 0x0290ffff Private Memory Readable, Writable True False False -
private_0x0000000002910000 0x02910000 0x0298ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002990000 0x02990000 0x02c5bfff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000002d50000 0x02d50000 0x02dcffff Private Memory Readable, Writable True False False -
private_0x0000000002e00000 0x02e00000 0x02e7ffff Private Memory Readable, Writable True False False -
private_0x0000000002e90000 0x02e90000 0x02f0ffff Private Memory Readable, Writable True False False -
sfc.dll 0x74440000 0x74442fff Memory Mapped File Readable, Writable, Executable False False False -
msvcr90.dll 0x74560000 0x74602fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
taskhost.exe 0xff440000 0xff453fff Memory Mapped File Readable, Writable, Executable False False False -
msoxmlmf.dll 0x7fef4a30000 0x7fef4a40fff Memory Mapped File Readable, Writable, Executable False False False -
winsatapi.dll 0x7fef4a50000 0x7fef4ad4fff Memory Mapped File Readable, Writable, Executable False False False -
sqlceqp30.dll 0x7fef4ae0000 0x7fef4bb0fff Memory Mapped File Readable, Writable, Executable False False False -
sqlcese30.dll 0x7fef4bc0000 0x7fef4c33fff Memory Mapped File Readable, Writable, Executable False False False -
msxml6.dll 0x7fef7b20000 0x7fef7d11fff Memory Mapped File Readable, Writable, Executable False False False -
sqlceoledb30.dll 0x7fef8150000 0x7fef8182fff Memory Mapped File Readable, Writable, Executable False False False -
racengn.dll 0x7fef8190000 0x7fef830ffff Memory Mapped File Readable, Writable, Executable False False False -
sqmapi.dll 0x7fef8c00000 0x7fef8c41fff Memory Mapped File Readable, Writable, Executable False False False -
sfc_os.dll 0x7fef8fa0000 0x7fef8faffff Memory Mapped File Readable, Writable, Executable False False False -
aepic.dll 0x7fef8fb0000 0x7fef8fc1fff Memory Mapped File Readable, Writable, Executable False False False -
dxgi.dll 0x7fefa720000 0x7fefa7c6fff Memory Mapped File Readable, Writable, Executable False False False -
taskschd.dll 0x7fefb900000 0x7fefba26fff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x7fefbb40000 0x7fefbb6bfff Memory Mapped File Readable, Writable, Executable False False False -
xmllite.dll 0x7fefc050000 0x7fefc084fff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x7fefc090000 0x7fefc0a7fff Memory Mapped File Readable, Writable, Executable False False False -
gdiplus.dll 0x7fefc2a0000 0x7fefc4b4fff Memory Mapped File Readable, Writable, Executable False False False -
propsys.dll 0x7fefc520000 0x7fefc64bfff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x7fefc670000 0x7fefc863fff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x7fefcb60000 0x7fefcb8cfff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x7fefcd60000 0x7fefcd6bfff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x7fefd190000 0x7fefd1d6fff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x7fefd490000 0x7fefd4a6fff Memory Mapped File Readable, Writable, Executable False False False -
wevtapi.dll 0x7fefd6c0000 0x7fefd72cfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x7fefda60000 0x7fefda84fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7fefda90000 0x7fefda9efff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x7fefdb80000 0x7fefdb93fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x7fefdba0000 0x7fefdbaefff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x7fefdc40000 0x7fefdc4efff Memory Mapped File Readable, Writable, Executable False False False -
wintrust.dll 0x7fefdc50000 0x7fefdc89fff Memory Mapped File Readable, Writable, Executable False False False -
devobj.dll 0x7fefdc90000 0x7fefdca9fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x7fefdcb0000 0x7fefde16fff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x7fefde20000 0x7fefde55fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7fefdf70000 0x7fefe172fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x7fefe180000 0x7fefef07fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x7fefef10000 0x7fefefa8fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feff3b0000 0x7feff3bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feff3c0000 0x7feff3edfff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x7feff730000 0x7feff781fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7feff910000 0x7feff976fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x7feff980000 0x7feff9f0fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffa00000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x7feffb10000 0x7feffbe6fff Memory Mapped File Readable, Writable, Executable False False False -
setupapi.dll 0x7feffbf0000 0x7feffdc6fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feffe90000 0x7fefff58fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000007fffffa2000 0x7fffffa2000 0x7fffffa3fff Private Memory Readable, Writable True False False -
private_0x000007fffffa4000 0x7fffffa4000 0x7fffffa5fff Private Memory Readable, Writable True False False -
private_0x000007fffffa6000 0x7fffffa6000 0x7fffffa7fff Private Memory Readable, Writable True False False -
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff Private Memory Readable, Writable True False False -
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff Private Memory Readable, Writable True False False -
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory Readable, Writable True False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory Readable, Writable True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory Readable, Writable True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory Readable, Writable True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory Readable, Writable True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory Readable, Writable True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory Readable, Writable True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True False False -
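The Region tables above list every mapping in a monitored process with its backing type and page permissions, but the report does not itself call out which rows deserve a second look. The following is an added example, not part of the VMRay report and not VMRay's software: a parser for this row format plus the check an analyst most often runs over such a table, executable memory that is not backed by a mapped file (the usual footprint of unpacked or injected code). The sample rows are copied from the Process #18 table above; the final anomaly row is constructed for demonstration and does not appear anywhere in this report.

```python
import re
from dataclasses import dataclass
from typing import List

# Column layout of a VMRay "Region" table row, as printed in this report:
#   Name  Start VA  End VA  Type  Permissions  Monitored  Dumped  YARA  Actions
# Type and Permissions are multi-word fields, so a regex beats str.split().
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<start>0x[0-9a-fA-F]+)\s+(?P<end>0x[0-9a-fA-F]+)\s+"
    r"(?P<type>Pagefile Backed Memory|Private Memory|Memory Mapped File)\s+"
    r"(?P<perms>(?:Readable|Writable|Executable)(?:, (?:Readable|Writable|Executable))*|-)\s+"
    r"(?P<monitored>True|False)\s+(?P<dumped>True|False)\s+(?P<yara>True|False)\s+"
    r"(?P<actions>\S+)$"
)

# Rows copied verbatim from the Process #18 (taskhost.exe) Region table above.
REPORT_ROWS = """
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000500000 0x00500000 0x0051ffff Private Memory - True False False -
taskhost.exe 0xff440000 0xff453fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
"""

# CONSTRUCTED for this example only: a private RWX region that was also dumped.
# No such row exists in the report; it is here so the check has a positive case.
CONSTRUCTED_ANOMALY = (
    "private_0x0000000003000000 0x03000000 0x0300ffff Private Memory "
    "Readable, Writable, Executable True True False -"
)


@dataclass
class Region:
    name: str
    start: int
    end: int
    kind: str
    perms: frozenset
    monitored: bool
    dumped: bool
    yara: bool

    @property
    def size(self) -> int:
        # End VA is inclusive in the report, hence the +1.
        return self.end - self.start + 1

    @property
    def executable(self) -> bool:
        return "Executable" in self.perms

    @property
    def image_backed(self) -> bool:
        # Only "Memory Mapped File" rows correspond to a file (EXE/DLL/MUI/NLS) on disk.
        return self.kind == "Memory Mapped File"


def parse_rows(text: str) -> List[Region]:
    """Parse Region table rows; the header line and blank lines are skipped."""
    regions = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("Name "):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised region row: {line!r}")
        perms = frozenset() if m["perms"] == "-" else frozenset(
            p.strip() for p in m["perms"].split(","))
        regions.append(Region(
            name=m["name"], start=int(m["start"], 16), end=int(m["end"], 16),
            kind=m["type"], perms=perms,
            monitored=m["monitored"] == "True",
            dumped=m["dumped"] == "True",
            yara=m["yara"] == "True",
        ))
    return regions


def executable_not_image_backed(regions: List[Region]) -> List[Region]:
    """Executable pages with no file behind them: candidate unpacked/injected code.
    Legitimate image mappings (kernel32.dll, taskhost.exe, ...) are excluded."""
    return [r for r in regions if r.executable and not r.image_backed]


def no_access_regions(regions: List[Region]) -> List[Region]:
    """Rows whose Permissions column is '-' (reserved or guard pages)."""
    return [r for r in regions if not r.perms]


if __name__ == "__main__":
    regs = parse_rows(REPORT_ROWS + "\n" + CONSTRUCTED_ANOMALY)
    for r in executable_not_image_backed(regs):
        print(f"{r.name}: {r.kind}, {r.size:#x} bytes, dumped={r.dumped}")
```

On the rows actually printed in this section the check returns nothing: every Executable region in the taskhost.exe and vssvc.exe tables is a memory-mapped image, which agrees with the report's own "No high level activity detected in monitored regions" remark for these system processes. The constructed row shows what a hit looks like; a real hit with Dumped True would point at a memory dump worth pulling from the analysis.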
Process #19: vssvc.exe
Information Value
ID #19
File Name c:\windows\system32\vssvc.exe
Command Line C:\Windows\system32\vssvc.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:01, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:01:28
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa34
Parent PID 0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0xA5C, 0xA58, 0xA54, 0xA50, 0xA38, 0xA60, 0xA6C, 0xA70, 0xB98
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory Readable, Writable True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000250000 0x00250000 0x0030ffff Pagefile Backed Memory Readable True False False -
vssvc.exe.mui 0x00310000 0x00320fff Memory Mapped File Readable, Writable False False False -
private_0x0000000000330000 0x00330000 0x00330fff Private Memory Readable, Writable True False False -
private_0x0000000000340000 0x00340000 0x00340fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000350000 0x00350000 0x00350fff Pagefile Backed Memory Readable True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000460000 0x00460000 0x005e7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000005f0000 0x005f0000 0x005f0fff Pagefile Backed Memory Readable True False False -
private_0x0000000000600000 0x00600000 0x0060ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000610000 0x00610000 0x00790fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000007a0000 0x007a0000 0x00b92fff Pagefile Backed Memory Readable True False False -
private_0x0000000000c00000 0x00c00000 0x00c7ffff Private Memory Readable, Writable True False False -
private_0x0000000000d00000 0x00d00000 0x00d7ffff Private Memory Readable, Writable True False False -
private_0x0000000000d90000 0x00d90000 0x00e0ffff Private Memory Readable, Writable True False False -
private_0x0000000000ee0000 0x00ee0000 0x00f5ffff Private Memory Readable, Writable True False False -
private_0x0000000000fc0000 0x00fc0000 0x0103ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x01040000 0x0130efff Memory Mapped File Readable False False False -
private_0x0000000001320000 0x01320000 0x0139ffff Private Memory Readable, Writable True False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
vssvc.exe 0xff060000 0xff1eafff Memory Mapped File Readable, Writable, Executable False False False -
catsrvut.dll 0x7fef4620000 0x7fef46a4fff Memory Mapped File Readable, Writable, Executable False False False -
vss_ps.dll 0x7fef8320000 0x7fef8333fff Memory Mapped File Readable, Writable, Executable False False False -
xolehlp.dll 0x7fef8340000 0x7fef8353fff Memory Mapped File Readable, Writable, Executable False False False -
mfcsubs.dll 0x7fef8360000 0x7fef836bfff Memory Mapped File Readable, Writable, Executable False False False -
virtdisk.dll 0x7fef8370000 0x7fef8379fff Memory Mapped File Readable, Writable, Executable False False False -
fltlib.dll 0x7fef8390000 0x7fef8398fff Memory Mapped File Readable, Writable, Executable False False False -
resutils.dll 0x7fef8540000 0x7fef8558fff Memory Mapped File Readable, Writable, Executable False False False -
clusapi.dll 0x7fef8560000 0x7fef85affff Memory Mapped File Readable, Writable, Executable False False False -
vsstrace.dll 0x7fefac50000 0x7fefac66fff Memory Mapped File Readable, Writable, Executable False False False -
vssapi.dll 0x7fefac70000 0x7fefae1ffff Memory Mapped File Readable, Writable, Executable False False False -
es.dll 0x7fefb6d0000 0x7fefb736fff Memory Mapped File Readable, Writable, Executable False False False -
atl.dll 0x7fefb770000 0x7fefb788fff Memory Mapped File Readable, Writable, Executable False False False -
samcli.dll 0x7fefbd70000 0x7fefbd83fff Memory Mapped File Readable, Writable, Executable False False False -
wkscli.dll 0x7fefbd90000 0x7fefbda4fff Memory Mapped File Readable, Writable, Executable False False False -
netutils.dll 0x7fefbdb0000 0x7fefbdbbfff Memory Mapped File Readable, Writable, Executable False False False -
netapi32.dll 0x7fefbdc0000 0x7fefbdd5fff Memory Mapped File Readable, Writable, Executable False False False -
propsys.dll 0x7fefc520000 0x7fefc64bfff Memory Mapped File Readable, Writable, Executable False False False -
samlib.dll 0x7fefc650000 0x7fefc66cfff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x7fefcd60000 0x7fefcd6bfff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x7fefd190000 0x7fefd1d6fff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x7fefd490000 0x7fefd4a6fff Memory Mapped File Readable, Writable, Executable False False False -
authz.dll 0x7fefd680000 0x7fefd6aefff Memory Mapped File Readable, Writable, Executable False False False -
cryptdll.dll 0x7fefd730000 0x7fefd743fff Memory Mapped File Readable, Writable, Executable False False False -
srvcli.dll 0x7fefd990000 0x7fefd9b2fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7fefda90000 0x7fefda9efff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x7fefdb80000 0x7fefdb93fff Memory Mapped File Readable, Writable, Executable False False False -
devobj.dll 0x7fefdc90000 0x7fefdca9fff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x7fefde20000 0x7fefde55fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7fefdf70000 0x7fefe172fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x7fefef10000 0x7fefefa8fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feff3b0000 0x7feff3bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feff3c0000 0x7feff3edfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7feff910000 0x7feff976fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x7feff980000 0x7feff9f0fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffa00000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x7feffb10000 0x7feffbe6fff Memory Mapped File Readable, Writable, Executable False False False -
setupapi.dll 0x7feffbf0000 0x7feffdc6fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feffe90000 0x7fefff58fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory Readable, Writable True False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory Readable, Writable True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory Readable, Writable True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory Readable, Writable True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory Readable, Writable True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory Readable, Writable True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory Readable, Writable True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True False False -
Process #20: mscorsvw.exe
2570 0
Information Value
ID #20
File Name c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
Command Line C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:04, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:01:25
OS Process Information
Information Value
PID 0xa64
Parent PID 0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable True
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x A68
0x AAC
0x AB0
0x AB4
0x AB8
0x AE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory Readable True False False -
oleaccrc.dll 0x001b0000 0x001b0fff Memory Mapped File Readable False False False -
private_0x00000000001c0000 0x001c0000 0x001dafff Private Memory Readable, Writable, Executable True False False -
private_0x00000000001e0000 0x001e0000 0x0025ffff Private Memory Readable, Writable True False False -
private_0x0000000000260000 0x00260000 0x00271fff Private Memory Readable, Writable True False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000280000 0x00280000 0x00280fff Pagefile Backed Memory Readable True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory Readable, Writable True False False -
locale.nls 0x00390000 0x003f6fff Memory Mapped File Readable False False False -
mscorsvw.exe 0x00400000 0x0042efff Memory Mapped File Readable, Writable, Executable True True False
pagefile_0x0000000000430000 0x00430000 0x004effff Pagefile Backed Memory Readable True False False -
private_0x00000000004f0000 0x004f0000 0x0052ffff Private Memory Readable, Writable True False False -
private_0x0000000000530000 0x00530000 0x0053ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000530000 0x00530000 0x00536fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000530000 0x00530000 0x00530fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000540000 0x00540000 0x00546fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000540000 0x00540000 0x00540fff Pagefile Backed Memory Readable True False False -
private_0x0000000000560000 0x00560000 0x0056ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000570000 0x00570000 0x006f7fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000700000 0x00700000 0x00880fff Pagefile Backed Memory Readable True False False -
rsaenh.dll 0x00890000 0x008cbfff Memory Mapped File Readable False False False -
private_0x0000000000890000 0x00890000 0x008cffff Private Memory Readable, Writable True False False -
private_0x00000000008d0000 0x008d0000 0x0090ffff Private Memory Readable, Writable True False False -
private_0x0000000000910000 0x00910000 0x0094ffff Private Memory Readable, Writable True False False -
private_0x0000000000980000 0x00980000 0x0098ffff Private Memory Readable, Writable True False False -
private_0x0000000000990000 0x00990000 0x00adffff Private Memory Readable, Writable True False False -
private_0x0000000000990000 0x00990000 0x00abffff Private Memory Readable, Writable True False False -
private_0x0000000000990000 0x00990000 0x00a8ffff Private Memory Readable, Writable True False False -
private_0x0000000000ab0000 0x00ab0000 0x00abffff Private Memory Readable, Writable True False False -
private_0x0000000000ad0000 0x00ad0000 0x00adffff Private Memory Readable, Writable True False False -
private_0x0000000000ae0000 0x00ae0000 0x00b1ffff Private Memory Readable, Writable True False False -
private_0x0000000000b40000 0x00b40000 0x00b4ffff Private Memory Readable, Writable True False False -
private_0x0000000000b50000 0x00b50000 0x00c4ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x00c50000 0x00f1efff Memory Mapped File Readable False False False -
private_0x0000000000f20000 0x00f20000 0x0101ffff Private Memory Readable, Writable True False False -
private_0x0000000001020000 0x01020000 0x0111ffff Private Memory Readable, Writable True False False -
private_0x0000000001120000 0x01120000 0x0121ffff Private Memory Readable, Writable True False False -
private_0x0000000001220000 0x01220000 0x0131ffff Private Memory Readable, Writable True False False -
private_0x0000000001320000 0x01320000 0x01585fff Private Memory Readable, Writable True False False -
private_0x0000000001320000 0x01320000 0x01707fff Private Memory Readable, Writable True False False -
wow64cpu.dll 0x75360000 0x75367fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x75370000 0x753cbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x753d0000 0x7540efff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x75650000 0x7565afff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x75660000 0x7569afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x756a0000 0x756b5fff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x756c0000 0x756d6fff Memory Mapped File Readable, Writable, Executable False False False -
msimg32.dll 0x756e0000 0x756e4fff Memory Mapped File Readable, Writable, Executable False False False -
oledlg.dll 0x756f0000 0x7570bfff Memory Mapped File Readable, Writable, Executable False False False -
oleacc.dll 0x75710000 0x7574bfff Memory Mapped File Readable, Writable, Executable False False False -
winmm.dll 0x75750000 0x75781fff Memory Mapped File Readable, Writable, Executable False False False -
winspool.drv 0x75790000 0x757e0fff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x757f0000 0x75873fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75980000 0x7598bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75990000 0x759effff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x75a20000 0x75a24fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75a30000 0x75a48fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x75a60000 0x75b7cfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75bb0000 0x75bf5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fd0000 0x760dffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x760e0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x76180000 0x761d6fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x763c0000 0x763c9fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x763d0000 0x763dbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x763e0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76670000 0x7671bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76720000 0x767ebfff Memory Mapped File Readable, Writable, Executable False False False -
comdlg32.dll 0x767f0000 0x7686afff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76920000 0x77569fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x77570000 0x775cffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x775d0000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x776c0000 0x7781bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77820000 0x778affff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x77990000 0x77a2cfff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000077a30000 0x77a30000 0x77b4efff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077b50000 0x77b50000 0x77c49fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77e30000 0x77faffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\v5hw0he6ztja4 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\5p5nrg~1\appdata\roaming\v5hw0h~1:bin 178.00 KB MD5: 093d2634168cf168d59bfa49550a4010
SHA1: 8ba04fcf149265e2ed1ee63af73087ee09d729aa
SHA256: c04c541f066a2b089bdc261616894a2f6bd49fca2e29350698175d9fc51cd341
False
c:\users\5p5nrg~1\appdata\roaming\v5hw0h~1 17.50 KB MD5: d6a9fe571146099d6d75a8e4e7871506
SHA1: 68dba140959ed155f720060c5466f5fd90a176f6
SHA256: f63d1a87e8d264321bd2ef30b017758ef77cf741849f3f7f214bb169c0c9a461
False
c:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\excellr.cab.readme_txt 1.14 KB MD5: d23291fe8ae1839d2478c06bcb4296b5
SHA1: 13b08ec8cbf20dcb67d3c0d674e8732e8488373e
SHA256: a0d12074fbabd66d945010e4460a42cfe0b8d9f5d261de9b9acb2da9c15ea851
False
c:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\excelmui.msi.readme_txt 1.14 KB MD5: fc2e77867d9ae083952a8b2e726ea963
SHA1: f5b0145a25ec9a4fd9effbb651b079574713623a
SHA256: 76d315b4391bf1846c3fa4734f1054eb30e607791c910f7a4be8bc3563d61b0f
False
c:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\excelmui.xml.readme_txt 1.14 KB MD5: ae98d03696f4eb9149386dbf797837c7
SHA1: f9e3c93cb5ca064ec4e0b791a1c8037ea5afca14
SHA256: c91379f00177c6dfb0103532b42bd2ba284264de018ab943f1e7b5c39ff35140
False
c:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\setup.xml.readme_txt 1.14 KB MD5: d7d8efe1ea8d06f1aa2bb9276c23af00
SHA1: 5ed05a18c4234a8f1dca5a5f7621c41cbecccb7f
SHA256: 16f3a0fba4967fde9427409f350bf33e6cbf18b60884e5cfb6c3ea3bed74ac37
False
c:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\powerpointmui.msi.readme_txt 1.14 KB MD5: ca94f50d895e4ec4be00c7d18aed7226
SHA1: 7fb156908e3871098c0b750678a5377aa9f1d681
SHA256: 92cce02899649e84cf20b3ed022a7b134eb368b66e7cdfbd34e9144bdc835fb4
False
c:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\powerpointmui.xml.readme_txt 1.14 KB MD5: 2c227f16dde154d4da598293098893b7
SHA1: 4ba2ffb7782182d57302468fbe161b0139fe411d
SHA256: c5b6f0a8db7328caa19406cc99c60fdac52efa61b0bfd4dccce75c28a4dcb4ec
False
c:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\pptlr.cab.readme_txt 1.14 KB MD5: 7f0d9e1ed833eba61cf09aa5a3e3ed1a
SHA1: 2652bbe07fb99b091fb68644400b3ef5854cff32
SHA256: 85d9bcf960714ec8ce8571efcd2e4faf98ced542775e733432d35b838cdd9b59
False
c:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\setup.xml.readme_txt 1.14 KB MD5: c54c1f7d13ae3277cbc19e5697622e53
SHA1: 361946299957ee5229c0671d813f8b1b37a995ae
SHA256: 71ff862a89f0af6ce58e46564e7fb3981be7179ddb4d66d429db8adeb4d05f80
False
c:\msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\publishermui.msi.readme_txt 1.14 KB MD5: 2e2781b95b37a7e2a8b8a19c1d204290
SHA1: d5bbc45d4ddc9039979fd09ef14365acda07d0b9
SHA256: 900e4dabe9cd916abfe6326274b1a888939aa63fe52d577224261ed9a3328186
False
c:\msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\publishermui.xml.readme_txt 1.14 KB MD5: 06168d1f6816c8e436a7edc21e9b879d
SHA1: d9f69c952456fc14798319ac2db9d34d79172f5f
SHA256: 07e5a1143da75b091c7396f39f48caa5477eb2e400e3b838a5fb5347008d1cd0
False
c:\msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\publr.cab.readme_txt 1.14 KB MD5: 09df57e77262ce4f697029e649b2cee3
SHA1: c727e22a5635ed86b28dc6493ae3cac19330652b
SHA256: 63777c81f1006a3bc052bbcfae6301b7fdbbacb2320489300f2cce90a7b9cd05
False
c:\msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\setup.xml.readme_txt 1.14 KB MD5: d1dadb0bb2ad700415f1a17f61d2cb84
SHA1: 36491328e907694b1b0baf1b6aa5da6129db6bf9
SHA256: 486eb967d80a1e1961501ca1a96f1117b8a45b01d13a6c31e290e19582e3f222
False
c:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\outlklr.cab.readme_txt 1.14 KB MD5: 6ff41b4c62185a4be52ab9f2c499a5ea
SHA1: 3b58f69b442f05cc3e142238e9b20f680f718804
SHA256: 25858b50163910ec99faef7c5c8e18be735770f66f11f382d67a000de39f7db1
False
c:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\outlookmui.msi.readme_txt 1.14 KB MD5: 56f928473cf3e0144e3b46a62d2a8c45
SHA1: 803dfe6210f299355823b0eb59a29416ee0c5409
SHA256: e127cb1b5ed4a4a5d5970e8c5ffcff9f4567e0f0386f7b838e99e28a2e034672
False
c:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\outlookmui.xml.readme_txt 1.14 KB MD5: 086373bb3091fccb4867c68e4f70633d
SHA1: 0f116572acfeb41ad09e0e1765e9825c23d0dc9d
SHA256: accdc67ba3f2ff2f0acfb799ab2cb0eb39e78095433baa8ba97322ce1c174540
False
c:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\setup.xml.readme_txt 1.14 KB MD5: 94718ba752042e550be3138afcc50747
SHA1: a0831896aac93ceffc27bf94a260c771c1b1d9b8
SHA256: 700360eb35161725defd1f21cf74677cdcb687e3c4a7ceca4d44a22865723cb8
False
c:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\setup.xml.readme_txt 1.14 KB MD5: 5063cf6b74fe60d979d8d0b3bc39b103
SHA1: 0ccc5b46f08cbcc5f9ee7c655e94e3e6b415fb30
SHA256: 6895b6bae4b6c87941cbc8a1774f9d9511a1814065943591230e967d396cc4cb
False
c:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\wordlr.cab.readme_txt 1.14 KB MD5: ca0a3ccdcbdf897c1c38150c73967fbf
SHA1: 3a3472d9de446afcd3054434723a27ca8ad8f1f0
SHA256: c1f902e928f4e2e51ada19ac202cb593c6a8db76800d74a1d07a2a9fe6e1065f
False
c:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\wordmui.msi.readme_txt 1.14 KB MD5: c25873aa86f865005bda6780b3cb1d2a
SHA1: 97ada28037075bcf81b462070b454954fcfba24a
SHA256: 5ba9996ab77135a88d8dc5181746266675f9ad19ac9813d7bfdb5a61faf4df81
False
c:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\wordmui.xml.readme_txt 1.14 KB MD5: 9c7c5b7cc2f5a423e62a8e94e0a8525d
SHA1: f75aec3db1fbd5aff741130e051d91f5ae8b27a9
SHA256: 04f8ec88f6abe723bec26139fd5d9551e11c1efbf11921352673cd1e443ff1ff
False
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proofing.msi.readme_txt 1.14 KB MD5: 5bb60c144e11eb9799a85d38c48cbeb5
SHA1: e40a71bf78fc0cb50f0883dc1dcd87f8d94d1858
SHA256: 63f6eac251e8413d556680be6f834a189d631622ca2f6f15e339b79792c443e6
False
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proofing.xml.readme_txt 1.14 KB MD5: 7faca9abbdf671254cf1731ad73680ac
SHA1: 71aade8f1eec1467bcf7457acf58b7d2caa4fa5d
SHA256: c93a14b9aee2ddad31e62620c71128916e44d77756e1988e32dec44cf0472919
False
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\setup.xml.readme_txt 1.14 KB MD5: 1b7e353f7ba28b42a113dde8a44a32df
SHA1: 35d1b17dbd5e858af6299fc67dd4443b1685e6ac
SHA256: 8189623b3139bf8c1b4dccefc3224efdb559bf4d0c977db1d1ba47f255b2b773
False
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.en\proof.cab.readme_txt 1.14 KB MD5: 7fb576b9ef94921a82ae6d249811fd85
SHA1: f2b25f6edbdcfb4ad6b71adcd7866bdcd3b1c889
SHA256: 556f6c9ac2d73d863ef096f13e6caa7c14780035cadaf7bc8cf6bf39f0b864c9
False
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.en\proof.msi.readme_txt 1.14 KB MD5: 659b4b3e1456baef728192341b11bc43
SHA1: 4984434e30dced35f32dbac0f92023da15b82c04
SHA256: 1c5fe3ac1c317b39bb5f78bc13333146313ad00bcabc5e0424c468d367ad49bc
False
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.en\proof.xml.readme_txt 1.14 KB MD5: bc73d3655973b9d9ae08309344184b8e
SHA1: 1e6d20820f1c87e6e95bb1e16e97eca5806118ca
SHA256: adcb4f140796c13480d57b88afa429c35b3473e1e5a51d75391a25c91f6f539e
False
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.es\proof.cab.readme_txt 1.14 KB MD5: c66322760f7f25a1767b2bcf78b3ea6d
SHA1: 2a7f52c22ae27b0a26dc451188c87e11f0012098
SHA256: 8c871070485bd61a3e0806321e0af8fc9ecb637d1c4dc0fc90dee2cf8073f6cf
False
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.es\proof.msi.readme_txt 1.14 KB MD5: 3e9f84c854625f34018b7314722b7dd6
SHA1: 2780ab6aeb3737465f094b5df7caa67dff23292b
SHA256: a42a19f6c5ac29d0597b27418e545a85d373057e896df8bebedc59e4fb3532bd
False
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.es\proof.xml.readme_txt 1.14 KB MD5: 26f363582b04ffcdfad0b117d5e7caac
SHA1: 4f5719249d74938949112b72cffaabe847dc30af
SHA256: f2a89fc17f1e1a8f7402894758231f9f89ea4310218e69802da5a8a6cf7d4c9a
False
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.fr\proof.cab.readme_txt 1.14 KB MD5: e42b9d851970a83f12d54cbd1460e356
SHA1: 6465d2c39e378b573148807f23171d011869f17f
SHA256: 35d761c59cc5c5170c169db08aca5cfd1495df3f4bd1680e1d222bc52d9507d7
False
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.fr\proof.msi.readme_txt 1.14 KB MD5: d767e0b5c07621f6b77ded6fdbd705e4
SHA1: f9d80ec8e0a5aa3ab5d967cacb027509a1727398
SHA256: 6820e3a271cd6634c02dca8fca397735bd311a9e6272c99d72c8d9c7dfceabd3
False
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.fr\proof.xml.readme_txt 1.14 KB MD5: 3937585cd3846e6a4f87fd60d0ee616c
SHA1: b5355742676e7d808e002f934ea8b6cd740d9608
SHA256: 103cf63c6aa575cceec876d22f7b692d8c53aeccbb189dd57fa6034f434415c2
False
c:\msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\office32mui.msi.readme_txt 1.14 KB MD5: 6f5b00b54ebf274ba9e8c5bcd4f76cc9
SHA1: 8b2f8d4f79e8f97088cf05667f4f06379eb130aa
SHA256: 1645e380d5269c2f499db858ddcaeadd864a28d6aa488da86e9cb8d5e1269e2b
False
c:\msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\office32mui.xml.readme_txt 1.14 KB MD5: 2c7c00e180f99944c4b0c967e74c88fd
SHA1: 1f1526e327a4c545dd1dfbd96f96bcff88df184c
SHA256: 78e32cc68edd0e2eda6b1446a398d54eed4480e4a5981e57ad5bd8e04210c2d0
False
c:\msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\owow32lr.cab.readme_txt 1.14 KB MD5: 3c0f7a2b31af211ca2a289404f9ab135
SHA1: c210783a7af3d31f3ecb3b12049492e1f6020c6d
SHA256: c4e0709cead19e0c8b34c29712f5fa6ac6803cf70b30ab1638fec38ed516feb9
False
c:\msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\setup.xml.readme_txt 1.14 KB MD5: 7c006a249adb42c6aa2a4299a87d8f5d
SHA1: 0ec52d59aa98aa530ff17dce6e4ba9ab3d988a61
SHA256: 5f3cf733739616a6e906901199a5cb138fe4e0145fa27dbfc9f37e6d9aea2cba
False
c:\msocache\all users\{90140000-0044-0409-1000-0000000ff1ce}-c\inflr.cab.readme_txt 1.14 KB MD5: b98aa6ad01cd85805f67d71713287afe
SHA1: a8305fa16e4498b3e515a3119e4a4fe5b93bffe1
SHA256: 5f42b074fa11d9277dfef0fd7d8fcfc2820aa4c4a2ed9957544bf01525f3a1e4
False
c:\msocache\all users\{90140000-0044-0409-1000-0000000ff1ce}-c\infopathmui.msi.readme_txt 1.14 KB MD5: e480b75c232cda28257634f70ca8d0b3
SHA1: 152e1aff8c3896f144eb9e2be5ab1794a70f3f4c
SHA256: f556c20eef8ac692736a204e800fdd1142de848dec0a7577051df437b7f1bb13
False
c:\msocache\all users\{90140000-0044-0409-1000-0000000ff1ce}-c\infopathmui.xml.readme_txt 1.14 KB MD5: 7b1bf8df15c178958fa673145bb9f39a
SHA1: 6d9a12f987d2ba865644dab29e648bef5aea2374
SHA256: 42cb746388dde612aa0daca51a6effd5e7c0a7a99d07757abeb11b6b0b9eca2d
False
c:\msocache\all users\{90140000-0044-0409-1000-0000000ff1ce}-c\setup.xml.readme_txt 1.14 KB MD5: 3e82eaa6097eaf8e6f4087e2ea40442a
SHA1: dbe6802f47332d5ba40d881815db2d91fee34bc9
SHA256: e4eb36a66405c93168a0b05280275e3d89ae07e039f3c4ed987268c72f2f3728
False
c:\msocache\all users\{90140000-0054-0409-1000-0000000ff1ce}-c\setup.xml.readme_txt 1.14 KB MD5: 0bc0492de07d5409b7beef24cd63f1f8
SHA1: 0d25c8d5636c74292450876b581541c1a4e02c65
SHA256: 186e24f5fdc77f244b43c2698fb35daff295959f5cb3166f2f2538e80872c5d8
False
c:\msocache\all users\{90140000-0054-0409-1000-0000000ff1ce}-c\visiolr.cab.readme_txt 1.14 KB MD5: 41d3917d489b1b59223e16f695357218
SHA1: dbf8db7ea883647f7eeadfbbdecf88599ec322c3
SHA256: d836d46fd56fef8febcf1729999e9603c0d91c4ea599225cfefd7596ecb525e5
False
c:\msocache\all users\{90140000-0054-0409-1000-0000000ff1ce}-c\visiomui.msi.readme_txt 1.14 KB MD5: c8fe7dd3a48816ae1ef5b6140e83837e
SHA1: 45952cb0a84509b5eb5fa08144b788b8d01e7b4c
SHA256: c3579174161a08e0c954f0ff8cd5fc38d8a77a63050780beee23bad67da0b0dd
False
c:\msocache\all users\{90140000-0054-0409-1000-0000000ff1ce}-c\visiomui.xml.readme_txt 1.14 KB MD5: bfb894c0dbcbdc656bccd586eedba655
SHA1: c1c9f22a06d36aab1eb38b6dac529031cd455218
SHA256: b669ffa1126db4d89fc046567de402f1ce05ddb9a8a09ab9e36498d19c15907b
False
c:\msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\onenotemui.msi.readme_txt 1.14 KB MD5: 90657b5945963181634d2065ccff14f3
SHA1: 221ed4a51e562947dc7426ee5525c9ba691546bc
SHA256: 5622b5ef3230d9b8c0ae7cbd0089138da8f6d9e07706e5a2921a0979d81c46e9
False
c:\msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\onenotemui.xml.readme_txt 1.14 KB MD5: 8bf14dabed668e5ffec9ceeabd8fb1aa
SHA1: 2a9427942fd95cb8cbe264cd764bfa35fd43daa9
SHA256: d335b6fe1d708efc0528a3f89448c85a59e5b02a6b93ceeb7f7643c2855a5410
False
c:\msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\onotelr.cab.readme_txt 1.14 KB MD5: 8268aa9cd9176f472b7d17e0cb4c2791
SHA1: c6ebed531ead62b01495dc31d448faed819965df
SHA256: f03a28bb6e520e254413011a1d467e6fece5cbd52162e1bbdf3752523e8a7deb
False
c:\msocache\all users\{90140000-00a1-0409-1000-0000000ff1ce}-c\setup.xml.readme_txt 1.14 KB MD5: 31b8cf444574e57e1e0f8d6b16aca11e
SHA1: b26eab4194196084a785440f43f72cf38b1f2f97
SHA256: 252c24efeea20ad8b9014e8a41d43cfa8cda7e33ebbf4022514c9c882fbbbdfa
False
c:\msocache\all users\{90140000-00b4-0409-1000-0000000ff1ce}-c\projectmui.msi.readme_txt 1.14 KB MD5: d3c07e4f6f6ae99737e6c1b2e6d72675
SHA1: 4b87463a1dbe992249e13e993740242e215a242d
SHA256: a3019fc1f759f283ff225a3b8916183bf334ac6b5722559ea4015ad879d01e76
False
c:\msocache\all users\{90140000-00b4-0409-1000-0000000ff1ce}-c\projectmui.xml.readme_txt 1.14 KB MD5: 313b34769116eaeef9a5080708871452
SHA1: ab6b891d6de014610346ab592bae32de3717b9b9
SHA256: 0ddfbe35baabe01e96a2ef1c37df3760e50b09aeb146aae8eafbb0c579b5f463
False
c:\msocache\all users\{90140000-00b4-0409-1000-0000000ff1ce}-c\projlr.cab.readme_txt 1.14 KB MD5: ad69bc138979fce1badba138a9f14cf4
SHA1: ec8411f40d2865199956c2820ca908f40a853baa
SHA256: 7070f416a4578d62ad3d8804e446179e3a0d932cc4b763659d0c588967bd6ce4
False
c:\msocache\all users\{90140000-00b4-0409-1000-0000000ff1ce}-c\setup.xml.readme_txt 1.14 KB MD5: 592cec83ca9fa68e91ec482f3a9aec73
SHA1: 92f8879825c9be1aaf92c030c1ef4fc288fc28e8
SHA256: dc6fc67e8ac4ef16a509d865c8a4bbfa9cc4b3291a0ce9f990970796e1800f6c
False
c:\msocache\all users\{90140000-00ba-0409-1000-0000000ff1ce}-c\groovelr.cab.readme_txt 1.14 KB MD5: 7dd4d54cb4359a4a9d09478e89a87df7
SHA1: 8a6c4b6d443f024b29a5e526924d6fa1d3356e15
SHA256: c5185d669b96f7cc15a820eaaf6370f7f70149edddddab9d5ea973bde08ac2ab
False
c:\msocache\all users\{90140000-00ba-0409-1000-0000000ff1ce}-c\groovemui.msi.readme_txt 1.14 KB MD5: 8335f6d1f9815bd0aeb92172e2279edc
SHA1: e8ac5c59763f877cbcedb20d1fbe971e0eba3e56
SHA256: 70c07da37f0a383166c7b90c361e0471315ab191d22f34b355c1fdc962040ab9
False
c:\msocache\all users\{90140000-00ba-0409-1000-0000000ff1ce}-c\groovemui.xml.readme_txt 1.14 KB MD5: e6a01288565ad166df16ad609cdf83d2
SHA1: 4b9f83df0d905516c04eb2a99d9a93bdf3b3d889
SHA256: c4d616e0223f37e6b4aad632cc0a1934d53575b910b690b1c551ca04a547e4c3
False
c:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\excellr.cab.locked 10.00 MB MD5: 1011371b8bd0620ece647ed07d002021
SHA1: edf5e9c91ffcd26d3ba6c741ee4af2d3baa85934
SHA256: b57a12d8da53f9e90d01bc1d66f2cb36ef72f3896fa3de5b7775dabbb94ce36c
False
c:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\excelmui.msi.locked 2.39 MB MD5: abb11ceec65e899b02a7160e459d1e8d
SHA1: fe098585bb813572c65ac411bc238820b6ef9eb1
SHA256: 54fac46d09dc463956a4ca92c9f7ca48666186180683a3ad1d674201877b162e
False
c:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\excelmui.xml.locked 1.53 KB MD5: 120d748dfc78fb485e736ce2583a8765
SHA1: 61607eea12dfca24ce901e42d55bcc29a1c868c4
SHA256: 88a630153ae60c364446f625892f74eabd8d0b81df52cd3171655709866270ab
False
c:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\setup.xml.locked 2.24 KB MD5: ce9dbb5d78b692d1e54fbf5c2af904df
SHA1: 8e2bde313e4b1cbec31e8f770f2b279de46bb66c
SHA256: 025a6bad72864e2fb8eb714b00124e1d49aed6498e599b5d5b2d9fdfd49dcfd2
False
c:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\powerpointmui.msi.locked 2.39 MB MD5: b9873578bb1bca6a856d8658760b8001
SHA1: 73f9d1fefa1da2ac52fc91c23813793134a99282
SHA256: 735b9844536c2c8fb78d884032aa4d7c0d2bec5c05343db1804d1e847f582068
False
c:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\powerpointmui.xml.locked 1.42 KB MD5: f986071de349953c3e451e15003eed1d
SHA1: ecfe400ba14481691d76520b30279e43b0d301c9
SHA256: 3fdd81d1a0b170351f0083aadd057ff97a98f8d607b14842baf30d8a94ffac8e
False
c:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\pptlr.cab.locked 10.00 MB MD5: d33dba0388975e348dcb92e296fb20ab
SHA1: 3a786e08775d0dd46ad0889b0430f5a8355b1f4d
SHA256: 4f54c412e24df2918d161159635dd0aa8caa5fc2300a8b26fdcb5c2f06d80d2c
False
c:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\setup.xml.locked 1.84 KB MD5: feb56261ec9f1d5b6f50a75f529f0e80
SHA1: 03edfff8d28b1e2d24defbe1e6505064e4ccfca8
SHA256: 320f9bf0cd999855baceb9fd9f0d9f3d3edcd3d542474ef1f7545f29ac6fbe68
False
Host Behavior
File (616)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\\V5Hw0He6ZTJa4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1 Fn
Create C:\Windows\system32\nbtstat.exe desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Users\5P5NRG~1\AppData\Roaming\\V5HW0H~1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1
Fn
Create C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Users\5P5NRG~1\AppData\Roaming\\V5HW0H~1:bin desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1
Fn
Create C:\$Recycle.Bin desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\BCD desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\cs-CZ desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\cs-CZ\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\da-DK desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\da-DK\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\de-DE desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\de-DE\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\el-GR desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\el-GR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\en-US desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\en-US\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\en-US\memtest.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\es-ES desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\es-ES\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\fi-FI desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\fi-FI\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\Fonts\chs_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\cht_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\jpn_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\kor_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\wgl4_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\fr-FR desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\fr-FR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\hu-HU desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\hu-HU\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\it-IT desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\it-IT\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\ja-JP desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\ja-JP\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\ko-KR desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\ko-KR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\nb-NO desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\nb-NO\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\nl-NL desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\nl-NL\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\pl-PL desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\pl-PL\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\pt-BR desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\pt-BR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\pt-PT desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\pt-PT\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\ru-RU desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\ru-RU\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\sv-SE desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\sv-SE\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\tr-TR desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\tr-TR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\zh-CN desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\zh-CN\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\zh-HK desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\zh-HK\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\zh-TW desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\zh-TW\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Config.Msi desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Documents and Settings desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Fn
Create C:\MSOCache desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\MSOCache\All Users desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\\V5Hw0He6ZTJa4 type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\\V5Hw0He6ZTJa4 type = file_attributes True 1
Get Info C:\Windows\system32\nbtstat.exe type = file_attributes True 1
Get Info C:\Windows\system32\nbtstat.exe type = size, size_out = 0 True 1
Get Info C:\Users\5P5NRG~1\AppData\Roaming\\V5HW0H~1 type = file_attributes False 1
Get Info C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe type = file_attributes True 1
Get Info C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe type = size, size_out = 0 True 1
Get Info C:\Users\5P5NRG~1\AppData\Roaming\\V5HW0H~1:bin type = file_attributes False 1
Get Info C:\bootmgr type = file_attributes True 2
Get Info C:\BOOTSECT.BAK type = file_attributes True 2
Get Info C:\hiberfil.sys type = file_attributes False 1
Get Info C:\pagefile.sys type = file_attributes False 1
Get Info C:\$Recycle.Bin type = file_attributes True 1
Get Info C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000 type = file_attributes True 1
Get Info C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000\desktop.ini type = file_attributes True 2
Get Info C:\Boot type = file_attributes True 1
Get Info C:\Boot\BCD type = file_attributes True 3
Get Info C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000 type = file_type False 4
Get Info C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000 type = file_type True 3
Get Info - type = file_type True 37
Get Info - type = file_type False 2
Get Info - type = file_type True 60
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab type = time True 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi type = time True 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab type = time True 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi type = time True 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi type = time True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab type = time True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi type = time True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab type = time True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi type = time True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab type = time True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi type = time True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.msi type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi type = time True 1
Get Info C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab type = time True 1
Get Info C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml.readme_txt type = file_attributes False 1
Move C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab.locked source_filename = C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab True 1
Move C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi.locked source_filename = C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml True 1
Move C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi.locked source_filename = C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml True 1
Move C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab.locked source_filename = C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab True 1
Move C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi.locked source_filename = C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml True 1
Move C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab.locked source_filename = C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab True 1
Move C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab.locked source_filename = C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab True 1
Move C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi.locked source_filename = C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml.locked source_filename = C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml True 1
Move C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab.locked source_filename = C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab True 1
Move C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi.locked source_filename = C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml.locked source_filename = C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi.locked source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml.locked source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab.locked source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi.locked source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml.locked source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab.locked source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi.locked source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml.locked source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab.locked source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi.locked source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml.locked source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml True 1
Move C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi.locked source_filename = C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi True 1
Move C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml True 1
Move C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab.locked source_filename = C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab True 1
Move C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab.locked source_filename = C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab True 1
Move C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi.locked source_filename = C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml True 1
Move C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab.locked source_filename = C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab True 1
Move C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.msi.locked source_filename = C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml True 1
Move C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi.locked source_filename = C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml.locked source_filename = C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml True 1
Move C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab.locked source_filename = C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab True 1
Move C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.msi.locked source_filename = C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml.locked source_filename = C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml True 1
Move C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab.locked source_filename = C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab True 1
Move C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab.locked source_filename = C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab True 1
Move C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.msi.locked source_filename = C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml.locked source_filename = C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml True 1
Read C:\Windows\system32\nbtstat.exe size = 17920, size_out = 17920 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe size = 182272, size_out = 182272 True 1
Read C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab size = 10485760, size_out = 10485760 True 1
Read C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab size = 6487227, size_out = 6487227 True 1
Read C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi size = 2506240, size_out = 2506240 True 1
Read C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml size = 1565, size_out = 1565 True 1
Read C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml size = 2296, size_out = 2296 True 1
Read C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi size = 2503680, size_out = 2503680 True 1
Read C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml size = 1450, size_out = 1450 True 1
Read C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab size = 10485760, size_out = 10485760 True 6
Read C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab size = 7447184, size_out = 7447184 True 1
Read C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml size = 1886, size_out = 1886 True 1
Read C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi size = 2513920, size_out = 2513920 True 1
Read C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml size = 1450, size_out = 1450 True 1
Read C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab size = 9958388, size_out = 9958388 True 1
Read C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml size = 1608, size_out = 1608 True 1
Read C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab size = 10485760, size_out = 10485760 True 1
Read C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab size = 4333516, size_out = 4333516 True 1
Read C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi size = 2865664, size_out = 2865664 True 1
Read C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml size = 3186, size_out = 3186 True 1
Read C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml size = 4207, size_out = 4207 True 1
Read C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml size = 2424, size_out = 2424 True 1
Read C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab size = 10485760, size_out = 10485760 True 4
Read C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab size = 1863101, size_out = 1863101 True 1
Read C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi size = 2522624, size_out = 2522624 True 1
Read C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml size = 1800, size_out = 1800 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi size = 868864, size_out = 868864 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml size = 811, size_out = 811 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml size = 5884, size_out = 5884 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab size = 10485760, size_out = 10485760 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab size = 996845, size_out = 996845 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi size = 875520, size_out = 875520 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml size = 1347, size_out = 1347 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab size = 10485760, size_out = 10485760 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab size = 3156714, size_out = 3156714 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi size = 881152, size_out = 881152 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml size = 1457, size_out = 1457 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab size = 10485760, size_out = 10485760 True 2
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab size = 93012, size_out = 93012 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi size = 885760, size_out = 885760 True 1
Fn
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml size = 1458, size_out = 1458 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi size = 873984, size_out = 873984 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml size = 1383, size_out = 1383 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab size = 2928955, size_out = 2928955 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml size = 2362, size_out = 2362 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab size = 10485760, size_out = 10485760 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab size = 8389124, size_out = 8389124 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi size = 3124224, size_out = 3124224 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml size = 1231, size_out = 1231 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml size = 1852, size_out = 1852 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml size = 6241, size_out = 6241 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab size = 10485760, size_out = 10485760 True 4
Fn
Read C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab size = 8880349, size_out = 8880349 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.msi size = 2797568, size_out = 2797568 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml size = 9503, size_out = 9503 True 1
Fn
Read C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi size = 2503680, size_out = 2503680 True 1
Fn
Read C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml size = 1606, size_out = 1606 True 1
Fn
Read C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab size = 10485760, size_out = 10485760 True 1
Fn
Read C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab size = 6970872, size_out = 6970872 True 1
Fn
Read C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml size = 1988, size_out = 1988 True 1
Fn
Read C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.msi size = 2511872, size_out = 2511872 True 1
Fn
Read C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml size = 1452, size_out = 1452 True 1
Fn
Read C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab size = 8265165, size_out = 8265165 True 1
Fn
Read C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml size = 1872, size_out = 1872 True 1
Fn
Read C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab size = 4095519, size_out = 4095519 True 1
Fn
Read C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.msi size = 2507776, size_out = 2507776 True 1
Fn
Read C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml size = 913, size_out = 913 True 1
Fn
Read C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml size = 1452, size_out = 1452 True 1
Fn
Write C:\Users\5P5NRG~1\AppData\Roaming\\V5HW0H~1 size = 17920 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Roaming\\V5HW0H~1:bin size = 182272 True 1
Fn
Data
Write C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab.readme_txt size = 970 True 1
Fn
Data
Write C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi.readme_txt size = 970 True 1
Fn
Data
Write C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml.readme_txt size = 970 True 1
Fn
Data
Write C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 970 True 1
Fn
Data
Write C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi.readme_txt size = 970 True 1
Fn
Data
Write C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml.readme_txt size = 970 True 1
Fn
Data
Write C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab.readme_txt size = 970 True 1
Fn
Data
Write C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 970 True 1
Fn
Data
Write C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi.readme_txt size = 970 True 1
Fn
Data
Write C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml.readme_txt size = 970 True 1
Fn
Data
Write C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.msi.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.msi.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.msi.readme_txt size = 970 True 1
Fn
Write C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml.readme_txt size = 970 True 1
Fn
Delete C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\\V5Hw0He6ZTJa4 - True 1
Fn
Registry (213)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value_name = EnableLUA, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value_name = EnableLUA, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Duplicate Key - - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - False 1
Fn
Process (197)
Operation Process Additional Information Success Count Logfile
Create C:\Users\5P5NRG~1\AppData\Roaming\\V5HW0H~1:bin os_pid = 0xad8, show_window = SW_HIDE True 1
Fn
Get filename System - False 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\smss.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\Windows Sidebar\picture_pk.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\csrss.exe True 5
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\wininit.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\svchost.exe True 18
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\winlogon.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\services.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\lsass.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\lsm.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\audiodg.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\spoolsv.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\taskhost.exe True 4
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\dwm.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\taskeng.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\explorer.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files (x86)\Internet Explorer\transportationporval.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files (x86)\Microsoft Analysis Services\liverpool-brazil-kind-researchers.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\Internet Explorer\azerbaijan australia map.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files (x86)\Microsoft Analysis Services\seattleconvertible.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\Windows Portable Devices\camps_part_october.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files (x86)\Windows Portable Devices\fskaslidesoregon.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\Microsoft Synchronization Services\ny surge discounts.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\Internet Explorer\furniture-cg.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\Windows Journal\angry_region_seconds.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\Reference Assemblies\soviet-nutten-samples-configured.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files (x86)\Google\wishes_pixels_reflected_edgar.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files (x86)\Windows Photo Viewer\nyc-actor-fault-logistics.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\Reference Assemblies\duration_electricity_columbia_estate.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\Windows Photo Viewer\prominent.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files (x86)\Java\after practical kiss sir.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\Reference Assemblies\epson-pressing-camera.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\Microsoft Sync Framework\baptist-extraction.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\Common Files\challenged.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\MSBuild\rhode-jay.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\conhost.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\VSSVC.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe True 2
Fn
Get Info System type = PROCESS_SESSION_INFORMATION True 95
Fn
Open System desired_access = PROCESS_QUERY_INFORMATION False 2
Fn
Open System desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 2
Fn
Memory (7)
Operation Process Additional Information Success Count Logfile
Get Info System address = 0xff2a3000, allocation_type = MEM_COMMIT, size_out = 2046 True 1
Fn
Get Info System address = 0xff2a4000, allocation_type = MEM_COMMIT, size_out = 2046 True 1
Fn
Get Info System address = 0xff2a5000, allocation_type = MEM_RESERVE, size_out = 2046 True 1
Fn
Get Info System address = 0xff2a7000, allocation_type = MEM_RELEASE, size_out = 2046 True 1
Fn
Get Info System address = 0xff2af000, allocation_type = MEM_COMMIT, MEM_TOP_DOWN, size_out = 0 True 1
Fn
Get Info System address = 0xff3b0000, allocation_type = MEM_COMMIT, size_out = 2046 True 1
Fn
Get Info System address = 0x60 True 1
Fn
Module (87)
Operation Module Additional Information Success Count Logfile
Load KERNEL32.dll base_address = 0x75fd0000 True 1
Fn
Load crypt32.dll base_address = 0x0 True 1
Fn
Load psapi.dll base_address = 0x0 True 1
Fn
Get Handle c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe base_address = 0x400000 True 2
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe, size = 4096 True 1
Fn
Get Filename crypt32.dll process_name = c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe, size = 512 True 1
Fn
Get Filename psapi.dll process_name = c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe, size = 512 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringA, address_out = 0x7600b2b7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapValidate, address_out = 0x75ffb17b True 1
Fn
Map - process_name = c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe, desired_access = FILE_MAP_READ True 18
Fn
Map - process_name = c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe, desired_access = FILE_MAP_READ False 59
Fn
Service (480)
Operation Additional Information Success Count
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Get Info service_name = AdobeFlashPlayerUpdateSvc False 1
Get Info service_name = AdobeFlashPlayerUpdateSvc True 1
Get Info service_name = AeLookupSvc False 1
Get Info service_name = AeLookupSvc True 1
Get Info service_name = ALG False 1
Get Info service_name = ALG True 1
Get Info service_name = AppIDSvc False 1
Get Info service_name = AppIDSvc True 1
Get Info service_name = Appinfo False 1
Get Info service_name = Appinfo True 1
Get Info service_name = AppMgmt False 1
Get Info service_name = AppMgmt True 1
Get Info service_name = aspnet_state False 1
Get Info service_name = aspnet_state True 1
Get Info service_name = AudioEndpointBuilder False 1
Get Info service_name = AudioEndpointBuilder True 1
Get Info service_name = AudioSrv False 1
Get Info service_name = AudioSrv True 1
Get Info service_name = AxInstSV False 1
Get Info service_name = AxInstSV True 1
Get Info service_name = BDESVC False 1
Get Info service_name = BDESVC True 1
Get Info service_name = BFE False 1
Get Info service_name = BFE True 1
Get Info service_name = BITS False 1
Get Info service_name = BITS True 1
Get Info service_name = Browser False 1
Get Info service_name = Browser True 1
Get Info service_name = bthserv False 1
Get Info service_name = bthserv True 1
Get Info service_name = CertPropSvc False 1
Get Info service_name = CertPropSvc True 1
Get Info service_name = clr_optimization_v2.0.50727_32 False 1
Get Info service_name = clr_optimization_v2.0.50727_32 True 1
Get Info service_name = clr_optimization_v2.0.50727_64 False 1
Get Info service_name = clr_optimization_v2.0.50727_64 True 1
Get Info service_name = clr_optimization_v4.0.30319_32 False 1
Get Info service_name = clr_optimization_v4.0.30319_32 True 1
Get Info service_name = clr_optimization_v4.0.30319_64 False 1
Get Info service_name = clr_optimization_v4.0.30319_64 True 1
Get Info service_name = COMSysApp False 1
Get Info service_name = COMSysApp True 1
Get Info service_name = CryptSvc False 1
Get Info service_name = CryptSvc True 1
Get Info service_name = CscService False 1
Get Info service_name = CscService True 1
Get Info service_name = DcomLaunch False 1
Get Info service_name = DcomLaunch True 1
Get Info service_name = defragsvc False 1
Get Info service_name = defragsvc True 1
Get Info service_name = Dhcp False 1
Get Info service_name = Dhcp True 1
Get Info service_name = Dnscache False 1
Get Info service_name = Dnscache True 1
Get Info service_name = dot3svc False 1
Get Info service_name = dot3svc True 1
Get Info service_name = DPS False 1
Get Info service_name = DPS True 1
Get Info service_name = EapHost False 1
Get Info service_name = EapHost True 1
Get Info service_name = EFS False 1
Get Info service_name = EFS True 1
Get Info service_name = ehRecvr False 1
Get Info service_name = ehRecvr True 1
Get Info service_name = ehSched False 1
Get Info service_name = ehSched True 1
Get Info service_name = eventlog False 1
Get Info service_name = eventlog True 1
Get Info service_name = EventSystem False 1
Get Info service_name = EventSystem True 1
Get Info service_name = Fax False 1
Get Info service_name = Fax True 1
Get Info service_name = fdPHost False 1
Get Info service_name = fdPHost True 1
Get Info service_name = FDResPub False 1
Get Info service_name = FDResPub True 1
Get Info service_name = FontCache False 1
Get Info service_name = FontCache True 1
Get Info service_name = FontCache3.0.0.0 False 1
Get Info service_name = FontCache3.0.0.0 True 1
Get Info service_name = gpsvc False 1
Get Info service_name = gpsvc True 1
Get Info service_name = gupdate False 1
Get Info service_name = gupdate True 1
Get Info service_name = gupdatem False 1
Get Info service_name = gupdatem True 1
Get Info service_name = hidserv False 1
Get Info service_name = hidserv True 1
Get Info service_name = hkmsvc False 1
Get Info service_name = hkmsvc True 1
Get Info service_name = HomeGroupListener False 1
Get Info service_name = HomeGroupListener True 1
Get Info service_name = HomeGroupProvider False 1
Get Info service_name = HomeGroupProvider True 1
Get Info service_name = idsvc False 1
Get Info service_name = idsvc True 1
Get Info service_name = IKEEXT False 1
Get Info service_name = IKEEXT True 1
Get Info service_name = IPBusEnum False 1
Get Info service_name = IPBusEnum True 1
Get Info service_name = iphlpsvc False 1
Get Info service_name = iphlpsvc True 1
Get Info service_name = KeyIso False 1
Get Info service_name = KeyIso True 1
Get Info service_name = KtmRm False 1
Get Info service_name = KtmRm True 1
Get Info service_name = LanmanServer False 1
Get Info service_name = LanmanServer True 1
Get Info service_name = LanmanWorkstation False 1
Get Info service_name = LanmanWorkstation True 1
Get Info service_name = lltdsvc False 1
Get Info service_name = lltdsvc True 1
Get Info service_name = lmhosts False 1
Get Info service_name = lmhosts True 1
Get Info service_name = Mcx2Svc False 1
Get Info service_name = Mcx2Svc True 1
Get Info service_name = Microsoft SharePoint Workspace Audit Service False 1
Get Info service_name = Microsoft SharePoint Workspace Audit Service True 1
Get Info service_name = MMCSS False 1
Get Info service_name = MMCSS True 1
Get Info service_name = MozillaMaintenance False 1
Get Info service_name = MozillaMaintenance True 1
Get Info service_name = MpsSvc False 1
Get Info service_name = MpsSvc True 1
Get Info service_name = MSDTC False 1
Get Info service_name = MSDTC True 1
Get Info service_name = MSiSCSI False 1
Get Info service_name = MSiSCSI True 1
Get Info service_name = msiserver False 1
Get Info service_name = msiserver True 1
Get Info service_name = napagent False 1
Get Info service_name = napagent True 1
Get Info service_name = Netlogon False 1
Get Info service_name = Netlogon True 1
Get Info service_name = Netman False 1
Get Info service_name = Netman True 1
Get Info service_name = NetMsmqActivator False 1
Get Info service_name = NetMsmqActivator True 1
Get Info service_name = NetPipeActivator False 1
Get Info service_name = NetPipeActivator True 1
Get Info service_name = netprofm False 1
Get Info service_name = netprofm True 1
Get Info service_name = NetTcpActivator False 1
Get Info service_name = NetTcpActivator True 1
Get Info service_name = NetTcpPortSharing False 1
Get Info service_name = NetTcpPortSharing True 1
Get Info service_name = NlaSvc False 1
Get Info service_name = NlaSvc True 1
Get Info service_name = nsi False 1
Get Info service_name = nsi True 1
Get Info service_name = ose64 False 1
Get Info service_name = ose64 True 1
Get Info service_name = osppsvc False 1
Get Info service_name = osppsvc True 1
Get Info service_name = p2pimsvc False 1
Get Info service_name = p2pimsvc True 1
Get Info service_name = p2psvc False 1
Get Info service_name = p2psvc True 1
Get Info service_name = PcaSvc False 1
Get Info service_name = PcaSvc True 1
Get Info service_name = PeerDistSvc False 1
Get Info service_name = PeerDistSvc True 1
Get Info service_name = PerfHost False 1
Get Info service_name = PerfHost True 1
Get Info service_name = pla False 1
Get Info service_name = pla True 1
Get Info service_name = PlugPlay False 1
Get Info service_name = PlugPlay True 1
Get Info service_name = PNRPAutoReg False 1
Get Info service_name = PNRPAutoReg True 1
Get Info service_name = PNRPsvc False 1
Get Info service_name = PNRPsvc True 1
Get Info service_name = PolicyAgent False 1
Get Info service_name = PolicyAgent True 1
Get Info service_name = Power False 1
Get Info service_name = Power True 1
Get Info service_name = ProfSvc False 1
Get Info service_name = ProfSvc True 1
Get Info service_name = ProtectedStorage False 1
Get Info service_name = ProtectedStorage True 1
Get Info service_name = QWAVE False 1
Get Info service_name = QWAVE True 1
Get Info service_name = RasAuto False 1
Get Info service_name = RasAuto True 1
Get Info service_name = RasMan False 1
Get Info service_name = RasMan True 1
Get Info service_name = RemoteAccess False 1
Get Info service_name = RemoteAccess True 1
Get Info service_name = RemoteRegistry False 1
Get Info service_name = RemoteRegistry True 1
Get Info service_name = RpcEptMapper False 1
Get Info service_name = RpcEptMapper True 1
Get Info service_name = RpcLocator False 1
Get Info service_name = RpcLocator True 1
Get Info service_name = RpcSs False 1
Get Info service_name = RpcSs True 1
Get Info service_name = SamSs False 1
Get Info service_name = SamSs True 1
Get Info service_name = SCardSvr False 1
Get Info service_name = SCardSvr True 1
Get Info service_name = Schedule False 1
Get Info service_name = Schedule True 1
Get Info service_name = SCPolicySvc False 1
Get Info service_name = SCPolicySvc True 1
Get Info service_name = SDRSVC False 1
Get Info service_name = SDRSVC True 1
Get Info service_name = seclogon False 1
Get Info service_name = seclogon True 1
Get Info service_name = SENS False 1
Get Info service_name = SENS True 1
Get Info service_name = SensrSvc False 1
Get Info service_name = SensrSvc True 1
Get Info service_name = SessionEnv False 1
Get Info service_name = SessionEnv True 1
Get Info service_name = SharedAccess False 1
Get Info service_name = SharedAccess True 1
Get Info service_name = ShellHWDetection False 1
Get Info service_name = ShellHWDetection True 1
Get Info service_name = SNMPTRAP False 1
Get Info service_name = SNMPTRAP True 1
Get Info service_name = Spooler False 1
Get Info service_name = Spooler True 1
Get Info service_name = sppsvc False 1
Get Info service_name = sppsvc True 1
Get Info service_name = sppuinotify False 1
Get Info service_name = sppuinotify True 1
Get Info service_name = SSDPSRV False 1
Get Info service_name = SSDPSRV True 1
Get Info service_name = SstpSvc False 1
Get Info service_name = SstpSvc True 1
Get Info service_name = stisvc False 1
Get Info service_name = stisvc True 1
Get Info service_name = StorSvc False 1
Get Info service_name = StorSvc True 1
Get Info service_name = swprv False 1
Get Info service_name = swprv True 1
Get Info service_name = SysMain False 1
Get Info service_name = SysMain True 1
Get Info service_name = TabletInputService False 1
Get Info service_name = TabletInputService True 1
Get Info service_name = TapiSrv False 1
Get Info service_name = TapiSrv True 1
Get Info service_name = TBS False 1
Get Info service_name = TBS True 1
Get Info service_name = TermService False 1
Get Info service_name = TermService True 1
Get Info service_name = Themes False 1
Get Info service_name = Themes True 1
Get Info service_name = THREADORDER False 1
Get Info service_name = THREADORDER True 1
Get Info service_name = TrkWks False 1
Get Info service_name = TrkWks True 1
Get Info service_name = TrustedInstaller False 1
Get Info service_name = TrustedInstaller True 1
Get Info service_name = UI0Detect False 1
Get Info service_name = UI0Detect True 1
Get Info service_name = UmRdpService False 1
Get Info service_name = UmRdpService True 1
Get Info service_name = upnphost False 1
Get Info service_name = upnphost True 1
Get Info service_name = UxSms False 1
Get Info service_name = UxSms True 1
Get Info service_name = VaultSvc False 1
Get Info service_name = VaultSvc True 1
Get Info service_name = vds False 1
Get Info service_name = vds True 1
Get Info service_name = VSS False 1
Get Info service_name = VSS True 1
Get Info service_name = W32Time False 1
Get Info service_name = W32Time True 1
Get Info service_name = wbengine False 1
Get Info service_name = wbengine True 1
Get Info service_name = WbioSrvc False 1
Get Info service_name = WbioSrvc True 1
Get Info service_name = wcncsvc False 1
Get Info service_name = wcncsvc True 1
Get Info service_name = WcsPlugInService False 1
Get Info service_name = WcsPlugInService True 1
Get Info service_name = WdiServiceHost False 1
Get Info service_name = WdiServiceHost True 1
Get Info service_name = WdiSystemHost False 1
Get Info service_name = WdiSystemHost True 1
Get Info service_name = WebClient False 1
Get Info service_name = WebClient True 1
Get Info service_name = Wecsvc False 1
Get Info service_name = Wecsvc True 1
Get Info service_name = wercplsupport False 1
Get Info service_name = wercplsupport True 1
Get Info service_name = WerSvc False 1
Get Info service_name = WerSvc True 1
Get Info service_name = WinDefend False 1
Get Info service_name = WinDefend True 1
Get Info service_name = WinHttpAutoProxySvc False 1
Get Info service_name = WinHttpAutoProxySvc True 1
Get Info service_name = Winmgmt False 1
Get Info service_name = Winmgmt True 1
Get Info service_name = WinRM False 1
Get Info service_name = WinRM True 1
Get Info service_name = Wlansvc False 1
Get Info service_name = Wlansvc True 1
Get Info service_name = wmiApSrv False 1
Get Info service_name = wmiApSrv True 1
Get Info service_name = WMPNetworkSvc False 1
Get Info service_name = WMPNetworkSvc True 1
Get Info service_name = WPCSvc False 1
Get Info service_name = WPCSvc True 1
Get Info service_name = WPDBusEnum False 1
Get Info service_name = WPDBusEnum True 1
Get Info service_name = wscsvc False 1
Get Info service_name = wscsvc True 1
Get Info service_name = WSearch False 1
Get Info service_name = WSearch True 1
Get Info service_name = wuauserv False 1
Get Info service_name = wuauserv True 1
Get Info service_name = wudfsvc False 1
Get Info service_name = wudfsvc True 1
Get Info service_name = WwanSvc False 1
Get Info service_name = WwanSvc True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Register Handler - True 1
Driver (45)
Operation Driver Additional Information Success Count
Control C:\$Recycle.Bin control_code = 0x900a8 False 1
Control C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000 control_code = 0x900a8 False 1
Control C:\Boot control_code = 0x900a8 False 1
Control C:\Boot\cs-CZ control_code = 0x900a8 False 1
Control C:\Boot\da-DK control_code = 0x900a8 False 1
Control C:\Boot\de-DE control_code = 0x900a8 False 1
Control C:\Boot\el-GR control_code = 0x900a8 False 1
Control C:\Boot\en-US control_code = 0x900a8 False 1
Control C:\Boot\es-ES control_code = 0x900a8 False 1
Control C:\Boot\fi-FI control_code = 0x900a8 False 1
Control C:\Boot\Fonts control_code = 0x900a8 False 1
Control C:\Boot\fr-FR control_code = 0x900a8 False 1
Control C:\Boot\hu-HU control_code = 0x900a8 False 1
Control C:\Boot\it-IT control_code = 0x900a8 False 1
Control C:\Boot\ja-JP control_code = 0x900a8 False 1
Control C:\Boot\ko-KR control_code = 0x900a8 False 1
Control C:\Boot\nb-NO control_code = 0x900a8 False 1
Control C:\Boot\nl-NL control_code = 0x900a8 False 1
Control C:\Boot\pl-PL control_code = 0x900a8 False 1
Control C:\Boot\pt-BR control_code = 0x900a8 False 1
Control C:\Boot\pt-PT control_code = 0x900a8 False 1
Control C:\Boot\ru-RU control_code = 0x900a8 False 1
Control C:\Boot\sv-SE control_code = 0x900a8 False 1
Control C:\Boot\tr-TR control_code = 0x900a8 False 1
Control C:\Boot\zh-CN control_code = 0x900a8 False 1
Control C:\Boot\zh-HK control_code = 0x900a8 False 1
Control C:\Boot\zh-TW control_code = 0x900a8 False 1
Control C:\Config.Msi control_code = 0x900a8 False 1
Control C:\MSOCache control_code = 0x900a8 False 1
Control C:\MSOCache\All Users control_code = 0x900a8 False 1
Control C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1
Control C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1
Control C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1
Control C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1
Control C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1
Control C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1
Control C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en control_code = 0x900a8 False 1
Control C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es control_code = 0x900a8 False 1
Control C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr control_code = 0x900a8 False 1
Control C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1
Control C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1
Control C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1
Control C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1
Control C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1
Control C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1
System (252)
Operation Additional Information Success Count
Sleep duration = -1 (infinite) True 249
Get Info type = Operating System True 1
Get Info type = Wow64 Directory, result_out = C:\Windows\SysWOW64 True 1
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Mutex (5)
Operation Additional Information Success Count
Create - True 1
Open mutex_name = Global\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E} False 2
Open mutex_name = Global\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E}, desired_access = SYNCHRONIZE True 1
Release - True 1
Environment (1)
Operation Additional Information Success Count
Get Environment String name = COMPUTERNAME, result_out = XDUWTFONO True 1
Process #21: svchost.exe
Information Value
ID #21
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\System32\svchost.exe -k swprv
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:16, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:01:13
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xabc
Parent PID 0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0xAC0, 0xAC4, 0xAC8, 0xACC, 0xAD0, 0xAD4, 0x80C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000c0000 0x000c0000 0x0017ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000180000 0x00180000 0x00181fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory Readable, Writable True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory Readable, Writable True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory Readable, Writable True False False -
private_0x0000000000410000 0x00410000 0x00410fff Private Memory Readable, Writable True False False -
private_0x0000000000420000 0x00420000 0x00420fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000430000 0x00430000 0x00430fff Pagefile Backed Memory Readable True False False -
private_0x0000000000490000 0x00490000 0x0050ffff Private Memory Readable, Writable True False False -
private_0x0000000000510000 0x00510000 0x0058ffff Private Memory Readable, Writable True False False -
private_0x0000000000590000 0x00590000 0x0059ffff Private Memory Readable, Writable True False False -
private_0x00000000005b0000 0x005b0000 0x0062ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x00630000 0x008fefff Memory Mapped File Readable False False False -
pagefile_0x0000000000900000 0x00900000 0x00a87fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000a90000 0x00a90000 0x00c10fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000c20000 0x00c20000 0x01012fff Pagefile Backed Memory Readable True False False -
private_0x0000000001140000 0x01140000 0x011bffff Private Memory Readable, Writable True False False -
private_0x0000000001210000 0x01210000 0x0128ffff Private Memory Readable, Writable True False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
svchost.exe 0xff470000 0xff47afff Memory Mapped File Readable, Writable, Executable False False False -
swprv.dll 0x7fef4590000 0x7fef4611fff Memory Mapped File Readable, Writable, Executable False False False -
vss_ps.dll 0x7fef8320000 0x7fef8333fff Memory Mapped File Readable, Writable, Executable False False False -
virtdisk.dll 0x7fef8370000 0x7fef8379fff Memory Mapped File Readable, Writable, Executable False False False -
fltlib.dll 0x7fef8390000 0x7fef8398fff Memory Mapped File Readable, Writable, Executable False False False -
vsstrace.dll 0x7fefac50000 0x7fefac66fff Memory Mapped File Readable, Writable, Executable False False False -
vssapi.dll 0x7fefac70000 0x7fefae1ffff Memory Mapped File Readable, Writable, Executable False False False -
atl.dll 0x7fefb770000 0x7fefb788fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x7fefd190000 0x7fefd1d6fff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x7fefd490000 0x7fefd4a6fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7fefda90000 0x7fefda9efff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x7fefdb80000 0x7fefdb93fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7fefdf70000 0x7fefe172fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x7fefef10000 0x7fefefa8fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feff3b0000 0x7feff3bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feff3c0000 0x7feff3edfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7feff910000 0x7feff976fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffa00000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x7feffb10000 0x7feffbe6fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feffe90000 0x7fefff58fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory Readable, Writable True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory Readable, Writable True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory Readable, Writable True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory Readable, Writable True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory Readable, Writable True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory Readable, Writable True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True False False -
Process #22: v5hw0h~1:bin
Information Value
ID #22
File Name c:\users\5p5nrg~1\appdata\roaming\v5hw0h~1:bin
Command Line C:\Users\5P5NRG~1\AppData\Roaming\\V5HW0H~1:bin
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:17, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:01:12
OS Process Information
Information Value
PID 0xad8
Parent PID 0xa64 (c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xADC, 0xB28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory Readable True False False -
locale.nls 0x001b0000 0x00216fff Memory Mapped File Readable False False False -
oleaccrc.dll 0x00220000 0x00220fff Memory Mapped File Readable False False False -
private_0x0000000000230000 0x00230000 0x0024afff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000250000 0x00250000 0x00261fff Private Memory Readable, Writable True False False -
private_0x0000000000290000 0x00290000 0x0029ffff Private Memory Readable, Writable True False False -
private_0x00000000002c0000 0x002c0000 0x0033ffff Private Memory Readable, Writable True False False -
private_0x0000000000340000 0x00340000 0x0037ffff Private Memory Readable, Writable True False False -
rsaenh.dll 0x00380000 0x003bbfff Memory Mapped File Readable False False False -
v5hw0h~1 0x00400000 0x0042efff Memory Mapped File Readable, Writable, Executable True True False
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory Readable, Writable True False False -
private_0x0000000000540000 0x00540000 0x0063ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000640000 0x00640000 0x007c7fff Pagefile Backed Memory Readable True False False -
private_0x00000000007f0000 0x007f0000 0x007fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000800000 0x00800000 0x00980fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000990000 0x00990000 0x01d8ffff Pagefile Backed Memory Readable True False False -
private_0x0000000001d90000 0x01d90000 0x01e8ffff Private Memory Readable, Writable True False False -
private_0x0000000001ea0000 0x01ea0000 0x01eaffff Private Memory Readable, Writable True False False -
private_0x0000000002050000 0x02050000 0x0205ffff Private Memory Readable, Writable True False False -
private_0x0000000002240000 0x02240000 0x0224ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x02250000 0x0251efff Memory Mapped File Readable False False False -
wow64cpu.dll 0x75360000 0x75367fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x75370000 0x753cbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x753d0000 0x7540efff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x75620000 0x75640fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x75660000 0x7569afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x756a0000 0x756b5fff Memory Mapped File Readable, Writable, Executable False False False -
msimg32.dll 0x756e0000 0x756e4fff Memory Mapped File Readable, Writable, Executable False False False -
oledlg.dll 0x756f0000 0x7570bfff Memory Mapped File Readable, Writable, Executable False False False -
oleacc.dll 0x75710000 0x7574bfff Memory Mapped File Readable, Writable, Executable False False False -
winmm.dll 0x75750000 0x75781fff Memory Mapped File Readable, Writable, Executable False False False -
winspool.drv 0x75790000 0x757e0fff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x757f0000 0x75873fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75980000 0x7598bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75990000 0x759effff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x75a30000 0x75a48fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x75a60000 0x75b7cfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75bb0000 0x75bf5fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x75fd0000 0x760dffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x760e0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x76180000 0x761d6fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x763c0000 0x763c9fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x763d0000 0x763dbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x763e0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x76670000 0x7671bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76720000 0x767ebfff Memory Mapped File Readable, Writable, Executable False False False -
comdlg32.dll 0x767f0000 0x7686afff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x76920000 0x77569fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x77570000 0x775cffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x775d0000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x776c0000 0x7781bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77820000 0x778affff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x77940000 0x77984fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x77990000 0x77a2cfff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000077a30000 0x77a30000 0x77b4efff Private Memory Readable, Writable, Executable True False False -
private_0x0000000077b50000 0x77b50000 0x77c49fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77e30000 0x77faffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Created Files
Filename File Size Hash Values YARA Match Actions
c:\windows\temp\fhb2f88.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\windows\temp\22f89.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\windows\temp\bc3380.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\windows\temp\xl3381.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\windows\temp\i3r3aa3.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\windows\temp\vp3aa4.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\windows\temp\hf3b7f.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\windows\temp\qe3b80.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\windows\temp\ac3d65.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\windows\temp\pk3d66.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\windows\temp\63ece.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\windows\temp\uzz3ecf.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\windows\temp\p6419d.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\windows\temp\hd041ae.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\windows\temp\bc3380.tmp 0.04 KB MD5: 605866a66fd890d4efa389a56fb183a4
SHA1: a367e27150a9a1902d7bbd65e63f683fe45f8f61
SHA256: 96dfbfffa039f5f9bce909a750cc90d5b1d1b4ccc4a515b2687a10c89f234047
False
c:\windows\temp\i3r3aa3.tmp 0.04 KB MD5: 605866a66fd890d4efa389a56fb183a4
SHA1: a367e27150a9a1902d7bbd65e63f683fe45f8f61
SHA256: 96dfbfffa039f5f9bce909a750cc90d5b1d1b4ccc4a515b2687a10c89f234047
False
c:\windows\temp\ac3d65.tmp 0.04 KB MD5: 605866a66fd890d4efa389a56fb183a4
SHA1: a367e27150a9a1902d7bbd65e63f683fe45f8f61
SHA256: 96dfbfffa039f5f9bce909a750cc90d5b1d1b4ccc4a515b2687a10c89f234047
False
c:\windows\temp\xl3381.tmp 0.06 KB MD5: 44ab1155051f70b414b12b027f92fce8
SHA1: 83cf1732eb1c826953880ef2f800409b00f20818
SHA256: ba00146ddfc63902906c6fe74901c94ae285a832ac095aeaa07857dedda55ea4
False
c:\windows\temp\vp3aa4.tmp 0.06 KB MD5: 58f0b5925675e4be77420b9d29c24c04
SHA1: e728cd694a3fee1e04e0124e86da05d7db5c1c54
SHA256: 1e81e0f55d5da3c062050676bb452f68b5c4cc944fddedebad1bfdb180e483b5
False
c:\windows\temp\hf3b7f.tmp 0.09 KB MD5: a6ba8e0370f83b101efaead1ffe56ba3
SHA1: 52aa83c47c570d7df33575bfc06a161dd91cbb73
SHA256: b28fa7dfe5b277f9056c095bf93d5545b1c29c3766189fbce791520244f2e62e
False
c:\windows\temp\pk3d66.tmp 0.06 KB MD5: fda9ff56c54a8234b5a8c49ae942aef0
SHA1: 239ebab32cb8f79a5ffb3f06cb6bdaaea40eef94
SHA256: 216a641af323ca047cc10c8660829e4ea4f9c29740c156ecc3871bcff884a4ff
False
c:\windows\temp\63ece.tmp 0.27 KB MD5: 48dc487b4efeae7397cf3de8ad52b857
SHA1: c02eaa43c144a37abc36f11bde2400c80ad26bb0
SHA256: 5d12da043c8ef4de78510423075ad0f5761bdcb474a3acef5db643f1246616a4
False
c:\windows\temp\uzz3ecf.tmp 0.10 KB MD5: 9a042997fea2f144df904de527694e58
SHA1: bebffe9adc332738333887230f1eec81ce8742ab
SHA256: f95584715df74f908b483323d278e9573e5b75adf0dd5d848859e849ebcdbcf7
False
Host Behavior
File (71)
Operation Filename Additional Information Success Count Logfile
Create C:\Windows\TEMP\FHB2F88.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Windows\TEMP\22F89.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Windows\TEMP\FHB2F88.tmp desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Windows\TEMP\BC3380.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Windows\TEMP\xL3381.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Windows\TEMP\BC3380.tmp desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Windows\TEMP\I3R3AA3.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Windows\TEMP\vp3AA4.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Windows\TEMP\I3R3AA3.tmp desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Windows\TEMP\hF3B7F.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Windows\TEMP\qe3B80.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Windows\TEMP\hF3B7F.tmp desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Windows\TEMP\ac3D65.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Windows\TEMP\PK3D66.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Windows\TEMP\ac3D65.tmp desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Windows\TEMP\63ECE.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Windows\TEMP\Uzz3ECF.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Windows\TEMP\63ECE.tmp desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Windows\TEMP\P6419D.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Windows\TEMP\hD041AE.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Windows\TEMP\P6419D.tmp desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create Temp File C:\Windows\TEMP\FHB2F88.tmp path = C:\Windows\TEMP, prefix = FHB True 1
Create Temp File C:\Windows\TEMP\22F89.tmp path = C:\Windows\TEMP, prefix = 2 True 1
Create Temp File C:\Windows\TEMP\BC3380.tmp path = C:\Windows\TEMP, prefix = BC True 1
Create Temp File C:\Windows\TEMP\xL3381.tmp path = C:\Windows\TEMP, prefix = xL True 1
Create Temp File C:\Windows\TEMP\I3R3AA3.tmp path = C:\Windows\TEMP, prefix = I3R True 1
Create Temp File C:\Windows\TEMP\vp3AA4.tmp path = C:\Windows\TEMP, prefix = vp True 1
Create Temp File C:\Windows\TEMP\hF3B7F.tmp path = C:\Windows\TEMP, prefix = hF True 1
Create Temp File C:\Windows\TEMP\qe3B80.tmp path = C:\Windows\TEMP, prefix = qe True 1
Create Temp File C:\Windows\TEMP\ac3D65.tmp path = C:\Windows\TEMP, prefix = ac True 1
Create Temp File C:\Windows\TEMP\PK3D66.tmp path = C:\Windows\TEMP, prefix = PK True 1
Create Temp File C:\Windows\TEMP\63ECE.tmp path = C:\Windows\TEMP, prefix = 6 True 1
Create Temp File C:\Windows\TEMP\Uzz3ECF.tmp path = C:\Windows\TEMP, prefix = Uzz True 1
Create Temp File C:\Windows\TEMP\P6419D.tmp path = C:\Windows\TEMP, prefix = P6 True 1
Create Temp File C:\Windows\TEMP\hD041AE.tmp path = C:\Windows\TEMP, prefix = hD0 True 1
Get Info C:\Windows\TEMP\FHB2F88.tmp type = size, size_out = 0 True 1
Get Info C:\Windows\TEMP\22F89.tmp type = file_attributes True 1
Get Info C:\Windows\TEMP\BC3380.tmp type = size, size_out = 0 True 1
Get Info C:\Windows\TEMP\xL3381.tmp type = file_attributes True 1
Get Info C:\Windows\TEMP\I3R3AA3.tmp type = size, size_out = 0 True 1
Get Info C:\Windows\TEMP\vp3AA4.tmp type = file_attributes True 1
Get Info C:\Windows\TEMP\hF3B7F.tmp type = size, size_out = 0 True 1
Get Info C:\Windows\TEMP\qe3B80.tmp type = file_attributes True 1
Get Info C:\Windows\TEMP\ac3D65.tmp type = size, size_out = 0 True 1
Get Info C:\Windows\TEMP\PK3D66.tmp type = file_attributes True 1
Get Info C:\Windows\TEMP\63ECE.tmp type = size, size_out = 0 True 1
Get Info C:\Windows\TEMP\Uzz3ECF.tmp type = file_attributes True 1
Get Info C:\Windows\TEMP\P6419D.tmp type = size, size_out = 0 True 1
Get Info C:\Windows\TEMP\hD041AE.tmp type = file_attributes True 1
Read C:\Windows\TEMP\FHB2F88.tmp size = 378, size_out = 378 True 1
Read C:\Windows\TEMP\BC3380.tmp size = 43, size_out = 43 True 1
Read C:\Windows\TEMP\I3R3AA3.tmp size = 43, size_out = 43 True 1
Read C:\Windows\TEMP\hF3B7F.tmp size = 92, size_out = 92 True 1
Read C:\Windows\TEMP\ac3D65.tmp size = 43, size_out = 43 True 1
Read C:\Windows\TEMP\63ECE.tmp size = 275, size_out = 275 True 1
Read C:\Windows\TEMP\P6419D.tmp size = 0, size_out = 0 True 1
Delete C:\Windows\TEMP\FHB2F88.tmp - True 1
Delete C:\Windows\TEMP\22F89.tmp - True 1
Delete C:\Windows\TEMP\BC3380.tmp - True 1
Delete C:\Windows\TEMP\xL3381.tmp - True 1
Delete C:\Windows\TEMP\I3R3AA3.tmp - True 1
Delete C:\Windows\TEMP\vp3AA4.tmp - True 1
Delete C:\Windows\TEMP\hF3B7F.tmp - True 1
Delete C:\Windows\TEMP\qe3B80.tmp - True 1
Delete C:\Windows\TEMP\ac3D65.tmp - True 1
Delete C:\Windows\TEMP\PK3D66.tmp - True 1
Delete C:\Windows\TEMP\63ECE.tmp - True 1
Delete C:\Windows\TEMP\Uzz3ECF.tmp - True 1
Delete C:\Windows\TEMP\P6419D.tmp - True 1
Delete C:\Windows\TEMP\hD041AE.tmp - True 1
Delete C:\Users\5P5NRG~1\AppData\Roaming\V5HW0H~1 - True 1
Registry (213)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value_name = EnableLUA, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value_name = EnableLUA, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Duplicate Key - - True 1
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - False 1
Fn
Process (7)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\arp.exe os_pid = 0xb3c, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Create C:\Windows\system32\nslookup.exe os_pid = 0xb6c, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Create C:\Windows\system32\nslookup.exe os_pid = 0xb88, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Create C:\Windows\system32\nslookup.exe os_pid = 0xba4, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Create C:\Windows\system32\nslookup.exe os_pid = 0xbbc, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Create C:\Windows\system32\nslookup.exe os_pid = 0xbd8, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Create C:\Windows\system32\net.exe os_pid = 0xbf0, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Module (1)
Operation Module Additional Information Success Count Logfile
Get Handle c:\users\5p5nrg~1\appdata\roaming\v5hw0h~1 base_address = 0x400000 True 1
System (2)
Operation Additional Information Success Count Logfile
Get Info type = Wow64 Directory, result_out = C:\Windows\SysWOW64 True 1
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Mutex (5)
Operation Additional Information Success Count Logfile
Create - True 1
Open mutex_name = Global\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E} False 2
Open mutex_name = Global\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E}, desired_access = SYNCHRONIZE True 1
Release - True 1
Process #23: svchost.exe
Information Value
ID #23
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:20, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:01:09
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xae8
Parent PID 0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Local Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xAEC, 0xAF0, 0xAF4, 0xAF8, 0xAFC, 0xB1C, 0x6CC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory Readable, Writable True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False -
private_0x00000000000f0000 0x000f0000 0x000fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000100000 0x00100000 0x001bffff Pagefile Backed Memory Readable True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory Readable, Writable True False False -
private_0x0000000000270000 0x00270000 0x002effff Private Memory Readable, Writable True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory Readable, Writable True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000510000 0x00510000 0x00697fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000006a0000 0x006a0000 0x00820fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000830000 0x00830000 0x00c22fff Pagefile Backed Memory Readable True False False -
private_0x0000000000c40000 0x00c40000 0x00cbffff Private Memory Readable, Writable True False False -
private_0x0000000000cf0000 0x00cf0000 0x00d6ffff Private Memory Readable, Writable True False False -
private_0x0000000000eb0000 0x00eb0000 0x00f2ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x00f30000 0x011fefff Memory Mapped File Readable False False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
svchost.exe 0xff470000 0xff47afff Memory Mapped File Readable, Writable, Executable False False False -
fntcache.dll 0x7fef41c0000 0x7fef42dafff Memory Mapped File Readable, Writable, Executable False False False -
ktmw32.dll 0x7fefb290000 0x7fefb299fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7fefda90000 0x7fefda9efff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7fefdf70000 0x7fefe172fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feff3b0000 0x7feff3bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feff3c0000 0x7feff3edfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7feff910000 0x7feff976fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffa00000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feffe90000 0x7fefff58fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory Readable, Writable True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory Readable, Writable True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory Readable, Writable True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory Readable, Writable True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory Readable, Writable True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True False False -
Process #24: sppsvc.exe
Information Value
ID #24
File Name c:\windows\system32\sppsvc.exe
Command Line C:\Windows\system32\sppsvc.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:35, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:00:54
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb30
Parent PID 0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Network Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB34, 0xB38, 0xB4C, 0xB54, 0xB58, 0x850, 0x848
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory Readable, Writable True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True False False -
private_0x0000000000100000 0x00100000 0x001fffff Private Memory Readable, Writable True False False -
locale.nls 0x00200000 0x00266fff Memory Mapped File Readable False False False -
pagefile_0x0000000000270000 0x00270000 0x0032ffff Pagefile Backed Memory Readable True False False -
private_0x0000000000350000 0x00350000 0x0035ffff Private Memory Readable, Writable True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000460000 0x00460000 0x005e7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000005f0000 0x005f0000 0x00770fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000780000 0x00780000 0x00b72fff Pagefile Backed Memory Readable True False False -
private_0x0000000000ba0000 0x00ba0000 0x00c1ffff Private Memory Readable, Writable True False False -
private_0x0000000000d40000 0x00d40000 0x00dbffff Private Memory Readable, Writable True False False -
private_0x0000000000ef0000 0x00ef0000 0x00f6ffff Private Memory Readable, Writable True False False -
private_0x0000000000fc0000 0x00fc0000 0x0103ffff Private Memory Readable, Writable True False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
sppsvc.exe 0xff150000 0xff4aefff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7fefda90000 0x7fefda9efff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7fefdf70000 0x7fefe172fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feff3b0000 0x7feff3bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feff3c0000 0x7feff3edfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7feff910000 0x7feff976fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffa00000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feffe90000 0x7fefff58fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory Readable, Writable True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory Readable, Writable True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory Readable, Writable True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory Readable, Writable True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory Readable, Writable True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True False False -
Process #25: arp.exe
Information Value
ID #25
File Name c:\windows\system32\arp.exe
Command Line C:\Windows\system32\arp.exe -a
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:36, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:00:53
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb3c
Parent PID 0xad8 (c:\users\5p5nrg~1\appdata\roaming\v5hw0h~1:bin)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB40, 0xB68
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory Readable, Writable True False False -
arp.exe.mui 0x00070000 0x00071fff Memory Mapped File Readable, Writable False False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory Readable, Writable True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory Readable, Writable True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory Readable, Writable True False False -
locale.nls 0x00290000 0x002f6fff Memory Mapped File Readable False False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory Readable, Writable True False False -
private_0x0000000000470000 0x00470000 0x0047ffff Private Memory Readable, Writable True False False -
private_0x00000000004f0000 0x004f0000 0x004fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000500000 0x00500000 0x00687fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000690000 0x00690000 0x00810fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000820000 0x00820000 0x01c1ffff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01c20000 0x01eeefff Memory Mapped File Readable False False False -
private_0x0000000002090000 0x02090000 0x0210ffff Private Memory Readable, Writable True False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fffc000 0x7fffc000 0x7fffcfff Private Memory Readable, Writable True False False -
arp.exe 0xff300000 0xff309fff Memory Mapped File Readable, Writable, Executable False False False -
inetmib1.dll 0x7fef5e00000 0x7fef5e13fff Memory Mapped File Readable, Writable, Executable False False False -
snmpapi.dll 0x7fef7d40000 0x7fef7d4afff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc.dll 0x7fefb4b0000 0x7fefb4c7fff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc6.dll 0x7fefb4d0000 0x7fefb4e0fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x7fefb650000 0x7fefb65afff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x7fefb660000 0x7fefb686fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feff3b0000 0x7feff3bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feff3c0000 0x7feff3edfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x7feff650000 0x7feff69cfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x7feff720000 0x7feff727fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7feff910000 0x7feff976fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffa00000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feffe90000 0x7fefff58fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory Readable, Writable True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory Readable, Writable True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory Readable, Writable True False False -
Process #26: nslookup.exe
Information Value
ID #26
File Name c:\windows\system32\nslookup.exe
Command Line C:\Windows\system32\nslookup.exe 192.168.0.1
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:00:52
OS Process Information
Information Value
PID 0xb6c
Parent PID 0xad8 (c:\users\5p5nrg~1\appdata\roaming\v5hw0h~1:bin)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB70, 0xB84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory Readable, Writable True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory Readable True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File Readable False False False -
pagefile_0x0000000000140000 0x00140000 0x00146fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory Readable, Writable True False False -
nslookup.exe.mui 0x00160000 0x00164fff Memory Mapped File Readable, Writable False False False -
private_0x0000000000170000 0x00170000 0x0017ffff Private Memory Readable, Writable True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory Readable, Writable True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory Readable, Writable True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory Readable, Writable True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory Readable, Writable True False False -
pagefile_0x00000000003b0000 0x003b0000 0x00537fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000540000 0x00540000 0x006c0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000006d0000 0x006d0000 0x01acffff Pagefile Backed Memory Readable True False False -
private_0x0000000001ad0000 0x01ad0000 0x01b3ffff Private Memory Readable, Writable True False False -
private_0x0000000001b50000 0x01b50000 0x01bcffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x01bd0000 0x01e9efff Memory Mapped File Readable False False False -
private_0x0000000001ea0000 0x01ea0000 0x01f8ffff Private Memory Readable, Writable True False False -
private_0x0000000002020000 0x02020000 0x0209ffff Private Memory Readable, Writable True False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff6000 0x7fff6000 0x7fff6fff Private Memory Readable, Writable True False False -
nslookup.exe 0xff440000 0xff466fff Memory Mapped File Readable, Writable, Executable True False False -
wsock32.dll 0x7fef6c10000 0x7fef6c18fff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc.dll 0x7fefb4b0000 0x7fefb4c7fff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc6.dll 0x7fefb4d0000 0x7fefb4e0fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x7fefb650000 0x7fefb65afff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x7fefb660000 0x7fefb686fff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x7fefb7d0000 0x7fefb7e4fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x7fefbeb0000 0x7fefbec8fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x7fefbed0000 0x7fefbee4fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x7fefbf10000 0x7fefbf1afff Memory Mapped File Readable, Writable, Executable False False False -
wshtcpip.dll 0x7fefce30000 0x7fefce36fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x7fefd2b0000 0x7fefd30afff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x7fefd430000 0x7fefd484fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feff3b0000 0x7feff3bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feff3c0000 0x7feff3edfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x7feff650000 0x7feff69cfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x7feff720000 0x7feff727fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7feff910000 0x7feff976fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffa00000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feffe90000 0x7fefff58fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd3fff Private Memory Readable, Writable True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory Readable, Writable True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True False False -
Host Behavior
File (1)
Operation Filename Additional Information Success Count Logfile
Write STD_ERROR_HANDLE size = 57 True 1 Fn, Data
Registry (7)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1 Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1 Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1 Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1 Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList True 1 Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1 Fn
Module (1)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\nslookup.exe base_address = 0xff440000 True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-07-13 08:01:14 (UTC) True 1 Fn
Get Time type = Ticks, time = 145595 True 1 Fn
Network Behavior
DNS (1)
Operation Additional Information Success Count Logfile
Get Hostname name_out = XDuwTfOno True 1 Fn
UDP Sessions (2)
Information Value
Total Data Sent 84 bytes
Total Data Received 84 bytes
Contacted Host Count 1
Contacted Hosts 192.168.0.1:53
UDP Session #1
Information Value
Handle 0x110
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 192.168.0.1
Remote Port 53
Local Address -
Local Port -
Data Sent 42 bytes
Data Received 42 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1 Fn
Connect remote_address = 192.168.0.1, remote_port = 53 False 1 Fn
Send flags = NO_FLAG_SET, size = 42, size_out = 42 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 42 True 1 Fn, Data
Close type = SOCK_DGRAM True 1 Fn
UDP Session #2
Information Value
Handle 0x110
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 192.168.0.1
Remote Port 53
Local Address -
Local Port -
Data Sent 42 bytes
Data Received 42 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1 Fn
Connect remote_address = 192.168.0.1, remote_port = 53 False 1 Fn
Send flags = NO_FLAG_SET, size = 42, size_out = 42 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 42 True 1 Fn, Data
Close type = SOCK_DGRAM True 1 Fn
Process #27: nslookup.exe
Operation counts: host behavior 11, network behavior 11
Information Value
ID #27
File Name c:\windows\system32\nslookup.exe
Command Line C:\Windows\system32\nslookup.exe 192.168.0.255
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:00:50
OS Process Information
Information Value
PID 0xb88
Parent PID 0xad8 (c:\users\5p5nrg~1\appdata\roaming\v5hw0h~1:bin)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xB8C, 0xBA0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory Readable, Writable True False False -
nslookup.exe.mui 0x000e0000 0x000e4fff Memory Mapped File Readable, Writable False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory Readable, Writable True False False -
private_0x0000000000110000 0x00110000 0x0014ffff Private Memory Readable, Writable True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory Readable, Writable True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory Readable, Writable True False False -
private_0x00000000002f0000 0x002f0000 0x0038ffff Private Memory Readable, Writable True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000004d0000 0x004d0000 0x00657fff Pagefile Backed Memory Readable True False False -
private_0x00000000006c0000 0x006c0000 0x006cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000006d0000 0x006d0000 0x00850fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000860000 0x00860000 0x01c5ffff Pagefile Backed Memory Readable True False False -
private_0x0000000001d60000 0x01d60000 0x01ddffff Private Memory Readable, Writable True False False -
private_0x0000000001e20000 0x01e20000 0x01e9ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x01ea0000 0x0216efff Memory Mapped File Readable False False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff9000 0x7fff9000 0x7fff9fff Private Memory Readable, Writable True False False -
nslookup.exe 0xff050000 0xff076fff Memory Mapped File Readable, Writable, Executable True False False -
wsock32.dll 0x7fef7030000 0x7fef7038fff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc.dll 0x7fefb4b0000 0x7fefb4c7fff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc6.dll 0x7fefb4d0000 0x7fefb4e0fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x7fefb650000 0x7fefb65afff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x7fefb660000 0x7fefb686fff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x7fefb7d0000 0x7fefb7e4fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x7fefbeb0000 0x7fefbec8fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x7fefbed0000 0x7fefbee4fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x7fefbf10000 0x7fefbf1afff Memory Mapped File Readable, Writable, Executable False False False -
wshtcpip.dll 0x7fefce30000 0x7fefce36fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x7fefd2b0000 0x7fefd30afff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x7fefd430000 0x7fefd484fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feff3b0000 0x7feff3bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feff3c0000 0x7feff3edfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x7feff650000 0x7feff69cfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x7feff720000 0x7feff727fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7feff910000 0x7feff976fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffa00000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feffe90000 0x7fefff58fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd8fff Private Memory Readable, Writable True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory Readable, Writable True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True False False -
Host Behavior
File (1)
Operation Filename Additional Information Success Count Logfile
Write STD_ERROR_HANDLE size = 59 True 1 Fn, Data
Registry (7)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1 Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1 Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1 Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1 Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList True 1 Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1 Fn
Module (1)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\nslookup.exe base_address = 0xff050000 True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-07-13 08:01:14 (UTC) True 1 Fn
Get Time type = Ticks, time = 146141 True 1 Fn
Network Behavior
DNS (1)
Operation Additional Information Success Count Logfile
Get Hostname name_out = XDuwTfOno True 1 Fn
UDP Sessions (2)
Information Value
Total Data Sent 86 bytes
Total Data Received 86 bytes
Contacted Host Count 1
Contacted Hosts 192.168.0.1:53
UDP Session #1
Information Value
Handle 0x110
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 192.168.0.1
Remote Port 53
Local Address -
Local Port -
Data Sent 42 bytes
Data Received 42 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1 Fn
Connect remote_address = 192.168.0.1, remote_port = 53 False 1 Fn
Send flags = NO_FLAG_SET, size = 42, size_out = 42 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 42 True 1 Fn, Data
Close type = SOCK_DGRAM True 1 Fn
UDP Session #2
Information Value
Handle 0x110
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 192.168.0.1
Remote Port 53
Local Address -
Local Port -
Data Sent 44 bytes
Data Received 44 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1 Fn
Connect remote_address = 192.168.0.1, remote_port = 53 False 1 Fn
Send flags = NO_FLAG_SET, size = 44, size_out = 44 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 44 True 1 Fn, Data
Close type = SOCK_DGRAM True 1 Fn
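Processes #27, #28 and #29 share one parent, an executable stored in an NTFS alternate data stream (the :bin suffix) under AppData\Roaming, and each child is nslookup.exe reverse-resolving a subnet broadcast (192.168.0.255) or multicast (224.0.0.22, 224.0.0.252) address at Medium integrity. The Python below is an added detection example and is not part of the VMRay report or of the sample. It runs over constructed process-creation records that mirror those three entries plus two benign ones, and flags a parent when its image path is an ADS under AppData\Roaming and it launches at least two such lookups. The record layout, the two-token nslookup command-line shape, and the /24 assumption behind treating a .255 host address as a directed broadcast are assumptions of this example.

```python
"""Flag ADS-hosted executables under AppData\\Roaming that drive nslookup.exe
against broadcast or multicast addresses, the pattern seen in processes #27-#29.

Added example, not part of the VMRay report. The event dicts are constructed
to mirror the report's process entries; real telemetry (Sysmon event 1, EDR
process-creation events) would be mapped onto the same two fields.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Drive letter and colon, a path, then a second colon introducing a stream name.
ADS_IMAGE = re.compile(r"^[a-z]:\\.*\\[^\\:]+:[^\\:]+$", re.IGNORECASE)
ROAMING_DIR = re.compile(r"\\appdata\\roaming\\", re.IGNORECASE)
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")

# Constructed records mirroring the report's process tree (not the sandbox's format).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent_image": r"c:\users\5p5nrg~1\appdata\roaming\v5hw0h~1:bin",
     "command_line": r"C:\Windows\system32\nslookup.exe 192.168.0.255"},
    {"parent_image": r"c:\users\5p5nrg~1\appdata\roaming\v5hw0h~1:bin",
     "command_line": r"C:\Windows\system32\nslookup.exe 224.0.0.22"},
    {"parent_image": r"c:\users\5p5nrg~1\appdata\roaming\v5hw0h~1:bin",
     "command_line": r"C:\Windows\system32\nslookup.exe 224.0.0.252"},
    # Benign: an admin at a console resolving a public resolver.
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"C:\Windows\system32\nslookup.exe 8.8.8.8"},
    # ADS parent, but an ordinary host address: not counted on its own.
    {"parent_image": r"c:\users\5p5nrg~1\appdata\roaming\v5hw0h~1:bin",
     "command_line": r"C:\Windows\system32\nslookup.exe 192.168.0.10"},
]


def is_ads_image(path: str) -> bool:
    """True when the image path names an alternate data stream (file:stream)."""
    return bool(ADS_IMAGE.match(path))


def nslookup_target(cmdline: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 argument of a two-token nslookup invocation, else None."""
    parts = cmdline.split()
    if len(parts) != 2 or not parts[0].lower().endswith("nslookup.exe"):
        return None
    try:
        return ipaddress.IPv4Address(parts[1])
    except ipaddress.AddressValueError:
        return None


def is_broadcast_or_multicast(ip: ipaddress.IPv4Address) -> bool:
    """224.0.0.0/4, the limited broadcast, or (assuming a /24) a .255 host."""
    return ip in MULTICAST or ip == LIMITED_BROADCAST or ip.packed[-1] == 255


def find_suspicious_parents(events: List[Dict[str, str]],
                            min_children: int = 2) -> Dict[str, List[str]]:
    """Map each ADS-in-Roaming parent to the broadcast/multicast addresses its
    nslookup children queried, keeping parents with at least min_children hits."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        parent = ev["parent_image"]
        if not (is_ads_image(parent) and ROAMING_DIR.search(parent)):
            continue
        ip = nslookup_target(ev["command_line"])
        if ip is not None and is_broadcast_or_multicast(ip):
            hits[parent].append(str(ip))
    return {p: ips for p, ips in hits.items() if len(ips) >= min_children}


if __name__ == "__main__":
    for parent, ips in find_suspicious_parents(SAMPLE_EVENTS).items():
        print(f"{parent}: nslookup against {', '.join(ips)}")
```

The ADS test on the parent image is what keeps this rule quiet on ordinary hosts: nslookup against a multicast address is odd but not rare in admin scripts, whereas an image loaded from a named stream in a roaming profile is almost never legitimate, and the two conditions together reproduce exactly the tree in this report.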
Process #28: nslookup.exe
Operation counts: host behavior 10, network behavior 11
Information Value
ID #28
File Name c:\windows\system32\nslookup.exe
Command Line C:\Windows\system32\nslookup.exe 224.0.0.22
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:00:50
OS Process Information
Information Value
PID 0xba4
Parent PID 0xad8 (c:\users\5p5nrg~1\appdata\roaming\v5hw0h~1:bin)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xBA8, 0xBB8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory Readable, Writable True False False -
nslookup.exe.mui 0x000f0000 0x000f4fff Memory Mapped File Readable, Writable False False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory Readable, Writable True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory Readable, Writable True False False -
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory Readable, Writable True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory Readable, Writable True False False -
private_0x00000000001f0000 0x001f0000 0x0028ffff Private Memory Readable, Writable True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory Readable, Writable True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000004e0000 0x004e0000 0x00667fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000670000 0x00670000 0x007f0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000800000 0x00800000 0x01bfffff Pagefile Backed Memory Readable True False False -
private_0x0000000001c20000 0x01c20000 0x01c9ffff Private Memory Readable, Writable True False False -
private_0x0000000001d30000 0x01d30000 0x01daffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x01db0000 0x0207efff Memory Mapped File Readable False False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff5000 0x7fff5000 0x7fff5fff Private Memory Readable, Writable True False False -
nslookup.exe 0xff6e0000 0xff706fff Memory Mapped File Readable, Writable, Executable True False False -
wsock32.dll 0x7fef7020000 0x7fef7028fff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc.dll 0x7fefb4b0000 0x7fefb4c7fff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc6.dll 0x7fefb4d0000 0x7fefb4e0fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x7fefb650000 0x7fefb65afff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x7fefb660000 0x7fefb686fff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x7fefb7d0000 0x7fefb7e4fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x7fefbeb0000 0x7fefbec8fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x7fefbed0000 0x7fefbee4fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x7fefbf10000 0x7fefbf1afff Memory Mapped File Readable, Writable, Executable False False False -
wshtcpip.dll 0x7fefce30000 0x7fefce36fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x7fefd2b0000 0x7fefd30afff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x7fefd430000 0x7fefd484fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feff3b0000 0x7feff3bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feff3c0000 0x7feff3edfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x7feff650000 0x7feff69cfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x7feff720000 0x7feff727fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7feff910000 0x7feff976fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffa00000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feffe90000 0x7fefff58fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory Readable, Writable True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory Readable, Writable True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory Readable, Writable True False False -
Host Behavior
Registry (7)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1 Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1 Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1 Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1 Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList True 1 Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1 Fn
Module (1)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\nslookup.exe base_address = 0xff6e0000 True 1 Fn
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-07-13 08:01:15 (UTC) True 1 Fn
Get Time type = Ticks, time = 146640 True 1 Fn
Network Behavior
DNS (1)
Operation Additional Information Success Count Logfile
Get Hostname name_out = XDuwTfOno True 1 Fn
UDP Sessions (2)
Information Value
Total Data Sent 83 bytes
Total Data Received 111 bytes
Contacted Host Count 1
Contacted Hosts 192.168.0.1:53
UDP Session #1
Information Value
Handle 0x110
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 192.168.0.1
Remote Port 53
Local Address -
Local Port -
Data Sent 42 bytes
Data Received 42 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1 Fn
Connect remote_address = 192.168.0.1, remote_port = 53 False 1 Fn
Send flags = NO_FLAG_SET, size = 42, size_out = 42 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 42 True 1 Fn, Data
Close type = SOCK_DGRAM True 1 Fn
UDP Session #2
Information Value
Handle 0x110
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 192.168.0.1
Remote Port 53
Local Address -
Local Port -
Data Sent 41 bytes
Data Received 69 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1 Fn
Connect remote_address = 192.168.0.1, remote_port = 53 False 1 Fn
Send flags = NO_FLAG_SET, size = 41, size_out = 41 True 1 Fn, Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 69 True 1 Fn, Data
Close type = SOCK_DGRAM True 1 Fn
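The UDP sessions logged for processes #27 and #28 record only byte counts, but for a bare DNS query those counts pin down the question. The Python below, an added example rather than anything from the VMRay report or the sample, builds the PTR query nslookup.exe sends for an IPv4 address and checks the resulting wire length against the sizes in the report: 42 bytes in every first session, then 44 bytes for 192.168.0.255 (#27) and 41 bytes for 224.0.0.22 (#28). It assumes, as Windows nslookup does, that the tool first reverse-resolves its configured server, 192.168.0.1, to print the server name, and then the address from its command line, with no EDNS OPT record attached; the transaction ID and the recursion-desired flag are placeholders of this example.

```python
"""Rebuild the PTR queries behind the UDP sessions logged for nslookup.exe and
check their wire length against the byte counts in this report.

Added example, not part of the VMRay report or of the sample. Assumptions:
nslookup.exe first reverse-resolves its configured server (192.168.0.1) to
print the server name, then the address given on its command line; both are
bare queries with no EDNS OPT record; the transaction ID is a placeholder.
"""
import ipaddress
import struct
from typing import Tuple

DNS_HEADER_LEN = 12   # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (2 bytes each)
FLAGS_RD = 0x0100     # standard query, recursion desired
QTYPE_PTR = 12
QCLASS_IN = 1


def encode_qname(name: str) -> bytes:
    """Length-prefixed labels terminated by a zero byte (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_ptr_query(ip: str, txid: int = 0x1234) -> bytes:
    """Wire-format PTR query for d.c.b.a.in-addr.arpa: one question, no records."""
    qname = ipaddress.IPv4Address(ip).reverse_pointer   # e.g. 1.0.168.192.in-addr.arpa
    header = struct.pack("!HHHHHH", txid, FLAGS_RD, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)


def expected_session_sizes(server: str, target: str) -> Tuple[int, int]:
    """Bytes sent in UDP session #1 (server PTR) and session #2 (target PTR)."""
    return len(build_ptr_query(server)), len(build_ptr_query(target))


def parse_query(packet: bytes) -> Tuple[str, int, int]:
    """Decode a bare query into (qname, qtype, qclass).

    Rejects compression pointers and trailing bytes, so anything that is not
    the plain single-question shape assumed above is reported, not guessed."""
    if len(packet) < DNS_HEADER_LEN:
        raise ValueError("short packet")
    if struct.unpack("!H", packet[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    pos, labels = DNS_HEADER_LEN, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        n = packet[pos]
        if n & 0xC0:
            raise ValueError("compression pointer inside question name")
        pos += 1
        if n == 0:
            break
        labels.append(packet[pos:pos + n].decode("ascii"))
        pos += n
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    if pos + 4 != len(packet):
        raise ValueError("trailing bytes after the question (EDNS or extra records?)")
    return ".".join(labels), qtype, qclass


if __name__ == "__main__":
    # (server, command-line target, bytes sent in session #1, in session #2), from the report
    for server, target, sent1, sent2 in [
        ("192.168.0.1", "192.168.0.255", 42, 44),   # process #27
        ("192.168.0.1", "224.0.0.22", 42, 41),      # process #28
    ]:
        got = expected_session_sizes(server, target)
        print(f"{target}: computed {got}, report ({sent1}, {sent2}),",
              "OK" if got == (sent1, sent2) else "MISMATCH")
```

Because a response copies the question section, a reply that carries no resource records (REFUSED, SERVFAIL, or a negative answer without an authority SOA) has exactly the length of the query, which is what the 42/42 and 44/44 sessions show; the 69-byte reply to the 41-byte 224.0.0.22 query is the one session in which the server returned 28 bytes of records. The parser is strict on purpose: a packet that does not decode cleanly is evidence that the bare-query assumption does not hold for it, and should be pulled from the Data log rather than reasoned about from its size.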
Process #29: nslookup.exe
Operation counts: host behavior 11, network behavior 11
Information Value
ID #29
File Name c:\windows\system32\nslookup.exe
Command Line C:\Windows\system32\nslookup.exe 224.0.0.252
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:00:49
OS Process Information
Information Value
PID 0xbbc
Parent PID 0xad8 (c:\users\5p5nrg~1\appdata\roaming\v5hw0h~1:bin)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xBC0, 0xBD4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory Readable, Writable True False False -
nslookup.exe.mui 0x00070000 0x00074fff Memory Mapped File Readable, Writable False False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory Readable, Writable True False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory Readable, Writable True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory Readable, Writable True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File Readable False False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory Readable, Writable True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000400000 0x00400000 0x00587fff Pagefile Backed Memory Readable True False False -
private_0x00000000005d0000 0x005d0000 0x005dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000005e0000 0x005e0000 0x00760fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000770000 0x00770000 0x01b6ffff Pagefile Backed Memory Readable True False False -
private_0x0000000001bb0000 0x01bb0000 0x01c2ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x01c30000 0x01efefff Memory Mapped File Readable False False False -
private_0x0000000001f00000 0x01f00000 0x0205ffff Private Memory Readable, Writable True False False -
private_0x0000000002060000 0x02060000 0x0221ffff Private Memory Readable, Writable True False False -
private_0x0000000002100000 0x02100000 0x0217ffff Private Memory Readable, Writable True False False -
private_0x0000000002210000 0x02210000 0x0221ffff Private Memory Readable, Writable True False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff3000 0x7fff3000 0x7fff3fff Private Memory Readable, Writable True False False -
nslookup.exe 0xff380000 0xff3a6fff Memory Mapped File Readable, Writable, Executable True False False -
wsock32.dll 0x7fef7030000 0x7fef7038fff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc.dll 0x7fefb4b0000 0x7fefb4c7fff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc6.dll 0x7fefb4d0000 0x7fefb4e0fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x7fefb650000 0x7fefb65afff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x7fefb660000 0x7fefb686fff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x7fefb7d0000 0x7fefb7e4fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x7fefbeb0000 0x7fefbec8fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x7fefbed0000 0x7fefbee4fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x7fefbf10000 0x7fefbf1afff Memory Mapped File Readable, Writable, Executable False False False -
wshtcpip.dll 0x7fefce30000 0x7fefce36fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x7fefd2b0000 0x7fefd30afff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x7fefd430000 0x7fefd484fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feff3b0000 0x7feff3bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feff3c0000 0x7feff3edfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x7feff650000 0x7feff69cfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x7feff720000 0x7feff727fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7feff910000 0x7feff976fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffa00000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feffe90000 0x7fefff58fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory Readable, Writable True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory Readable, Writable True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory Readable, Writable True False False -
Host Behavior
File (1)
Operation Filename Additional Information Success Count
Write STD_ERROR_HANDLE size = 57 True 1
Registry (7)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Module (1)
Operation Module Additional Information Success Count
Get Handle c:\windows\system32\nslookup.exe base_address = 0xff380000 True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-07-13 08:01:15 (UTC) True 1
Get Time type = Ticks, time = 146843 True 1
Network Behavior
DNS (1)
Operation Additional Information Success Count
Get Hostname name_out = XDuwTfOno True 1
UDP Sessions (2)
Information Value
Total Data Sent 84 bytes
Total Data Received 141 bytes
Contacted Host Count 1
Contacted Hosts 192.168.0.1:53
UDP Session #1
Information Value
Handle 0x110
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 192.168.0.1
Remote Port 53
Local Address -
Local Port -
Data Sent 42 bytes
Data Received 42 bytes
Operation Additional Information Success Count
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 192.168.0.1, remote_port = 53 False 1
Send flags = NO_FLAG_SET, size = 42, size_out = 42 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 42 True 1
Close type = SOCK_DGRAM True 1
UDP Session #2
Information Value
Handle 0x110
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 192.168.0.1
Remote Port 53
Local Address -
Local Port -
Data Sent 42 bytes
Data Received 99 bytes
Operation Additional Information Success Count
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 192.168.0.1, remote_port = 53 False 1
Send flags = NO_FLAG_SET, size = 42, size_out = 42 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 99 True 1
Close type = SOCK_DGRAM True 1
Process #30: nslookup.exe
Information Value
ID #30
File Name c:\windows\system32\nslookup.exe
Command Line C:\Windows\system32\nslookup.exe 255.255.255.255
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:00:49
OS Process Information
Information Value
PID 0xbd8
Parent PID 0xad8 (c:\users\5p5nrg~1\appdata\roaming\v5hw0h~1:bin)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xBDC
0xBEC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory Readable, Writable True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c6fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory Readable, Writable True False False -
nslookup.exe.mui 0x001e0000 0x001e4fff Memory Mapped File Readable, Writable False False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory Readable, Writable True False False -
private_0x0000000000200000 0x00200000 0x00200fff Private Memory Readable, Writable True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory Readable, Writable True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory Readable, Writable True False False -
private_0x00000000002d0000 0x002d0000 0x0034ffff Private Memory Readable, Writable True False False -
private_0x0000000000380000 0x00380000 0x0038ffff Private Memory Readable, Writable True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory Readable, Writable True False False -
pagefile_0x00000000004b0000 0x004b0000 0x00637fff Pagefile Backed Memory Readable True False False -
private_0x0000000000670000 0x00670000 0x0067ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000680000 0x00680000 0x00800fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000810000 0x00810000 0x01c0ffff Pagefile Backed Memory Readable True False False -
private_0x0000000001c10000 0x01c10000 0x01d7ffff Private Memory Readable, Writable True False False -
private_0x0000000001dc0000 0x01dc0000 0x01e3ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x01e40000 0x0210efff Memory Mapped File Readable False False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff9000 0x7fff9000 0x7fff9fff Private Memory Readable, Writable True False False -
nslookup.exe 0xffe10000 0xffe36fff Memory Mapped File Readable, Writable, Executable True False False -
wsock32.dll 0x7fef7020000 0x7fef7028fff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc.dll 0x7fefb4b0000 0x7fefb4c7fff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc6.dll 0x7fefb4d0000 0x7fefb4e0fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x7fefb650000 0x7fefb65afff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x7fefb660000 0x7fefb686fff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x7fefb7d0000 0x7fefb7e4fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x7fefbeb0000 0x7fefbec8fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x7fefbed0000 0x7fefbee4fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x7fefbf10000 0x7fefbf1afff Memory Mapped File Readable, Writable, Executable False False False -
wshtcpip.dll 0x7fefce30000 0x7fefce36fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x7fefd2b0000 0x7fefd30afff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x7fefd430000 0x7fefd484fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feff3b0000 0x7feff3bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feff3c0000 0x7feff3edfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x7feff650000 0x7feff69cfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x7feff720000 0x7feff727fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7feff910000 0x7feff976fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffa00000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feffe90000 0x7fefff58fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory Readable, Writable True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory Readable, Writable True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory Readable, Writable True False False -
Host Behavior
File (1)
Operation Filename Additional Information Success Count
Write STD_ERROR_HANDLE size = 102 True 1
Registry (7)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Module (1)
Operation Module Additional Information Success Count
Get Handle c:\windows\system32\nslookup.exe base_address = 0xffe10000 True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-07-13 08:01:16 (UTC) True 1
Get Time type = Ticks, time = 147639 True 1
Network Behavior
DNS (1)
Operation Additional Information Success Count
Get Hostname name_out = XDuwTfOno True 1
UDP Sessions (2)
Information Value
Total Data Sent 88 bytes
Total Data Received 147 bytes
Contacted Host Count 1
Contacted Hosts 192.168.0.1:53
UDP Session #1
Information Value
Handle 0x110
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 192.168.0.1
Remote Port 53
Local Address -
Local Port -
Data Sent 42 bytes
Data Received 42 bytes
Operation Additional Information Success Count
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 192.168.0.1, remote_port = 53 False 1
Send flags = NO_FLAG_SET, size = 42, size_out = 42 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 42 True 1
Close type = SOCK_DGRAM True 1
UDP Session #2
Information Value
Handle 0x110
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 192.168.0.1
Remote Port 53
Local Address -
Local Port -
Data Sent 46 bytes
Data Received 105 bytes
Operation Additional Information Success Count
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 192.168.0.1, remote_port = 53 False 1
Send flags = NO_FLAG_SET, size = 46, size_out = 46 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 105 True 1
Close type = SOCK_DGRAM True 1
Process #31: net.exe
Information Value
ID #31
File Name c:\windows\system32\net.exe
Command Line C:\Windows\system32\net.exe view igmp.mcast.net
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:00:48
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbf0
Parent PID 0xad8 (c:\users\5p5nrg~1\appdata\roaming\v5hw0h~1:bin)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xBF4
0x85C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory Readable, Writable True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c6fff Pagefile Backed Memory Readable True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000250000 0x00250000 0x00251fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000380000 0x00380000 0x0038ffff Private Memory Readable, Writable True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000500000 0x00500000 0x008f2fff Pagefile Backed Memory Readable True False False -
private_0x00000000009b0000 0x009b0000 0x00a2ffff Private Memory Readable, Writable True False False -
netmsg.dll 0x75610000 0x75611fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fffa000 0x7fffa000 0x7fffafff Private Memory Readable, Writable True False False -
net.exe 0xffd40000 0xffd5bfff Memory Mapped File Readable, Writable, Executable False False False -
browcli.dll 0x7fef7020000 0x7fef7031fff Memory Mapped File Readable, Writable, Executable False False False -
cscapi.dll 0x7fef9100000 0x7fef910efff Memory Mapped File Readable, Writable, Executable False False False -
mpr.dll 0x7fefaaa0000 0x7fefaab7fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x7fefb650000 0x7fefb65afff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x7fefb660000 0x7fefb686fff Memory Mapped File Readable, Writable, Executable False False False -
samcli.dll 0x7fefbd70000 0x7fefbd83fff Memory Mapped File Readable, Writable, Executable False False False -
wkscli.dll 0x7fefbd90000 0x7fefbda4fff Memory Mapped File Readable, Writable, Executable False False False -
netutils.dll 0x7fefbdb0000 0x7fefbdbbfff Memory Mapped File Readable, Writable, Executable False False False -
srvcli.dll 0x7fefd990000 0x7fefd9b2fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x7feff720000 0x7feff727fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory Readable, Writable True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory Readable, Writable True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory Readable, Writable True False False -
Process #32: svchost.exe
Information Value
ID #32
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\System32\svchost.exe -k secsvcs
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:04, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:00:25
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x86c
Parent PID 0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x858
0x860
0x854
0x66C
0x878
0x7B4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000050000 0x00050000 0x00051fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000060000 0x00060000 0x00060fff Private Memory Readable, Writable True False False -
private_0x0000000000070000 0x00070000 0x00070fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000090000 0x00090000 0x00090fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000b0000 0x000b0000 0x0012ffff Private Memory Readable, Writable True False False -
locale.nls 0x00130000 0x00196fff Memory Mapped File Readable False False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory Readable, Writable True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory Readable, Writable True False False -
private_0x0000000000470000 0x00470000 0x004effff Private Memory Readable, Writable True False False -
private_0x0000000000520000 0x00520000 0x0052ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000530000 0x00530000 0x005effff Pagefile Backed Memory Readable True False False -
private_0x00000000005f0000 0x005f0000 0x0066ffff Private Memory Readable, Writable True False False -
private_0x0000000000740000 0x00740000 0x007bffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x007c0000 0x00a8efff Memory Mapped File Readable False False False -
pagefile_0x0000000000a90000 0x00a90000 0x00c17fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000c20000 0x00c20000 0x00da0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000db0000 0x00db0000 0x011a2fff Pagefile Backed Memory Readable True False False -
private_0x0000000001280000 0x01280000 0x012fffff Private Memory Readable, Writable True False False -
private_0x0000000001320000 0x01320000 0x0139ffff Private Memory Readable, Writable True False False -
sfc.dll 0x74440000 0x74442fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
svchost.exe 0xff470000 0xff47afff Memory Mapped File Readable, Writable, Executable False False False -
mpsvc.dll 0x7fef3f00000 0x7fef3ffafff Memory Mapped File Readable, Writable, Executable False False False -
mpclient.dll 0x7fef43e0000 0x7fef446ffff Memory Mapped File Readable, Writable, Executable False False False -
sfc_os.dll 0x7fef8fa0000 0x7fef8faffff Memory Mapped File Readable, Writable, Executable False False False -
wtsapi32.dll 0x7fefbef0000 0x7fefbf00fff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x7fefcd60000 0x7fefcd6bfff Memory Mapped File Readable, Writable, Executable False False False -
gpapi.dll 0x7fefcf20000 0x7fefcf3afff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x7fefcf40000 0x7fefcf5dfff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x7fefdba0000 0x7fefdbaefff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x7fefdc40000 0x7fefdc4efff Memory Mapped File Readable, Writable, Executable False False False -
wintrust.dll 0x7fefdc50000 0x7fefdc89fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x7fefdcb0000 0x7fefde16fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7fefdf70000 0x7fefe172fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x7fefe180000 0x7fefef07fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feff3b0000 0x7feff3bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feff3c0000 0x7feff3edfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7feff910000 0x7feff976fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x7feff980000 0x7feff9f0fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffa00000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x7feffb10000 0x7feffbe6fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feffe90000 0x7fefff58fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory Readable, Writable True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory Readable, Writable True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory Readable, Writable True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory Readable, Writable True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory Readable, Writable True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory Readable, Writable True False False -
Process #33: taskhost.exe
Information Value
ID #33
File Name c:\windows\system32\taskhost.exe
Command Line "taskhost.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:24, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Terminated by Timeout
Monitor Duration 00:00:05
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x87c
Parent PID 0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x460
0x530
0x5E4
0x820
0x580
0x7BC
0x7C4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00040000 0x000a6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory Readable, Writable True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory Readable, Writable True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000100000 0x00100000 0x00101fff Pagefile Backed Memory Readable True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory Readable, Writable True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory Readable, Writable True False False -
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory Readable, Writable True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory Readable, Writable True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000500000 0x00500000 0x00687fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000690000 0x00690000 0x00810fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000820000 0x00820000 0x01c1ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001c20000 0x01c20000 0x02012fff Pagefile Backed Memory Readable True False False -
private_0x0000000002020000 0x02020000 0x0209ffff Private Memory Readable, Writable True False False -
private_0x00000000020a0000 0x020a0000 0x0211ffff Private Memory Readable, Writable True False False -
private_0x0000000002120000 0x02120000 0x0219ffff Private Memory Readable, Writable True False False -
private_0x00000000021a0000 0x021a0000 0x0221ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002220000 0x02220000 0x022fefff Pagefile Backed Memory Readable True False False -
private_0x0000000002310000 0x02310000 0x0238ffff Private Memory Readable, Writable True False False -
private_0x00000000023b0000 0x023b0000 0x0242ffff Private Memory Readable, Writable True False False -
private_0x00000000025a0000 0x025a0000 0x0261ffff Private Memory Readable, Writable True False False -
kernel32.dll 0x77a30000 0x77b4efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77b50000 0x77c49fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c50000 0x77df8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
taskhost.exe 0xff440000 0xff453fff Memory Mapped File Readable, Writable, Executable False False False -
rstrtmgr.dll 0x7fef46b0000 0x7fef46e2fff Memory Mapped File Readable, Writable, Executable False False False -
radarrs.dll 0x7fef7020000 0x7fef7037fff Memory Mapped File Readable, Writable, Executable False False False -
wer.dll 0x7fef7530000 0x7fef75abfff Memory Mapped File Readable, Writable, Executable False False False -
wdi.dll 0x7fefaa60000 0x7fefaa78fff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x7fefc090000 0x7fefc0a7fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x7fefc4c0000 0x7fefc515fff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x7fefc670000 0x7fefc863fff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x7fefcd60000 0x7fefcd6bfff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x7fefd600000 0x7fefd621fff Memory Mapped File Readable, Writable, Executable False False False -
ncrypt.dll 0x7fefd630000 0x7fefd67dfff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7fefda90000 0x7fefda9efff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x7fefdc40000 0x7fefdc4efff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7fefde60000 0x7fefdecafff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7fefdf70000 0x7fefe172fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x7fefe180000 0x7fefef07fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x7fefef10000 0x7fefefa8fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7fefefb0000 0x7feff0dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7feff210000 0x7feff2aefff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7feff2b0000 0x7feff38afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7feff390000 0x7feff3aefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x7feff3b0000 0x7feff3bdfff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7feff3c0000 0x7feff3edfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7feff910000 0x7feff976fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x7feff980000 0x7feff9f0fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7feffa00000 0x7feffb08fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x7feffb10000 0x7feffbe6fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x7feffe90000 0x7fefff58fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x7fefff70000 0x7fefff70fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory Readable, Writable True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd4fff Private Memory Readable, Writable True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory Readable, Writable True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory Readable, Writable True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory Readable, Writable True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory Readable, Writable True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory Readable, Writable True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True False False -
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.

Before
After
Screenshot