Keylogger Packed with Open-Source C# Crypter | Grouped Behavior
VTI SCORE: 96/100
Dynamic Analysis Report
Classification: Trojan, Dropper, Keylogger

62dcc35536fc49377722d40cf6fe4d924bd415aeb9a9036be067b25a306dd845 (SHA256)

muziko66.EXE

Windows Exe (x86-32)

Created at 2018-11-20 16:22:00

Notifications (2/3)

Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.

The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.

The operating system was rebooted during the analysis.

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x128 Analysis Target High (Elevated) muziko66.exe "C:\Users\CIiHmnxMn6Ps\Desktop\muziko66.EXE" -
#2 0x8c8 Child Process High (Elevated) utorrent.exe C:\Users\CIiHmnxMn6Ps\AppData\Local\uTorrent.exe #1
#3 0x508 Injection Medium explorer.exe C:\Windows\Explorer.EXE #2
#4 0x128 Child Process High (Elevated) explorer.exe explorer.exe #2
#5 0xcac Child Process High (Elevated) explorer.exe explorer.exe #2
#6 0x244 Autostart System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -
#7 0x264 Autostart System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k RPCSS -
#8 0x354 Autostart System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -
#9 0x360 Autostart System (Elevated) svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -
#10 0x368 Autostart System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -
#11 0x3ec Autostart System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -
#12 0xfc Autostart System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k LocalService -
#13 0x164 Child Process System (Elevated) taskhostw.exe taskhostw.exe #8
#14 0x8 Autostart System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k NetworkService -
#15 0x478 Autostart System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k WbioSvcGroup -
#16 0x494 Autostart System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -
#17 0x64c Autostart System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k appmodel -
#18 0x548 RPC Server System (Elevated) officeclicktorun.exe "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service #12
#19 0x7ec Child Process System (Elevated) dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} #6
#20 0x4dc Child Process Medium sihost.exe sihost.exe #8
#21 0x530 Child Process Medium taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} #8
#22 0x5b0 Child Process Medium msoia.exe "C:\Program Files\Microsoft Office\root\Office16\msoia.exe" scan upload #8
#23 0x670 Child Process Medium taskhostw.exe taskhostw.exe USER #8
#24 0x1b4 Child Process Medium runtimebroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding #6
#25 0x874 Child Process Medium dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} #6
#26 0x164 RPC Server Medium explorer.exe C:\Windows\Explorer.EXE #20
#27 0x97c Child Process Low shellexperiencehost.exe "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca #6
#28 0x9e8 Child Process Low searchui.exe "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca #6
#29 0xb00 Child Process Medium dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} #6
#30 0xb28 Child Process Low backgroundtaskhost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca #6
#31 0xb5c Child Process Medium mobsync.exe C:\Windows\System32\mobsync.exe -Embedding #6
#32 0xb88 Child Process Medium winamp.exe "C:\Users\CIiHmnxMn6Ps\AppData\Local\winamp.exe" #26
#33 0xb94 Child Process Medium runonce.exe C:\Windows\SysWOW64\runonce.exe /Run6432 #26
#34 0xbc0 Child Process Medium svchost.exe "C:\Windows\System32\install\svchost.exe" #33
#36 0x578 Child Process Medium dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} #6
#37 0x7cc Child Process Medium utorrent.exe C:\Users\CIiHmnxMn6Ps\AppData\Local\uTorrent.exe #32
#38 0x338 Child Process Medium explorer.exe explorer.exe #37
#39 0xb58 Child Process Medium explorer.exe explorer.exe #37
#40 0x7f0 Autostart System (Elevated) svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -
#41 0x57c Autostart Medium svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup -
#42 0x950 Child Process System (Elevated) mpcmdrun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable #9
#44 0xb14 Child Process Low backgroundtaskhost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca #6
#45 0x8a0 Child Process Low backgroundtaskhost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca #6
#46 0xb70 Child Process System (Elevated) wmiadap.exe wmiadap.exe /F /T /R #8
#47 0x5d0 Child Process System (Elevated) wmiprvse.exe C:\Windows\system32\wbem\wmiprvse.exe -Embedding #6
#48 0xb5c Child Process System (Elevated) taskeng.exe taskeng.exe {ED7B4F34-E0D4-424B-A7F2-947F125DE242} S-1-5-18:NT AUTHORITY\System:Service: #8
#49 0x30c Child Process Medium taskhostw.exe taskhostw.exe Logon #8
#50 0x6dc Child Process System (Elevated) officec2rclient.exe "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False #48
#51 0xbc8 Child Process System (Elevated) schtasks.exe schtasks.exe /change /tn "Microsoft\Office\Office ClickToRun Service Monitor" /enable #18
#53 0x9c0 Child Process System (Elevated) schtasks.exe schtasks.exe /change /tn "Microsoft\Office\Office Automatic Updates" /enable #18
#55 0x8a4 Child Process System (Elevated) schtasks.exe schtasks.exe /change /tn "Microsoft\Office\Office Automatic Updates 2.0" /enable #18

Behavior Information - Grouped by Category

Process #1: muziko66.exe
93 0
Information Value
ID #1
File Name c:\users\ciihmnxmn6ps\desktop\muziko66.exe
Command Line "C:\Users\CIiHmnxMn6Ps\Desktop\muziko66.EXE"
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:01:21, Reason: Analysis Target
Unmonitor End Time: 00:01:43, Reason: Self Terminated
Monitor Duration 00:00:22
OS Process Information
Information Value
PID 0x128
Parent PID 0x508 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x880
0x420
0x1F8
0x570
0x8E8
0x3C8
0x5C0
0x5EC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
muziko66.exe 0x00e50000 0x00ef7fff Memory Mapped File rwx True False False -
private_0x0000000000f00000 0x00f00000 0x00f1ffff Private Memory rw True False False -
pagefile_0x0000000000f00000 0x00f00000 0x00f0ffff Pagefile Backed Memory rw True False False -
private_0x0000000000f10000 0x00f10000 0x00f13fff Private Memory rw True False False -
private_0x0000000000f20000 0x00f20000 0x00f20fff Private Memory rw True False False -
pagefile_0x0000000000f30000 0x00f30000 0x00f43fff Pagefile Backed Memory r True False False -
private_0x0000000000f50000 0x00f50000 0x00f8ffff Private Memory rw True False False -
private_0x0000000000f90000 0x00f90000 0x0108ffff Private Memory rw True False False -
pagefile_0x0000000001090000 0x01090000 0x01093fff Pagefile Backed Memory r True False False -
private_0x00000000010a0000 0x010a0000 0x010a1fff Private Memory rw True False False -
locale.nls 0x010b0000 0x0116dfff Memory Mapped File r False False False -
private_0x0000000001170000 0x01170000 0x011affff Private Memory rw True False False -
private_0x00000000011b0000 0x011b0000 0x011b0fff Private Memory rw True False False -
pagefile_0x00000000011c0000 0x011c0000 0x011c0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000011d0000 0x011d0000 0x011d0fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000011e0000 0x011e0000 0x011e0fff Pagefile Backed Memory rw True False False -
private_0x00000000011f0000 0x011f0000 0x011fffff Private Memory rw True False False -
private_0x0000000001200000 0x01200000 0x012fffff Private Memory rw True False False -
private_0x0000000001300000 0x01300000 0x0130ffff Private Memory - True False False -
private_0x0000000001310000 0x01310000 0x0131ffff Private Memory - True False False -
private_0x0000000001320000 0x01320000 0x0132ffff Private Memory - True False False -
private_0x0000000001330000 0x01330000 0x0133ffff Private Memory - True False False -
private_0x0000000001340000 0x01340000 0x0134ffff Private Memory - True False False -
private_0x0000000001350000 0x01350000 0x0135ffff Private Memory rw True False False -
private_0x0000000001360000 0x01360000 0x0136ffff Private Memory - True False False -
pagefile_0x0000000001370000 0x01370000 0x01370fff Pagefile Backed Memory rw True False False -
private_0x0000000001380000 0x01380000 0x0138ffff Private Memory rw True False False -
private_0x0000000001390000 0x01390000 0x013cffff Private Memory rw True False False -
private_0x00000000013d0000 0x013d0000 0x013dffff Private Memory rw True False False -
l_intl.nls 0x013e0000 0x013e2fff Memory Mapped File r False False False -
private_0x00000000013f0000 0x013f0000 0x014effff Private Memory rw True False False -
pagefile_0x00000000014f0000 0x014f0000 0x01677fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001680000 0x01680000 0x01800fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001810000 0x01810000 0x02c0ffff Pagefile Backed Memory r True False False -
private_0x0000000002c10000 0x02c10000 0x02caffff Private Memory rw True False False -
private_0x0000000002cb0000 0x02cb0000 0x02ceffff Private Memory rw True False False -
private_0x0000000002cf0000 0x02cf0000 0x02cfffff Private Memory rw True False False -
private_0x0000000002d00000 0x02d00000 0x02d0ffff Private Memory - True False False -
pagefile_0x0000000002d10000 0x02d10000 0x02d10fff Pagefile Backed Memory r True False False -
private_0x0000000002d20000 0x02d20000 0x02d2ffff Private Memory rw True False False -
private_0x0000000002d30000 0x02d30000 0x02d3ffff Private Memory - True False False -
sorttbls.nlp 0x02d40000 0x02d44fff Memory Mapped File r False False False -
sortkey.nlp 0x02d50000 0x02d90fff Memory Mapped File r False False False -
private_0x0000000002da0000 0x02da0000 0x02da0fff Private Memory rwx True False False -
private_0x0000000002de0000 0x02de0000 0x02deffff Private Memory rwx True False False -
private_0x0000000002df0000 0x02df0000 0x02eeffff Private Memory rw True False False -
sortdefault.nls 0x02ef0000 0x03226fff Memory Mapped File r False False False -
private_0x0000000003230000 0x03230000 0x0522ffff Private Memory rw True False False -
private_0x0000000005230000 0x05230000 0x0532ffff Private Memory rw True False False -
pagefile_0x0000000005330000 0x05330000 0x0539dfff Pagefile Backed Memory rw True False False -
private_0x00000000053d0000 0x053d0000 0x053dffff Private Memory - True False False -
private_0x00000000053e0000 0x053e0000 0x054dffff Private Memory rw True False False -
wow64cpu.dll 0x64ae0000 0x64ae7fff Memory Mapped File rwx False False False -
wow64win.dll 0x64af0000 0x64b62fff Memory Mapped File rwx False False False -
wow64.dll 0x64b70000 0x64bbefff Memory Mapped File rwx False False False -
ntmarta.dll 0x72f50000 0x72f77fff Memory Mapped File rwx False False False -
microsoft.visualbasic.ni.dll 0x72f80000 0x73124fff Memory Mapped File rwx True False False -
shfolder.dll 0x73130000 0x73135fff Memory Mapped File rwx False False False -
rsaenh.dll 0x73140000 0x7316efff Memory Mapped File rwx False False False -
cryptsp.dll 0x73170000 0x73182fff Memory Mapped File rwx False False False -
bcrypt.dll 0x73190000 0x731aafff Memory Mapped File rwx False False False -
system.ni.dll 0x731b0000 0x73952fff Memory Mapped File rwx True False False -
mscorjit.dll 0x73960000 0x739bafff Memory Mapped File rwx True False False -
mscorlib.ni.dll 0x739c0000 0x744b9fff Memory Mapped File rwx True False False -
msvcr80.dll 0x744c0000 0x7455afff Memory Mapped File rwx False False False -
mscorwks.dll 0x74560000 0x74b0ffff Memory Mapped File rwx True False False -
version.dll 0x74b10000 0x74b17fff Memory Mapped File rwx False False False -
mscoreei.dll 0x74b20000 0x74b97fff Memory Mapped File rwx True False False -
mscoree.dll 0x74ba0000 0x74bf8fff Memory Mapped File rwx True False False -
uxtheme.dll 0x74c20000 0x74c94fff Memory Mapped File rwx False False False -
apphelp.dll 0x74ca0000 0x74d30fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74d40000 0x74d98fff Memory Mapped File rwx False False False -
cryptbase.dll 0x74da0000 0x74da9fff Memory Mapped File rwx False False False -
sspicli.dll 0x74db0000 0x74dcdfff Memory Mapped File rwx False False False -
kernelbase.dll 0x74e70000 0x74fe5fff Memory Mapped File rwx False False False -
kernel32.dll 0x75260000 0x7534ffff Memory Mapped File rwx False False False -
powrprof.dll 0x753b0000 0x753f3fff Memory Mapped File rwx False False False -
imm32.dll 0x75400000 0x7542afff Memory Mapped File rwx False False False -
shell32.dll 0x75430000 0x767eefff Memory Mapped File rwx False False False -
profapi.dll 0x76810000 0x7681efff Memory Mapped File rwx False False False -
ole32.dll 0x768b0000 0x76999fff Memory Mapped File rwx False False False -
advapi32.dll 0x76a10000 0x76a8afff Memory Mapped File rwx False False False -
sechost.dll 0x76c40000 0x76c82fff Memory Mapped File rwx False False False -
oleaut32.dll 0x76c90000 0x76d21fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76d90000 0x76e3bfff Memory Mapped File rwx False False False -
combase.dll 0x76e40000 0x76ff9fff Memory Mapped File rwx False False False -
gdi32.dll 0x77000000 0x7714cfff Memory Mapped File rwx False False False -
user32.dll 0x77150000 0x7728ffff Memory Mapped File rwx False False False -
shlwapi.dll 0x77290000 0x772d3fff Memory Mapped File rwx False False False -
shcore.dll 0x77340000 0x773ccfff Memory Mapped File rwx False False False -
psapi.dll 0x773d0000 0x773d5fff Memory Mapped File rwx False False False -
windows.storage.dll 0x773f0000 0x778ccfff Memory Mapped File rwx False False False -
msctf.dll 0x778d0000 0x779effff Memory Mapped File rwx False False False -
msvcrt.dll 0x779f0000 0x77aadfff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x77c30000 0x77c3bfff Memory Mapped File rwx False False False -
ntdll.dll 0x77ca0000 0x77e18fff Memory Mapped File rwx False False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffff Private Memory - True False False -
private_0x0000000080000000 0x80000000 0x8000ffff Private Memory - True False False -
sysmain.sdb 0xfedd0000 0xff15ffff Memory Mapped File r False False False -
private_0x00000000ff16a000 0xff16a000 0xff16cfff Private Memory rw True False False -
private_0x00000000ff16d000 0xff16d000 0xff16ffff Private Memory rw True False False -
pagefile_0x00000000ff170000 0xff170000 0xff26ffff Pagefile Backed Memory r True False False -
pagefile_0x00000000ff270000 0xff270000 0xff292fff Pagefile Backed Memory r True False False -
private_0x00000000ff295000 0xff295000 0xff297fff Private Memory rw True False False -
private_0x00000000ff298000 0xff298000 0xff298fff Private Memory rw True False False -
private_0x00000000ff29a000 0xff29a000 0xff29afff Private Memory rw True False False -
private_0x00000000ff29d000 0xff29d000 0xff29ffff Private Memory rw True False False -
private_0x00000000fffe0000 0xfffe0000 0x7ff8ee37ffff Private Memory r True False False -
ntdll.dll 0x7ff8ee380000 0x7ff8ee541fff Memory Mapped File rwx False False False -
private_0x00007ff8ee542000 0x7ff8ee542000 0x7ffffffeffff Private Memory r True False False -
Created Files
Filename File Size Hash Values YARA Match Actions
C:\Users\CIiHmnxMn6Ps\Desktop\muziko66.EXE 638.50 KB
  MD5: d82d5def9a8c3184e7116ea172c70e09
  SHA1: 0886bb5f98a43c7464115644756c9a15bd95af54
  SHA256: 62dcc35536fc49377722d40cf6fe4d924bd415aeb9a9036be067b25a306dd845
  SSDeep: 12288:xvGPh1DOPLOgzyArtDaWZXpbGQENdag2gY7gQdAQ4+uG6at31SI5vG:8Z1DOPLXzyArtlMBcgQiL+WatlSIe
  YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Local\uTorrent.exe 1.12 MB
  MD5: e618b1550d4ccf3a62dd471bb87ef834
  SHA1: a552f7f4f0bd46ae187820ef8ad884e292bbb57b
  SHA256: f1b531118f5522b898b9fcda838032d4fdcfec9d7ba4592946a5cbb987baeb52
  SSDeep: 24576:Up2silPhMAXGWClfuRcUqIJUKB5QskQZL:Up2sMOjVzUXJDB5QEZL
  YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Local\uTorrent.exe 0.00 KB
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SSDeep: 3::
  YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Local\cBxBGxB 428.01 KB
  MD5: 2a335af28de46ab0c68fc8f38cf4a1ce
  SHA1: dc5d95d6c8ceb93d04dc5a4c2ae0928267784130
  SHA256: 0c436da0aec39721cbacbccd7cea43ef0848440c79195c13169ab89cf9311327
  SSDeep: 12288:iDk11YUzEhUFNGI8hpG+qLV9YzzHdEVGhPr:3HzEoNGIKGJHYzzHSVGR
  YARA Match: False
Host Behavior
File (25)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIiHmnxMn6Ps\Desktop\muziko66.EXE desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\cBxBGxB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\cBxBGxB desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\cBxBGxB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1 Fn
Get Info C:\Users\CIiHmnxMn6Ps\Desktop\muziko66.EXE type = file_attributes True 1 Fn
Get Info C:\Users\CIiHmnxMn6Ps\Desktop\muziko66.EXE type = file_type True 2 Fn
Get Info C:\Users\CIiHmnxMn6Ps\Desktop\muziko66.EXE type = size, size_out = 0 True 1 Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\uTorrent.exe type = file_attributes False 1 Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\winamp.exe type = file_attributes False 1 Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\cBxBGxB type = file_type True 6 Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\cBxBGxB type = size, size_out = 0 True 2 Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Local\uTorrent.exe source_filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe True 1 Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Local\winamp.exe source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\muziko66.EXE True 1 Fn
Read C:\Users\CIiHmnxMn6Ps\Desktop\muziko66.EXE size = 653824, size_out = 653824 True 1 Fn, Data
Read C:\Users\CIiHmnxMn6Ps\AppData\Local\cBxBGxB size = 438280, size_out = 438280 True 2 Fn, Data
Read C:\Users\CIiHmnxMn6Ps\AppData\Local\cBxBGxB size = 4096, size_out = 0 True 1 Fn
Write C:\Users\CIiHmnxMn6Ps\AppData\Local\cBxBGxB size = 438280 True 1 Fn, Data
Registry (3)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = winamp.exe, type = REG_NONE False 1 Fn
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = winamp.exe, data = C:\Users\CIiHmnxMn6Ps\AppData\Local\winamp.exe, size = 94, type = REG_SZ True 1 Fn
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\uTorrent.exe os_pid = 0x8c8, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1 Fn
Module (53)
Operation Module Additional Information Success Count Logfile
Load mscorjit.dll base_address = 0x73960000 True 1 Fn
Load kernel32 base_address = 0x75260000 True 7 Fn
Load ntdll base_address = 0x77ca0000 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\muziko66.EXE, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\MSCOREE.DLL, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\KERNEL32.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\KERNELBASE.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\system32\apphelp.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\ADVAPI32.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\msvcrt.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\sechost.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\RPCRT4.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\SspiCli.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\CRYPTBASE.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\bcryptPrimitives.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\SHLWAPI.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\combase.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\GDI32.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\USER32.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\IMM32.DLL, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\MSCTF.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\kernel.appcore.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\VERSION.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9185_none_d0905a48442809b8\MSVCR80.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\shell32.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\windows.storage.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\shcore.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\powrprof.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\profapi.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f87e9c65bcfc0dde0655ce19fb05fe8c\mscorlib.ni.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\ole32.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\system32\uxtheme.dll, size = 2048 True 1 Fn
Get Filename c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System\b0de8183f9e33cd0fbe10c8db1402653\System.ni.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\muziko66.exe, file_name_orig = C:\Windows\SYSTEM32\psapi.dll, size = 2048 True 1 Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll function = getJit, address_out = 0x739a93e6 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetThreadContext, address_out = 0x7527eb70 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteProcessMemory, address_out = 0x752a2ae0 True 1 Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtUnmapViewOfSection, address_out = 0x77d08e80 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadProcessMemory, address_out = 0x752a1ef0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = ResumeThread, address_out = 0x7527a280 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadContext, address_out = 0x752a2700 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAllocEx, address_out = 0x752a29a0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtectEx, address_out = 0x752a2a00 True 1 Fn
User (1)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1 Fn
System (5)
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 4 Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 1 Fn
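Read together, the File, Registry, Process and Module tables for Process #1 describe a textbook RunPE loader: the sample copies the Microsoft-signed VB.NET compiler (vbc.exe) into AppData\Local under the name uTorrent.exe, starts that copy with CREATE_SUSPENDED and SW_HIDE, and resolves GetThreadContext, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext and ResumeThread, the API set needed to unmap the child's image and replace it with the decrypted payload before the main thread runs (Process #2 is then the hollowed host and goes on to inject into explorer.exe, see the "Injection" row in the Process Overview). For persistence it copies itself to winamp.exe and registers that path under HKCU\...\CurrentVersion\Run. The script below is an added example (not VMRay's code) that turns those observations into triage heuristics; its event rows are hand-constructed from the tables above rather than parsed from a real VMRay export, and the category and column names are assumptions of this example.

```python
"""Heuristic triage of sandbox host-behaviour rows for the RunPE / process-hollowing
pattern documented in the report above (suspended child, hollowing API set,
relocated OS binary, self-copy, Run-key persistence).

Added example, not VMRay's own code. EVENTS below is hand-constructed from the
report's File, Registry, Process and Module tables, not parsed from a real export.
"""
from typing import Dict, Iterable, List, Tuple

Event = Tuple[str, str, str, dict]  # (category, operation, target, extra columns)

# APIs a RunPE loader resolves to swap a suspended child's image for its payload.
HOLLOWING_APIS = {
    "GetThreadContext", "NtUnmapViewOfSection", "VirtualAllocEx",
    "WriteProcessMemory", "SetThreadContext", "ResumeThread",
}
# Directories holding Microsoft-signed binaries commonly used as hollowing hosts.
OS_BINARY_DIRS = ("\\windows\\microsoft.net\\", "\\windows\\system32\\", "\\windows\\syswow64\\")
RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"

SAMPLE_PATH = r"C:\Users\CIiHmnxMn6Ps\Desktop\muziko66.EXE"
APPDATA = r"C:\Users\CIiHmnxMn6Ps\AppData\Local"

# Constructed from the report rows; only the columns the heuristics need are kept.
EVENTS: List[Event] = [
    ("file", "Copy", APPDATA + r"\uTorrent.exe",
     {"source_filename": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"}),
    ("file", "Copy", APPDATA + r"\winamp.exe", {"source_filename": SAMPLE_PATH}),
    ("registry", "Write Value", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     {"value_name": "winamp.exe", "data": APPDATA + r"\winamp.exe"}),
    ("process", "Create", APPDATA + r"\uTorrent.exe",
     {"creation_flags": "CREATE_SUSPENDED", "show_window": "SW_HIDE"}),
] + [
    ("module", "Get Address", mod, {"function": fn})
    for mod, fn in [
        ("mscorjit.dll", "getJit"), ("kernel32.dll", "GetThreadContext"),
        ("kernel32.dll", "WriteProcessMemory"), ("ntdll.dll", "NtUnmapViewOfSection"),
        ("kernel32.dll", "ReadProcessMemory"), ("kernel32.dll", "ResumeThread"),
        ("kernel32.dll", "SetThreadContext"), ("kernel32.dll", "VirtualAllocEx"),
        ("kernel32.dll", "VirtualProtectEx"),
    ]
]


def _user_writable(path: str) -> bool:
    p = path.lower()
    return "\\appdata\\" in p or "\\temp\\" in p or "\\public\\" in p


def _in_os_dir(path: str) -> bool:
    return any(d in path.lower() for d in OS_BINARY_DIRS)


def triage(events: Iterable[Event], sample_path: str) -> Dict[str, object]:
    """Return {finding: detail} for every heuristic that fires on the event rows."""
    findings: Dict[str, object] = {}
    resolved = set()
    copies: Dict[str, str] = {}      # destination -> source, lower-cased
    suspended: List[str] = []
    for cat, op, target, info in events:
        if cat == "module" and op == "Get Address":
            resolved.add(info["function"])
        elif cat == "file" and op == "Copy":
            copies[target.lower()] = info["source_filename"].lower()
        elif cat == "process" and op == "Create" and "CREATE_SUSPENDED" in info.get("creation_flags", ""):
            suspended.append(target.lower())
        elif cat == "registry" and op == "Write Value" and target.lower().endswith(RUN_KEY_SUFFIX):
            findings["run_key_persistence"] = f"{info['value_name']} = {info['data']}"

    hit = resolved & HOLLOWING_APIS
    if len(hit) >= 5:                     # tolerate one API resolved outside the logged window
        findings["hollowing_api_set"] = sorted(hit)
    for dst, src in copies.items():
        if src == sample_path.lower():
            findings["self_copy"] = dst
        elif _in_os_dir(src) and _user_writable(dst):
            findings["os_binary_relocated"] = f"{src} -> {dst}"
    # Strongest signal: the suspended child is the relocated OS binary itself.
    for child in suspended:
        if child in copies and _in_os_dir(copies[child]):
            findings["suspended_relocated_os_binary"] = child
    return findings


def score(findings: Dict[str, object]) -> int:
    """Weighted sum of fired heuristics, capped at 100 (weights are this example's choice)."""
    weights = {"hollowing_api_set": 40, "suspended_relocated_os_binary": 30,
               "os_binary_relocated": 10, "self_copy": 10, "run_key_persistence": 10}
    return min(100, sum(weights.get(k, 0) for k in findings))


if __name__ == "__main__":
    result = triage(EVENTS, SAMPLE_PATH)
    for name, detail in result.items():
        print(f"{name}: {detail}")
    print("score:", score(result))
```

Outside a sandbox only part of this is visible: the copies into AppData and the Run value show up as Sysmon Event ID 11 (FileCreate) and 13 (registry value set), and the hollowed host can be spotted as a Sysmon Event ID 1 whose Image sits under AppData while its OriginalFileName is vbc.exe; the CREATE_SUSPENDED flag and the GetProcAddress resolutions are not logged by Sysmon and need an EDR hook or a memory scan of the child for an image that no longer matches its file on disk.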
Process #2: utorrent.exe
1523 0
Information Value
ID #2
File Name c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe
Command Line C:\Users\CIiHmnxMn6Ps\AppData\Local\uTorrent.exe
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:01:57, Reason: Self Terminated
Monitor Duration 00:00:16
OS Process Information
Information Value
PID 0x8c8
Parent PID 0x128 (c:\users\ciihmnxmn6ps\desktop\muziko66.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x568
0x274
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00023fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory rw True False False -
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory r True False False -
private_0x00000000001c0000 0x001c0000 0x001c1fff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x001d0fff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00210000 0x002cdfff Memory Mapped File r False False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
utorrent.exe 0x00400000 0x0051efff Memory Mapped File rwx True False False -
private_0x0000000000400000 0x00400000 0x00470fff Private Memory rwx True False False -
private_0x0000000000480000 0x00480000 0x004bffff Private Memory rw True False False -
private_0x00000000004c0000 0x004c0000 0x005bffff Private Memory rw True False False -
pagefile_0x00000000005c0000 0x005c0000 0x00747fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000750000 0x00750000 0x008d0fff Pagefile Backed Memory r True False False -
private_0x00000000008f0000 0x008f0000 0x008fffff Private Memory rw True False False -
pagefile_0x0000000000900000 0x00900000 0x01cfffff Pagefile Backed Memory r True False False -
private_0x0000000001d00000 0x01d00000 0x01dfffff Private Memory - True False False -
private_0x0000000001e00000 0x01e00000 0x01efffff Private Memory - True False False -
private_0x0000000010410000 0x10410000 0x1047ffff Private Memory rwx True False False -
private_0x0000000010480000 0x10480000 0x104effff Private Memory rwx True False False -
private_0x00000000104f0000 0x104f0000 0x1055ffff Private Memory rwx True False False -
wow64cpu.dll 0x64ae0000 0x64ae7fff Memory Mapped File rwx False False False -
wow64win.dll 0x64af0000 0x64b62fff Memory Mapped File rwx False False False -
wow64.dll 0x64b70000 0x64bbefff Memory Mapped File rwx False False False -
ntmarta.dll 0x74bd0000 0x74bf7fff Memory Mapped File rwx False False False -
apphelp.dll 0x74ca0000 0x74d30fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74d40000 0x74d98fff Memory Mapped File rwx False False False -
cryptbase.dll 0x74da0000 0x74da9fff Memory Mapped File rwx False False False -
sspicli.dll 0x74db0000 0x74dcdfff Memory Mapped File rwx False False False -
kernelbase.dll 0x74e70000 0x74fe5fff Memory Mapped File rwx False False False -
kernel32.dll 0x75260000 0x7534ffff Memory Mapped File rwx False False False -
powrprof.dll 0x753b0000 0x753f3fff Memory Mapped File rwx False False False -
imm32.dll 0x75400000 0x7542afff Memory Mapped File rwx False False False -
shell32.dll 0x75430000 0x767eefff Memory Mapped File rwx False False False -
profapi.dll 0x76810000 0x7681efff Memory Mapped File rwx False False False -
advapi32.dll 0x76a10000 0x76a8afff Memory Mapped File rwx False False False -
sechost.dll 0x76c40000 0x76c82fff Memory Mapped File rwx False False False -
oleaut32.dll 0x76c90000 0x76d21fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76d90000 0x76e3bfff Memory Mapped File rwx False False False -
combase.dll 0x76e40000 0x76ff9fff Memory Mapped File rwx False False False -
gdi32.dll 0x77000000 0x7714cfff Memory Mapped File rwx False False False -
user32.dll 0x77150000 0x7728ffff Memory Mapped File rwx False False False -
shlwapi.dll 0x77290000 0x772d3fff Memory Mapped File rwx False False False -
shcore.dll 0x77340000 0x773ccfff Memory Mapped File rwx False False False -
windows.storage.dll 0x773f0000 0x778ccfff Memory Mapped File rwx False False False -
msctf.dll 0x778d0000 0x779effff Memory Mapped File rwx False False False -
msvcrt.dll 0x779f0000 0x77aadfff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x77c30000 0x77c3bfff Memory Mapped File rwx False False False -
ntdll.dll 0x77ca0000 0x77e18fff Memory Mapped File rwx False False False -
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7ff8ee37ffff Private Memory r True False False -
ntdll.dll 0x7ff8ee380000 0x7ff8ee541fff Memory Mapped File rwx False False False -
private_0x00007ff8ee542000 0x7ff8ee542000 0x7ffffffeffff Private Memory r True False False -
Created Files
Filename File Size Hash Values YARA Match Actions
C:\Users\CIiHmnxMn6Ps\AppData\Local\uTorrent.exe 1.12 MB MD5: e618b1550d4ccf3a62dd471bb87ef834
SHA1: a552f7f4f0bd46ae187820ef8ad884e292bbb57b
SHA256: f1b531118f5522b898b9fcda838032d4fdcfec9d7ba4592946a5cbb987baeb52
SSDeep: 24576:Up2silPhMAXGWClfuRcUqIJUKB5QskQZL:Up2sMOjVzUXJDB5QEZL
False
C:\Users\CIiHmnxMn6Ps\AppData\Local\uTorrent.exe 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep: 3::
False
C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps2.txt 385.12 KB MD5: a317c7281bd18ad4bea976df0e02144f
SHA1: c7fec219b00a35d60b6a415ec09945f5d6702358
SHA256: 699eb8dca2b0918265d5073ddb279e1abe6e134c2340b10f346aaea4ed46227f
SSDeep: 6144:rA0nitqv/nHrHxVPGTZTzq9SkTr2m7mrUsqWBn837FNldObO3k1jh:rBi8vvrHxVPKyv2m77sZB07FxObO32l
False
C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps2.txt 385.10 KB MD5: b2af7af5965cfbe7c37072fe9196e7dd
SHA1: edd23c5f0d1fe65827fb5a678bd590425e1c2b87
SHA256: 18999411b2fb51ed2cb6044a3e38bf76567fd6cdf1ac1155fe511a84d83606cd
SSDeep: 6144:gA0nitqv/nHrHxVPGTZTzq9SkTr2m7mrUsqWBn837FNldObO3k1jh:gBi8vvrHxVPKyv2m77sZB07FxObO32l
False
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps2.txt desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_WRITE True 1
Create Directory C:\Windows\system32\install\ - True 1
Get Info C:\Windows\system32\install\ type = file_attributes False 2
Get Info C:\ type = file_attributes True 1
Get Info C:\Windows\ type = file_attributes True 1
Get Info C:\Windows\system32\ type = file_attributes True 1
Get Info C:\Windows\system32\install\ type = file_attributes True 1
Copy C:\Windows\system32\install\svchost.exe source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\uTorrent.exe True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps2.txt size = 394340 True 1
Registry (24)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run - True 1
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run - True 1
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 2
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run - False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\ - True 1
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = Startup, data = 0, type = REG_SZ True 1
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = Startup, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, type = REG_SZ True 1
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = 0, type = REG_SZ True 1
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKCU, type = REG_NONE False 1
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = C:\Windows\system32\install\svchost.exe, size = 39, type = REG_EXPAND_SZ True 1
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = C:\Windows\system32\install\svchost.exe, size = 39, type = REG_EXPAND_SZ True 1
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = C:\Windows\system32\install\svchost.exe, size = 39, type = REG_EXPAND_SZ True 1
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKCU, data = C:\Windows\system32\install\svchost.exe, size = 39, type = REG_EXPAND_SZ True 1
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = C:\Windows\system32\install\svchost.exe Restart, size = 48, type = REG_SZ True 1
Delete Key HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} - False 1
Process (3)
Operation Process Additional Information Success Count Logfile
Create explorer.exe os_pid = 0x128, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Create explorer.exe os_pid = 0xcac, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Open c:\windows\explorer.exe desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Thread (111)
Operation Process Additional Information Success Count Logfile
Create c:\windows\explorer.exe proc_address = 0x5250000, proc_parameter = 86245376, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0x5f40000, proc_parameter = 99811328, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0x5f80000, proc_parameter = 100073472, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0x60d0000, proc_parameter = 101449728, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0x61f0000, proc_parameter = 102105088, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0x64d0000, proc_parameter = 104792064, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0x9bd0000, proc_parameter = 163315712, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0x9c50000, proc_parameter = 163708928, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0x9c80000, proc_parameter = 164036608, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0x9cc0000, proc_parameter = 164298752, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0x9cf0000, proc_parameter = 164495360, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0x9f10000, proc_parameter = 166723584, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0x9f40000, proc_parameter = 166920192, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0xa380000, proc_parameter = 171376640, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0xa3b0000, proc_parameter = 171573248, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0xb030000, proc_parameter = 171835392, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0xb060000, proc_parameter = 184877056, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0xb0a0000, proc_parameter = 185139200, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0xb200000, proc_parameter = 186580992, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0xb240000, proc_parameter = 186843136, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0xb270000, proc_parameter = 187039744, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0xb4b0000, proc_parameter = 189399040, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0xb4e0000, proc_parameter = 189595648, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0xb5a0000, proc_parameter = 189857792, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0xb5d0000, proc_parameter = 190578688, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0xb610000, proc_parameter = 190840832, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0xb640000, proc_parameter = 191037440, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0xb680000, proc_parameter = 191299584, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0xb6b0000, proc_parameter = 191496192, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0xb6f0000, proc_parameter = 191758336, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0xb720000, proc_parameter = 191954944, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0xb760000, proc_parameter = 192217088, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0xb790000, proc_parameter = 192413696, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0xb7d0000, proc_parameter = 192675840, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0xb800000, proc_parameter = 192872448, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0xb840000, proc_parameter = 193134592, flags = THREAD_RUNS_IMMEDIATELY False 1
Create c:\windows\explorer.exe proc_address = 0xb860000, proc_parameter = 193265664, flags = THREAD_RUNS_IMMEDIATELY False 1
Create explorer.exe proc_address = 0x4e30000, proc_parameter = 81920000, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x4ef0000, proc_parameter = 82706432, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x4f30000, proc_parameter = 82968576, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x4f70000, proc_parameter = 83230720, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x51b0000, proc_parameter = 85590016, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x5200000, proc_parameter = 85852160, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x5240000, proc_parameter = 86114304, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x6e60000, proc_parameter = 115671040, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x6e90000, proc_parameter = 115867648, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x6f50000, proc_parameter = 116654080, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x6f80000, proc_parameter = 116850688, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7040000, proc_parameter = 117637120, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7070000, proc_parameter = 117833728, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7130000, proc_parameter = 118620160, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7160000, proc_parameter = 118816768, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7220000, proc_parameter = 119603200, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7250000, proc_parameter = 119799808, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7340000, proc_parameter = 120782848, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7370000, proc_parameter = 120979456, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7430000, proc_parameter = 121765888, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7460000, proc_parameter = 121962496, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7520000, proc_parameter = 122748928, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7550000, proc_parameter = 122945536, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7610000, proc_parameter = 123731968, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7640000, proc_parameter = 123928576, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7700000, proc_parameter = 124715008, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7730000, proc_parameter = 124911616, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x77f0000, proc_parameter = 125698048, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7820000, proc_parameter = 125894656, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x78e0000, proc_parameter = 126681088, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7910000, proc_parameter = 126877696, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x79d0000, proc_parameter = 127664128, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7a00000, proc_parameter = 127860736, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7ac0000, proc_parameter = 128647168, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7af0000, proc_parameter = 128843776, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7bb0000, proc_parameter = 129630208, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7bd0000, proc_parameter = 129761280, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x4fc0000, proc_parameter = 83558400, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x5080000, proc_parameter = 84344832, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x50c0000, proc_parameter = 84606976, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x5100000, proc_parameter = 84869120, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x52c0000, proc_parameter = 86704128, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x5300000, proc_parameter = 86966272, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x6b60000, proc_parameter = 112525312, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x6c20000, proc_parameter = 113311744, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x6c50000, proc_parameter = 113508352, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x6d10000, proc_parameter = 114294784, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7090000, proc_parameter = 117964800, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7150000, proc_parameter = 118751232, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7180000, proc_parameter = 118947840, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7240000, proc_parameter = 119734272, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7270000, proc_parameter = 119930880, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7330000, proc_parameter = 120717312, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7360000, proc_parameter = 120913920, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7420000, proc_parameter = 121700352, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7450000, proc_parameter = 121896960, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7510000, proc_parameter = 122683392, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7540000, proc_parameter = 122880000, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7600000, proc_parameter = 123666432, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7630000, proc_parameter = 123863040, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x76f0000, proc_parameter = 124649472, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7720000, proc_parameter = 124846080, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x77e0000, proc_parameter = 125632512, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7810000, proc_parameter = 125829120, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x78d0000, proc_parameter = 126615552, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7900000, proc_parameter = 126812160, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x79c0000, proc_parameter = 127598592, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x79f0000, proc_parameter = 127795200, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7ab0000, proc_parameter = 128581632, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7ae0000, proc_parameter = 128778240, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7ba0000, proc_parameter = 129564672, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7bd0000, proc_parameter = 129761280, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7c90000, proc_parameter = 130547712, flags = THREAD_RUNS_IMMEDIATELY True 1
Create explorer.exe proc_address = 0x7cb0000, proc_parameter = 130678784, flags = THREAD_RUNS_IMMEDIATELY True 1
Memory (786)
Operation Process Additional Information Success Count Logfile
Allocate c:\windows\explorer.exe address = 0x10410000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 458752 True 1
Allocate c:\windows\explorer.exe address = 0x5220000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate c:\windows\explorer.exe address = 0x5240000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0x5250000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate c:\windows\explorer.exe address = 0x55e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate c:\windows\explorer.exe address = 0x5f10000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate c:\windows\explorer.exe address = 0x5f30000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate c:\windows\explorer.exe address = 0x5f40000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate c:\windows\explorer.exe address = 0x5f50000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15 True 1
Allocate c:\windows\explorer.exe address = 0x5f60000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate c:\windows\explorer.exe address = 0x5f70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate c:\windows\explorer.exe address = 0x5f80000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate c:\windows\explorer.exe address = 0x60a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15 True 1
Allocate c:\windows\explorer.exe address = 0x60b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate c:\windows\explorer.exe address = 0x60c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate c:\windows\explorer.exe address = 0x60d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate c:\windows\explorer.exe address = 0x60e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate c:\windows\explorer.exe address = 0x6140000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate c:\windows\explorer.exe address = 0x6160000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate c:\windows\explorer.exe address = 0x61f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate c:\windows\explorer.exe address = 0x6200000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0x63e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate c:\windows\explorer.exe address = 0x63f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate c:\windows\explorer.exe address = 0x64d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate c:\windows\explorer.exe address = 0x6f00000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate c:\windows\explorer.exe address = 0x9bc0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0x9bd0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate c:\windows\explorer.exe address = 0x9bf0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0x9c10000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate c:\windows\explorer.exe address = 0x9c20000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate c:\windows\explorer.exe address = 0x9c50000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate c:\windows\explorer.exe address = 0x9c60000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Allocate c:\windows\explorer.exe address = 0x9c70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0x9c80000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate c:\windows\explorer.exe address = 0x9c90000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 7 True 1
Allocate c:\windows\explorer.exe address = 0x9ca0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Allocate c:\windows\explorer.exe address = 0x9cb0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate c:\windows\explorer.exe address = 0x9cc0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate c:\windows\explorer.exe address = 0x9cd0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0x9ce0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0x9cf0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate c:\windows\explorer.exe address = 0x9d00000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 9 True 1
Allocate c:\windows\explorer.exe address = 0x9ef0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0x9f00000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate c:\windows\explorer.exe address = 0x9f10000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate c:\windows\explorer.exe address = 0x9f20000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 8 True 1
Allocate c:\windows\explorer.exe address = 0x9f30000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0x9f40000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate c:\windows\explorer.exe address = 0x9f50000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 14 True 1
Allocate c:\windows\explorer.exe address = 0x9f60000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 8 True 1
Allocate c:\windows\explorer.exe address = 0xa370000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate c:\windows\explorer.exe address = 0xa380000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate c:\windows\explorer.exe address = 0xa390000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0xa3a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0xa3b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate c:\windows\explorer.exe address = 0xa3c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 14 True 1
Allocate c:\windows\explorer.exe address = 0xa3d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0xa3e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate c:\windows\explorer.exe address = 0xb030000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate c:\windows\explorer.exe address = 0xb040000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Allocate c:\windows\explorer.exe address = 0xb050000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0xb060000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate c:\windows\explorer.exe address = 0xb070000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 24 True 1
Allocate c:\windows\explorer.exe address = 0xb080000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Allocate c:\windows\explorer.exe address = 0xb090000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate c:\windows\explorer.exe address = 0xb0a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate c:\windows\explorer.exe address = 0xb1e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Allocate c:\windows\explorer.exe address = 0xb1f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0xb200000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate c:\windows\explorer.exe address = 0xb210000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 14 True 1
Allocate c:\windows\explorer.exe address = 0xb220000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Allocate c:\windows\explorer.exe address = 0xb230000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate c:\windows\explorer.exe address = 0xb240000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate c:\windows\explorer.exe address = 0xb250000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate c:\windows\explorer.exe address = 0xb260000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0xb270000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate c:\windows\explorer.exe address = 0xb280000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 14 True 1
Allocate c:\windows\explorer.exe address = 0xb290000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate c:\windows\explorer.exe address = 0xb4a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate c:\windows\explorer.exe address = 0xb4b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate c:\windows\explorer.exe address = 0xb4c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate c:\windows\explorer.exe address = 0xb4d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0xb4e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate c:\windows\explorer.exe address = 0xb4f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16 True 1
Allocate c:\windows\explorer.exe address = 0xb500000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate c:\windows\explorer.exe address = 0xb510000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate c:\windows\explorer.exe address = 0xb5a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate c:\windows\explorer.exe address = 0xb5b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0xb5c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0xb5d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate c:\windows\explorer.exe address = 0xb5e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15 True 1
Allocate c:\windows\explorer.exe address = 0xb5f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0xb600000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate c:\windows\explorer.exe address = 0xb610000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate c:\windows\explorer.exe address = 0xb620000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 11 True 1
Allocate c:\windows\explorer.exe address = 0xb630000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0xb640000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate c:\windows\explorer.exe address = 0xb650000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 6 True 1
Allocate c:\windows\explorer.exe address = 0xb660000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 11 True 1
Allocate c:\windows\explorer.exe address = 0xb670000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate c:\windows\explorer.exe address = 0xb680000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate c:\windows\explorer.exe address = 0xb690000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0xb6a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0xb6b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate c:\windows\explorer.exe address = 0xb6c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15 True 1
Allocate c:\windows\explorer.exe address = 0xb6d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0xb6e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate c:\windows\explorer.exe address = 0xb6f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate c:\windows\explorer.exe address = 0xb700000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0xb710000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0xb720000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate c:\windows\explorer.exe address = 0xb730000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate c:\windows\explorer.exe address = 0xb740000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0xb750000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate c:\windows\explorer.exe address = 0xb760000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate c:\windows\explorer.exe address = 0xb770000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Allocate c:\windows\explorer.exe address = 0xb780000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0xb790000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate c:\windows\explorer.exe address = 0xb7a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 11 True 1
Allocate c:\windows\explorer.exe address = 0xb7b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Allocate c:\windows\explorer.exe address = 0xb7c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate c:\windows\explorer.exe address = 0xb7d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate c:\windows\explorer.exe address = 0xb7e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0xb7f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0xb800000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate c:\windows\explorer.exe address = 0xb810000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 5 True 1
Allocate c:\windows\explorer.exe address = 0xb820000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate c:\windows\explorer.exe address = 0xb830000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate c:\windows\explorer.exe address = 0xb840000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate c:\windows\explorer.exe address = 0xb850000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 8 True 1
Allocate c:\windows\explorer.exe address = 0xb860000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 313 True 1
Allocate explorer.exe address = 0x10480000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 458752 True 1
Allocate explorer.exe address = 0x4e10000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate explorer.exe address = 0x4e20000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x4e30000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate explorer.exe address = 0x4ec0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate explorer.exe address = 0x4ed0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate explorer.exe address = 0x4ee0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x4ef0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x4f00000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15 True 1
Allocate explorer.exe address = 0x4f10000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate explorer.exe address = 0x4f20000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x4f30000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x4f40000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15 True 1
Allocate explorer.exe address = 0x4f50000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate explorer.exe address = 0x4f60000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x4f70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x5180000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate explorer.exe address = 0x5190000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate explorer.exe address = 0x51a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x51b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x51c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x51d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate explorer.exe address = 0x51e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x5200000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x5210000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate explorer.exe address = 0x5220000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x5240000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate explorer.exe address = 0x6e30000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x6e40000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate explorer.exe address = 0x6e50000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x6e60000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x6e70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Allocate explorer.exe address = 0x6e80000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x6e90000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate explorer.exe address = 0x6f20000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 7 True 1
Allocate explorer.exe address = 0x6f30000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Allocate explorer.exe address = 0x6f40000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x6f50000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x6f60000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x6f70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x6f80000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate explorer.exe address = 0x7010000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 9 True 1
Allocate explorer.exe address = 0x7020000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x7030000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x7040000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x7050000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 8 True 1
Allocate explorer.exe address = 0x7060000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x7070000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate explorer.exe address = 0x7100000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 14 True 1
Allocate explorer.exe address = 0x7110000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 8 True 1
Allocate explorer.exe address = 0x7120000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x7130000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x7140000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x7150000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x7160000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate explorer.exe address = 0x71f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 14 True 1
Allocate explorer.exe address = 0x7200000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x7210000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x7220000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x7230000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Allocate explorer.exe address = 0x7240000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x7250000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate explorer.exe address = 0x72a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 24 True 1
Allocate explorer.exe address = 0x7320000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Allocate explorer.exe address = 0x7330000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x7340000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x7350000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Allocate explorer.exe address = 0x7360000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x7370000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate explorer.exe address = 0x7400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 14 True 1
Allocate explorer.exe address = 0x7410000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Allocate explorer.exe address = 0x7420000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x7430000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x7440000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate explorer.exe address = 0x7450000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x7460000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate explorer.exe address = 0x74f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 14 True 1
Allocate explorer.exe address = 0x7500000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate explorer.exe address = 0x7510000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x7520000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x7530000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate explorer.exe address = 0x7540000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x7550000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate explorer.exe address = 0x75e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16 True 1
Allocate explorer.exe address = 0x75f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate explorer.exe address = 0x7600000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x7610000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x7620000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x7630000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x7640000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate explorer.exe address = 0x76d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15 True 1
Allocate explorer.exe address = 0x76e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x76f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x7700000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x7710000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 11 True 1
Allocate explorer.exe address = 0x7720000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x7730000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate explorer.exe address = 0x77c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 6 True 1
Allocate explorer.exe address = 0x77d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 11 True 1
Allocate explorer.exe address = 0x77e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x77f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x7800000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x7810000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x7820000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate explorer.exe address = 0x78b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15 True 1
Allocate explorer.exe address = 0x78c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x78d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x78e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x78f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x7900000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x7910000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate explorer.exe address = 0x79a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate explorer.exe address = 0x79b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x79c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x79d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x79e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Allocate explorer.exe address = 0x79f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x7a00000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate explorer.exe address = 0x7a90000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 11 True 1
Allocate explorer.exe address = 0x7aa0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Allocate explorer.exe address = 0x7ab0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x7ac0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x7ad0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x7ae0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x7af0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate explorer.exe address = 0x7b80000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 5 True 1
Allocate explorer.exe address = 0x7b90000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x7ba0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x7bb0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x7bc0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 8 True 1
Allocate explorer.exe address = 0x7bd0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 313 True 1
Allocate explorer.exe address = 0x104f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 458752 True 1
Allocate explorer.exe address = 0x4fa0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate explorer.exe address = 0x4fb0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x4fc0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Allocate explorer.exe address = 0x5050000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate explorer.exe address = 0x5060000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate explorer.exe address = 0x5070000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x5080000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x5090000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15 True 1
Allocate explorer.exe address = 0x50a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate explorer.exe address = 0x50b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x50c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x50d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15 True 1
Allocate explorer.exe address = 0x50e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate explorer.exe address = 0x50f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x5100000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x5290000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate explorer.exe address = 0x52a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate explorer.exe address = 0x52b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x52c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x52d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x52e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate explorer.exe address = 0x52f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Allocate explorer.exe address = 0x5300000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Allocate explorer.exe address = 0x6b40000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Allocate explorer.exe address = 0x6b50000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Allocate explorer.exe address = 0x6b60000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x6bf0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x6c00000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate explorer.exe address = 0x6c10000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x6c20000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x6c30000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Fn
Allocate explorer.exe address = 0x6c40000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x6c50000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x6ce0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 7 True 1
Fn
Allocate explorer.exe address = 0x6cf0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Fn
Allocate explorer.exe address = 0x6d00000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x6d10000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x6d20000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7080000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7090000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x7120000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 9 True 1
Fn
Allocate explorer.exe address = 0x7130000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7140000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x7150000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x7160000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 8 True 1
Fn
Allocate explorer.exe address = 0x7170000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7180000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x7210000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 14 True 1
Fn
Allocate explorer.exe address = 0x7220000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 8 True 1
Fn
Allocate explorer.exe address = 0x7230000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x7240000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x7250000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7260000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7270000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x7300000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 14 True 1
Fn
Allocate explorer.exe address = 0x7310000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7320000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x7330000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x7340000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Fn
Allocate explorer.exe address = 0x7350000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7360000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x73f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 24 True 1
Fn
Allocate explorer.exe address = 0x7400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Fn
Allocate explorer.exe address = 0x7410000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x7420000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x7430000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Fn
Allocate explorer.exe address = 0x7440000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7450000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x74e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 14 True 1
Fn
Allocate explorer.exe address = 0x74f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Fn
Allocate explorer.exe address = 0x7500000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x7510000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x7520000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate explorer.exe address = 0x7530000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7540000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x75d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 14 True 1
Fn
Allocate explorer.exe address = 0x75e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate explorer.exe address = 0x75f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x7600000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x7610000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate explorer.exe address = 0x7620000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7630000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x76c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16 True 1
Fn
Allocate explorer.exe address = 0x76d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate explorer.exe address = 0x76e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x76f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x7700000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7710000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7720000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x77b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15 True 1
Fn
Allocate explorer.exe address = 0x77c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x77d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x77e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x77f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 11 True 1
Fn
Allocate explorer.exe address = 0x7800000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7810000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x78a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 6 True 1
Fn
Allocate explorer.exe address = 0x78b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 11 True 1
Fn
Allocate explorer.exe address = 0x78c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x78d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x78e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x78f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7900000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x7990000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15 True 1
Fn
Allocate explorer.exe address = 0x79a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x79b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x79c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x79d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x79e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x79f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x7a80000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate explorer.exe address = 0x7a90000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7aa0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x7ab0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x7ac0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Fn
Allocate explorer.exe address = 0x7ad0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7ae0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x7b70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 11 True 1
Fn
Allocate explorer.exe address = 0x7b80000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Fn
Allocate explorer.exe address = 0x7b90000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x7ba0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x7bb0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7bc0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7bd0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x7c60000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 5 True 1
Fn
Allocate explorer.exe address = 0x7c70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7c80000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x7c90000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x7ca0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 8 True 1
Fn
Allocate explorer.exe address = 0x7cb0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 313 True 1
Fn
Write c:\windows\explorer.exe address = 0x5220000, size = 13 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x5240000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x5250000, size = 210 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x55e0000, size = 13 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x5f10000, size = 13 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x5f30000, size = 20 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x5f40000, size = 142 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x5f50000, size = 15 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x5f60000, size = 13 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x5f70000, size = 20 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x5f80000, size = 142 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x60a0000, size = 15 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x60b0000, size = 13 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x60c0000, size = 20 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x60d0000, size = 142 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x60e0000, size = 13 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x6140000, size = 13 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x6160000, size = 20 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x61f0000, size = 142 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x6200000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x63e0000, size = 13 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x63f0000, size = 20 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x64d0000, size = 142 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x6f00000, size = 13 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9bc0000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9bd0000, size = 210 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9bf0000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9c10000, size = 13 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9c20000, size = 20 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9c50000, size = 142 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9c60000, size = 10 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9c70000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9c80000, size = 210 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9c90000, size = 7 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9ca0000, size = 10 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9cb0000, size = 20 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9cc0000, size = 142 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9cd0000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9ce0000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9cf0000, size = 210 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9d00000, size = 9 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9ef0000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9f00000, size = 20 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9f10000, size = 142 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9f20000, size = 8 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9f30000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9f40000, size = 210 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9f50000, size = 14 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x9f60000, size = 8 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xa370000, size = 20 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xa380000, size = 142 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xa390000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xa3a0000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xa3b0000, size = 210 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xa3c0000, size = 14 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xa3d0000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xa3e0000, size = 20 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb030000, size = 142 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb040000, size = 10 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb050000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb060000, size = 210 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb070000, size = 24 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb080000, size = 10 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb090000, size = 20 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb0a0000, size = 142 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb1e0000, size = 10 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb1f0000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb200000, size = 210 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb210000, size = 14 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb220000, size = 10 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb230000, size = 20 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb240000, size = 142 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb250000, size = 13 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb260000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb270000, size = 210 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb280000, size = 14 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb290000, size = 13 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb4a0000, size = 20 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb4b0000, size = 142 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb4c0000, size = 13 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb4d0000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb4e0000, size = 210 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb4f0000, size = 16 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb500000, size = 13 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb510000, size = 20 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb5a0000, size = 142 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb5b0000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb5c0000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb5d0000, size = 210 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb5e0000, size = 15 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb5f0000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb600000, size = 20 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb610000, size = 142 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb620000, size = 11 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb630000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb640000, size = 210 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb650000, size = 6 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb660000, size = 11 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb670000, size = 20 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb680000, size = 142 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb690000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb6a0000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb6b0000, size = 210 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb6c0000, size = 15 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb6d0000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb6e0000, size = 20 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb6f0000, size = 142 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb700000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb710000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb720000, size = 210 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb730000, size = 13 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb740000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb750000, size = 20 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb760000, size = 142 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb770000, size = 10 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb780000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb790000, size = 210 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb7a0000, size = 11 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb7b0000, size = 10 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb7c0000, size = 20 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb7d0000, size = 142 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb7e0000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb7f0000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb800000, size = 210 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb810000, size = 5 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb820000, size = 12 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb830000, size = 20 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb840000, size = 142 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x10410000, size = 458752 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb850000, size = 8 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0xb860000, size = 313 True 1
Fn
Data
Write explorer.exe address = 0x4e10000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0x4e20000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x4e30000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x4ec0000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0x4ed0000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0x4ee0000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x4ef0000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x4f00000, size = 15 True 1
Fn
Data
Write explorer.exe address = 0x4f10000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0x4f20000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x4f30000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x4f40000, size = 15 True 1
Fn
Data
Write explorer.exe address = 0x4f50000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0x4f60000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x4f70000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x5180000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0x5190000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0x51a0000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x51b0000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x51c0000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x51d0000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0x51e0000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x5200000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x5210000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0x5220000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x5240000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x6e30000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x6e40000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0x6e50000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x6e60000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x6e70000, size = 10 True 1
Fn
Data
Write explorer.exe address = 0x6e80000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x6e90000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x6f20000, size = 7 True 1
Fn
Data
Write explorer.exe address = 0x6f30000, size = 10 True 1
Fn
Data
Write explorer.exe address = 0x6f40000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x6f50000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x6f60000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x6f70000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x6f80000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x7010000, size = 9 True 1
Fn
Data
Write explorer.exe address = 0x7020000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x7030000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x7040000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x7050000, size = 8 True 1
Fn
Data
Write explorer.exe address = 0x7060000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x7070000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x7100000, size = 14 True 1
Fn
Data
Write explorer.exe address = 0x7110000, size = 8 True 1
Fn
Data
Write explorer.exe address = 0x7120000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x7130000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x7140000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x7150000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x7160000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x71f0000, size = 14 True 1
Fn
Data
Write explorer.exe address = 0x7200000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x7210000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x7220000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x7230000, size = 10 True 1
Fn
Data
Write explorer.exe address = 0x7240000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x7250000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x72a0000, size = 24 True 1
Fn
Data
Write explorer.exe address = 0x7320000, size = 10 True 1
Fn
Data
Write explorer.exe address = 0x7330000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x7340000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x7350000, size = 10 True 1
Fn
Data
Write explorer.exe address = 0x7360000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x7370000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x7400000, size = 14 True 1
Fn
Data
Write explorer.exe address = 0x7410000, size = 10 True 1
Fn
Data
Write explorer.exe address = 0x7420000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x7430000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x7440000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0x7450000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x7460000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x74f0000, size = 14 True 1
Fn
Data
Write explorer.exe address = 0x7500000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0x7510000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x7520000, size = 142 True 1
Fn
Data
Module (560)
Operation Module Additional Information Success Count
Load kernel32.dll base_address = 0x75260000 True 2
Get Handle c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe base_address = 0x400000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75260000 True 276
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Local\uTorrent.exe, size = 261 True 3
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemDirectoryA, address_out = 0x7527f5c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathA, address_out = 0x75286410 True 1
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x752777b0 True 48
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x7527d8d0 True 48
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x75279640 True 60
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x75277940 True 60
Get Address c:\windows\syswow64\kernel32.dll function = ExitThread, address_out = 0x77d02570 True 60
Window (1)
Operation Window Name Additional Information Success Count
Find - class_name = Shell_TrayWnd True 1
Keyboard (1)
Operation Additional Information Success Count
Get Info type = 0, result_out = 4 True 1
System (9)
Operation Additional Information Success Count
Sleep duration = 1000 milliseconds (1.000 seconds) True 2
Sleep duration = 2000 milliseconds (2.000 seconds) True 1
Get Time type = Ticks, time = 138734 True 1
Get Time type = Ticks, time = 149453 True 1
Get Time type = Ticks, time = 151859 True 1
Get Info type = Operating System True 2
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Mutex (3)
Operation Additional Information Success Count
Create mutex_name = CIiHmnxMn6Ps5 True 1
Create mutex_name = SWE2F15657A4JJ True 1
Create mutex_name = SWE2F15657A4JJCIiHmnxMn6Ps15 True 1
Process #3: explorer.exe
Information Value
ID #3
File Name c:\windows\explorer.exe
Command Line C:\Windows\Explorer.EXE
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:47, Reason: Injection
Unmonitor End Time: 00:02:15, Reason: Self Terminated
Monitor Duration 00:00:28
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x508
Parent PID 0xffffffffffffffff (Unknown)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000dc0000 0x00dc0000 0x00dcffff Pagefile Backed Memory rw True False False -
private_0x0000000000dd0000 0x00dd0000 0x00dd6fff Private Memory rw True False False -
pagefile_0x0000000000de0000 0x00de0000 0x00df3fff Pagefile Backed Memory r True False False -
private_0x0000000000e00000 0x00e00000 0x00e7ffff Private Memory rw True False False -
pagefile_0x0000000000e80000 0x00e80000 0x00e83fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000e90000 0x00e90000 0x00e92fff Pagefile Backed Memory r True False False -
private_0x0000000000ea0000 0x00ea0000 0x00ea1fff Private Memory rw True False False -
locale.nls 0x00eb0000 0x00f6dfff Memory Mapped File r False False False -
private_0x0000000000ff0000 0x00ff0000 0x00ff6fff Private Memory rw True False False -
explorer.exe.mui 0x01000000 0x01007fff Memory Mapped File r False False False -
private_0x0000000001010000 0x01010000 0x01010fff Private Memory rw True False False -
private_0x0000000001020000 0x01020000 0x01020fff Private Memory rw True False False -
pagefile_0x0000000001030000 0x01030000 0x01030fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000001040000 0x01040000 0x01040fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000001050000 0x01050000 0x01050fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001060000 0x01060000 0x01060fff Pagefile Backed Memory r True False False -
cversions.1.db 0x01070000 0x01073fff Memory Mapped File r True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db 0x01080000 0x01092fff Memory Mapped File r True False False -
private_0x00000000010a0000 0x010a0000 0x0119ffff Private Memory rw True False False -
pagefile_0x00000000011a0000 0x011a0000 0x011a0fff Pagefile Backed Memory rw True False False -
private_0x00000000011b0000 0x011b0000 0x0122ffff Private Memory rw True False False -
{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000034.db 0x01230000 0x0124dfff Memory Mapped File r True False False -
pagefile_0x0000000001250000 0x01250000 0x01252fff Pagefile Backed Memory r True False False -
private_0x0000000001260000 0x01260000 0x0126ffff Private Memory rw True False False -
pagefile_0x0000000001270000 0x01270000 0x01272fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001280000 0x01280000 0x012a9fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000012b0000 0x012b0000 0x012b1fff Pagefile Backed Memory r True False False -
private_0x00000000012c0000 0x012c0000 0x012cffff Private Memory rw True False False -
pagefile_0x00000000012d0000 0x012d0000 0x01457fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001460000 0x01460000 0x015e0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000015f0000 0x015f0000 0x029effff Pagefile Backed Memory r True False False -
sortdefault.nls 0x029f0000 0x02d26fff Memory Mapped File r False False False -
private_0x0000000002d30000 0x02d30000 0x02daffff Private Memory rw True False False -
private_0x0000000002db0000 0x02db0000 0x02e2ffff Private Memory rw True False False -
private_0x0000000002e30000 0x02e30000 0x02eaffff Private Memory rw True False False -
shell32.dll.mui 0x02eb0000 0x02f10fff Memory Mapped File r False False False -
kernelbase.dll.mui 0x02f20000 0x02ffefff Memory Mapped File r False False False -
private_0x0000000003000000 0x03000000 0x0307ffff Private Memory rw True False False -
private_0x0000000003080000 0x03080000 0x030fffff Private Memory rw True False False -
private_0x0000000003100000 0x03100000 0x0317ffff Private Memory rw True False False -
pagefile_0x0000000003180000 0x03180000 0x03181fff Pagefile Backed Memory r True False False -
oleaccrc.dll 0x03190000 0x03191fff Memory Mapped File r False False False -
oleaccrc.dll.mui 0x031a0000 0x031a4fff Memory Mapped File r False False False -
pagefile_0x00000000031b0000 0x031b0000 0x03267fff Pagefile Backed Memory r True False False -
pagefile_0x0000000003270000 0x03270000 0x03273fff Pagefile Backed Memory r True False False -
private_0x0000000003280000 0x03280000 0x0337ffff Private Memory rw True False False -
private_0x0000000003380000 0x03380000 0x0347ffff Private Memory rw True False False -
private_0x0000000003480000 0x03480000 0x03480fff Private Memory rw True False False -
staticcache.dat 0x03490000 0x044cffff Memory Mapped File r False False False -
private_0x00000000044d0000 0x044d0000 0x044d6fff Private Memory rw True False False -
private_0x00000000044e0000 0x044e0000 0x044e0fff Private Memory rw True False False -
private_0x00000000044f0000 0x044f0000 0x044f0fff Private Memory rw True False False -
private_0x0000000004500000 0x04500000 0x04500fff Private Memory rw True False False -
private_0x0000000004510000 0x04510000 0x0458ffff Private Memory rw True False False -
private_0x0000000004590000 0x04590000 0x04591fff Private Memory rw True False False -
private_0x00000000045a0000 0x045a0000 0x045a0fff Private Memory rw True False False -
private_0x00000000045b0000 0x045b0000 0x045b0fff Private Memory rw True False False -
private_0x00000000045c0000 0x045c0000 0x045c0fff Private Memory rw True False False -
pagefile_0x00000000045d0000 0x045d0000 0x045d2fff Pagefile Backed Memory r True False False -
cversions.1.db 0x045e0000 0x045e3fff Memory Mapped File r True False False -
private_0x00000000045f0000 0x045f0000 0x045f0fff Private Memory rw True False False -
pagefile_0x0000000004600000 0x04600000 0x04600fff Pagefile Backed Memory rw True False False -
private_0x0000000004610000 0x04610000 0x04610fff Private Memory rw True False False -
pagefile_0x0000000004620000 0x04620000 0x04622fff Pagefile Backed Memory r True False False -
pagefile_0x0000000004630000 0x04630000 0x04668fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000004670000 0x04670000 0x04672fff Pagefile Backed Memory r True False False -
private_0x0000000004680000 0x04680000 0x04680fff Private Memory rw True False False -
private_0x0000000004690000 0x04690000 0x04690fff Private Memory rw True False False -
private_0x00000000046a0000 0x046a0000 0x0471ffff Private Memory rw True False False -
private_0x0000000004720000 0x04720000 0x0479ffff Private Memory rw True False False -
pagefile_0x00000000047a0000 0x047a0000 0x047a2fff Pagefile Backed Memory r True False False -
cversions.2.db 0x047b0000 0x047b3fff Memory Mapped File r True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db 0x047c0000 0x04802fff Memory Mapped File r True False False -
cversions.2.db 0x04810000 0x04813fff Memory Mapped File r True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db 0x04820000 0x048aafff Memory Mapped File r True False False -
propsys.dll.mui 0x048b0000 0x048c0fff Memory Mapped File r False False False -
private_0x00000000048d0000 0x048d0000 0x0494ffff Private Memory rw True False False -
private_0x0000000004950000 0x04950000 0x049cffff Private Memory rw True False False -
private_0x00000000049d0000 0x049d0000 0x04a4ffff Private Memory rw True False False -
private_0x0000000004a50000 0x04a50000 0x04a50fff Private Memory rw True False False -
private_0x0000000004a60000 0x04a60000 0x04adffff Private Memory rw True False False -
private_0x0000000004ae0000 0x04ae0000 0x04b5ffff Private Memory rw True False False -
private_0x0000000004b60000 0x04b60000 0x04bdffff Private Memory rw True False False -
pagefile_0x0000000004be0000 0x04be0000 0x050d1fff Pagefile Backed Memory rw True False False -
private_0x00000000050e0000 0x050e0000 0x050e0fff Private Memory rw True False False -
private_0x00000000050f0000 0x050f0000 0x0516ffff Private Memory rw True False False -
iconcache_idx.db 0x05170000 0x05171fff Memory Mapped File rw True False False -
pagefile_0x0000000005180000 0x05180000 0x05180fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000051a0000 0x051a0000 0x051a2fff Pagefile Backed Memory r True False False -
iconcache_idx.db 0x051b0000 0x051b1fff Memory Mapped File rw True False False -
thumbcache_idx.db 0x051d0000 0x051d1fff Memory Mapped File rw True False False -
thumbcache_48.db 0x051e0000 0x051e0fff Memory Mapped File rw True False False -
{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000035.db 0x051f0000 0x0520bfff Memory Mapped File r True False False -
iconcache_256.db 0x05230000 0x05230fff Memory Mapped File rw True False False -
thumbcache_idx.db 0x05260000 0x05261fff Memory Mapped File rw True False False -
private_0x0000000005270000 0x05270000 0x052effff Private Memory rw True False False -
private_0x00000000052f0000 0x052f0000 0x0536ffff Private Memory rw True False False -
private_0x0000000005370000 0x05370000 0x053effff Private Memory rw True False False -
private_0x00000000053f0000 0x053f0000 0x0546ffff Private Memory rw True False False -
winnlsres.dll 0x05470000 0x05474fff Memory Mapped File r False False False -
winnlsres.dll.mui 0x05480000 0x0548ffff Memory Mapped File r False False False -
private_0x0000000005490000 0x05490000 0x0550ffff Private Memory rw True False False -
pagefile_0x0000000005510000 0x05510000 0x05510fff Pagefile Backed Memory rw True False False -
private_0x0000000005520000 0x05520000 0x05520fff Private Memory rw True False False -
private_0x0000000005530000 0x05530000 0x05530fff Private Memory rw True False False -
private_0x0000000005540000 0x05540000 0x055bffff Private Memory rw True False False -
mswsock.dll.mui 0x055c0000 0x055c2fff Memory Mapped File r False False False -
thumbcache_idx.db 0x055d0000 0x055d1fff Memory Mapped File rw True False False -
private_0x00000000055f0000 0x055f0000 0x05deffff Private Memory - True False False -
pagefile_0x0000000005df0000 0x05df0000 0x05df2fff Pagefile Backed Memory r True False False -
private_0x0000000005e00000 0x05e00000 0x05e00fff Private Memory rw True False False -
pagefile_0x0000000005e10000 0x05e10000 0x05e12fff Pagefile Backed Memory r True False False -
private_0x0000000005e20000 0x05e20000 0x05e20fff Private Memory rw True False False -
private_0x0000000005e30000 0x05e30000 0x05e38fff Private Memory rw True False False -
private_0x0000000005e40000 0x05e40000 0x05e43fff Private Memory rw True False False -
iconcache_idx.db 0x05e50000 0x05e51fff Memory Mapped File rw True False False -
thumbcache_idx.db 0x05e60000 0x05e61fff Memory Mapped File rw True False False -
private_0x0000000005e70000 0x05e70000 0x05e78fff Private Memory rw True False False -
private_0x0000000005e80000 0x05e80000 0x05e80fff Private Memory rw True False False -
pagefile_0x0000000005e90000 0x05e90000 0x05e9ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000005ea0000 0x05ea0000 0x05eaffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000005eb0000 0x05eb0000 0x05ebffff Pagefile Backed Memory rw True False False -
thumbcache_48.db 0x05ec0000 0x05ec4fff Memory Mapped File rw True False False -
pagefile_0x0000000005ed0000 0x05ed0000 0x05edffff Pagefile Backed Memory r True False False -
windows.storage.dll.mui 0x05ee0000 0x05ee7fff Memory Mapped File r False False False -
pagefile_0x0000000005ef0000 0x05ef0000 0x05ef2fff Pagefile Backed Memory r True False False -
counters.dat 0x05f00000 0x05f00fff Memory Mapped File rw True False False -
pagefile_0x0000000005f20000 0x05f20000 0x05f20fff Pagefile Backed Memory rw True False False -
private_0x0000000005f90000 0x05f90000 0x0608ffff Private Memory rw True False False -
pagefile_0x0000000006090000 0x06090000 0x06092fff Pagefile Backed Memory r True False False -
private_0x00000000060f0000 0x060f0000 0x06137fff Private Memory rw True False False -
thumbcache_idx.db 0x06150000 0x06151fff Memory Mapped File rw True False False -
stobject.dll.mui 0x06170000 0x06171fff Memory Mapped File r False False False -
private_0x0000000006180000 0x06180000 0x061ebfff Private Memory rw True False False -
netmsg.dll 0x06210000 0x06210fff Memory Mapped File r False False False -
netmsg.dll.mui 0x06220000 0x06251fff Memory Mapped File r False False False -
private_0x0000000006260000 0x06260000 0x062dffff Private Memory rw True False False -
iconcache_32.db 0x062e0000 0x063dffff Memory Mapped File rw True False False -
private_0x0000000006400000 0x06400000 0x06447fff Private Memory rw True False False -
private_0x0000000006450000 0x06450000 0x064cffff Private Memory rw True False False -
private_0x00000000064e0000 0x064e0000 0x0655ffff Private Memory rw True False False -
pagefile_0x0000000006560000 0x06560000 0x06561fff Pagefile Backed Memory r True False False -
grooveintlresource.dll 0x06570000 0x06df2fff Memory Mapped File rwx False False False -
iconcache_48.db 0x06e00000 0x06efffff Memory Mapped File rw True False False -
private_0x0000000006f10000 0x06f10000 0x06f8ffff Private Memory rw True False False -
private_0x0000000006f90000 0x06f90000 0x06fd8fff Private Memory rw True False False -
appdb.dat 0x06fe0000 0x09361fff Memory Mapped File rw True False False -
private_0x0000000009370000 0x09370000 0x093effff Private Memory rw True False False -
thumbcache_48.db 0x093f0000 0x094effff Memory Mapped File rw True False False -
thumbcache_256.db 0x094f0000 0x095effff Memory Mapped File rw True False False -
For performance reasons, the remaining 499 entries are omitted.
The remaining entries can be found in flog.txt.
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb090000, size = 20 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb0a0000, size = 142 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb1e0000, size = 10 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb1f0000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb200000, size = 210 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb210000, size = 14 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb220000, size = 10 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb230000, size = 20 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb240000, size = 142 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb250000, size = 13 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb260000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb270000, size = 210 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb280000, size = 14 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb290000, size = 13 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb4a0000, size = 20 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb4b0000, size = 142 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb4c0000, size = 13 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb4d0000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb4e0000, size = 210 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb4f0000, size = 16 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb500000, size = 13 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb510000, size = 20 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb5a0000, size = 142 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb5b0000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb5c0000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb5d0000, size = 210 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb5e0000, size = 15 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb5f0000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb600000, size = 20 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb610000, size = 142 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb620000, size = 11 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb630000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb640000, size = 210 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb650000, size = 6 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb660000, size = 11 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb670000, size = 20 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb680000, size = 142 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb690000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb6a0000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb6b0000, size = 210 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb6c0000, size = 15 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb6d0000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb6e0000, size = 20 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb6f0000, size = 142 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb700000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb710000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb720000, size = 210 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb730000, size = 13 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb740000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb750000, size = 20 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb760000, size = 142 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb770000, size = 10 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb780000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb790000, size = 210 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb7a0000, size = 11 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb7b0000, size = 10 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb7c0000, size = 20 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb7d0000, size = 142 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb7e0000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb7f0000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb800000, size = 210 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb810000, size = 5 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb820000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb830000, size = 20 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb840000, size = 142 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x10410000, size = 458752 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb850000, size = 8 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0xb860000, size = 313 True 1
Fn
Data
Process #4: explorer.exe
454 0
Information Value
ID #4
File Name c:\windows\syswow64\explorer.exe
Command Line explorer.exe
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:01:48, Reason: Child Process
Unmonitor End Time: 00:02:09, Reason: Self Terminated
Monitor Duration 00:00:21
OS Process Information
Information Value
PID 0x128
Parent PID 0x8c8 (c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x304, 0x984, 0x35C, 0x350, 0x378, 0x574, 0xB68, 0x7A8, 0x2FC, 0xA40, 0x73C, 0x744, 0xB84, 0xC04, 0xC08, 0xC0C, 0xC10, 0xC14, 0xC18, 0xC20, 0xC24, 0xC28, 0xC2C, 0xC30, 0xC34, 0xC38, 0xC3C, 0xC40, 0xC44, 0xC48, 0xC4C, 0xC50, 0xC54, 0xC58, 0xC5C, 0xC60, 0xC64, 0xC68, 0xC6C, 0xC78, 0xC7C, 0xC80, 0xC84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
explorer.exe 0x00930000 0x00d06fff Memory Mapped File rwx False False False -
pagefile_0x0000000000d10000 0x00d10000 0x04d0ffff Pagefile Backed Memory - True False False -
private_0x0000000004d10000 0x04d10000 0x04d2ffff Private Memory rw True False False -
pagefile_0x0000000004d10000 0x04d10000 0x04d1ffff Pagefile Backed Memory rw True False False -
private_0x0000000004d20000 0x04d20000 0x04d23fff Private Memory rw True False False -
private_0x0000000004d30000 0x04d30000 0x04d30fff Private Memory rw True False False -
explorer.exe.mui 0x04d30000 0x04d37fff Memory Mapped File r False False False -
pagefile_0x0000000004d40000 0x04d40000 0x04d53fff Pagefile Backed Memory r True False False -
private_0x0000000004d60000 0x04d60000 0x04d9ffff Private Memory rw True False False -
private_0x0000000004da0000 0x04da0000 0x04ddffff Private Memory rw True False False -
pagefile_0x0000000004de0000 0x04de0000 0x04de3fff Pagefile Backed Memory r True False False -
pagefile_0x0000000004df0000 0x04df0000 0x04df2fff Pagefile Backed Memory r True False False -
private_0x0000000004e00000 0x04e00000 0x04e01fff Private Memory rw True False False -
private_0x0000000004e10000 0x04e10000 0x04e10fff Private Memory rwx True False False -
private_0x0000000004e20000 0x04e20000 0x04e20fff Private Memory rwx True False False -
private_0x0000000004e30000 0x04e30000 0x04e30fff Private Memory rwx True False False -
private_0x0000000004e40000 0x04e40000 0x04e7ffff Private Memory rw True False False -
private_0x0000000004e80000 0x04e80000 0x04ebffff Private Memory rw True False False -
private_0x0000000004ec0000 0x04ec0000 0x04ec0fff Private Memory rwx True False False -
private_0x0000000004ed0000 0x04ed0000 0x04ed0fff Private Memory rwx True False False -
private_0x0000000004ee0000 0x04ee0000 0x04ee0fff Private Memory rwx True False False -
private_0x0000000004ef0000 0x04ef0000 0x04ef0fff Private Memory rwx True False False -
private_0x0000000004f00000 0x04f00000 0x04f3ffff Private Memory rw True False False -
private_0x0000000004f00000 0x04f00000 0x04f00fff Private Memory rwx True False False -
private_0x0000000004f10000 0x04f10000 0x04f10fff Private Memory rwx True False False -
private_0x0000000004f20000 0x04f20000 0x04f20fff Private Memory rwx True False False -
private_0x0000000004f30000 0x04f30000 0x04f30fff Private Memory rwx True False False -
private_0x0000000004f40000 0x04f40000 0x04f7ffff Private Memory rw True False False -
private_0x0000000004f40000 0x04f40000 0x04f40fff Private Memory rwx True False False -
private_0x0000000004f50000 0x04f50000 0x04f50fff Private Memory rwx True False False -
private_0x0000000004f60000 0x04f60000 0x04f60fff Private Memory rwx True False False -
private_0x0000000004f70000 0x04f70000 0x04f70fff Private Memory rwx True False False -
locale.nls 0x04f80000 0x0503dfff Memory Mapped File r False False False -
private_0x0000000005040000 0x05040000 0x0507ffff Private Memory rw True False False -
private_0x0000000005080000 0x05080000 0x05080fff Private Memory rw True False False -
private_0x0000000005090000 0x05090000 0x0509ffff Private Memory rw True False False -
private_0x00000000050a0000 0x050a0000 0x050dffff Private Memory rw True False False -
private_0x00000000050e0000 0x050e0000 0x0511ffff Private Memory rw True False False -
private_0x0000000005120000 0x05120000 0x0515ffff Private Memory rw True False False -
private_0x0000000005160000 0x05160000 0x05160fff Private Memory rw True False False -
private_0x0000000005170000 0x05170000 0x05173fff Private Memory rw True False False -
private_0x0000000005180000 0x05180000 0x051bffff Private Memory rw True False False -
private_0x0000000005180000 0x05180000 0x05180fff Private Memory rwx True False False -
private_0x0000000005190000 0x05190000 0x05190fff Private Memory rwx True False False -
private_0x00000000051a0000 0x051a0000 0x051a0fff Private Memory rwx True False False -
private_0x00000000051b0000 0x051b0000 0x051b0fff Private Memory rwx True False False -
private_0x00000000051c0000 0x051c0000 0x051c0fff Private Memory rwx True False False -
private_0x00000000051d0000 0x051d0000 0x051d0fff Private Memory rwx True False False -
private_0x00000000051e0000 0x051e0000 0x051e0fff Private Memory rwx True False False -
private_0x00000000051f0000 0x051f0000 0x051fffff Private Memory rw True False False -
private_0x0000000005200000 0x05200000 0x05200fff Private Memory rwx True False False -
private_0x0000000005210000 0x05210000 0x05210fff Private Memory rwx True False False -
private_0x0000000005220000 0x05220000 0x05220fff Private Memory rwx True False False -
private_0x0000000005230000 0x05230000 0x0523ffff Private Memory rw True False False -
private_0x0000000005240000 0x05240000 0x05240fff Private Memory rwx True False False -
private_0x0000000005250000 0x05250000 0x0534ffff Private Memory rw True False False -
pagefile_0x0000000005350000 0x05350000 0x054d7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000054e0000 0x054e0000 0x05660fff Pagefile Backed Memory r True False False -
pagefile_0x0000000005670000 0x05670000 0x06a6ffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x06a70000 0x06da6fff Memory Mapped File r False False False -
private_0x0000000006db0000 0x06db0000 0x06deffff Private Memory rw True False False -
private_0x0000000006df0000 0x06df0000 0x06e2ffff Private Memory rw True False False -
private_0x0000000006e30000 0x06e30000 0x06e30fff Private Memory rwx True False False -
private_0x0000000006e40000 0x06e40000 0x06e40fff Private Memory rwx True False False -
private_0x0000000006e50000 0x06e50000 0x06e50fff Private Memory rwx True False False -
private_0x0000000006e60000 0x06e60000 0x06e60fff Private Memory rwx True False False -
private_0x0000000006e70000 0x06e70000 0x06eaffff Private Memory rw True False False -
private_0x0000000006e70000 0x06e70000 0x06e70fff Private Memory rwx True False False -
private_0x0000000006e80000 0x06e80000 0x06e80fff Private Memory rwx True False False -
private_0x0000000006e90000 0x06e90000 0x06e90fff Private Memory rwx True False False -
private_0x0000000006ea0000 0x06ea0000 0x06edffff Private Memory rw True False False -
private_0x0000000006eb0000 0x06eb0000 0x06eeffff Private Memory rw True False False -
private_0x0000000006ee0000 0x06ee0000 0x06f1ffff Private Memory rw True False False -
private_0x0000000006f20000 0x06f20000 0x06f20fff Private Memory rwx True False False -
private_0x0000000006f30000 0x06f30000 0x06f30fff Private Memory rwx True False False -
private_0x0000000006f40000 0x06f40000 0x06f40fff Private Memory rwx True False False -
private_0x0000000006f50000 0x06f50000 0x06f50fff Private Memory rwx True False False -
private_0x0000000006f60000 0x06f60000 0x06f9ffff Private Memory rw True False False -
private_0x0000000006f60000 0x06f60000 0x06f60fff Private Memory rwx True False False -
private_0x0000000006f70000 0x06f70000 0x06f70fff Private Memory rwx True False False -
private_0x0000000006f80000 0x06f80000 0x06f80fff Private Memory rwx True False False -
private_0x0000000006f90000 0x06f90000 0x06fcffff Private Memory rw True False False -
private_0x0000000006fa0000 0x06fa0000 0x06fdffff Private Memory rw True False False -
private_0x0000000006fd0000 0x06fd0000 0x0700ffff Private Memory rw True False False -
private_0x0000000007010000 0x07010000 0x07010fff Private Memory rwx True False False -
private_0x0000000007020000 0x07020000 0x07020fff Private Memory rwx True False False -
private_0x0000000007030000 0x07030000 0x07030fff Private Memory rwx True False False -
private_0x0000000007040000 0x07040000 0x07040fff Private Memory rwx True False False -
private_0x0000000007050000 0x07050000 0x0708ffff Private Memory rw True False False -
private_0x0000000007050000 0x07050000 0x07050fff Private Memory rwx True False False -
private_0x0000000007060000 0x07060000 0x07060fff Private Memory rwx True False False -
private_0x0000000007090000 0x07090000 0x070cffff Private Memory rw True False False -
gdiplus.dll 0x070d0000 0x07236fff Memory Mapped File r False False False -
private_0x0000000010480000 0x10480000 0x104effff Private Memory rwx True False False -
wow64cpu.dll 0x64ae0000 0x64ae7fff Memory Mapped File rwx False False False -
wow64win.dll 0x64af0000 0x64b62fff Memory Mapped File rwx False False False -
wow64.dll 0x64b70000 0x64bbefff Memory Mapped File rwx False False False -
gdiplus.dll 0x744c0000 0x7462afff Memory Mapped File rwx False False False -
sppc.dll 0x74630000 0x7464cfff Memory Mapped File rwx False False False -
slc.dll 0x74650000 0x74670fff Memory Mapped File rwx False False False -
dxgi.dll 0x74680000 0x746fdfff Memory Mapped File rwx False False False -
userenv.dll 0x74700000 0x74718fff Memory Mapped File rwx False False False -
dcomp.dll 0x74720000 0x747bbfff Memory Mapped File rwx False False False -
d3d11.dll 0x747c0000 0x749d2fff Memory Mapped File rwx False False False -
twinapi.dll 0x749e0000 0x74a78fff Memory Mapped File rwx False False False -
propsys.dll 0x74a80000 0x74bc1fff Memory Mapped File rwx False False False -
dwmapi.dll 0x74c00000 0x74c1cfff Memory Mapped File rwx False False False -
uxtheme.dll 0x74c20000 0x74c94fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74d40000 0x74d98fff Memory Mapped File rwx False False False -
cryptbase.dll 0x74da0000 0x74da9fff Memory Mapped File rwx False False False -
sspicli.dll 0x74db0000 0x74dcdfff Memory Mapped File rwx False False False -
kernelbase.dll 0x74e70000 0x74fe5fff Memory Mapped File rwx False False False -
kernel32.dll 0x75260000 0x7534ffff Memory Mapped File rwx False False False -
powrprof.dll 0x753b0000 0x753f3fff Memory Mapped File rwx False False False -
imm32.dll 0x75400000 0x7542afff Memory Mapped File rwx False False False -
shell32.dll 0x75430000 0x767eefff Memory Mapped File rwx False False False -
profapi.dll 0x76810000 0x7681efff Memory Mapped File rwx False False False -
advapi32.dll 0x76a10000 0x76a8afff Memory Mapped File rwx False False False -
sechost.dll 0x76c40000 0x76c82fff Memory Mapped File rwx False False False -
oleaut32.dll 0x76c90000 0x76d21fff Memory Mapped File rwx False False False -
msasn1.dll 0x76d30000 0x76d3dfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76d90000 0x76e3bfff Memory Mapped File rwx False False False -
combase.dll 0x76e40000 0x76ff9fff Memory Mapped File rwx False False False -
gdi32.dll 0x77000000 0x7714cfff Memory Mapped File rwx False False False -
user32.dll 0x77150000 0x7728ffff Memory Mapped File rwx False False False -
shlwapi.dll 0x77290000 0x772d3fff Memory Mapped File rwx False False False -
shcore.dll 0x77340000 0x773ccfff Memory Mapped File rwx False False False -
windows.storage.dll 0x773f0000 0x778ccfff Memory Mapped File rwx False False False -
msctf.dll 0x778d0000 0x779effff Memory Mapped File rwx False False False -
msvcrt.dll 0x779f0000 0x77aadfff Memory Mapped File rwx False False False -
crypt32.dll 0x77ab0000 0x77c24fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x77c30000 0x77c3bfff Memory Mapped File rwx False False False -
ntdll.dll 0x77ca0000 0x77e18fff Memory Mapped File rwx False False False -
private_0x000000007eb0d000 0x7eb0d000 0x7eb0ffff Private Memory rw True False False -
pagefile_0x000000007eb10000 0x7eb10000 0x7ec0ffff Pagefile Backed Memory r True False False -
private_0x000000007ec11000 0x7ec11000 0x7ec13fff Private Memory rw True False False -
private_0x000000007ec14000 0x7ec14000 0x7ec16fff Private Memory rw True False False -
private_0x000000007ec17000 0x7ec17000 0x7ec19fff Private Memory rw True False False -
private_0x000000007ec1a000 0x7ec1a000 0x7ec1cfff Private Memory rw True False False -
private_0x000000007ec1d000 0x7ec1d000 0x7ec1ffff Private Memory rw True False False -
pagefile_0x000000007ec20000 0x7ec20000 0x7ec42fff Pagefile Backed Memory r True False False -
private_0x000000007ec45000 0x7ec45000 0x7ec45fff Private Memory rw True False False -
private_0x000000007ec47000 0x7ec47000 0x7ec49fff Private Memory rw True False False -
private_0x000000007ec4a000 0x7ec4a000 0x7ec4cfff Private Memory rw True False False -
private_0x000000007ec4d000 0x7ec4d000 0x7ec4dfff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7df8ee37ffff Private Memory r True False False -
pagefile_0x00007df8ee380000 0x7df8ee380000 0x7ff8ee37ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ff8ee380000 0x7ff8ee541fff Memory Mapped File rwx False False False -
private_0x00007ff8ee542000 0x7ff8ee542000 0x7ffffffeffff Private Memory r True False False -
For performance reasons, the remaining 181 entries are omitted.
The remaining entries can be found in flog.txt.
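The Injection Information rows in this report follow one rhythm: thread 0x568 of process #2 (utorrent.exe) writes a few chunks of 5 to 24 bytes plus one chunk of 142 or 210 bytes, each to a fresh 64 KiB-aligned address, and then creates a remote thread whose start address is exactly the 142- or 210-byte chunk. The Region table for the same target shows each of those addresses as a one-page private rwx region (0x04e10000, 0x04e20000, 0x04e30000, and so on), which is the footprint a small VirtualAllocEx(PAGE_EXECUTE_READWRITE) followed by WriteProcessMemory leaves behind. The script below is an added example, not part of VMRay or of the analyzed sample: it parses rows in the report's own row format, groups writes with the CreateRemoteThread that follows them, and cross-checks each written address against the Region table. The sample rows are copied from this report's tables for Process #4 and embedded so the script runs offline; the last three rows deliberately have no thread after them, to show how a table cut off by the page (or by the extracted-file limit noted at the top of the report) is reported rather than silently merged into the next sequence. One caveat a practitioner should keep in mind when keying such data: this report reuses PID 0x128 for both #1 (muziko66.exe) and #4 (explorer.exe), so the script keys on the report's process index (#2, #4), never on the PID.

```python
"""Group VMRay 'Injection Information' rows into write-then-CreateRemoteThread
sequences and cross-check each written address against the target's 'Region' table.

Added example for this report; not VMRay tooling and not code from the sample.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

PAGE = 0x1000                 # one x86 page
ALLOC_GRANULARITY = 0x10000   # Windows VirtualAlloc(Ex) allocation granularity, 64 KiB

# Constructed input: rows copied verbatim from this report's Injection Information
# table for Process #4 (target explorer.exe, source #2 utorrent.exe, thread 0x568).
# The last three rows have no Create Remote Thread after them (table cut off).
INJECTION_ROWS = r"""
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4e10000, size = 13 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4e20000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4e30000, size = 210 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4e30000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4ec0000, size = 13 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4ed0000, size = 13 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4ee0000, size = 20 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4ef0000, size = 142 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4ef0000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7350000, size = 10 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7360000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7370000, size = 210 True 1
"""

# Constructed input: rows copied from the same process's Region table.
REGION_ROWS = r"""
explorer.exe 0x00930000 0x00d06fff Memory Mapped File rwx False False False -
private_0x0000000004e10000 0x04e10000 0x04e10fff Private Memory rwx True False False -
private_0x0000000004e20000 0x04e20000 0x04e20fff Private Memory rwx True False False -
private_0x0000000004e30000 0x04e30000 0x04e30fff Private Memory rwx True False False -
private_0x0000000004e40000 0x04e40000 0x04e7ffff Private Memory rw True False False -
private_0x0000000004ec0000 0x04ec0000 0x04ec0fff Private Memory rwx True False False -
private_0x0000000004ed0000 0x04ed0000 0x04ed0fff Private Memory rwx True False False -
private_0x0000000004ee0000 0x04ee0000 0x04ee0fff Private Memory rwx True False False -
private_0x0000000004ef0000 0x04ef0000 0x04ef0fff Private Memory rwx True False False -
ntdll.dll 0x77ca0000 0x77e18fff Memory Mapped File rwx False False False -
"""

# Row grammar as printed in the report; the optional trailing "Fn"/"Fn Data" are the
# log-file link labels that a copy-paste from the page may carry along.
INJ_RE = re.compile(
    r"^(?P<type>Modify Memory|Create Remote Thread) #(?P<src>\d+): (?P<path>\S+) "
    r"(?P<tid>0x[0-9a-fA-F]+) address = (?P<addr>0x[0-9a-fA-F]+)"
    r"(?:, size = (?P<size>\d+))? (?P<ok>True|False) (?P<count>\d+)(?: Fn(?: Data)?)?$"
)
REGION_RE = re.compile(
    r"^(?P<name>\S+) (?P<start>0x[0-9a-fA-F]+) (?P<end>0x[0-9a-fA-F]+) "
    r"(?P<type>Memory Mapped File|Private Memory|Pagefile Backed Memory) "
    r"(?P<perm>[rwx-]+) (?P<mon>True|False) (?P<dumped>True|False) (?P<yara>True|False) \S+$"
)


@dataclass
class Write:
    addr: int
    size: int


@dataclass
class Sequence:
    """The Modify Memory writes that precede one Create Remote Thread, in report order."""
    thread_start: int
    writes: list[Write] = field(default_factory=list)

    @property
    def total_bytes(self) -> int:
        return sum(w.size for w in self.writes)

    @property
    def entry_size(self) -> int | None:
        """Size of the chunk the remote thread starts in, or None if the entry was not written by this source."""
        for w in self.writes:
            if w.addr == self.thread_start:
                return w.size
        return None


def parse_injections(text: str) -> list[dict]:
    """Parse Injection Information rows; lines that are not rows (headers, link labels) are skipped."""
    events = []
    for line in text.splitlines():
        m = INJ_RE.match(line.strip())
        if m:
            events.append({
                "type": m["type"], "source_id": int(m["src"]), "tid": int(m["tid"], 16),
                "addr": int(m["addr"], 16), "size": int(m["size"]) if m["size"] else 0,
                "ok": m["ok"] == "True",
            })
    return events


def group_sequences(events: list[dict]) -> tuple[list[Sequence], list[Write]]:
    """Attach each run of successful writes to the Create Remote Thread that follows it.
    Also returns trailing writes that never got a thread, so a truncated table is visible."""
    sequences, pending = [], []
    for ev in events:
        if not ev["ok"]:
            continue
        if ev["type"] == "Modify Memory":
            pending.append(Write(ev["addr"], ev["size"]))
        else:  # Create Remote Thread closes the current sequence
            sequences.append(Sequence(thread_start=ev["addr"], writes=pending))
            pending = []
    return sequences, pending


def parse_regions(text: str) -> list[dict]:
    regions = []
    for line in text.splitlines():
        m = REGION_RE.match(line.strip())
        if m:
            regions.append({"name": m["name"], "start": int(m["start"], 16), "end": int(m["end"], 16),
                            "type": m["type"], "perm": m["perm"], "monitored": m["mon"] == "True"})
    return regions


def rwx_private_pages(regions: list[dict]) -> set[int]:
    """Start addresses of private (not file-backed) rwx regions exactly one page long."""
    return {r["start"] for r in regions
            if r["type"] == "Private Memory" and r["perm"] == "rwx"
            and r["end"] - r["start"] + 1 == PAGE}


def assess(sequences: list[Sequence], regions: list[dict]) -> list[dict]:
    """One finding per remote thread, with the checks an analyst would otherwise do by hand."""
    rwx_pages = rwx_private_pages(regions)
    return [{
        "thread_start": s.thread_start,
        "chunks": len(s.writes),
        "total_bytes": s.total_bytes,
        "entry_size": s.entry_size,
        # the thread starts inside memory the injector itself wrote
        "entry_written": s.entry_size is not None,
        # every chunk sits at the base of its own 64 KiB-aligned allocation
        "one_alloc_per_chunk": all(w.addr % ALLOC_GRANULARITY == 0 for w in s.writes),
        # and each of those allocations appears as a one-page private rwx region
        "all_chunks_in_rwx_pages": all(w.addr in rwx_pages for w in s.writes),
    } for s in sequences]


def analyze(injection_text: str = INJECTION_ROWS, region_text: str = REGION_ROWS) -> list[dict]:
    sequences, _leftover = group_sequences(parse_injections(injection_text))
    return assess(sequences, parse_regions(region_text))


if __name__ == "__main__":
    seqs, leftover = group_sequences(parse_injections(INJECTION_ROWS))
    for f in assess(seqs, parse_regions(REGION_ROWS)):
        flags = [k for k in ("entry_written", "one_alloc_per_chunk", "all_chunks_in_rwx_pages") if f[k]]
        print(f"thread @ {f['thread_start']:#x}: {f['chunks']} chunks, {f['total_bytes']} bytes, "
              f"entry chunk {f['entry_size']} bytes, flags={flags}")
    if leftover:
        print(f"{len(leftover)} trailing write(s) with no remote thread in the parsed rows")
```

Run it against the rows of a complete report export (or flog.txt) rather than the page excerpt to get every sequence; the Region table is a snapshot taken when the process was unmonitored, so a chunk whose page was already freed will correctly show up with all_chunks_in_rwx_pages false, and the 458752-byte write in the earlier table is a separate, much larger allocation that this per-page check is not meant to catch.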
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4e10000, size = 13 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4e20000, size = 12 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4e30000, size = 210 True 1 Fn Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4e30000 True 1 Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4ec0000, size = 13 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4ed0000, size = 13 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4ee0000, size = 20 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4ef0000, size = 142 True 1 Fn Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4ef0000 True 1 Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4f00000, size = 15 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4f10000, size = 13 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4f20000, size = 20 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4f30000, size = 142 True 1 Fn Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4f30000 True 1 Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4f40000, size = 15 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4f50000, size = 13 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4f60000, size = 20 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4f70000, size = 142 True 1 Fn Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4f70000 True 1 Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x5180000, size = 13 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x5190000, size = 13 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x51a0000, size = 20 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x51b0000, size = 142 True 1 Fn Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x51b0000 True 1 Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x51c0000, size = 12 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x51d0000, size = 13 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x51e0000, size = 20 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x5200000, size = 142 True 1 Fn Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x5200000 True 1 Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x5210000, size = 13 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x5220000, size = 12 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x5240000, size = 210 True 1 Fn Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x5240000 True 1 Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6e30000, size = 12 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6e40000, size = 13 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6e50000, size = 20 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6e60000, size = 142 True 1 Fn Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6e60000 True 1 Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6e70000, size = 10 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6e80000, size = 12 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6e90000, size = 210 True 1 Fn Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6e90000 True 1 Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6f20000, size = 7 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6f30000, size = 10 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6f40000, size = 20 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6f50000, size = 142 True 1 Fn Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6f50000 True 1 Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6f60000, size = 12 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6f70000, size = 12 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6f80000, size = 210 True 1 Fn Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6f80000 True 1 Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7010000, size = 9 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7020000, size = 12 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7030000, size = 20 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7040000, size = 142 True 1 Fn Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7040000 True 1 Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7050000, size = 8 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7060000, size = 12 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7070000, size = 210 True 1 Fn Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7070000 True 1 Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7100000, size = 14 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7110000, size = 8 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7120000, size = 20 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7130000, size = 142 True 1 Fn Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7130000 True 1 Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7140000, size = 12 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7150000, size = 12 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7160000, size = 210 True 1 Fn Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7160000 True 1 Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x71f0000, size = 14 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7200000, size = 12 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7210000, size = 20 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7220000, size = 142 True 1 Fn Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7220000 True 1 Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7230000, size = 10 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7240000, size = 12 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7250000, size = 210 True 1 Fn Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7250000 True 1 Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x72a0000, size = 24 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7320000, size = 10 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7330000, size = 20 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7340000, size = 142 True 1 Fn Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7340000 True 1 Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7350000, size = 10 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7360000, size = 12 True 1 Fn Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7370000, size = 210 True 1
Fn
Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7370000 True 1
Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7400000, size = 14 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7410000, size = 10 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7420000, size = 20 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7430000, size = 142 True 1
Fn
Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7430000 True 1
Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7440000, size = 13 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7450000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7460000, size = 210 True 1
Fn
Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7460000 True 1
Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x74f0000, size = 14 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7500000, size = 13 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7510000, size = 20 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7520000, size = 142 True 1
Fn
Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7520000 True 1
Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7530000, size = 13 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7540000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7550000, size = 210 True 1
Fn
Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7550000 True 1
Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x75e0000, size = 16 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x75f0000, size = 13 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7600000, size = 20 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7610000, size = 142 True 1
Fn
Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7610000 True 1
Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7620000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7630000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7640000, size = 210 True 1
Fn
Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7640000 True 1
Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x76d0000, size = 15 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x76e0000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x76f0000, size = 20 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7700000, size = 142 True 1
Fn
Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7700000 True 1
Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7710000, size = 11 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7720000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7730000, size = 210 True 1
Fn
Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7730000 True 1
Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x77c0000, size = 6 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x77d0000, size = 11 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x77e0000, size = 20 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x77f0000, size = 142 True 1
Fn
Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x77f0000 True 1
Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7800000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7810000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7820000, size = 210 True 1
Fn
Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7820000 True 1
Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x78b0000, size = 15 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x78c0000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x78d0000, size = 20 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x78e0000, size = 142 True 1
Fn
Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x78e0000 True 1
Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x78f0000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7900000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7910000, size = 210 True 1
Fn
Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7910000 True 1
Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x79a0000, size = 13 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x79b0000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x79c0000, size = 20 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x79d0000, size = 142 True 1
Fn
Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x79d0000 True 1
Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x79e0000, size = 10 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x79f0000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7a00000, size = 210 True 1
Fn
Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7a00000 True 1
Fn
Host Behavior
File (6)
Operation Filename Additional Information Success Count
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps2.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Windows\system32\install\svchost.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps2.txt type = size True 1
Get Info C:\Windows\system32\install\svchost.exe type = size True 1
Read C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps2.txt size = 394340, size_out = 394340 True 1
Read C:\Windows\system32\install\svchost.exe size = 1171592, size_out = 1171592 True 1
Registry (41)
Operation Key Additional Information Success Count
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} - True 1
Open Key HKEY_CURRENT_USER\Software\Borland\Locales - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Borland\Locales - False 1
Open Key HKEY_CURRENT_USER\Software\Borland\Delphi\Locales - False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\ - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run - True 2
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 2
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run - True 2
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run - True 2
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} - True 2
Open Key HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\ - True 2
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = 0, type = REG_EXPAND_SZ True 2
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = C:\Windows\system32\install\svchost.exe, type = REG_EXPAND_SZ True 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKCU, data = 0, type = REG_EXPAND_SZ True 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKCU, data = C:\Windows\system32\install\svchost.exe, type = REG_EXPAND_SZ True 2
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 0, type = REG_EXPAND_SZ True 2
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = C:\Windows\system32\install\svchost.exe, type = REG_EXPAND_SZ True 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 0, type = REG_EXPAND_SZ True 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = C:\Windows\system32\install\svchost.exe, type = REG_EXPAND_SZ True 2
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = C:\Windows\system32\install\svchost.exe Restart, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = 0, type = REG_EXPAND_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = C:\Windows\system32\install\svchost.exe, type = REG_EXPAND_SZ True 1
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = C:\Windows\system32\install\svchost.exe, size = 39, type = REG_EXPAND_SZ True 1
Delete Key HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} - False 3
Module (361)
Operation Module Additional Information Success Count
Load KERNEL32.DLL base_address = 0x75260000 True 4
Load advapi32.dll base_address = 0x76a10000 True 4
Load gdi32.dll base_address = 0x77000000 True 2
Load gdiplus.dll base_address = 0x744c0000 True 2
Load mpr.dll base_address = 0x744a0000 True 2
Load msacm32.dll base_address = 0x74480000 True 2
Load ntdll.dll base_address = 0x77ca0000 True 2
Load ole32.dll base_address = 0x768b0000 True 3
Load oleaut32.dll base_address = 0x76c90000 True 2
Load powrprof.dll base_address = 0x753b0000 True 2
Load shell32.dll base_address = 0x75430000 True 5
Load user32.dll base_address = 0x77150000 True 3
Load version.dll base_address = 0x74410000 True 2
Load wininet.dll base_address = 0x741e0000 True 2
Load winmm.dll base_address = 0x741b0000 True 2
Load wsock32.dll base_address = 0x741a0000 True 2
Load iphlpapi.dll base_address = 0x74170000 True 1
Load kernel32.dll base_address = 0x75260000 True 2
Load Crypt32.dll base_address = 0x77ab0000 True 1
Load Advapi32.dll base_address = 0x76a10000 True 7
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75260000 True 5
Get Handle c:\windows\syswow64\advapi32.dll base_address = 0x76a10000 True 1
Get Handle c:\windows\syswow64\gdi32.dll base_address = 0x77000000 True 1
Get Handle gdiplus.dll base_address = 0x0 False 1
Get Handle mpr.dll base_address = 0x744a0000 True 1
Get Handle msacm32.dll base_address = 0x74480000 True 1
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77ca0000 True 1
Get Handle ole32.dll base_address = 0x768b0000 True 1
Get Handle c:\windows\syswow64\oleaut32.dll base_address = 0x76c90000 True 1
Get Handle c:\windows\syswow64\powrprof.dll base_address = 0x753b0000 True 1
Get Handle c:\windows\syswow64\shell32.dll base_address = 0x75430000 True 1
Get Handle c:\windows\syswow64\user32.dll base_address = 0x77150000 True 1
Get Handle version.dll base_address = 0x74410000 True 1
Get Handle wininet.dll base_address = 0x741e0000 True 1
Get Handle winmm.dll base_address = 0x741b0000 True 1
Get Handle wsock32.dll base_address = 0x741a0000 True 1
Get Filename - process_name = c:\windows\syswow64\explorer.exe, size = 261 False 1
Get Filename Unknown module name process_name = c:\windows\syswow64\explorer.exe, file_name_orig = C:\Windows\SysWOW64\explorer.exe, size = 261 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x7527d8d0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x75277940 True 3
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x75278c50 True 2
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x75278b70 True 2
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x75278c70 True 2
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyA, address_out = 0x76a331a0 True 2
Get Address c:\windows\syswow64\gdi32.dll function = BitBlt, address_out = 0x77082170 True 2
Get Address Unknown module name function = GdipFree, address_out = 0x0 False 1
Get Address Unknown module name function = WNetOpenEnumA, address_out = 0x744ad6c0 True 2
Get Address Unknown module name function = acmStreamSize, address_out = 0x7448ace0 True 2
Get Address c:\windows\syswow64\ntdll.dll function = ZwSetInformationProcess, address_out = 0x77d08da0 True 2
Get Address Unknown module name function = CoTaskMemFree, address_out = 0x76eccf40 True 2
Get Address c:\windows\syswow64\oleaut32.dll function = SysFreeString, address_out = 0x76ca9230 True 2
Get Address c:\windows\syswow64\powrprof.dll function = SetSuspendState, address_out = 0x753b9ab0 True 2
Get Address c:\windows\syswow64\shell32.dll function = SHGetFileInfoA, address_out = 0x755cf7f0 True 2
Get Address c:\windows\syswow64\user32.dll function = GetDC, address_out = 0x77184dd0 True 1
Get Address Unknown module name function = VerQueryValueA, address_out = 0x744114c0 True 1
Get Address Unknown module name function = FtpOpenFileA, address_out = 0x74329a80 True 1
Get Address Unknown module name function = waveInOpen, address_out = 0x741bcc80 True 1
Get Address Unknown module name function = send, address_out = 0x769bce20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x75271b90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedDecrement, address_out = 0x75277560 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedIncrement, address_out = 0x75277520 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x752775a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x75272d60 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x75283a30 True 2
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpynA, address_out = 0x7527f7b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExA, address_out = 0x75279f60 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetThreadLocale, address_out = 0x7527a4e0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoA, address_out = 0x75279730 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoA, address_out = 0x7527e240 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x75272db0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileA, address_out = 0x75286210 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x752861d0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x752874f0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x75279700 True 2
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x75286590 True 2
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x752a28e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x75286530 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetEndOfFile, address_out = 0x752864f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x75279a80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x752864a0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x75279ec0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x7527a060 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x75286360 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTime, address_out = 0x75284a60 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x75286390 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x75286170 True 2
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x75285f20 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x7527a3c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x75271da0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x75271ba0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x75279930 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x75279a70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x752787c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LocalAlloc, address_out = 0x75278840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x75279640 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x7527a040 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x752798f0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x752725e0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77cdbae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x77cdda90 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x75277910 True 2
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpA, address_out = 0x7527c1f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteProcessMemory, address_out = 0x752a2ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WinExec, address_out = 0x752a0170 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x75286110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAllocEx, address_out = 0x752a29a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TerminateThread, address_out = 0x7527fcb0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x7527fbc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x752777b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadPriority, address_out = 0x75279490 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadLocale, address_out = 0x7527a310 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetNamedPipeHandleState, address_out = 0x752a2600 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileTime, address_out = 0x75286550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileAttributesA, address_out = 0x75286500 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x75278bf0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = RemoveDirectoryA, address_out = 0x752864d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x752792b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileA, address_out = 0x7527c240 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsBadReadPtr, address_out = 0x75271ce0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalUnlock, address_out = 0x75272a10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalSize, address_out = 0x752777c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalReAlloc, address_out = 0x75272ba0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalMemoryStatus, address_out = 0x752792d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalHandle, address_out = 0x7527e030 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalLock, address_out = 0x75271bc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalFree, address_out = 0x75283a70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalAlloc, address_out = 0x75279600 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetVolumeInformationA, address_out = 0x75286430 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x75279fe0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x752857f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemInfo, address_out = 0x7527a1f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetPrivateProfileStringA, address_out = 0x75280280 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetPrivateProfileIntA, address_out = 0x75280200 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalDriveStringsA, address_out = 0x7529e9a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocalTime, address_out = 0x75279a60 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileAttributesA, address_out = 0x75286310 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeProcess, address_out = 0x7527f6f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x7527a390 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeA, address_out = 0x752862f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x75271d90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x75272da0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameA, address_out = 0x7527f4b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileA, address_out = 0x75286270 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FileTimeToLocalFileTime, address_out = 0x752861c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FileTimeToDosDateTime, address_out = 0x75282360 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x752861a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateRemoteThread, address_out = 0x752a0a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x752a0960 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreatePipe, address_out = 0x75270570 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexA, address_out = 0x75285fb0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventA, address_out = 0x75285f70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryA, address_out = 0x75286140 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileA, address_out = 0x7527c510 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExW, address_out = 0x7527a2a0 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExA, address_out = 0x76a30750 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExA, address_out = 0x76a2ee40 True 2
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExA, address_out = 0x76a2f000 True 2
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumValueA, address_out = 0x76a32540 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumKeyExA, address_out = 0x76a32520 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegDeleteValueA, address_out = 0x76a30fb0 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegDeleteKeyA, address_out = 0x76a2fc50 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyA, address_out = 0x76a33150 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x76a2efa0 True 2
Get Address c:\windows\syswow64\advapi32.dll function = OpenProcessToken, address_out = 0x76a2ee90 True 1
Get Address c:\windows\syswow64\advapi32.dll function = LookupPrivilegeValueA, address_out = 0x76a43e70 True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameA, address_out = 0x76a336d0 True 1
Get Address c:\windows\syswow64\advapi32.dll function = AdjustTokenPrivileges, address_out = 0x76a30680 True 1
Get Address c:\windows\syswow64\advapi32.dll function = StartServiceA, address_out = 0x76a46a40 True 1
Get Address c:\windows\syswow64\advapi32.dll function = QueryServiceStatus, address_out = 0x76a339f0 True 1
Get Address c:\windows\syswow64\advapi32.dll function = OpenServiceA, address_out = 0x76a46590 True 1
Get Address c:\windows\syswow64\advapi32.dll function = OpenSCManagerA, address_out = 0x76a30f30 True 1
Get Address c:\windows\syswow64\advapi32.dll function = EnumServicesStatusA, address_out = 0x76a5ad50 True 1
Get Address c:\windows\syswow64\advapi32.dll function = DeleteService, address_out = 0x76a45e30 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CreateServiceA, address_out = 0x76a45670 True 1
Get Address c:\windows\syswow64\advapi32.dll function = ControlService, address_out = 0x76a455f0 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CloseServiceHandle, address_out = 0x76a306a0 True 1
Get Address c:\windows\syswow64\gdi32.dll function = SetTextColor, address_out = 0x77081c80 True 1
Get Address c:\windows\syswow64\gdi32.dll function = SetBkColor, address_out = 0x77081da0 True 1
Get Address c:\windows\syswow64\gdi32.dll function = SelectObject, address_out = 0x7707fc80 True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetObjectA, address_out = 0x77090530 True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetDeviceCaps, address_out = 0x77080820 True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetDIBits, address_out = 0x77080dc0 True 1
Get Address c:\windows\syswow64\gdi32.dll function = DeleteObject, address_out = 0x77080050 True 1
Get Address c:\windows\syswow64\gdi32.dll function = DeleteDC, address_out = 0x77080550 True 1
Get Address c:\windows\syswow64\gdi32.dll function = CreateSolidBrush, address_out = 0x770823d0 True 1
Get Address c:\windows\syswow64\gdi32.dll function = CreateFontA, address_out = 0x770b1180 True 1
Get Address c:\windows\syswow64\gdi32.dll function = CreateCompatibleDC, address_out = 0x77081f90 True 1
Get Address c:\windows\syswow64\gdi32.dll function = CreateCompatibleBitmap, address_out = 0x770822d0 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipGetImageEncoders, address_out = 0x7451f380 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipGetImageEncodersSize, address_out = 0x7451f520 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipDrawImageRectI, address_out = 0x74507180 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipSetInterpolationMode, address_out = 0x74505ad0 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipDeleteGraphics, address_out = 0x744e92d0 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipCreateBitmapFromScan0, address_out = 0x745031c0 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipCreateBitmapFromFileICM, address_out = 0x74554560 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipCreateBitmapFromStreamICM, address_out = 0x745546f0 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipCreateBitmapFromFile, address_out = 0x745232f0 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipCreateBitmapFromStream, address_out = 0x74529f10 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipGetImagePixelFormat, address_out = 0x7452d9f0 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipGetImageGraphicsContext, address_out = 0x74503300 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipSaveImageToStream, address_out = 0x74524bd0 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipDisposeImage, address_out = 0x745291c0 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdiplusShutdown, address_out = 0x7452a7c0 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdiplusStartup, address_out = 0x7452ab50 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipFree, address_out = 0x74503810 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipAlloc, address_out = 0x74503840 True 1
Fn
Get Address Unknown module name function = WNetEnumResourceA, address_out = 0x744acc80 True 1
Fn
Get Address Unknown module name function = WNetCloseEnum, address_out = 0x744a3710 True 1
Fn
Get Address Unknown module name function = acmStreamUnprepareHeader, address_out = 0x7448ade0 True 1
Fn
Get Address Unknown module name function = acmStreamPrepareHeader, address_out = 0x7448ab20 True 1
Fn
Get Address Unknown module name function = acmStreamConvert, address_out = 0x7448a440 True 1
Fn
Get Address Unknown module name function = acmStreamReset, address_out = 0x7448ac70 True 1
Fn
Get Address Unknown module name function = acmStreamClose, address_out = 0x7448a2f0 True 1
Fn
Get Address Unknown module name function = acmStreamOpen, address_out = 0x7448a630 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueryInformationProcess, address_out = 0x77d08d50 True 1
Fn
Get Address Unknown module name function = CLSIDFromString, address_out = 0x76ef1390 True 1
Fn
Get Address Unknown module name function = StringFromCLSID, address_out = 0x76eb1020 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SysReAllocStringLen, address_out = 0x76cb3ee0 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SysAllocStringLen, address_out = 0x76ca91a0 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExA, address_out = 0x75692190 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = DragQueryFileA, address_out = 0x7567f900 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderPathA, address_out = 0x756d4f00 True 3
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExA, address_out = 0x77184720 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wvsprintfA, address_out = 0x7717ea20 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = mouse_event, address_out = 0x771cfd40 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = keybd_event, address_out = 0x771cfcf0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x77177020 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = UnregisterClassA, address_out = 0x77180b00 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x7716b9d0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ToUnicodeEx, address_out = 0x771cf4c0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SystemParametersInfoA, address_out = 0x77180860 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x771852a0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetWindowTextA, address_out = 0x771745e0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetWindowPos, address_out = 0x77184f70 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetWindowLongA, address_out = 0x77180c20 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetTimer, address_out = 0x7716cd50 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetPropA, address_out = 0x77180e50 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetForegroundWindow, address_out = 0x7716df70 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetCursor, address_out = 0x77184ed0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetClipboardData, address_out = 0x771813e0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageTimeoutA, address_out = 0x7717dc40 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageA, address_out = 0x77171460 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ScreenToClient, address_out = 0x771656d0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RemovePropA, address_out = 0x77181000 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ReleaseDC, address_out = 0x771689f0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterClassA, address_out = 0x77183e50 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostQuitMessage, address_out = 0x77182430 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostMessageA, address_out = 0x7717ce20 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PeekMessageA, address_out = 0x7716aa70 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = OpenClipboard, address_out = 0x77181770 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MsgWaitForMultipleObjects, address_out = 0x7716a2f0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxA, address_out = 0x771ccf50 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MapVirtualKeyExA, address_out = 0x771d7440 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MapVirtualKeyA, address_out = 0x77181fb0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadIconA, address_out = 0x77181ec0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadCursorA, address_out = 0x77181e90 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = IsWindowVisible, address_out = 0x77176e80 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = IsWindow, address_out = 0x77167130 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = InvalidateRect, address_out = 0x77184d70 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetWindowThreadProcessId, address_out = 0x7716ba70 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetWindowTextLengthA, address_out = 0x77171670 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetWindowTextA, address_out = 0x77174690 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetWindowRect, address_out = 0x77165930 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetWindowLongA, address_out = 0x7717cc90 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetSystemMetrics, address_out = 0x771655d0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetSystemMenu, address_out = 0x77185330 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetSysColor, address_out = 0x7716c900 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetPropA, address_out = 0x7717e230 True 1
Fn
Get Address Unknown module name function = AllocateAndGetTcpExTableFromStack, address_out = 0x0 False 1
Fn
Get Address Unknown module name function = AllocateAndGetUdpExTableFromStack, address_out = 0x0 False 1
Fn
Get Address Unknown module name function = SetTcpEntry, address_out = 0x74192050 True 1
Fn
Get Address Unknown module name function = GetExtendedTcpTable, address_out = 0x7417b880 True 1
Fn
Get Address Unknown module name function = GetExtendedUdpTable, address_out = 0x7417c0d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathA, address_out = 0x75286410 True 2
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptUnprotectData, address_out = 0x77afaf50 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CredEnumerateA, address_out = 0x76a45710 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextA, address_out = 0x76a30c00 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptCreateHash, address_out = 0x76a2f930 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptHashData, address_out = 0x76a2f950 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetHashParam, address_out = 0x76a2f530 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyHash, address_out = 0x76a2fbf0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x76a30ad0 True 1
Fn
Get Address Unknown module name function = OleInitialize, address_out = 0x768d9c50 True 1
Fn
Get Address Unknown module name function = CoCreateInstance, address_out = 0x76ee8200 True 1
Fn
System (23)
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) True 16
Fn
Sleep duration = 5000 milliseconds (5.000 seconds) True 2
Fn
Sleep duration = 5000 milliseconds (5.000 seconds) False 1
Fn
Get Time type = Ticks, time = 150734 True 1
Fn
Get Time type = Ticks, time = 155750 True 1
Fn
Get Time type = Ticks, time = 162546 True 1
Fn
Get Info type = Operating System True 1
Fn
Mutex (7)
Operation Additional Information Success Count Logfile
Create mutex_name = SWE2F15657A4JJCIiHmnxMn6Ps15 True 1
Fn
Create mutex_name = SWE2F15657A4JJ_SAIR True 4
Fn
Create mutex_name = SWE2F15657A4JJ True 2
Fn
Process #5: explorer.exe
Information Value
ID #5
File Name c:\windows\syswow64\explorer.exe
Command Line explorer.exe
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:01:54, Reason: Child Process
Unmonitor End Time: 00:02:09, Reason: Self Terminated
Monitor Duration 00:00:15
OS Process Information
Information Value
PID 0xcac
Parent PID 0x8c8 (c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xCB0, 0xCB4, 0xCBC, 0xCC4, 0xCC8, 0xCCC, 0xCD0, 0xCD4, 0xCD8, 0xCDC, 0xCE0, 0xCE4, 0xCE8, 0xCEC, 0xCF0, 0xCF4, 0xCF8, 0xCFC, 0xD00, 0xD04, 0xD08, 0xD0C, 0xD10, 0xD14, 0xD18, 0xD1C, 0xD20, 0xD24, 0xD28, 0xD2C, 0xD30, 0xD34, 0xD38, 0xD3C, 0xD40, 0xD44, 0xD48, 0xD4C, 0xD50, 0xD54, 0xD58, 0xD5C, 0xD60, 0xD64, 0xD68, 0xD6C, 0xD70, 0xD74, 0xDC8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
explorer.exe 0x00930000 0x00d06fff Memory Mapped File rwx False False False -
pagefile_0x0000000000ea0000 0x00ea0000 0x04e9ffff Pagefile Backed Memory - True False False -
private_0x0000000004ea0000 0x04ea0000 0x04ebffff Private Memory rw True False False -
pagefile_0x0000000004ea0000 0x04ea0000 0x04eaffff Pagefile Backed Memory rw True False False -
private_0x0000000004eb0000 0x04eb0000 0x04eb3fff Private Memory rw True False False -
private_0x0000000004ec0000 0x04ec0000 0x04ec0fff Private Memory rw True False False -
explorer.exe.mui 0x04ec0000 0x04ec7fff Memory Mapped File r False False False -
pagefile_0x0000000004ed0000 0x04ed0000 0x04ee3fff Pagefile Backed Memory r True False False -
private_0x0000000004ef0000 0x04ef0000 0x04f2ffff Private Memory rw True False False -
private_0x0000000004f30000 0x04f30000 0x04f6ffff Private Memory rw True False False -
pagefile_0x0000000004f70000 0x04f70000 0x04f73fff Pagefile Backed Memory r True False False -
pagefile_0x0000000004f80000 0x04f80000 0x04f82fff Pagefile Backed Memory r True False False -
private_0x0000000004f90000 0x04f90000 0x04f91fff Private Memory rw True False False -
private_0x0000000004fa0000 0x04fa0000 0x04fa0fff Private Memory rwx True False False -
private_0x0000000004fb0000 0x04fb0000 0x04fb0fff Private Memory rwx True False False -
private_0x0000000004fc0000 0x04fc0000 0x04fc0fff Private Memory rwx True False False -
private_0x0000000004fd0000 0x04fd0000 0x0500ffff Private Memory rw True False False -
private_0x0000000005010000 0x05010000 0x0504ffff Private Memory rw True False False -
private_0x0000000005050000 0x05050000 0x05050fff Private Memory rwx True False False -
private_0x0000000005060000 0x05060000 0x05060fff Private Memory rwx True False False -
private_0x0000000005070000 0x05070000 0x05070fff Private Memory rwx True False False -
private_0x0000000005080000 0x05080000 0x05080fff Private Memory rwx True False False -
private_0x0000000005090000 0x05090000 0x050cffff Private Memory rw True False False -
private_0x0000000005090000 0x05090000 0x05090fff Private Memory rwx True False False -
private_0x00000000050a0000 0x050a0000 0x050a0fff Private Memory rwx True False False -
private_0x00000000050b0000 0x050b0000 0x050b0fff Private Memory rwx True False False -
private_0x00000000050c0000 0x050c0000 0x050c0fff Private Memory rwx True False False -
private_0x00000000050d0000 0x050d0000 0x0510ffff Private Memory rw True False False -
private_0x00000000050d0000 0x050d0000 0x050d0fff Private Memory rwx True False False -
private_0x00000000050e0000 0x050e0000 0x050e0fff Private Memory rwx True False False -
private_0x00000000050f0000 0x050f0000 0x050f0fff Private Memory rwx True False False -
private_0x0000000005100000 0x05100000 0x05100fff Private Memory rwx True False False -
private_0x0000000005110000 0x05110000 0x0514ffff Private Memory rw True False False -
private_0x0000000005150000 0x05150000 0x0518ffff Private Memory rw True False False -
private_0x0000000005190000 0x05190000 0x05190fff Private Memory rw True False False -
private_0x00000000051a0000 0x051a0000 0x051affff Private Memory rw True False False -
locale.nls 0x051b0000 0x0526dfff Memory Mapped File r False False False -
private_0x0000000005270000 0x05270000 0x05270fff Private Memory rw True False False -
private_0x0000000005280000 0x05280000 0x05283fff Private Memory rw True False False -
private_0x0000000005290000 0x05290000 0x052cffff Private Memory rw True False False -
private_0x0000000005290000 0x05290000 0x05290fff Private Memory rwx True False False -
private_0x00000000052a0000 0x052a0000 0x052a0fff Private Memory rwx True False False -
private_0x00000000052b0000 0x052b0000 0x052b0fff Private Memory rwx True False False -
private_0x00000000052c0000 0x052c0000 0x052c0fff Private Memory rwx True False False -
private_0x00000000052d0000 0x052d0000 0x0530ffff Private Memory rw True False False -
private_0x00000000052d0000 0x052d0000 0x052d0fff Private Memory rwx True False False -
private_0x00000000052e0000 0x052e0000 0x052e0fff Private Memory rwx True False False -
private_0x00000000052f0000 0x052f0000 0x052f0fff Private Memory rwx True False False -
private_0x0000000005300000 0x05300000 0x05300fff Private Memory rwx True False False -
private_0x0000000005310000 0x05310000 0x0540ffff Private Memory rw True False False -
pagefile_0x0000000005410000 0x05410000 0x05597fff Pagefile Backed Memory r True False False -
private_0x00000000055a0000 0x055a0000 0x055affff Private Memory rw True False False -
pagefile_0x00000000055b0000 0x055b0000 0x05730fff Pagefile Backed Memory r True False False -
pagefile_0x0000000005740000 0x05740000 0x06b3ffff Pagefile Backed Memory r True False False -
private_0x0000000006b40000 0x06b40000 0x06b7ffff Private Memory rw True False False -
private_0x0000000006b40000 0x06b40000 0x06b40fff Private Memory rwx True False False -
private_0x0000000006b50000 0x06b50000 0x06b50fff Private Memory rwx True False False -
private_0x0000000006b60000 0x06b60000 0x06b60fff Private Memory rwx True False False -
private_0x0000000006b70000 0x06b70000 0x06baffff Private Memory rw True False False -
private_0x0000000006b80000 0x06b80000 0x06bbffff Private Memory rw True False False -
private_0x0000000006bb0000 0x06bb0000 0x06beffff Private Memory rw True False False -
private_0x0000000006bf0000 0x06bf0000 0x06bf0fff Private Memory rwx True False False -
private_0x0000000006c00000 0x06c00000 0x06c00fff Private Memory rwx True False False -
private_0x0000000006c10000 0x06c10000 0x06c10fff Private Memory rwx True False False -
private_0x0000000006c20000 0x06c20000 0x06c20fff Private Memory rwx True False False -
private_0x0000000006c30000 0x06c30000 0x06c6ffff Private Memory rw True False False -
private_0x0000000006c30000 0x06c30000 0x06c30fff Private Memory rwx True False False -
private_0x0000000006c40000 0x06c40000 0x06c40fff Private Memory rwx True False False -
private_0x0000000006c50000 0x06c50000 0x06c50fff Private Memory rwx True False False -
private_0x0000000006c60000 0x06c60000 0x06c9ffff Private Memory rw True False False -
private_0x0000000006c70000 0x06c70000 0x06caffff Private Memory rw True False False -
private_0x0000000006ca0000 0x06ca0000 0x06cdffff Private Memory rw True False False -
private_0x0000000006ce0000 0x06ce0000 0x06ce0fff Private Memory rwx True False False -
private_0x0000000006cf0000 0x06cf0000 0x06cf0fff Private Memory rwx True False False -
private_0x0000000006d00000 0x06d00000 0x06d00fff Private Memory rwx True False False -
private_0x0000000006d10000 0x06d10000 0x06d10fff Private Memory rwx True False False -
private_0x0000000006d20000 0x06d20000 0x06d20fff Private Memory rwx True False False -
private_0x0000000006d30000 0x06d30000 0x06d3ffff Private Memory rw True False False -
sortdefault.nls 0x06d40000 0x07076fff Memory Mapped File r False False False -
private_0x0000000007080000 0x07080000 0x070bffff Private Memory rw True False False -
private_0x0000000007080000 0x07080000 0x07080fff Private Memory rwx True False False -
private_0x0000000007090000 0x07090000 0x07090fff Private Memory rwx True False False -
private_0x00000000070a0000 0x070a0000 0x070dffff Private Memory rw True False False -
private_0x00000000070c0000 0x070c0000 0x070fffff Private Memory rw True False False -
private_0x00000000070e0000 0x070e0000 0x0711ffff Private Memory rw True False False -
private_0x0000000007120000 0x07120000 0x07120fff Private Memory rwx True False False -
private_0x0000000007130000 0x07130000 0x07130fff Private Memory rwx True False False -
private_0x0000000007140000 0x07140000 0x07140fff Private Memory rwx True False False -
private_0x0000000007150000 0x07150000 0x07150fff Private Memory rwx True False False -
private_0x0000000007160000 0x07160000 0x0719ffff Private Memory rw True False False -
private_0x0000000007160000 0x07160000 0x07160fff Private Memory rwx True False False -
private_0x0000000007170000 0x07170000 0x07170fff Private Memory rwx True False False -
private_0x0000000007180000 0x07180000 0x07180fff Private Memory rwx True False False -
private_0x00000000071a0000 0x071a0000 0x071dffff Private Memory rw True False False -
private_0x00000000104f0000 0x104f0000 0x1055ffff Private Memory rwx True False False -
wow64cpu.dll 0x64ae0000 0x64ae7fff Memory Mapped File rwx False False False -
wow64win.dll 0x64af0000 0x64b62fff Memory Mapped File rwx False False False -
wow64.dll 0x64b70000 0x64bbefff Memory Mapped File rwx False False False -
gdiplus.dll 0x744c0000 0x7462afff Memory Mapped File rwx False False False -
sppc.dll 0x74630000 0x7464cfff Memory Mapped File rwx False False False -
slc.dll 0x74650000 0x74670fff Memory Mapped File rwx False False False -
dxgi.dll 0x74680000 0x746fdfff Memory Mapped File rwx False False False -
userenv.dll 0x74700000 0x74718fff Memory Mapped File rwx False False False -
dcomp.dll 0x74720000 0x747bbfff Memory Mapped File rwx False False False -
d3d11.dll 0x747c0000 0x749d2fff Memory Mapped File rwx False False False -
twinapi.dll 0x749e0000 0x74a78fff Memory Mapped File rwx False False False -
propsys.dll 0x74a80000 0x74bc1fff Memory Mapped File rwx False False False -
dwmapi.dll 0x74c00000 0x74c1cfff Memory Mapped File rwx False False False -
uxtheme.dll 0x74c20000 0x74c94fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74d40000 0x74d98fff Memory Mapped File rwx False False False -
cryptbase.dll 0x74da0000 0x74da9fff Memory Mapped File rwx False False False -
sspicli.dll 0x74db0000 0x74dcdfff Memory Mapped File rwx False False False -
kernelbase.dll 0x74e70000 0x74fe5fff Memory Mapped File rwx False False False -
kernel32.dll 0x75260000 0x7534ffff Memory Mapped File rwx False False False -
powrprof.dll 0x753b0000 0x753f3fff Memory Mapped File rwx False False False -
imm32.dll 0x75400000 0x7542afff Memory Mapped File rwx False False False -
shell32.dll 0x75430000 0x767eefff Memory Mapped File rwx False False False -
profapi.dll 0x76810000 0x7681efff Memory Mapped File rwx False False False -
advapi32.dll 0x76a10000 0x76a8afff Memory Mapped File rwx False False False -
sechost.dll 0x76c40000 0x76c82fff Memory Mapped File rwx False False False -
oleaut32.dll 0x76c90000 0x76d21fff Memory Mapped File rwx False False False -
msasn1.dll 0x76d30000 0x76d3dfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76d90000 0x76e3bfff Memory Mapped File rwx False False False -
combase.dll 0x76e40000 0x76ff9fff Memory Mapped File rwx False False False -
gdi32.dll 0x77000000 0x7714cfff Memory Mapped File rwx False False False -
user32.dll 0x77150000 0x7728ffff Memory Mapped File rwx False False False -
shlwapi.dll 0x77290000 0x772d3fff Memory Mapped File rwx False False False -
shcore.dll 0x77340000 0x773ccfff Memory Mapped File rwx False False False -
windows.storage.dll 0x773f0000 0x778ccfff Memory Mapped File rwx False False False -
msctf.dll 0x778d0000 0x779effff Memory Mapped File rwx False False False -
msvcrt.dll 0x779f0000 0x77aadfff Memory Mapped File rwx False False False -
crypt32.dll 0x77ab0000 0x77c24fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x77c30000 0x77c3bfff Memory Mapped File rwx False False False -
ntdll.dll 0x77ca0000 0x77e18fff Memory Mapped File rwx False False False -
private_0x000000007e574000 0x7e574000 0x7e576fff Private Memory rw True False False -
private_0x000000007e577000 0x7e577000 0x7e579fff Private Memory rw True False False -
private_0x000000007e57a000 0x7e57a000 0x7e57cfff Private Memory rw True False False -
private_0x000000007e57d000 0x7e57d000 0x7e57ffff Private Memory rw True False False -
pagefile_0x000000007e580000 0x7e580000 0x7e67ffff Pagefile Backed Memory r True False False -
pagefile_0x000000007e680000 0x7e680000 0x7e6a2fff Pagefile Backed Memory r True False False -
private_0x000000007e6a5000 0x7e6a5000 0x7e6a5fff Private Memory rw True False False -
private_0x000000007e6a6000 0x7e6a6000 0x7e6a8fff Private Memory rw True False False -
private_0x000000007e6a9000 0x7e6a9000 0x7e6abfff Private Memory rw True False False -
private_0x000000007e6ac000 0x7e6ac000 0x7e6aefff Private Memory rw True False False -
private_0x000000007e6af000 0x7e6af000 0x7e6affff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7df8ee37ffff Private Memory r True False False -
pagefile_0x00007df8ee380000 0x7df8ee380000 0x7ff8ee37ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ff8ee380000 0x7ff8ee541fff Memory Mapped File rwx False False False -
private_0x00007ff8ee542000 0x7ff8ee542000 0x7ffffffeffff Private Memory r True False False -
For performance reasons, the remaining 192 entries are omitted.
The remaining entries can be found in flog.txt.
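The following Python script is an added example, not part of the VMRay report. It does two things an analyst usually wants from these tables: it resolves "Unknown module name" rows of the Get Address list by mapping address_out into the module ranges of the Region table, and it groups the Modify Memory / Create Remote Thread rows of the Injection Information section that follows into write-then-execute stages, flagging a remote thread that starts inside a private rwx page the source process has just written. The sample rows are constructed copies of rows on this page. Two assumptions: the 32-bit explorer.exe processes in this analysis share DLL base addresses (per-boot ASLR), so process #5's region table can be used to name modules for process #4's Get Address rows; and the module list in the sample is a subset of the table, so the acm* and iphlpapi exports stay unresolved here, as they would on the page where those DLLs fall among the 192 omitted entries.

```python
import re

# Constructed sample rows, copied in the shape of this report's tables
# (a subset of the Region table, the Get Address list and the Injection Information rows).
REGION_ROWS = r"""
private_0x0000000004fa0000 0x04fa0000 0x04fa0fff Private Memory rwx True False False -
private_0x0000000004fb0000 0x04fb0000 0x04fb0fff Private Memory rwx True False False -
private_0x0000000004fc0000 0x04fc0000 0x04fc0fff Private Memory rwx True False False -
private_0x0000000004fd0000 0x04fd0000 0x0500ffff Private Memory rw True False False -
private_0x0000000005050000 0x05050000 0x05050fff Private Memory rwx True False False -
gdiplus.dll 0x744c0000 0x7462afff Memory Mapped File rwx False False False -
combase.dll 0x76e40000 0x76ff9fff Memory Mapped File rwx False False False -
ntdll.dll 0x77ca0000 0x77e18fff Memory Mapped File rwx False False False -
"""
GETADDR_ROWS = r"""
Get Address Unknown module name function = CLSIDFromString, address_out = 0x76ef1390 True 1
Get Address Unknown module name function = acmStreamOpen, address_out = 0x7448a630 True 1
Get Address Unknown module name function = AllocateAndGetTcpExTableFromStack, address_out = 0x0 False 1
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueryInformationProcess, address_out = 0x77d08d50 True 1
"""
INJECTION_ROWS = r"""
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4fa0000, size = 13 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4fb0000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4fc0000, size = 210 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4fc0000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x5050000, size = 13 True 1
"""

REGION_RE = re.compile(
    r"^(?P<name>\S+) (?P<start>0x[0-9a-f]+) (?P<end>0x[0-9a-f]+) (?P<type>.+?) "
    r"(?P<perm>rwx|rw|r|-) (?P<monitored>True|False) (?P<dumped>True|False) "
    r"(?P<yara>True|False) \S+$")
GETADDR_RE = re.compile(
    r"^Get Address (?P<module>.+?) function = (?P<func>\w+), "
    r"address_out = (?P<addr>0x[0-9a-f]+) (?P<ok>True|False) \d+$")
INJECT_RE = re.compile(
    r"^(?P<op>Modify Memory|Create Remote Thread) (?P<src>#\d+): \S+ 0x[0-9a-f]+ "
    r"address = (?P<addr>0x[0-9a-f]+)(?:, size = (?P<size>\d+))? (?P<ok>True|False) \d+$")


def parse_regions(text):
    rows = (REGION_RE.match(line.strip()) for line in text.splitlines())
    return [{"name": m["name"], "start": int(m["start"], 16), "end": int(m["end"], 16),
             "type": m["type"], "perm": m["perm"]} for m in rows if m]


def find_region(regions, addr):
    # The table lists overlapping ranges (a 4 KiB rwx page inside a larger rw range),
    # so prefer the smallest region containing the address: it is the most specific.
    hits = [r for r in regions if r["start"] <= addr <= r["end"]]
    return min(hits, key=lambda r: r["end"] - r["start"]) if hits else None


def resolve_unknown_modules(regions, text):
    """Name the module behind each 'Unknown module name' row from the mapped range that
    contains address_out; rows that failed (address_out = 0x0) are reported separately."""
    resolved, failed = {}, []
    for line in text.splitlines():
        m = GETADDR_RE.match(line.strip())
        if not m:
            continue
        if m["ok"] == "False":
            failed.append(m["func"])
        elif m["module"] == "Unknown module name":
            region = find_region(regions, int(m["addr"], 16))
            mapped = region is not None and region["type"] == "Memory Mapped File"
            resolved[m["func"]] = region["name"] if mapped else None
    return resolved, failed


def parse_injections(text):
    events = []
    for line in text.splitlines():
        m = INJECT_RE.match(line.strip())
        if m and m["ok"] == "True":  # only count operations that actually succeeded
            events.append({"op": m["op"], "src": m["src"], "addr": int(m["addr"], 16),
                           "size": int(m["size"]) if m["size"] else 0})
    return events


def reconstruct_stages(regions, events):
    """Group each run of remote writes with the Create Remote Thread that follows it.
    A thread started inside a private rwx region the source process has just written is
    the write-then-execute injection pattern; the entry write is typically the largest."""
    stages, pending = [], []
    for ev in events:
        if ev["op"] == "Modify Memory":
            pending.append(ev)
            continue
        region = find_region(regions, ev["addr"])
        stage = {"source": ev["src"], "thread_addr": ev["addr"],
                 "writes": [(w["addr"], w["size"]) for w in pending],
                 "bytes_written": sum(w["size"] for w in pending),
                 "entry_written": any(w["addr"] == ev["addr"] for w in pending),
                 "entry_region": (region["type"], region["perm"]) if region else None}
        stage["suspicious"] = stage["entry_written"] and stage["entry_region"] == ("Private Memory", "rwx")
        stages.append(stage)
        pending = []
    return stages, pending  # pending: writes not yet followed by a thread (stage in progress)


if __name__ == "__main__":
    regs = parse_regions(REGION_ROWS)
    print("resolved:", resolve_unknown_modules(regs, GETADDR_ROWS))
    found, left = reconstruct_stages(regs, parse_injections(INJECTION_ROWS))
    for s in found:
        print(f"{s['source']} thread @ {s['thread_addr']:#x}: {len(s['writes'])} writes, "
              f"{s['bytes_written']} bytes, region={s['entry_region']}, suspicious={s['suspicious']}")
    print(f"{len(left)} write(s) not yet followed by a thread")
```

Run against the full tables, the stage reconstruction reduces the long Injection Information list to one line per remote thread (source process, entry address, number and total size of the preceding writes, and the permissions of the page the thread starts in), which is the form in which the behaviour is easiest to compare across samples.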
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4fa0000, size = 13 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4fb0000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4fc0000, size = 210 True 1
Fn
Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x4fc0000 True 1
Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x5050000, size = 13 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x5060000, size = 13 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x5070000, size = 20 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x5080000, size = 142 True 1
Fn
Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x5080000 True 1
Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x5090000, size = 15 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x50a0000, size = 13 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x50b0000, size = 20 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x50c0000, size = 142 True 1
Fn
Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x50c0000 True 1
Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x50d0000, size = 15 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x50e0000, size = 13 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x50f0000, size = 20 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x5100000, size = 142 True 1
Fn
Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x5100000 True 1
Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x5290000, size = 13 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x52a0000, size = 13 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x52b0000, size = 20 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x52c0000, size = 142 True 1
Fn
Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x52c0000 True 1
Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x52d0000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x52e0000, size = 13 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x52f0000, size = 20 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x5300000, size = 142 True 1
Fn
Data
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x5300000 True 1
Fn
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6b40000, size = 13 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6b50000, size = 12 True 1
Fn
Data
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6b60000, size = 210 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6b60000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6bf0000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6c00000, size = 13 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6c10000, size = 20 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6c20000, size = 142 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6c20000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6c30000, size = 10 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6c40000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6c50000, size = 210 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6c50000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6ce0000, size = 7 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6cf0000, size = 10 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6d00000, size = 20 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6d10000, size = 142 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6d10000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x6d20000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7080000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7090000, size = 210 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7090000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7120000, size = 9 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7130000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7140000, size = 20 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7150000, size = 142 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7150000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7160000, size = 8 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7170000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7180000, size = 210 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7180000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7210000, size = 14 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7220000, size = 8 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7230000, size = 20 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7240000, size = 142 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7240000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7250000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7260000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7270000, size = 210 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7270000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7300000, size = 14 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7310000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7320000, size = 20 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7330000, size = 142 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7330000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7340000, size = 10 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7350000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7360000, size = 210 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7360000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x73f0000, size = 24 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7400000, size = 10 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7410000, size = 20 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7420000, size = 142 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7420000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7430000, size = 10 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7440000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7450000, size = 210 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7450000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x74e0000, size = 14 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x74f0000, size = 10 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7500000, size = 20 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7510000, size = 142 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7510000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7520000, size = 13 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7530000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7540000, size = 210 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7540000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x75d0000, size = 14 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x75e0000, size = 13 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x75f0000, size = 20 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7600000, size = 142 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7600000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7610000, size = 13 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7620000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7630000, size = 210 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7630000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x76c0000, size = 16 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x76d0000, size = 13 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x76e0000, size = 20 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x76f0000, size = 142 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x76f0000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7700000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7710000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7720000, size = 210 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7720000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x77b0000, size = 15 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x77c0000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x77d0000, size = 20 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x77e0000, size = 142 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x77e0000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x77f0000, size = 11 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7800000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7810000, size = 210 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7810000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x78a0000, size = 6 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x78b0000, size = 11 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x78c0000, size = 20 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x78d0000, size = 142 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x78d0000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x78e0000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x78f0000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7900000, size = 210 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7900000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7990000, size = 15 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x79a0000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x79b0000, size = 20 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x79c0000, size = 142 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x79c0000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x79d0000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x79e0000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x79f0000, size = 210 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x79f0000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7a80000, size = 13 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7a90000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7aa0000, size = 20 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7ab0000, size = 142 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7ab0000 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7ac0000, size = 10 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7ad0000, size = 12 True 1
Modify Memory #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7ae0000, size = 210 True 1
Create Remote Thread #2: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x568 address = 0x7ae0000 True 1
Created Files
Filename File Size Hash Values YARA Match Actions
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CIiHmnxMn6Ps-wchelper.dll 150.67 KB MD5: cf43d0f929ae3335692d014f4df05e6d
SHA1: 1cd8ec4e84a50167af2ce157138224535833543d
SHA256: b3ee6953ff49705ae90ce8b2cafbed7df9674b227f4aed0279fdf44f358d3e8e
SSDeep: 3072:vcJEm2+l1AHreW8xa4TfsBbxNkNx+ce5L69an8j2wEqD5r947d:EJEmL12rn8xa4Lsx7kNx+vgOu5+7d
False
C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps7 0.01 KB MD5: cd58a6e3deb31a3408880f7ec26c44ca
SHA1: 69b783c9df7d1e7c00e1a451fffb81b0fe3e6c38
SHA256: 95f1966db6c767d5ce564d5ff2d6653c7d83c355cd34ff845c4bc8e5dc311fdb
SSDeep: 3:KfR:Kp
False
C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps7 0.01 KB MD5: c3bcaed710909e32fdd105c10455febc
SHA1: 9abb0888ba30cd35a6a56356c52992b7df9b8b9d
SHA256: 94a9803f5b36ffcb30af44ce9a65301444c2e268328a6152b143d218f77b0610
SSDeep: 3:KfU:Ks
False
C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps7 0.01 KB MD5: 92bfa1b6dca10a604cdce67900d747ab
SHA1: 19f4afce1cbc914b9e0d3d7c1cd8a9a85635f9b6
SHA256: c76529e2f3545090366fa8e21cfc0bbe69b9ee5000e53070d704d489994bc5f1
SSDeep: 3:OY:OY
False
C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps7 0.01 KB MD5: f3bd5373cddbf133fd862cf2fbeb5239
SHA1: 1cfd136bdd8425796edd15f7b1270f24ab562972
SHA256: fc5ff02dd2a0d42d148aba0f7af2f466edb263d8265cc6a53270c98ee3a52d25
SSDeep: 3:KfS:Kq
False
C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps7 0.01 KB MD5: dd10a37d7c14a670e3ac7eb9333eb638
SHA1: 61e4c5dea488d0d8f9e19e9a07dbf4f5f4fa32ba
SHA256: da23fab7c94a605936b4ac9df3da66f5104b040777acf1e30c0b40b8e3749291
SSDeep: 3:O8n:O8n
False
C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps7 0.01 KB MD5: f80455e34ff5881a7c42231ac16d3e89
SHA1: 8514588816939921040ef030b253bcaf2cc9282d
SHA256: 0c37922dc8c0e9efa79b07ed75ee07e0761da9bc4a8e7331e57aa3ad940ed8c6
SSDeep: 3:OZ:OZ
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\D2CA4DEF\21-11-2018 0.08 KB MD5: af900417584624e7071641559d29e3c7
SHA1: f44abd35c252539ab183aa20b3c24ac2369c8674
SHA256: 68c33b1c6248cc3ed73dd758420ed370ff6dc082d607557c5e2e3da821fb71d8
SSDeep: 3:TlbC1c5TUmh/VJS1Joanh:Q1yAmhdyoWh
False
C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps7 0.01 KB MD5: 7f77d674b1e8b92c8517b85260557f7f
SHA1: 49874a83cb0c1c3750ddf07592d0c5ae025a9259
SHA256: ffd96dec29021897a31ded76d58626b66b01b02b3926f5ebd1b1f860ac76a137
SSDeep: 3:OW:OW
False
C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps7 0.01 KB MD5: 52fee28b460a0e82b479288ed9aad51b
SHA1: 16719a4829c12afae1904b12406dc2a4ce548017
SHA256: f1afa44be2980873252236d40071744e99df3014293f9ad5a49398152bd4344b
SSDeep: 3:O/n:O/
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\D2CA4DEF\ak.tmp 0.05 KB MD5: fd67f0d2e500c599cab42685b05639f9
SHA1: aa373295b498c16ac40f61aadcb832b42c7bfb23
SHA256: 711f804d198e39db0e915fd6ccc57fcd7d1a8191db2d86a9d656e88fddcef271
SSDeep: 3:sZmP4tRBBFQtTUuybB:x4tRBBFQtTw
False
C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps7 0.01 KB MD5: 7dd19ec7de17d6ba938ed733c514ef20
SHA1: 84dbb347b4ab71cc77df94532014b7df76adfb6c
SHA256: f838550cf4f44b2f3c44804ca2c4cbc2b3a42ffea9c0835533b72bf81ff7e38b
SSDeep: 3:O+n:O+n
False
C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps7 0.01 KB MD5: c92b9edd5e62426a769875b1146290b7
SHA1: 5aedd83ec79466ce24ff92c75abf2989f6bd0126
SHA256: 0052a516da7df2a8166603c3e259fc79275fdaa681a727d2b5b58e1d8f9baf85
SSDeep: 3:KfT:Kr
False
C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps7 0.01 KB MD5: 95500e551a451a5a4e882cdc125024b4
SHA1: 26c2b0aa79389778012999f7d8f5541ee3d725f8
SHA256: dfa472fec314521f4c76c4c35544ef966d74b33c2a11db8730920ed5daeea554
SSDeep: 3:KfV:Kt
False
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\D2CA4DEF\ak.tmp 0.03 KB MD5: aae305addaaaa35be9e6c3b41a07a48c
SHA1: 9a0c0aaac61cae7e701a3baf9da767189c5e65a7
SHA256: e5e97847049055d0e6bdac235a2904799d552b4fbebbaf11d5c540d5cf019741
SSDeep: 3:sZmP4tRBBFQF:x4tRBBFQF
False
Host Behavior
File (1204)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps2.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Windows\system32\install\svchost.exe desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Windows\system32\install\ desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\D2CA4DEF\ desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\D2CA4DEF\ak.tmp desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_WRITE True 1
Create - desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CIiHmnxMn6Ps-wchelper.dll desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps7 desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_WRITE True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps7 desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_WRITE True 294
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps8 desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_WRITE True 2
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps8 desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\D2CA4DEF\21-11-2018 desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\D2CA4DEF\ - True 1
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps2.txt type = size True 1
Get Info C:\Windows\system32\install\svchost.exe type = file_attributes True 1
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps7 type = file_attributes True 294
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps8 type = file_attributes True 2
Read C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps2.txt size = 394340, size_out = 394340 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\D2CA4DEF\ak.tmp size = 31 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CIiHmnxMn6Ps-wchelper.dll size = 154283 True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps7 size = 8 True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps7 size = 8 True 294
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps8 size = 8 True 2
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps8 size = 8 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\D2CA4DEF\21-11-2018 size = 77 True 1
Delete C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps2.txt - True 1
Delete C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps7 - True 294
Delete C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps8 - True 2
Registry (25)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\SOFTWARE\remote - True 3
Open Key HKEY_CURRENT_USER\Software\Borland\Locales - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Borland\Locales - False 1
Open Key HKEY_CURRENT_USER\Software\Borland\Delphi\Locales - False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\ - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\remote - False 1
Open Key HKEY_CURRENT_USER\SOFTWARE\remote - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\remote - True 2
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = 0, type = REG_SZ True 1
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = REG_SZ True 1
Read Value HKEY_CURRENT_USER\SOFTWARE\remote value_name = FirstExecution, data = 0, type = REG_EXPAND_SZ True 1
Read Value HKEY_CURRENT_USER\SOFTWARE\remote value_name = FirstExecution, data = 21/11/2018 -- 03:24, type = REG_EXPAND_SZ True 1
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = 0, type = REG_SZ True 1
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = REG_SZ True 1
Read Value HKEY_CURRENT_USER\SOFTWARE\remote value_name = NewIdentification, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\SOFTWARE\remote value_name = NewGroup, type = REG_NONE False 1
Write Value HKEY_CURRENT_USER\SOFTWARE\remote value_name = FirstExecution, data = 21/11/2018 -- 03:24, size = 19, type = REG_EXPAND_SZ True 1
Write Value HKEY_CURRENT_USER\SOFTWARE\remote value_name = NewIdentification, data = remote, size = 6, type = REG_EXPAND_SZ True 1
Write Value HKEY_CURRENT_USER\SOFTWARE\remote value_name = NewGroup, size = 0, type = REG_EXPAND_SZ True 1
Delete Key HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} - False 1
Process (1)
Operation Process Additional Information Success Count Logfile
Get Info c:\windows\syswow64\explorer.exe type = PROCESS_PRIORITY_BOOST True 1
Module (373)
Operation Module Additional Information Success Count Logfile
Load KERNEL32.DLL base_address = 0x75260000 True 4
Load advapi32.dll base_address = 0x76a10000 True 4
Load gdi32.dll base_address = 0x77000000 True 2
Load gdiplus.dll base_address = 0x744c0000 True 2
Load mpr.dll base_address = 0x744a0000 True 2
Load msacm32.dll base_address = 0x74480000 True 2
Load ntdll.dll base_address = 0x77ca0000 True 2
Load ole32.dll base_address = 0x768b0000 True 3
Load oleaut32.dll base_address = 0x76c90000 True 2
Load powrprof.dll base_address = 0x753b0000 True 2
Load shell32.dll base_address = 0x75430000 True 5
Load user32.dll base_address = 0x77150000 True 3
Load version.dll base_address = 0x74410000 True 2
Load wininet.dll base_address = 0x741e0000 True 2
Load winmm.dll base_address = 0x741b0000 True 2
Load wsock32.dll base_address = 0x741a0000 True 2
Load iphlpapi.dll base_address = 0x74170000 True 1
Load kernel32.dll base_address = 0x75260000 True 7
Load Crypt32.dll base_address = 0x77ab0000 True 1
Load Advapi32.dll base_address = 0x76a10000 True 7
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75260000 True 5
Get Handle c:\windows\syswow64\advapi32.dll base_address = 0x76a10000 True 1
Get Handle c:\windows\syswow64\gdi32.dll base_address = 0x77000000 True 1
Get Handle c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll base_address = 0x744c0000 True 1
Get Handle mpr.dll base_address = 0x744a0000 True 1
Get Handle msacm32.dll base_address = 0x74480000 True 1
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77ca0000 True 1
Get Handle ole32.dll base_address = 0x768b0000 True 1
Get Handle c:\windows\syswow64\oleaut32.dll base_address = 0x76c90000 True 1
Get Handle c:\windows\syswow64\powrprof.dll base_address = 0x753b0000 True 1
Get Handle c:\windows\syswow64\shell32.dll base_address = 0x75430000 True 1
Get Handle c:\windows\syswow64\user32.dll base_address = 0x77150000 True 1
Get Handle version.dll base_address = 0x74410000 True 1
Get Handle wininet.dll base_address = 0x741e0000 True 1
Get Handle winmm.dll base_address = 0x741b0000 True 1
Get Handle wsock32.dll base_address = 0x741a0000 True 1
Get Filename - process_name = c:\windows\syswow64\explorer.exe, size = 261 False 1
Get Filename - process_name = c:\windows\syswow64\explorer.exe, file_name_orig = C:\Windows\SysWOW64\explorer.exe, size = 261 True 3
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x7527d8d0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x75277940 True 3
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x75278c50 True 2
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x75278b70 True 2
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x75278c70 True 2
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyA, address_out = 0x76a331a0 True 2
Get Address c:\windows\syswow64\gdi32.dll function = BitBlt, address_out = 0x77082170 True 2
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipFree, address_out = 0x74503810 True 2
Get Address Unknown module name function = WNetOpenEnumA, address_out = 0x744ad6c0 True 2
Get Address Unknown module name function = acmStreamSize, address_out = 0x7448ace0 True 2
Get Address c:\windows\syswow64\ntdll.dll function = ZwSetInformationProcess, address_out = 0x77d08da0 True 2
Get Address Unknown module name function = CoTaskMemFree, address_out = 0x76eccf40 True 2
Get Address c:\windows\syswow64\oleaut32.dll function = SysFreeString, address_out = 0x76ca9230 True 2
Get Address c:\windows\syswow64\powrprof.dll function = SetSuspendState, address_out = 0x753b9ab0 True 2
Get Address c:\windows\syswow64\shell32.dll function = SHGetFileInfoA, address_out = 0x755cf7f0 True 2
Get Address c:\windows\syswow64\user32.dll function = GetDC, address_out = 0x77184dd0 True 1
Get Address Unknown module name function = VerQueryValueA, address_out = 0x744114c0 True 1
Get Address Unknown module name function = FtpOpenFileA, address_out = 0x74329a80 True 1
Get Address Unknown module name function = waveInOpen, address_out = 0x741bcc80 True 1
Get Address Unknown module name function = send, address_out = 0x769bce20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x75271b90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedDecrement, address_out = 0x75277560 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedIncrement, address_out = 0x75277520 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x752775a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x75272d60 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x75283a30 True 2
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpynA, address_out = 0x7527f7b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExA, address_out = 0x75279f60 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetThreadLocale, address_out = 0x7527a4e0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoA, address_out = 0x75279730 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoA, address_out = 0x7527e240 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x75272db0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileA, address_out = 0x75286210 True 2
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x752861d0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x752874f0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x75279700 True 2
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x75286590 True 2
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x752a28e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x75286530 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetEndOfFile, address_out = 0x752864f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x75279a80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x752864a0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x75279ec0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x7527a060 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x75286360 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTime, address_out = 0x75284a60 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x75286390 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x75286170 True 2
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x75285f20 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x7527a3c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x75271da0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x75271ba0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x75279930 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x75279a70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x752787c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LocalAlloc, address_out = 0x75278840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x75279640 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x7527a040 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x752798f0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x752725e0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77cdbae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x77cdda90 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x75277910 True 2
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpA, address_out = 0x7527c1f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteProcessMemory, address_out = 0x752a2ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WinExec, address_out = 0x752a0170 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x75286110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAllocEx, address_out = 0x752a29a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TerminateThread, address_out = 0x7527fcb0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x7527fbc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x752777b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadPriority, address_out = 0x75279490 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadLocale, address_out = 0x7527a310 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetNamedPipeHandleState, address_out = 0x752a2600 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileTime, address_out = 0x75286550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileAttributesA, address_out = 0x75286500 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x75278bf0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = RemoveDirectoryA, address_out = 0x752864d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x752792b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileA, address_out = 0x7527c240 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsBadReadPtr, address_out = 0x75271ce0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalUnlock, address_out = 0x75272a10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalSize, address_out = 0x752777c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalReAlloc, address_out = 0x75272ba0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalMemoryStatus, address_out = 0x752792d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalHandle, address_out = 0x7527e030 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalLock, address_out = 0x75271bc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalFree, address_out = 0x75283a70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalAlloc, address_out = 0x75279600 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetVolumeInformationA, address_out = 0x75286430 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x75279fe0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x752857f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemInfo, address_out = 0x7527a1f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetPrivateProfileStringA, address_out = 0x75280280 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetPrivateProfileIntA, address_out = 0x75280200 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalDriveStringsA, address_out = 0x7529e9a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocalTime, address_out = 0x75279a60 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileAttributesA, address_out = 0x75286310 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeProcess, address_out = 0x7527f6f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x7527a390 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeA, address_out = 0x752862f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x75271d90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x75272da0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameA, address_out = 0x7527f4b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileA, address_out = 0x75286270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FileTimeToLocalFileTime, address_out = 0x752861c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FileTimeToDosDateTime, address_out = 0x75282360 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x752861a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateRemoteThread, address_out = 0x752a0a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x752a0960 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreatePipe, address_out = 0x75270570 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexA, address_out = 0x75285fb0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventA, address_out = 0x75285f70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryA, address_out = 0x75286140 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileA, address_out = 0x7527c510 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExW, address_out = 0x7527a2a0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExA, address_out = 0x76a30750 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExA, address_out = 0x76a2ee40 True 2
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExA, address_out = 0x76a2f000 True 2
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumValueA, address_out = 0x76a32540 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumKeyExA, address_out = 0x76a32520 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegDeleteValueA, address_out = 0x76a30fb0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegDeleteKeyA, address_out = 0x76a2fc50 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyA, address_out = 0x76a33150 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x76a2efa0 True 2
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenProcessToken, address_out = 0x76a2ee90 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = LookupPrivilegeValueA, address_out = 0x76a43e70 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameA, address_out = 0x76a336d0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = AdjustTokenPrivileges, address_out = 0x76a30680 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = StartServiceA, address_out = 0x76a46a40 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = QueryServiceStatus, address_out = 0x76a339f0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenServiceA, address_out = 0x76a46590 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenSCManagerA, address_out = 0x76a30f30 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = EnumServicesStatusA, address_out = 0x76a5ad50 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = DeleteService, address_out = 0x76a45e30 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CreateServiceA, address_out = 0x76a45670 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = ControlService, address_out = 0x76a455f0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CloseServiceHandle, address_out = 0x76a306a0 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = SetTextColor, address_out = 0x77081c80 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = SetBkColor, address_out = 0x77081da0 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = SelectObject, address_out = 0x7707fc80 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = GetObjectA, address_out = 0x77090530 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = GetDeviceCaps, address_out = 0x77080820 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = GetDIBits, address_out = 0x77080dc0 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = DeleteObject, address_out = 0x77080050 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = DeleteDC, address_out = 0x77080550 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = CreateSolidBrush, address_out = 0x770823d0 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = CreateFontA, address_out = 0x770b1180 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = CreateCompatibleDC, address_out = 0x77081f90 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = CreateCompatibleBitmap, address_out = 0x770822d0 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipGetImageEncoders, address_out = 0x7451f380 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipGetImageEncodersSize, address_out = 0x7451f520 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipDrawImageRectI, address_out = 0x74507180 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipSetInterpolationMode, address_out = 0x74505ad0 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipDeleteGraphics, address_out = 0x744e92d0 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipCreateBitmapFromScan0, address_out = 0x745031c0 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipCreateBitmapFromFileICM, address_out = 0x74554560 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipCreateBitmapFromStreamICM, address_out = 0x745546f0 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipCreateBitmapFromFile, address_out = 0x745232f0 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipCreateBitmapFromStream, address_out = 0x74529f10 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipGetImagePixelFormat, address_out = 0x7452d9f0 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipGetImageGraphicsContext, address_out = 0x74503300 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipSaveImageToStream, address_out = 0x74524bd0 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipDisposeImage, address_out = 0x745291c0 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdiplusShutdown, address_out = 0x7452a7c0 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdiplusStartup, address_out = 0x7452ab50 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipAlloc, address_out = 0x74503840 True 1
Fn
Get Address Unknown module name function = WNetEnumResourceA, address_out = 0x744acc80 True 1
Fn
Get Address Unknown module name function = WNetCloseEnum, address_out = 0x744a3710 True 1
Fn
Get Address Unknown module name function = acmStreamUnprepareHeader, address_out = 0x7448ade0 True 1
Fn
Get Address Unknown module name function = acmStreamPrepareHeader, address_out = 0x7448ab20 True 1
Fn
Get Address Unknown module name function = acmStreamConvert, address_out = 0x7448a440 True 1
Fn
Get Address Unknown module name function = acmStreamReset, address_out = 0x7448ac70 True 1
Fn
Get Address Unknown module name function = acmStreamClose, address_out = 0x7448a2f0 True 1
Fn
Get Address Unknown module name function = acmStreamOpen, address_out = 0x7448a630 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueryInformationProcess, address_out = 0x77d08d50 True 1
Fn
Get Address Unknown module name function = CLSIDFromString, address_out = 0x76ef1390 True 1
Fn
Get Address Unknown module name function = StringFromCLSID, address_out = 0x76eb1020 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SysReAllocStringLen, address_out = 0x76cb3ee0 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SysAllocStringLen, address_out = 0x76ca91a0 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExA, address_out = 0x75692190 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = DragQueryFileA, address_out = 0x7567f900 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderPathA, address_out = 0x756d4f00 True 3
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExA, address_out = 0x77184720 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wvsprintfA, address_out = 0x7717ea20 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = mouse_event, address_out = 0x771cfd40 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = keybd_event, address_out = 0x771cfcf0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x77177020 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = UnregisterClassA, address_out = 0x77180b00 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x7716b9d0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ToUnicodeEx, address_out = 0x771cf4c0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SystemParametersInfoA, address_out = 0x77180860 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x771852a0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetWindowTextA, address_out = 0x771745e0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetWindowPos, address_out = 0x77184f70 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetWindowLongA, address_out = 0x77180c20 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetTimer, address_out = 0x7716cd50 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetPropA, address_out = 0x77180e50 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetForegroundWindow, address_out = 0x7716df70 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetCursor, address_out = 0x77184ed0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetClipboardData, address_out = 0x771813e0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageTimeoutA, address_out = 0x7717dc40 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageA, address_out = 0x77171460 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ScreenToClient, address_out = 0x771656d0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RemovePropA, address_out = 0x77181000 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ReleaseDC, address_out = 0x771689f0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterClassA, address_out = 0x77183e50 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostQuitMessage, address_out = 0x77182430 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostMessageA, address_out = 0x7717ce20 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PeekMessageA, address_out = 0x7716aa70 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = OpenClipboard, address_out = 0x77181770 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MsgWaitForMultipleObjects, address_out = 0x7716a2f0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxA, address_out = 0x771ccf50 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MapVirtualKeyExA, address_out = 0x771d7440 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MapVirtualKeyA, address_out = 0x77181fb0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadIconA, address_out = 0x77181ec0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadCursorA, address_out = 0x77181e90 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = IsWindowVisible, address_out = 0x77176e80 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = IsWindow, address_out = 0x77167130 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = InvalidateRect, address_out = 0x77184d70 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetWindowThreadProcessId, address_out = 0x7716ba70 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetWindowTextLengthA, address_out = 0x77171670 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetWindowTextA, address_out = 0x77174690 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetWindowRect, address_out = 0x77165930 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetWindowLongA, address_out = 0x7717cc90 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetSystemMetrics, address_out = 0x771655d0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetSystemMenu, address_out = 0x77185330 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetSysColor, address_out = 0x7716c900 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetPropA, address_out = 0x7717e230 True 1
Fn
Get Address Unknown module name function = AllocateAndGetTcpExTableFromStack, address_out = 0x0 False 1
Fn
Get Address Unknown module name function = AllocateAndGetUdpExTableFromStack, address_out = 0x0 False 1
Fn
Get Address Unknown module name function = SetTcpEntry, address_out = 0x74192050 True 1
Fn
Get Address Unknown module name function = GetExtendedTcpTable, address_out = 0x7417b880 True 1
Fn
Get Address Unknown module name function = GetExtendedUdpTable, address_out = 0x7417c0d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathA, address_out = 0x75286410 True 5
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptUnprotectData, address_out = 0x77afaf50 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CredEnumerateA, address_out = 0x76a45710 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextA, address_out = 0x76a30c00 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptCreateHash, address_out = 0x76a2f930 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptHashData, address_out = 0x76a2f950 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetHashParam, address_out = 0x76a2f530 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyHash, address_out = 0x76a2fbf0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x76a30ad0 True 1
Fn
Get Address Unknown module name function = OleInitialize, address_out = 0x768d9c50 True 1
Fn
Get Address Unknown module name function = CoCreateInstance, address_out = 0x76ee8200 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetWindowsDirectoryA, address_out = 0x7527f8e0 True 2
Fn
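The "Get Address" rows above are GetProcAddress lookups the unpacked payload performs at runtime instead of declaring static imports, which is why the crypter-wrapped sample shows so little in its import table and so much here. Read as a whole they describe the capabilities of the dropped keylogger: the OpenProcess/VirtualAllocEx/WriteProcessMemory/CreateRemoteThread set used for the injection into explorer.exe listed in the process overview, token-privilege adjustment, service and registry persistence, GDI and GDI+ screen capture, ToUnicodeEx/MapVirtualKeyExA keystroke decoding, clipboard access, TCP/UDP connection enumeration and CryptUnprotectData/CredEnumerateA credential access. The Python below is an added example, not part of the VMRay report or of the sample's code: it parses rows in this table's format and reports which capability clusters were fully resolved, which lookups failed, and what each module contributed. The cluster names and member sets are this example's own labels, and the embedded rows are a constructed subset copied from the table above.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Get Address" rows copied from the report
# above (the full section resolves roughly 190 exports). Rows whose module VMRay
# could not name, and one failed lookup, are kept on purpose so the parser and
# the capability matcher have to cope with them.
SAMPLE_ROWS = r"""
Get Address c:\windows\syswow64\kernel32.dll function = WriteProcessMemory, address_out = 0x752a2ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAllocEx, address_out = 0x752a29a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x752792b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateRemoteThread, address_out = 0x752a0a00 True 1
Get Address c:\windows\syswow64\advapi32.dll function = OpenProcessToken, address_out = 0x76a2ee90 True 1
Get Address c:\windows\syswow64\advapi32.dll function = LookupPrivilegeValueA, address_out = 0x76a43e70 True 1
Get Address c:\windows\syswow64\advapi32.dll function = AdjustTokenPrivileges, address_out = 0x76a30680 True 1
Get Address c:\windows\syswow64\advapi32.dll function = OpenSCManagerA, address_out = 0x76a30f30 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CreateServiceA, address_out = 0x76a45670 True 1
Get Address c:\windows\syswow64\advapi32.dll function = StartServiceA, address_out = 0x76a46a40 True 1
Get Address c:\windows\syswow64\gdi32.dll function = CreateCompatibleDC, address_out = 0x77081f90 True 1
Get Address c:\windows\syswow64\gdi32.dll function = CreateCompatibleBitmap, address_out = 0x770822d0 True 1
Get Address c:\windows\syswow64\gdi32.dll function = GetDIBits, address_out = 0x77080dc0 True 1
Get Address c:\windows\syswow64\user32.dll function = ToUnicodeEx, address_out = 0x771cf4c0 True 1
Get Address c:\windows\syswow64\user32.dll function = MapVirtualKeyExA, address_out = 0x771d7440 True 1
Get Address c:\windows\syswow64\user32.dll function = OpenClipboard, address_out = 0x77181770 True 1
Get Address c:\windows\syswow64\user32.dll function = keybd_event, address_out = 0x771cfcf0 True 1
Get Address c:\windows\syswow64\user32.dll function = mouse_event, address_out = 0x771cfd40 True 1
Get Address Unknown module name function = AllocateAndGetTcpExTableFromStack, address_out = 0x0 False 1
Get Address Unknown module name function = GetExtendedTcpTable, address_out = 0x7417b880 True 1
Get Address Unknown module name function = GetExtendedUdpTable, address_out = 0x7417c0d0 True 1
Get Address c:\windows\syswow64\crypt32.dll function = CryptUnprotectData, address_out = 0x77afaf50 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CredEnumerateA, address_out = 0x76a45710 True 1
"""

# One row of the report's "Get Address" table, as flattened on the page.
ROW_RE = re.compile(
    r"^Get Address (?P<module>.+?) function = (?P<func>\w+), "
    r"address_out = (?P<addr>0x[0-9a-fA-F]+) (?P<ok>True|False) (?P<count>\d+)$"
)

# Capability clusters: the classic API groupings an analyst looks for when
# triaging a dynamically resolved import set. The labels are this example's
# own, not VMRay's VTI categories. A cluster counts only when every member
# resolved, which keeps a lone OpenProcess from looking like injection.
CAPABILITIES = {
    "process_injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "privilege_adjust": {"OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"},
    "service_install": {"OpenSCManagerA", "CreateServiceA", "StartServiceA"},
    "registry_persistence": {"RegCreateKeyA", "RegSetValueExA"},
    "screen_capture": {"CreateCompatibleDC", "CreateCompatibleBitmap", "GetDIBits"},
    "keystroke_decode": {"ToUnicodeEx", "MapVirtualKeyExA"},
    "clipboard_read": {"OpenClipboard"},
    "input_injection": {"keybd_event", "mouse_event"},
    "connection_enum": {"GetExtendedTcpTable", "GetExtendedUdpTable"},
    "credential_access": {"CryptUnprotectData", "CredEnumerateA"},
}


def parse_rows(text):
    """Parse well-formed 'Get Address' rows; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "module": m["module"].lower(),
            "func": m["func"],
            "addr": int(m["addr"], 16),
            "ok": m["ok"] == "True",
            "count": int(m["count"]),
        })
    return rows


def resolved_functions(rows):
    """Names of exports the sample actually obtained an address for."""
    return {r["func"] for r in rows if r["ok"]}


def failed_lookups(rows):
    """Exports the sample asked for but the OS did not provide (address 0x0)."""
    return sorted(r["func"] for r in rows if not r["ok"])


def capabilities(rows):
    """Capability clusters whose every member was resolved, sorted by name."""
    have = resolved_functions(rows)
    return sorted(name for name, members in CAPABILITIES.items() if members <= have)


def by_module(rows):
    """Resolved exports grouped by the module VMRay attributed them to."""
    groups = defaultdict(set)
    for r in rows:
        if r["ok"]:
            groups[r["module"]].add(r["func"])
    return dict(groups)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print("capabilities:", ", ".join(capabilities(rows)))
    print("failed lookups:", failed_lookups(rows))
    for module, funcs in sorted(by_module(rows).items()):
        print(f"{module}: {len(funcs)} exports")
```

Two caveats when applying this to the full table. First, "Unknown module name" is a reporting limitation, not evasion: GetExtendedTcpTable and friends live in iphlpapi.dll and acmStream* in msacm32.dll, the tool simply did not attribute the handle. The one genuine failure, AllocateAndGetTcpExTableFromStack, is an undocumented XP-era export that no longer exists, which is a hint at the age of the keylogger's code base. Second, do not map addresses back to modules by range alone: HeapAlloc and HeapReAlloc resolve to 0x77cd… although every other kernel32 export sits at 0x752…, because kernel32 forwards those exports to ntdll (RtlAllocateHeap and RtlReAllocateHeap), and ZwQueryInformationProcess at 0x77d0… confirms that range is ntdll.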
User (1)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Keyboard (498)
Operation Additional Information Success Count Logfile
Read virtual_key_code = VK_BACK, result_out = 0 True 3
Fn
Read virtual_key_code = VK_TAB, result_out = 0 True 3
Fn
Read virtual_key_code = Undefined, result_out = 0 True 97
Fn
Read virtual_key_code = VK_CLEAR, result_out = 0 True 3
Fn
Read virtual_key_code = VK_RETURN, result_out = 0 True 2
Fn
Read virtual_key_code = VK_SHIFT, result_out = 0 True 3
Fn
Read virtual_key_code = VK_CONTROL, result_out = 0 True 3
Fn
Read virtual_key_code = VK_MENU, result_out = 0 True 3
Fn
Read virtual_key_code = VK_PAUSE, result_out = 0 True 3
Fn
Read virtual_key_code = VK_CAPITAL, result_out = 0 True 3
Fn
Read virtual_key_code = VK_HANGUL, result_out = 0 True 3
Fn
Read virtual_key_code = VK_JUNJA, result_out = 0 True 3
Fn
Read virtual_key_code = VK_FINAL, result_out = 0 True 3
Fn
Read virtual_key_code = VK_HANJA, result_out = 0 True 3
Fn
Read virtual_key_code = VK_ESCAPE, result_out = 0 True 3
Fn
Read virtual_key_code = VK_CONVERT, result_out = 0 True 3
Fn
Read virtual_key_code = VK_NONCONVERT, result_out = 0 True 3
Fn
Read virtual_key_code = VK_ACCEPT, result_out = 0 True 3
Fn
Read virtual_key_code = VK_MODECHANGE, result_out = 0 True 3
Fn
Read virtual_key_code = VK_SPACE, result_out = 0 True 3
Fn
Read virtual_key_code = VK_PRIOR, result_out = 0 True 3
Fn
Read virtual_key_code = VK_NEXT, result_out = 0 True 3
Fn
Read virtual_key_code = VK_END, result_out = 0 True 3
Fn
Read virtual_key_code = VK_HOME, result_out = 0 True 3
Fn
Read virtual_key_code = VK_LEFT, result_out = 0 True 3
Fn
Read virtual_key_code = VK_UP, result_out = 0 True 3
Fn
Read virtual_key_code = VK_RIGHT, result_out = 0 True 3
Fn
Read virtual_key_code = VK_DOWN, result_out = 0 True 4
Fn
Read virtual_key_code = VK_SELECT, result_out = 0 True 4
Fn
Read virtual_key_code = VK_PRINT, result_out = 0 True 3
Fn
Read virtual_key_code = VK_EXECUTE, result_out = 0 True 3
Fn
Read virtual_key_code = VK_SNAPSHOT, result_out = 0 True 3
Fn
Read virtual_key_code = VK_INSERT, result_out = 0 True 3
Fn
Read virtual_key_code = VK_DELETE, result_out = 0 True 3
Fn
Read virtual_key_code = VK_HELP, result_out = 0 True 3
Fn
Read virtual_key_code = 0 key, result_out = 0 True 3
Fn
Read virtual_key_code = 1 key, result_out = 0 True 3
Fn
Read virtual_key_code = 2 key, result_out = 0 True 3
Fn
Read virtual_key_code = 3 key, result_out = 0 True 3
Fn
Read virtual_key_code = 4 key, result_out = 0 True 3
Fn
Read virtual_key_code = 5 key, result_out = 0 True 3
Fn
Read virtual_key_code = 6 key, result_out = 0 True 3
Fn
Read virtual_key_code = 7 key, result_out = 0 True 3
Fn
Read virtual_key_code = 8 key, result_out = 0 True 3
Fn
Read virtual_key_code = 9 key, result_out = 0 True 3
Fn
Read virtual_key_code = A key, result_out = 0 True 3
Fn
Read virtual_key_code = B key, result_out = 0 True 3
Fn
Read virtual_key_code = C key, result_out = 0 True 3
Fn
Read virtual_key_code = D key, result_out = 0 True 3
Fn
Read virtual_key_code = E key, result_out = 0 True 3
Fn
Read virtual_key_code = F key, result_out = 0 True 3
Fn
Read virtual_key_code = G key, result_out = 0 True 3
Fn
Read virtual_key_code = H key, result_out = 0 True 3
Fn
Read virtual_key_code = I key, result_out = 0 True 3
Fn
Read virtual_key_code = J key, result_out = 0 True 2
Fn
Read virtual_key_code = K key, result_out = 0 True 2
Fn
Read virtual_key_code = L key, result_out = 0 True 2
Fn
Read virtual_key_code = M key, result_out = 0 True 2
Fn
Read virtual_key_code = N key, result_out = 0 True 2
Fn
Read virtual_key_code = O key, result_out = 0 True 2
Fn
Read virtual_key_code = P key, result_out = 0 True 2
Fn
Read virtual_key_code = Q key, result_out = 0 True 2
Fn
Read virtual_key_code = R key, result_out = 0 True 2
Fn
Read virtual_key_code = S key, result_out = 0 True 2
Fn
Read virtual_key_code = T key, result_out = 0 True 2
Fn
Read virtual_key_code = U key, result_out = 0 True 2
Fn
Read virtual_key_code = V key, result_out = 0 True 2
Fn
Read virtual_key_code = W key, result_out = 0 True 2
Fn
Read virtual_key_code = X key, result_out = 0 True 2
Fn
Read virtual_key_code = Y key, result_out = 0 True 2
Fn
Read virtual_key_code = Z key, result_out = 0 True 2
Fn
Read virtual_key_code = VK_LWIN, result_out = 0 True 2
Fn
Read virtual_key_code = VK_RWIN, result_out = 0 True 2
Fn
Read virtual_key_code = VK_APPS, result_out = 0 True 2
Fn
Read virtual_key_code = VK_SLEEP, result_out = 0 True 2
Fn
Read virtual_key_code = VK_NUMPAD0, result_out = 0 True 2
Fn
Read virtual_key_code = VK_NUMPAD1, result_out = 0 True 2
Fn
Read virtual_key_code = VK_NUMPAD2, result_out = 0 True 2
Fn
Read virtual_key_code = VK_NUMPAD3, result_out = 0 True 2
Fn
Read virtual_key_code = VK_NUMPAD4, result_out = 0 True 2
Fn
Read virtual_key_code = VK_NUMPAD5, result_out = 0 True 2
Fn
Read virtual_key_code = VK_NUMPAD6, result_out = 0 True 2
Fn
Read virtual_key_code = VK_NUMPAD7, result_out = 0 True 2
Fn
Read virtual_key_code = VK_NUMPAD8, result_out = 0 True 2
Fn
Read virtual_key_code = VK_NUMPAD9, result_out = 0 True 2
Fn
Read virtual_key_code = VK_MULTIPLY, result_out = 0 True 2
Fn
Read virtual_key_code = VK_ADD, result_out = 0 True 2
Fn
Read virtual_key_code = VK_SEPARATOR, result_out = 0 True 2
Fn
Read virtual_key_code = VK_SUBTRACT, result_out = 0 True 2
Fn
Read virtual_key_code = VK_DECIMAL, result_out = 0 True 2
Fn
Read virtual_key_code = VK_DIVIDE, result_out = 0 True 2
Fn
Read virtual_key_code = VK_F1, result_out = 0 True 2
Fn
Read virtual_key_code = VK_F2, result_out = 0 True 2
Fn
Read virtual_key_code = VK_F3, result_out = 0 True 2
Fn
Read virtual_key_code = VK_F4, result_out = 0 True 2
Fn
Read virtual_key_code = VK_F5, result_out = 0 True 2
Fn
Read virtual_key_code = VK_F6, result_out = 0 True 2
Fn
Read virtual_key_code = VK_F7, result_out = 0 True 2
Fn
Read virtual_key_code = VK_F8, result_out = 0 True 2
Fn
Read virtual_key_code = VK_F9, result_out = 0 True 2
Fn
Read virtual_key_code = VK_F10, result_out = 0 True 2
Fn
Read virtual_key_code = VK_F11, result_out = 0 True 2
Fn
Read virtual_key_code = VK_F12, result_out = 0 True 2
Fn
Read virtual_key_code = VK_F13, result_out = 0 True 2
Fn
Read virtual_key_code = VK_F14, result_out = 0 True 2
Fn
Read virtual_key_code = VK_F15, result_out = 0 True 2
Fn
Read virtual_key_code = VK_F16, result_out = 0 True 2
Fn
Read result_out = 0 True 2
Fn
Read virtual_key_code = VK_F18, result_out = 0 True 2
Fn
Read virtual_key_code = VK_F19, result_out = 0 True 2
Fn
Read virtual_key_code = VK_F20, result_out = 0 True 2
Fn
Read virtual_key_code = VK_F21, result_out = 0 True 2
Fn
Read virtual_key_code = VK_F22, result_out = 0 True 2
Fn
Read virtual_key_code = VK_F23, result_out = 0 True 2
Fn
Read virtual_key_code = VK_F24, result_out = 0 True 2
Fn
Read virtual_key_code = Unassigned, result_out = 0 True 34
Fn
Read virtual_key_code = VK_NUMLOCK, result_out = 0 True 2
Fn
Read virtual_key_code = VK_SCROLL, result_out = 0 True 2
Fn
Read virtual_key_code = OEM specific, result_out = 0 True 10
Fn
Read virtual_key_code = VK_LSHIFT, result_out = 0 True 2
Fn
Read virtual_key_code = VK_RSHIFT, result_out = 0 True 2
Fn
Read virtual_key_code = VK_LCONTROL, result_out = 0 True 2
Fn
Read virtual_key_code = VK_RCONTROL, result_out = 0 True 2
Fn
Read virtual_key_code = VK_LMENU, result_out = 0 True 2
Fn
Read virtual_key_code = VK_RMENU, result_out = 0 True 2
Fn
Read virtual_key_code = VK_BROWSER_BACK, result_out = 0 True 2
Fn
Read virtual_key_code = VK_BROWSER_FORWARD, result_out = 0 True 2
Fn
Read virtual_key_code = VK_BROWSER_REFRESH, result_out = 0 True 2
Fn
Read virtual_key_code = VK_BROWSER_STOP, result_out = 0 True 2
Fn
Read virtual_key_code = VK_BROWSER_SEARCH, result_out = 0 True 2
Fn
Read virtual_key_code = VK_BROWSER_FAVORITES, result_out = 0 True 2
Fn
Read virtual_key_code = VK_BROWSER_HOME, result_out = 0 True 2
Fn
Read virtual_key_code = VK_VOLUME_MUTE, result_out = 0 True 2
Fn
Read virtual_key_code = VK_VOLUME_DOWN, result_out = 0 True 2
Fn
Read virtual_key_code = VK_VOLUME_UP, result_out = 0 True 2
Fn
Read virtual_key_code = VK_MEDIA_NEXT_TRACK, result_out = 0 True 2
Fn
Read virtual_key_code = VK_MEDIA_PREV_TRACK, result_out = 0 True 2
Fn
Read virtual_key_code = VK_MEDIA_STOP, result_out = 0 True 2
Fn
Read virtual_key_code = VK_MEDIA_PLAY_PAUSE, result_out = 0 True 2
Fn
Read virtual_key_code = VK_LAUNCH_MAIL, result_out = 0 True 2
Fn
Read virtual_key_code = VK_LAUNCH_MEDIA_SELECT, result_out = 0 True 2
Fn
Read virtual_key_code = VK_LAUNCH_APP1, result_out = 0 True 2
Fn
Read virtual_key_code = VK_LAUNCH_APP2, result_out = 0 True 2
Fn
Read virtual_key_code = VK_OEM_1, result_out = 0 True 2
Fn
Read virtual_key_code = VK_OEM_PLUS, result_out = 0 True 2
Fn
Read virtual_key_code = VK_OEM_COMMA, result_out = 0 True 2
Fn
Read virtual_key_code = VK_OEM_MINUS, result_out = 0 True 2
Fn
Read virtual_key_code = VK_OEM_PERIOD, result_out = 0 True 2
Fn
Read virtual_key_code = VK_OEM_2, result_out = 0 True 2
Fn
Read virtual_key_code = VK_OEM_3, result_out = 0 True 2
Fn
Read virtual_key_code = VK_OEM_4, result_out = 0 True 2
Fn
Read virtual_key_code = VK_OEM_5, result_out = 0 True 2
Fn
Read virtual_key_code = VK_OEM_6, result_out = 0 True 2
Fn
Read virtual_key_code = VK_OEM_7, result_out = 0 True 2
Fn
Read virtual_key_code = VK_RETURN, result_out = 1 True 1
Fn
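The Keyboard table above is the fingerprint of a polling keylogger rather than a hook-based one: instead of installing a WH_KEYBOARD_LL hook it reads the state of every virtual-key code in turn, which is why keys no ordinary program would ever query (VK_F24, VK_JUNJA, the browser and media keys, the codes VMRay renders as "Undefined", "Unassigned" and "OEM specific") each appear with a near-uniform count of two or three reads, and why the table holds 498 reads in total. Only VK_RETURN ever returned a nonzero result. The Python below is an added example, not part of the VMRay report or of the sample's code: it parses rows in this table's format, including the one row between VK_F16 and VK_F18 that carries no virtual_key_code field, and applies a sweep heuristic of this example's own design (the key-group patterns and the "every group touched" rule are assumptions, not VMRay logic) to distinguish a whole-range scan from targeted key reads. The embedded rows are a constructed subset copied from the table above.

```python
import re

# Constructed sample: a subset of the "Keyboard" rows copied from the report
# above (the full section holds 155 rows and 498 reads). The row with no
# virtual_key_code field is real: it sits between VK_F16 and VK_F18 in the
# report and is kept here so the parser is forced to handle it.
SAMPLE_ROWS = """
Read virtual_key_code = VK_BACK, result_out = 0 True 3
Read virtual_key_code = Undefined, result_out = 0 True 97
Read virtual_key_code = VK_SHIFT, result_out = 0 True 3
Read virtual_key_code = VK_CONTROL, result_out = 0 True 3
Read virtual_key_code = 0 key, result_out = 0 True 3
Read virtual_key_code = 9 key, result_out = 0 True 3
Read virtual_key_code = A key, result_out = 0 True 3
Read virtual_key_code = Z key, result_out = 0 True 2
Read virtual_key_code = VK_NUMPAD0, result_out = 0 True 2
Read virtual_key_code = VK_F1, result_out = 0 True 2
Read virtual_key_code = VK_F16, result_out = 0 True 2
Read result_out = 0 True 2
Read virtual_key_code = VK_F18, result_out = 0 True 2
Read virtual_key_code = Unassigned, result_out = 0 True 34
Read virtual_key_code = OEM specific, result_out = 0 True 10
Read virtual_key_code = VK_LSHIFT, result_out = 0 True 2
Read virtual_key_code = VK_BROWSER_BACK, result_out = 0 True 2
Read virtual_key_code = VK_MEDIA_PLAY_PAUSE, result_out = 0 True 2
Read virtual_key_code = VK_OEM_1, result_out = 0 True 2
Read virtual_key_code = VK_OEM_7, result_out = 0 True 2
Read virtual_key_code = VK_RETURN, result_out = 1 True 1
"""

# One "Read" row as flattened on the page. The virtual_key_code field is
# optional because the report itself omits it for one row.
ROW_RE = re.compile(
    r"^Read (?:virtual_key_code = (?P<key>.+?), )?"
    r"result_out = (?P<result>-?\d+) (?P<ok>True|False) (?P<count>\d+)$"
)

# Key groups used by the sweep heuristic (this example's own classification).
# A program reading keys it needs touches one or two groups; a loop over the
# whole virtual-key range touches all of them.
KEY_GROUPS = {
    "letters": re.compile(r"^[A-Z] key$"),
    "digits": re.compile(r"^[0-9] key$"),
    "function_keys": re.compile(r"^VK_F\d+$"),
    "numpad": re.compile(r"^VK_NUMPAD\d$"),
    "modifiers": re.compile(r"^VK_(L|R)?(SHIFT|CONTROL|MENU)$"),
    "oem": re.compile(r"^VK_OEM_"),
    "media_browser": re.compile(r"^VK_(BROWSER|MEDIA|VOLUME|LAUNCH)_"),
}


def parse_keyboard_rows(text):
    """Parse 'Read' rows; key is None when the report printed no key name."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "key": m["key"],
            "result": int(m["result"]),
            "ok": m["ok"] == "True",
            "count": int(m["count"]),
        })
    return rows


def groups_covered(rows):
    """Names of the key groups that appear at least once in the trace."""
    covered = set()
    for r in rows:
        if r["key"] is None:
            continue
        for name, pattern in KEY_GROUPS.items():
            if pattern.match(r["key"]):
                covered.add(name)
    return covered


def is_full_range_sweep(rows):
    """True when every key group was read, the signature of a polling loop
    that walks the whole virtual-key range instead of using a keyboard hook."""
    return groups_covered(rows) == set(KEY_GROUPS)


def pressed_keys(rows):
    """(key, count) for reads whose raw return value was nonzero."""
    return [(r["key"], r["count"]) for r in rows if r["result"] != 0]


def total_reads(rows):
    """Sum of the Count column, i.e. the number of key-state reads."""
    return sum(r["count"] for r in rows)


def unnamed_rows(rows):
    """Rows the report printed without a virtual_key_code field."""
    return [r for r in rows if r["key"] is None]


if __name__ == "__main__":
    rows = parse_keyboard_rows(SAMPLE_ROWS)
    print("reads:", total_reads(rows), "rows without key name:", len(unnamed_rows(rows)))
    print("groups covered:", sorted(groups_covered(rows)))
    print("full-range sweep:", is_full_range_sweep(rows))
    print("nonzero results:", pressed_keys(rows))
```

Read the result column with care. The report prints the raw return value, so result_out = 1 for VK_RETURN only says that one read saw Enter in a pressed state; it does not say who pressed it. The sandbox interacts with the guest, and the sample also resolves keybd_event, so synthetic input is possible in either direction, and the aggregate labels ("Undefined", "Unassigned", "OEM specific") fold many codes into one row, which is why their counts dwarf the rest.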
System (2069)
Operation Additional Information Success Count Logfile
Get Clipboard format = 1 False 1
Fn
Sleep duration = -1 (infinite) True 16
Fn
Sleep duration = 1 milliseconds (0.001 seconds) True 1
Fn
Sleep duration = 20 milliseconds (0.020 seconds) True 251
Fn
Sleep duration = 5 milliseconds (0.005 seconds) True 293
Fn
Sleep duration = 5000 milliseconds (5.000 seconds) True 2
Fn
Sleep duration = 100 milliseconds (0.100 seconds) False 1
Fn
Sleep duration = 10000 milliseconds (10.000 seconds) False 1
Fn
Sleep duration = 50 milliseconds (0.050 seconds) True 13
Fn
Sleep duration = 50 milliseconds (0.050 seconds) False 1
Fn
Sleep duration = 20 milliseconds (0.020 seconds) False 1
Fn
Get Time type = System Time, time = 2018-11-20 16:24:07 (UTC) True 1
Fn
Get Time type = Local Time, time = 2018-11-21 03:24:07 (Local Time) True 144
Fn
Get Time type = Ticks, time = 152156 True 1
Fn
Get Time type = Ticks, time = 152171 True 1
Fn
Get Time type = Ticks, time = 152187 True 2
Fn
Get Time type = Ticks, time = 152203 True 1
Fn
Get Time type = Ticks, time = 152218 True 2
Fn
Get Time type = Ticks, time = 152250 True 2
Fn
Get Time type = Ticks, time = 152265 True 1
Fn
Get Time type = Ticks, time = 152281 True 2 Fn
Get Time type = Ticks, time = 152296 True 1 Fn
Get Time type = Ticks, time = 152312 True 2 Fn
Get Time type = Ticks, time = 152328 True 1 Fn
Get Time type = Ticks, time = 152343 True 2 Fn
Get Time type = Ticks, time = 152359 True 1 Fn
Get Time type = Ticks, time = 152375 True 2 Fn
Get Time type = Ticks, time = 152390 True 1 Fn
Get Time type = Ticks, time = 152406 True 2 Fn
Get Time type = Ticks, time = 152421 True 1 Fn
Get Time type = Ticks, time = 152437 True 1 Fn
Get Time type = Ticks, time = 152453 True 1 Fn
Get Time type = Ticks, time = 152468 True 2 Fn
Get Time type = Ticks, time = 152484 True 1 Fn
Get Time type = Ticks, time = 152500 True 2 Fn
Get Time type = Ticks, time = 152515 True 1 Fn
Get Time type = Ticks, time = 152531 True 2 Fn
Get Time type = Ticks, time = 152546 True 1 Fn
Get Time type = Ticks, time = 152562 True 2 Fn
Get Time type = Ticks, time = 152578 True 1 Fn
Get Time type = Ticks, time = 152593 True 2 Fn
Get Time type = Ticks, time = 152609 True 1 Fn
Get Time type = Ticks, time = 152625 True 2 Fn
Get Time type = Ticks, time = 152640 True 1 Fn
Get Time type = Ticks, time = 152656 True 2 Fn
Get Time type = Ticks, time = 152671 True 1 Fn
Get Time type = Ticks, time = 152703 True 2 Fn
Get Time type = Ticks, time = 152718 True 1 Fn
Get Time type = Ticks, time = 152734 True 2 Fn
Get Time type = Ticks, time = 152750 True 1 Fn
Get Time type = Ticks, time = 152765 True 2 Fn
Get Time type = Ticks, time = 152781 True 1 Fn
Get Time type = Ticks, time = 152796 True 2 Fn
Get Time type = Ticks, time = 152812 True 1 Fn
Get Time type = Ticks, time = 152828 True 1 Fn
Get Time type = Ticks, time = 152859 True 1 Fn
Get Time type = Ticks, time = 152890 True 1 Fn
Get Time type = Ticks, time = 152921 True 2 Fn
Get Time type = Local Time, time = 2018-11-21 03:24:08 (Local Time) True 156 Fn
Get Time type = Ticks, time = 152937 True 1 Fn
Get Time type = Ticks, time = 152953 True 2 Fn
Get Time type = Ticks, time = 152968 True 1 Fn
Get Time type = Ticks, time = 152984 True 2 Fn
Get Time type = Ticks, time = 153000 True 1 Fn
Get Time type = Ticks, time = 153015 True 2 Fn
Get Time type = Ticks, time = 153031 True 1 Fn
Get Time type = Ticks, time = 153046 True 2 Fn
Get Time type = Ticks, time = 153062 True 1 Fn
Get Time type = Ticks, time = 153093 True 2 Fn
Get Time type = Ticks, time = 153109 True 1 Fn
Get Time type = Ticks, time = 153140 True 2 Fn
Get Time type = Ticks, time = 153156 True 1 Fn
Get Time type = Ticks, time = 153171 True 2 Fn
Get Time type = Ticks, time = 153187 True 1 Fn
Get Time type = Ticks, time = 153203 True 2 Fn
Get Time type = Ticks, time = 153265 True 2 Fn
Get Time type = Ticks, time = 153296 True 2 Fn
Get Time type = Ticks, time = 153312 True 1 Fn
Get Time type = Ticks, time = 153328 True 2 Fn
Get Time type = Ticks, time = 153343 True 1 Fn
Get Time type = Ticks, time = 153359 True 2 Fn
Get Time type = Ticks, time = 153375 True 1 Fn
Get Time type = Ticks, time = 153390 True 2 Fn
Get Time type = Ticks, time = 153406 True 1 Fn
Get Time type = Ticks, time = 153421 True 2 Fn
Get Time type = Ticks, time = 153437 True 1 Fn
Get Time type = Ticks, time = 153453 True 2 Fn
Get Time type = Ticks, time = 153468 True 1 Fn
Get Time type = Ticks, time = 153484 True 1 Fn
Get Time type = Ticks, time = 153500 True 3 Fn
Get Time type = Ticks, time = 153515 True 2 Fn
Get Time type = Ticks, time = 153531 True 2 Fn
Get Time type = Ticks, time = 153546 True 1 Fn
Get Time type = Ticks, time = 153562 True 2 Fn
Get Time type = Ticks, time = 153578 True 1 Fn
Get Time type = Ticks, time = 153593 True 2 Fn
Get Time type = Ticks, time = 153609 True 1 Fn
Get Time type = Ticks, time = 153625 True 2 Fn
Get Time type = Ticks, time = 153640 True 1 Fn
Get Time type = Ticks, time = 153656 True 2 Fn
Get Time type = Ticks, time = 153671 True 1 Fn
Get Time type = Ticks, time = 153703 True 2 Fn
Get Time type = Ticks, time = 153718 True 1 Fn
Get Time type = Ticks, time = 153734 True 2 Fn
Get Time type = Ticks, time = 153750 True 1 Fn
Get Time type = Ticks, time = 153765 True 2 Fn
Get Time type = Ticks, time = 153781 True 1 Fn
Get Time type = Ticks, time = 153796 True 2 Fn
Get Time type = Ticks, time = 153812 True 1 Fn
Get Time type = Ticks, time = 153828 True 2 Fn
Get Time type = Local Time, time = 2018-11-21 03:24:09 (Local Time) True 186 Fn
Get Time type = Ticks, time = 153843 True 1 Fn
Get Time type = Ticks, time = 153859 True 2 Fn
Get Time type = Ticks, time = 153875 True 1 Fn
Get Time type = Ticks, time = 153890 True 2 Fn
Get Time type = Ticks, time = 153906 True 1 Fn
Get Time type = Ticks, time = 153921 True 2 Fn
Get Time type = Ticks, time = 153937 True 1 Fn
Get Time type = Ticks, time = 153953 True 2 Fn
Get Time type = Ticks, time = 153968 True 1 Fn
Get Time type = Ticks, time = 153984 True 2 Fn
Get Time type = Ticks, time = 154000 True 1 Fn
Get Time type = Ticks, time = 154015 True 2 Fn
Get Time type = Ticks, time = 154031 True 1 Fn
Get Time type = Ticks, time = 154046 True 2 Fn
Get Time type = Ticks, time = 154062 True 1 Fn
Get Time type = Ticks, time = 154078 True 2 Fn
Get Time type = Ticks, time = 154093 True 1 Fn
Get Time type = Ticks, time = 154109 True 2 Fn
Get Time type = Ticks, time = 154125 True 1 Fn
Get Time type = Ticks, time = 154156 True 2 Fn
Get Time type = Ticks, time = 154171 True 2 Fn
Get Time type = Ticks, time = 154187 True 2 Fn
Get Time type = Ticks, time = 154203 True 1 Fn
Get Time type = Ticks, time = 154218 True 2 Fn
Get Time type = Ticks, time = 154234 True 1 Fn
Get Time type = Ticks, time = 154250 True 2 Fn
Get Time type = Ticks, time = 154265 True 1 Fn
Get Time type = Ticks, time = 154281 True 2 Fn
Get Time type = Ticks, time = 154312 True 2 Fn
Get Time type = Ticks, time = 154328 True 1 Fn
Get Time type = Ticks, time = 154343 True 2 Fn
Get Time type = Ticks, time = 154359 True 1 Fn
Get Time type = Ticks, time = 154375 True 2 Fn
Get Time type = Ticks, time = 154390 True 1 Fn
Get Time type = Ticks, time = 154406 True 2 Fn
Get Time type = Ticks, time = 154421 True 1 Fn
Get Time type = Ticks, time = 154437 True 2 Fn
Get Time type = Ticks, time = 154453 True 1 Fn
Get Time type = Ticks, time = 154468 True 2 Fn
Get Time type = Ticks, time = 154484 True 1 Fn
Get Time type = Ticks, time = 154500 True 2 Fn
Get Time type = Ticks, time = 154515 True 1 Fn
Get Time type = Ticks, time = 154531 True 2 Fn
Get Time type = Ticks, time = 154546 True 1 Fn
Get Time type = Ticks, time = 154562 True 2 Fn
Get Time type = Ticks, time = 154578 True 1 Fn
Get Time type = Ticks, time = 154593 True 2 Fn
Get Time type = Ticks, time = 154609 True 1 Fn
Get Time type = Ticks, time = 154625 True 2 Fn
Get Time type = Ticks, time = 154640 True 1 Fn
Get Time type = Ticks, time = 154656 True 2 Fn
Get Time type = Ticks, time = 154671 True 1 Fn
Get Time type = Ticks, time = 154703 True 2 Fn
Get Time type = Ticks, time = 154718 True 1 Fn
Get Time type = Ticks, time = 154734 True 2 Fn
Get Time type = Ticks, time = 154750 True 1 Fn
Get Time type = Ticks, time = 154765 True 2 Fn
Get Time type = Ticks, time = 154781 True 1 Fn
Get Time type = Ticks, time = 154796 True 2 Fn
Get Time type = Ticks, time = 154812 True 1 Fn
Get Time type = Ticks, time = 154828 True 2 Fn
Get Time type = Local Time, time = 2018-11-21 03:24:10 (Local Time) True 189 Fn
Get Time type = Ticks, time = 154843 True 1 Fn
Get Time type = Ticks, time = 154859 True 2 Fn
Get Time type = Ticks, time = 154875 True 1 Fn
Get Time type = Ticks, time = 154890 True 2 Fn
Get Time type = Ticks, time = 154906 True 1 Fn
Get Time type = Ticks, time = 154921 True 2 Fn
Get Time type = Ticks, time = 154937 True 1 Fn
Get Time type = Ticks, time = 154953 True 2 Fn
Get Time type = Ticks, time = 154968 True 1 Fn
Get Time type = Ticks, time = 154984 True 2 Fn
Get Time type = Ticks, time = 155000 True 1 Fn
Get Time type = Ticks, time = 155015 True 2 Fn
Get Time type = Ticks, time = 155031 True 1 Fn
Get Time type = Ticks, time = 155046 True 2 Fn
Get Time type = Ticks, time = 155062 True 1 Fn
Get Time type = Ticks, time = 155078 True 2 Fn
Get Time type = Ticks, time = 155093 True 1 Fn
Get Time type = Ticks, time = 155109 True 2 Fn
Get Time type = Ticks, time = 155125 True 1 Fn
Get Time type = Ticks, time = 155140 True 2 Fn
Get Time type = Ticks, time = 155156 True 1 Fn
Get Time type = Ticks, time = 155171 True 2 Fn
Get Time type = Ticks, time = 155187 True 1 Fn
Get Time type = Ticks, time = 155203 True 2 Fn
Get Time type = Ticks, time = 155218 True 1 Fn
Get Time type = Ticks, time = 155234 True 2 Fn
Get Time type = Ticks, time = 155250 True 1 Fn
Get Time type = Ticks, time = 155265 True 2 Fn
Get Time type = Ticks, time = 155281 True 1 Fn
Get Time type = Ticks, time = 155296 True 2 Fn
Get Time type = Ticks, time = 155312 True 1 Fn
Get Time type = Ticks, time = 155328 True 2 Fn
Get Time type = Ticks, time = 155343 True 1 Fn
Get Time type = Ticks, time = 155359 True 2 Fn
Get Time type = Ticks, time = 155375 True 1 Fn
Get Time type = Ticks, time = 155390 True 2 Fn
Get Time type = Ticks, time = 155406 True 1 Fn
Get Time type = Ticks, time = 155421 True 2 Fn
Get Time type = Ticks, time = 155437 True 1 Fn
Get Time type = Ticks, time = 155453 True 2 Fn
Get Time type = Ticks, time = 155468 True 1 Fn
Get Time type = Ticks, time = 155484 True 2 Fn
Get Time type = Ticks, time = 155500 True 1 Fn
Get Time type = Ticks, time = 155515 True 2 Fn
Get Time type = Ticks, time = 155531 True 1 Fn
Get Time type = Ticks, time = 155546 True 2 Fn
Get Time type = Ticks, time = 155562 True 1 Fn
Get Time type = Ticks, time = 155578 True 2 Fn
Get Time type = Ticks, time = 155593 True 1 Fn
Get Time type = Ticks, time = 155609 True 2 Fn
Get Time type = Ticks, time = 155625 True 1 Fn
Get Time type = Ticks, time = 155640 True 2 Fn
Get Time type = Ticks, time = 155656 True 1 Fn
Get Time type = Ticks, time = 155671 True 2 Fn
Get Time type = Ticks, time = 155703 True 2 Fn
Get Time type = Ticks, time = 155718 True 1 Fn
Get Time type = Ticks, time = 155734 True 2 Fn
Get Time type = Ticks, time = 155750 True 1 Fn
Get Time type = Ticks, time = 155765 True 2 Fn
Get Time type = Ticks, time = 155781 True 1 Fn
Get Time type = Ticks, time = 155796 True 2 Fn
Get Time type = Ticks, time = 155812 True 1 Fn
Get Time type = Ticks, time = 155828 True 2 Fn
Get Time type = Local Time, time = 2018-11-21 03:24:11 (Local Time) True 171 Fn
Get Time type = Ticks, time = 155843 True 1 Fn
Get Time type = Ticks, time = 155859 True 2 Fn
Get Time type = Ticks, time = 155875 True 1 Fn
Get Time type = Ticks, time = 155890 True 2 Fn
Get Time type = Ticks, time = 155906 True 1 Fn
Get Time type = Ticks, time = 155921 True 2 Fn
Get Time type = Ticks, time = 155937 True 1 Fn
Get Time type = Ticks, time = 155953 True 2 Fn
Get Time type = Ticks, time = 155968 True 1 Fn
Get Time type = Ticks, time = 155984 True 2 Fn
Get Time type = Ticks, time = 156000 True 1 Fn
Get Time type = Ticks, time = 156015 True 2 Fn
Get Time type = Ticks, time = 156031 True 1 Fn
Get Time type = Ticks, time = 156046 True 2 Fn
Get Time type = Ticks, time = 156062 True 1 Fn
Get Time type = Ticks, time = 156078 True 2 Fn
Get Time type = Ticks, time = 156093 True 1 Fn
Get Time type = Ticks, time = 156109 True 2 Fn
Get Time type = Ticks, time = 156125 True 1 Fn
Get Time type = Ticks, time = 156140 True 2 Fn
Get Time type = Ticks, time = 156156 True 1 Fn
Get Time type = Ticks, time = 156171 True 2 Fn
Get Time type = Ticks, time = 156187 True 1 Fn
Get Time type = Ticks, time = 156203 True 2 Fn
Get Time type = Ticks, time = 156218 True 1 Fn
Get Time type = Ticks, time = 156234 True 2 Fn
Get Time type = Ticks, time = 156250 True 1 Fn
Get Time type = Ticks, time = 156265 True 2 Fn
Get Time type = Ticks, time = 156281 True 1 Fn
Get Time type = Ticks, time = 156296 True 2 Fn
Get Time type = Ticks, time = 156312 True 1 Fn
Get Time type = Ticks, time = 156328 True 2 Fn
Get Time type = Ticks, time = 156343 True 1 Fn
Get Time type = Ticks, time = 156359 True 2 Fn
Get Time type = Ticks, time = 156375 True 1 Fn
Get Time type = Ticks, time = 156390 True 2 Fn
Get Time type = Ticks, time = 156406 True 1 Fn
Get Time type = Ticks, time = 156421 True 2 Fn
Get Time type = Ticks, time = 156437 True 1 Fn
Get Time type = Ticks, time = 156453 True 2 Fn
Get Time type = Ticks, time = 156484 True 2 Fn
Get Time type = Ticks, time = 156500 True 1 Fn
Get Time type = Ticks, time = 156515 True 2 Fn
Get Time type = Ticks, time = 156531 True 1 Fn
Get Time type = Ticks, time = 156546 True 2 Fn
Get Time type = Ticks, time = 156562 True 1 Fn
Get Time type = Ticks, time = 156578 True 2 Fn
Get Time type = Ticks, time = 156593 True 1 Fn
Get Time type = Ticks, time = 156609 True 2 Fn
Get Time type = Ticks, time = 156640 True 1 Fn
Get Time type = Ticks, time = 156671 True 1 Fn
Get Time type = Ticks, time = 156703 True 2 Fn
Get Time type = Ticks, time = 156718 True 1 Fn
Get Time type = Ticks, time = 156734 True 2 Fn
Get Time type = Ticks, time = 156750 True 1 Fn
Get Time type = Ticks, time = 156765 True 2 Fn
Get Time type = Ticks, time = 156781 True 1 Fn
Get Time type = Ticks, time = 156796 True 2 Fn
Get Time type = Ticks, time = 156812 True 1 Fn
Get Time type = Ticks, time = 156843 True 1 Fn
Get Time type = Ticks, time = 156859 True 1 Fn
Get Time type = Local Time, time = 2018-11-21 03:24:12 (Local Time) True 66 Fn
Get Time type = Ticks, time = 156875 True 2 Fn
Get Time type = Ticks, time = 156890 True 1 Fn
Get Time type = Ticks, time = 156906 True 2 Fn
Get Time type = Ticks, time = 156921 True 1 Fn
Get Time type = Ticks, time = 156937 True 2 Fn
Get Time type = Ticks, time = 156953 True 1 Fn
Get Time type = Ticks, time = 156968 True 2 Fn
Get Time type = Ticks, time = 156984 True 1 Fn
Get Time type = Ticks, time = 157000 True 2 Fn
Get Time type = Ticks, time = 157015 True 1 Fn
Get Time type = Ticks, time = 157031 True 2 Fn
Get Time type = Ticks, time = 157046 True 1 Fn
Get Time type = Ticks, time = 157062 True 2 Fn
Get Time type = Ticks, time = 157078 True 1 Fn
Get Time type = Ticks, time = 157093 True 2 Fn
Get Time type = Ticks, time = 157109 True 1 Fn
Get Time type = Ticks, time = 157125 True 2 Fn
Get Time type = Ticks, time = 157156 True 1 Fn
Get Time type = Ticks, time = 157171 True 1 Fn
Get Time type = Ticks, time = 157187 True 2 Fn
Get Time type = Ticks, time = 157203 True 3 Fn
Get Time type = Ticks, time = 157218 True 1 Fn
Get Time type = Ticks, time = 157250 True 1 Fn
Get Time type = Ticks, time = 157281 True 1 Fn
Get Time type = Ticks, time = 157312 True 1 Fn
Get Time type = Ticks, time = 157343 True 1 Fn
Get Time type = Ticks, time = 157375 True 1 Fn
Get Time type = Ticks, time = 157406 True 1 Fn
Get Time type = Ticks, time = 157437 True 1 Fn
Get Time type = Ticks, time = 157468 True 1 Fn
Get Time type = Ticks, time = 157500 True 1 Fn
Get Time type = Ticks, time = 157531 True 1 Fn
Get Time type = Ticks, time = 157562 True 1 Fn
Get Time type = Ticks, time = 157593 True 1 Fn
Get Time type = Ticks, time = 157625 True 1 Fn
Get Time type = Ticks, time = 157656 True 1 Fn
Get Time type = Ticks, time = 157765 True 1 Fn
Get Time type = Ticks, time = 157796 True 1 Fn
Get Time type = Ticks, time = 157812 True 1 Fn
Get Time type = Ticks, time = 157843 True 1 Fn
Get Time type = Ticks, time = 157875 True 1 Fn
Get Time type = Ticks, time = 157906 True 1 Fn
Get Time type = Ticks, time = 157937 True 1 Fn
Get Time type = Ticks, time = 157968 True 1 Fn
Get Time type = Ticks, time = 158000 True 1 Fn
Get Time type = Ticks, time = 158031 True 1 Fn
Get Time type = Ticks, time = 158062 True 1 Fn
Get Time type = Ticks, time = 158093 True 1 Fn
Get Time type = Ticks, time = 158125 True 1 Fn
Get Time type = Ticks, time = 158156 True 1 Fn
Get Time type = Ticks, time = 158187 True 1 Fn
Get Time type = Ticks, time = 158218 True 1 Fn
Get Time type = Ticks, time = 158250 True 1 Fn
Get Time type = Ticks, time = 158281 True 1 Fn
Get Time type = Ticks, time = 158312 True 1 Fn
Get Time type = Ticks, time = 158343 True 1 Fn
Get Time type = Ticks, time = 158375 True 1 Fn
Get Time type = Ticks, time = 158406 True 1 Fn
Get Time type = Ticks, time = 158437 True 1 Fn
Get Time type = Ticks, time = 158468 True 1 Fn
Get Time type = Ticks, time = 158500 True 1 Fn
Get Time type = Ticks, time = 158531 True 1 Fn
Get Time type = Ticks, time = 158562 True 1 Fn
Get Time type = Ticks, time = 158578 True 1 Fn
Get Time type = Ticks, time = 158609 True 1 Fn
Get Time type = Ticks, time = 158640 True 1 Fn
Get Time type = Ticks, time = 158671 True 1 Fn
Get Time type = Ticks, time = 158703 True 1 Fn
Get Time type = Ticks, time = 158734 True 1 Fn
Get Time type = Ticks, time = 158765 True 1 Fn
Get Time type = Ticks, time = 158796 True 1 Fn
Get Time type = Ticks, time = 158828 True 1 Fn
Get Time type = Ticks, time = 158859 True 1 Fn
Get Time type = Ticks, time = 158890 True 1 Fn
Get Time type = Ticks, time = 158921 True 1 Fn
Get Time type = Ticks, time = 158953 True 1 Fn
Get Time type = Ticks, time = 158984 True 1 Fn
Get Time type = Ticks, time = 159015 True 1 Fn
Get Time type = Ticks, time = 159046 True 1 Fn
Get Time type = Ticks, time = 159078 True 1 Fn
Get Time type = Ticks, time = 159109 True 1 Fn
Get Time type = Ticks, time = 159140 True 1 Fn
Get Time type = Ticks, time = 159171 True 1 Fn
Get Time type = Ticks, time = 159203 True 1 Fn
Get Time type = Ticks, time = 159234 True 1 Fn
Get Time type = Ticks, time = 159265 True 1 Fn
Get Time type = Ticks, time = 159296 True 1 Fn
Get Time type = Ticks, time = 159328 True 1 Fn
Get Time type = Ticks, time = 159359 True 1 Fn
Get Time type = Ticks, time = 159390 True 1 Fn
Get Time type = Ticks, time = 159421 True 1 Fn
Get Time type = Ticks, time = 159453 True 1 Fn
Get Time type = Ticks, time = 159484 True 1 Fn
Get Time type = Ticks, time = 159515 True 1 Fn
Get Time type = Ticks, time = 159546 True 1 Fn
Get Time type = Ticks, time = 159578 True 1 Fn
Get Time type = Ticks, time = 159609 True 1 Fn
Get Time type = Ticks, time = 159640 True 1 Fn
Get Time type = Ticks, time = 159671 True 1 Fn
Get Time type = Ticks, time = 160453 True 1 Fn
Get Time type = Ticks, time = 162390 True 1 Fn
Get Time type = Local Time, time = 2018-11-21 03:24:17 (Local Time) True 9 Fn
Get Time type = Ticks, time = 162453 True 1 Fn
Get Time type = Ticks, time = 162531 True 2 Fn
Get Time type = Ticks, time = 162875 True 2 Fn
Get Time type = Ticks, time = 162906 True 1 Fn
Get Time type = Ticks, time = 163000 True 1 Fn
Get Time type = Ticks, time = 163031 True 1 Fn
Get Time type = Ticks, time = 163062 True 2 Fn
Get Time type = Ticks, time = 163125 True 2 Fn
Get Time type = Ticks, time = 163187 True 2 Fn
Get Time type = Ticks, time = 163281 True 1 Fn
Get Time type = Ticks, time = 163296 True 1 Fn
Get Time type = Ticks, time = 163343 True 2 Fn
Get Time type = Ticks, time = 163421 True 1 Fn
Get Time type = Ticks, time = 163468 True 1 Fn
Get Time type = Ticks, time = 163562 True 2 Fn
Get Time type = Ticks, time = 163625 True 2 Fn
Get Time type = Ticks, time = 163671 True 1 Fn
Get Time type = Ticks, time = 164078 True 2 Fn
Get Info type = Operating System True 2 Fn
Get Info type = Windows Directory, result_out = C:\Windows True 2 Fn
Mutex (3)
Operation Additional Information Success Count Logfile
Create mutex_name = SWE2F15657A4JJCIiHmnxMn6Ps15 True 1 Fn
Create mutex_name = SWE2F15657A4JJ True 1 Fn
Create mutex_name = xXx_key_xXx True 1 Fn
Process #6: svchost.exe
Information Value
ID #6
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k DcomLaunch
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:45, Reason: Autostart
Unmonitor End Time: 00:11:22, Reason: Terminated by Timeout
Monitor Duration 00:08:37
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x244
Parent PID 0x1e4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x248
0x24C
0x250
0x254
0x258
0x260
0x26C
0x270
0x278
0x284
0x294
0x29C
0x2A8
0x2AC
0x2B4
0x2BC
0x2CC
0x2D0
0x340
0x348
0x3D8
0x3E0
0x138
0x49C
0x6DC
0x7B8
0x538
0xAF0
0xBB8
0xBE8
0x7E0
0xBA0
0x53C
0x988
0x794
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000022c940000 0x22c940000 0x22c95ffff Private Memory rw True False False -
pagefile_0x000000022c940000 0x22c940000 0x22c94ffff Pagefile Backed Memory rw True False False -
private_0x000000022c950000 0x22c950000 0x22c954fff Private Memory rw True False False -
pagefile_0x000000022c960000 0x22c960000 0x22c973fff Pagefile Backed Memory r True False False -
private_0x000000022c980000 0x22c980000 0x22c9fffff Private Memory rw True False False -
pagefile_0x000000022ca00000 0x22ca00000 0x22ca03fff Pagefile Backed Memory r True False False -
pagefile_0x000000022ca10000 0x22ca10000 0x22ca10fff Pagefile Backed Memory r True False False -
private_0x000000022ca20000 0x22ca20000 0x22ca21fff Private Memory rw True False False -
locale.nls 0x22ca30000 0x22caedfff Memory Mapped File r False False False -
private_0x000000022caf0000 0x22caf0000 0x22caf6fff Private Memory rw True False False -
private_0x000000022cb00000 0x22cb00000 0x22cbfffff Private Memory rw True False False -
private_0x000000022cc00000 0x22cc00000 0x22cc7ffff Private Memory rw True False False -
private_0x000000022cc80000 0x22cc80000 0x22cd7ffff Private Memory rw True False False -
private_0x000000022cc80000 0x22cc80000 0x22ccfffff Private Memory rw True False False -
pagefile_0x000000022cd00000 0x22cd00000 0x22cd00fff Pagefile Backed Memory rw True False False -
pagefile_0x000000022cd10000 0x22cd10000 0x22cd10fff Pagefile Backed Memory r True False False -
private_0x000000022cd20000 0x22cd20000 0x22cd20fff Private Memory rw True False False -
private_0x000000022cd30000 0x22cd30000 0x22cd30fff Private Memory rw True False False -
pagefile_0x000000022cd40000 0x22cd40000 0x22cd40fff Pagefile Backed Memory r True False False -
pagefile_0x000000022cd50000 0x22cd50000 0x22cd50fff Pagefile Backed Memory r True False False -
lsm.dll.mui 0x22cd60000 0x22cd62fff Memory Mapped File r False False False -
svchost.exe.mui 0x22cd70000 0x22cd70fff Memory Mapped File r False False False -
pagefile_0x000000022cd80000 0x22cd80000 0x22cd80fff Pagefile Backed Memory rw True False False -
private_0x000000022cd90000 0x22cd90000 0x22cd90fff Private Memory rw True False False -
private_0x000000022cda0000 0x22cda0000 0x22cda0fff Private Memory rw True False False -
private_0x000000022cdb0000 0x22cdb0000 0x22cdb6fff Private Memory rw True False False -
pagefile_0x000000022cdc0000 0x22cdc0000 0x22cdc0fff Pagefile Backed Memory r True False False -
pagefile_0x000000022cdd0000 0x22cdd0000 0x22cdd0fff Pagefile Backed Memory r True False False -
private_0x000000022cde0000 0x22cde0000 0x22cde6fff Private Memory rw True False False -
private_0x000000022ce00000 0x22ce00000 0x22cefffff Private Memory rw True False False -
private_0x000000022cf00000 0x22cf00000 0x22cffffff Private Memory rw True False False -
private_0x000000022d000000 0x22d000000 0x22d0fffff Private Memory rw True False False -
private_0x000000022d100000 0x22d100000 0x22d17ffff Private Memory rw True False False -
private_0x000000022d180000 0x22d180000 0x22d1fffff Private Memory rw True False False -
private_0x000000022d200000 0x22d200000 0x22d2fffff Private Memory rw True False False -
private_0x000000022d300000 0x22d300000 0x22d3fffff Private Memory rw True False False -
private_0x000000022d300000 0x22d300000 0x22d37ffff Private Memory rw True False False -
private_0x000000022d380000 0x22d380000 0x22d3fffff Private Memory rw True False False -
private_0x000000022d400000 0x22d400000 0x22d4fffff Private Memory rw True False False -
private_0x000000022d400000 0x22d400000 0x22d47ffff Private Memory rw True False False -
private_0x000000022d480000 0x22d480000 0x22d4fffff Private Memory rw True False False -
private_0x000000022d500000 0x22d500000 0x22d5fffff Private Memory rw True False False -
private_0x000000022d600000 0x22d600000 0x22d6fffff Private Memory rw True False False -
private_0x000000022d700000 0x22d700000 0x22d7fffff Private Memory rw True False False -
private_0x000000022d890000 0x22d890000 0x22d896fff Private Memory rw True False False -
private_0x000000022d900000 0x22d900000 0x22d9fffff Private Memory rw True False False -
sortdefault.nls 0x22da00000 0x22dd36fff Memory Mapped File r False False False -
private_0x000000022dd40000 0x22dd40000 0x22de3ffff Private Memory rw True False False -
private_0x000000022de40000 0x22de40000 0x22df3ffff Private Memory rw True False False -
private_0x000000022df40000 0x22df40000 0x22e03ffff Private Memory rw True False False -
private_0x000000022e040000 0x22e040000 0x22e13ffff Private Memory rw True False False -
private_0x000000022e140000 0x22e140000 0x22e23ffff Private Memory rw True False False -
pagefile_0x000000022e240000 0x22e240000 0x22e2fffff Pagefile Backed Memory r True False False -
private_0x000000022e300000 0x22e300000 0x22e3fffff Private Memory rw True False False -
pagefile_0x000000022e400000 0x22e400000 0x22e587fff Pagefile Backed Memory r True False False -
pagefile_0x000000022e590000 0x22e590000 0x22e710fff Pagefile Backed Memory r True False False -
private_0x000000022e720000 0x22e720000 0x22e81ffff Private Memory rw True False False -
private_0x000000022e820000 0x22e820000 0x22e91ffff Private Memory rw True False False -
pagefile_0x00007df5ff7f0000 0x7df5ff7f0000 0x7ff5ff7effff Pagefile Backed Memory - True False False -
private_0x00007ff6bacd4000 0x7ff6bacd4000 0x7ff6bacd5fff Private Memory rw True False False -
private_0x00007ff6bacd6000 0x7ff6bacd6000 0x7ff6bacd7fff Private Memory rw True False False -
private_0x00007ff6bacd8000 0x7ff6bacd8000 0x7ff6bacd9fff Private Memory rw True False False -
private_0x00007ff6bacda000 0x7ff6bacda000 0x7ff6bacdbfff Private Memory rw True False False -
private_0x00007ff6bacdc000 0x7ff6bacdc000 0x7ff6bacddfff Private Memory rw True False False -
private_0x00007ff6bacde000 0x7ff6bacde000 0x7ff6bacdffff Private Memory rw True False False -
private_0x00007ff6bace0000 0x7ff6bace0000 0x7ff6bace1fff Private Memory rw True False False -
private_0x00007ff6bace2000 0x7ff6bace2000 0x7ff6bace3fff Private Memory rw True False False -
private_0x00007ff6bace4000 0x7ff6bace4000 0x7ff6bace5fff Private Memory rw True False False -
private_0x00007ff6bace6000 0x7ff6bace6000 0x7ff6bace7fff Private Memory rw True False False -
private_0x00007ff6bace8000 0x7ff6bace8000 0x7ff6bace9fff Private Memory rw True False False -
private_0x00007ff6bacea000 0x7ff6bacea000 0x7ff6bacebfff Private Memory rw True False False -
private_0x00007ff6bacec000 0x7ff6bacec000 0x7ff6bacedfff Private Memory rw True False False -
private_0x00007ff6bacee000 0x7ff6bacee000 0x7ff6baceffff Private Memory rw True False False -
pagefile_0x00007ff6bacf0000 0x7ff6bacf0000 0x7ff6badeffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6badf0000 0x7ff6badf0000 0x7ff6bae12fff Pagefile Backed Memory r True False False -
private_0x00007ff6bae13000 0x7ff6bae13000 0x7ff6bae14fff Private Memory rw True False False -
private_0x00007ff6bae15000 0x7ff6bae15000 0x7ff6bae16fff Private Memory rw True False False -
private_0x00007ff6bae17000 0x7ff6bae17000 0x7ff6bae18fff Private Memory rw True False False -
private_0x00007ff6bae19000 0x7ff6bae19000 0x7ff6bae1afff Private Memory rw True False False -
private_0x00007ff6bae1b000 0x7ff6bae1b000 0x7ff6bae1cfff Private Memory rw True False False -
private_0x00007ff6bae1d000 0x7ff6bae1d000 0x7ff6bae1efff Private Memory rw True False False -
private_0x00007ff6bae1f000 0x7ff6bae1f000 0x7ff6bae1ffff Private Memory rw True False False -
svchost.exe 0x7ff6bbac0000 0x7ff6bbaccfff Memory Mapped File rwx False False False -
capauthz.dll 0x7ffef5d50000 0x7ffef5d65fff Memory Mapped File rwx False False False -
licensemanagerapi.dll 0x7ffef5d70000 0x7ffef5d7bfff Memory Mapped File rwx False False False -
execmodelproxy.dll 0x7ffef90d0000 0x7ffef90e4fff Memory Mapped File rwx False False False -
sebbackgroundmanagerpolicy.dll 0x7ffef90f0000 0x7ffef90fdfff Memory Mapped File rwx False False False -
windows.networking.backgroundtransfer.backgroundmanagerpolicy.dll 0x7ffef9100000 0x7ffef9117fff Memory Mapped File rwx False False False -
acpbackgroundmanagerpolicy.dll 0x7ffef9120000 0x7ffef9136fff Memory Mapped File rwx False False False -
cbtbackgroundmanagerpolicy.dll 0x7ffef9140000 0x7ffef914bfff Memory Mapped File rwx False False False -
backgroundmediapolicy.dll 0x7ffef9150000 0x7ffef915ffff Memory Mapped File rwx False False False -
execmodelclient.dll 0x7ffef92c0000 0x7ffef9302fff Memory Mapped File rwx False False False -
actxprxy.dll 0x7ffef93f0000 0x7ffef9859fff Memory Mapped File rwx False False False -
appxalluserstore.dll 0x7ffef9cb0000 0x7ffef9ce5fff Memory Mapped File rwx False False False -
msvcp110_win.dll 0x7ffefe790000 0x7ffefe821fff Memory Mapped File rwx False False False -
propsys.dll 0x7ffeff870000 0x7ffeff9f2fff Memory Mapped File rwx False False False -
mmdevapi.dll 0x7ffeffa00000 0x7ffeffa71fff Memory Mapped File rwx False False False -
bi.dll 0x7fff00010000 0x7fff0001bfff Memory Mapped File rwx False False False -
usermgrcli.dll 0x7fff00110000 0x7fff0011ffff Memory Mapped File rwx False False False -
coremessaging.dll 0x7fff02fe0000 0x7fff030a7fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fff033a0000 0x7fff033b2fff Memory Mapped File rwx False False False -
dab.dll 0x7fff035b0000 0x7fff035d0fff Memory Mapped File rwx False False False -
brokerlib.dll 0x7fff036a0000 0x7fff036defff Memory Mapped File rwx False False False -
systemeventsbrokerserver.dll 0x7fff036e0000 0x7fff03741fff Memory Mapped File rwx False False False -
devobj.dll 0x7fff03750000 0x7fff03776fff Memory Mapped File rwx False False False -
twinapi.appcore.dll 0x7fff037a0000 0x7fff0388dfff Memory Mapped File rwx False False False -
psmserviceexthost.dll 0x7fff03890000 0x7fff03913fff Memory Mapped File rwx False False False -
wmsgapi.dll 0x7fff03960000 0x7fff03968fff Memory Mapped File rwx False False False -
sysntfy.dll 0x7fff03970000 0x7fff0397bfff Memory Mapped File rwx False False False -
lsm.dll 0x7fff03980000 0x7fff03a40fff Memory Mapped File rwx False False False -
rmclient.dll 0x7fff03ae0000 0x7fff03b07fff Memory Mapped File rwx False False False -
psmsrv.dll 0x7fff03b10000 0x7fff03b41fff Memory Mapped File rwx False False False -
bisrv.dll 0x7fff03b50000 0x7fff03bd5fff Memory Mapped File rwx False False False -
rpcss.dll 0x7fff03c20000 0x7fff03cfafff Memory Mapped File rwx False False False -
gpapi.dll 0x7fff03d00000 0x7fff03d22fff Memory Mapped File rwx False False False -
tdh.dll 0x7fff03d30000 0x7fff03e27fff Memory Mapped File rwx False False False -
hid.dll 0x7fff03e30000 0x7fff03e3bfff Memory Mapped File rwx False False False -
umpoext.dll 0x7fff03e40000 0x7fff03e55fff Memory Mapped File rwx False False False -
umpo.dll 0x7fff03e60000 0x7fff03e7afff Memory Mapped File rwx False False False -
umpnpmgr.dll 0x7fff03e80000 0x7fff03e9ffff Memory Mapped File rwx False False False -
ntmarta.dll 0x7fff04120000 0x7fff04151fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fff042a0000 0x7fff042d2fff Memory Mapped File rwx False False False -
userenv.dll 0x7fff04390000 0x7fff043aefff Memory Mapped File rwx False False False -
winsta.dll 0x7fff044a0000 0x7fff044f7fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fff046b0000 0x7fff046c6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fff04820000 0x7fff0482afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fff04a00000 0x7fff04a2bfff Memory Mapped File rwx False False False -
eventaggregation.dll 0x7fff04bd0000 0x7fff04be9fff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
profapi.dll 0x7fff04e00000 0x7fff04e12fff Memory Mapped File rwx False False False -
powrprof.dll 0x7fff04e20000 0x7fff04e69fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fff05110000 0x7fff05153fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
advapi32.dll 0x7fff05f30000 0x7fff05fd5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
ole32.dll 0x7fff06430000 0x7fff06570fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
coml2.dll 0x7fff08140000 0x7fff081aefff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
Process #7: svchost.exe
Information Value
ID #7
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k RPCSS
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:46, Reason: Autostart
Unmonitor End Time: 00:11:22, Reason: Terminated by Timeout
Monitor Duration 00:08:36
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x264
Parent PID 0x1e4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Network Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x268, 0x274, 0x27C, 0x280, 0x288, 0x28C, 0x298, 0x2A0, 0x2A4, 0x32C, 0x5D8, 0x618, 0x634, 0x65C, 0x660, 0x664, 0x430, 0x7C0, 0x95C, 0xB34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000655a850000 0x655a850000 0x655a86ffff Private Memory rw True False False -
pagefile_0x000000655a850000 0x655a850000 0x655a85ffff Pagefile Backed Memory rw True False False -
mswsock.dll.mui 0x655a860000 0x655a862fff Memory Mapped File r False False False -
pagefile_0x000000655a870000 0x655a870000 0x655a883fff Pagefile Backed Memory r True False False -
private_0x000000655a890000 0x655a890000 0x655a90ffff Private Memory rw True False False -
pagefile_0x000000655a910000 0x655a910000 0x655a913fff Pagefile Backed Memory r True False False -
pagefile_0x000000655a920000 0x655a920000 0x655a920fff Pagefile Backed Memory r True False False -
private_0x000000655a930000 0x655a930000 0x655a931fff Private Memory rw True False False -
locale.nls 0x655a940000 0x655a9fdfff Memory Mapped File r False False False -
pagefile_0x000000655aa00000 0x655aa00000 0x655aa00fff Pagefile Backed Memory r True False False -
private_0x000000655aa10000 0x655aa10000 0x655aa16fff Private Memory rw True False False -
private_0x000000655aa20000 0x655aa20000 0x655aa9ffff Private Memory rw True False False -
pagefile_0x000000655aaa0000 0x655aaa0000 0x655aaa0fff Pagefile Backed Memory r True False False -
pagefile_0x000000655aac0000 0x655aac0000 0x655aac1fff Pagefile Backed Memory rw True False False -
pagefile_0x000000655aad0000 0x655aad0000 0x655aad1fff Pagefile Backed Memory rw True False False -
private_0x000000655ab00000 0x655ab00000 0x655abfffff Private Memory rw True False False -
private_0x000000655ac00000 0x655ac00000 0x655acfffff Private Memory rw True False False -
private_0x000000655ac00000 0x655ac00000 0x655ac7ffff Private Memory rw True False False -
private_0x000000655acd0000 0x655acd0000 0x655acd6fff Private Memory rw True False False -
private_0x000000655ad00000 0x655ad00000 0x655adfffff Private Memory rw True False False -
private_0x000000655ae00000 0x655ae00000 0x655aefffff Private Memory rw True False False -
sortdefault.nls 0x655af00000 0x655b236fff Memory Mapped File r False False False -
private_0x000000655b240000 0x655b240000 0x655b33ffff Private Memory rw True False False -
private_0x000000655b340000 0x655b340000 0x655b43ffff Private Memory rw True False False -
private_0x000000655b440000 0x655b440000 0x655b53ffff Private Memory rw True False False -
private_0x000000655b540000 0x655b540000 0x655b63ffff Private Memory rw True False False -
private_0x000000655b640000 0x655b640000 0x655b73ffff Private Memory rw True False False -
private_0x000000655b740000 0x655b740000 0x655b83ffff Private Memory rw True False False -
private_0x000000655b840000 0x655b840000 0x655b93ffff Private Memory rw True False False -
private_0x000000655b940000 0x655b940000 0x655ba3ffff Private Memory rw True False False -
private_0x000000655ba40000 0x655ba40000 0x655bb3ffff Private Memory rw True False False -
private_0x000000655bb40000 0x655bb40000 0x655bc3ffff Private Memory rw True False False -
private_0x000000655bc40000 0x655bc40000 0x655bd3ffff Private Memory rw True False False -
private_0x000000655be00000 0x655be00000 0x655befffff Private Memory rw True False False -
pagefile_0x00007df5ffc20000 0x7df5ffc20000 0x7ff5ffc1ffff Pagefile Backed Memory - True False False -
private_0x00007ff6bb7ce000 0x7ff6bb7ce000 0x7ff6bb7cffff Private Memory rw True False False -
private_0x00007ff6bb7d0000 0x7ff6bb7d0000 0x7ff6bb7d1fff Private Memory rw True False False -
private_0x00007ff6bb7d2000 0x7ff6bb7d2000 0x7ff6bb7d3fff Private Memory rw True False False -
private_0x00007ff6bb7d4000 0x7ff6bb7d4000 0x7ff6bb7d5fff Private Memory rw True False False -
private_0x00007ff6bb7d6000 0x7ff6bb7d6000 0x7ff6bb7d7fff Private Memory rw True False False -
private_0x00007ff6bb7d8000 0x7ff6bb7d8000 0x7ff6bb7d9fff Private Memory rw True False False -
private_0x00007ff6bb7da000 0x7ff6bb7da000 0x7ff6bb7dbfff Private Memory rw True False False -
private_0x00007ff6bb7dc000 0x7ff6bb7dc000 0x7ff6bb7ddfff Private Memory rw True False False -
private_0x00007ff6bb7de000 0x7ff6bb7de000 0x7ff6bb7dffff Private Memory rw True False False -
pagefile_0x00007ff6bb7e0000 0x7ff6bb7e0000 0x7ff6bb8dffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6bb8e0000 0x7ff6bb8e0000 0x7ff6bb902fff Pagefile Backed Memory r True False False -
private_0x00007ff6bb903000 0x7ff6bb903000 0x7ff6bb904fff Private Memory rw True False False -
private_0x00007ff6bb905000 0x7ff6bb905000 0x7ff6bb906fff Private Memory rw True False False -
private_0x00007ff6bb907000 0x7ff6bb907000 0x7ff6bb908fff Private Memory rw True False False -
private_0x00007ff6bb909000 0x7ff6bb909000 0x7ff6bb90afff Private Memory rw True False False -
private_0x00007ff6bb90b000 0x7ff6bb90b000 0x7ff6bb90cfff Private Memory rw True False False -
private_0x00007ff6bb90d000 0x7ff6bb90d000 0x7ff6bb90efff Private Memory rw True False False -
private_0x00007ff6bb90f000 0x7ff6bb90f000 0x7ff6bb90ffff Private Memory rw True False False -
svchost.exe 0x7ff6bbac0000 0x7ff6bbaccfff Memory Mapped File rwx False False False -
capauthz.dll 0x7ffef5d50000 0x7ffef5d65fff Memory Mapped File rwx False False False -
fwpuclnt.dll 0x7ffeff3b0000 0x7ffeff417fff Memory Mapped File rwx False False False -
usermgrcli.dll 0x7fff00110000 0x7fff0011ffff Memory Mapped File rwx False False False -
fwbase.dll 0x7fff03920000 0x7fff03951fff Memory Mapped File rwx False False False -
firewallapi.dll 0x7fff03a50000 0x7fff03ad1fff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fff03be0000 0x7fff03bf2fff Memory Mapped File rwx False False False -
rpcepmap.dll 0x7fff03c00000 0x7fff03c16fff Memory Mapped File rwx False False False -
rpcss.dll 0x7fff03c20000 0x7fff03cfafff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fff042a0000 0x7fff042d2fff Memory Mapped File rwx False False False -
mswsock.dll 0x7fff04650000 0x7fff046acfff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fff046b0000 0x7fff046c6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fff04820000 0x7fff0482afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fff04a00000 0x7fff04a2bfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
powrprof.dll 0x7fff04e20000 0x7fff04e69fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
nsi.dll 0x7fff05a80000 0x7fff05a87fff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
advapi32.dll 0x7fff05f30000 0x7fff05fd5fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fff080d0000 0x7fff08138fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
Process #8: svchost.exe
Information Value
ID #8
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k netsvcs
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:56, Reason: Autostart
Unmonitor End Time: 00:11:22, Reason: Terminated by Timeout
Monitor Duration 00:08:26
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x354
Parent PID 0x1e4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x358, 0x35C, 0x380, 0x398, 0x39C, 0x3A0, 0x3A4, 0x3A8, 0x3AC, 0x3B0, 0x3B4, 0x3B8, 0x3BC, 0x3C0, 0x3C4, 0x3C8, 0x3E8, 0x3F8, 0x120, 0x158, 0x238, 0x428, 0x484, 0x230, 0x568, 0x58C, 0x598, 0x5A0, 0x5A4, 0x5B4, 0x5B8, 0x5BC, 0x5C0, 0x5C4, 0x5CC, 0x5D0, 0x5DC, 0x5E0, 0x5E8, 0x5EC, 0x5F4, 0x5F8, 0x5FC, 0x600, 0x604, 0x608, 0x638, 0x668, 0x6BC, 0x6EC, 0x714, 0x718, 0x71C, 0x720, 0x724, 0x728, 0x730, 0x734, 0x73C, 0x740, 0x744, 0x754, 0x468, 0x2C0, 0x4A0, 0x810, 0x830, 0x85C, 0x860, 0x934, 0x938, 0x944, 0x948, 0x94C, 0x950, 0x954, 0x958, 0x95C, 0x960, 0x964, 0x34C, 0xBC8, 0x5E0, 0x5FC, 0x600, 0x720, 0x754, 0x654, 0x524, 0xAB8, 0xABC, 0xF4, 0x330, 0xB90, 0x750, 0x58C, 0x8CC, 0x898, 0xBE0, 0x774, 0x78C, 0x11C, 0x59C, 0x90C, 0xB8C, 0x910, 0x4B4, 0x770, 0x76C, 0x7A8, 0x18C, 0x5E4, 0x8F0, 0x8DC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000a294ba0000 0xa294ba0000 0xa294bbffff Private Memory rw True False False -
pagefile_0x000000a294ba0000 0xa294ba0000 0xa294baffff Pagefile Backed Memory rw True False False -
svchost.exe.mui 0xa294bb0000 0xa294bb0fff Memory Mapped File r False False False -
pagefile_0x000000a294bc0000 0xa294bc0000 0xa294bd3fff Pagefile Backed Memory r True False False -
private_0x000000a294be0000 0xa294be0000 0xa294c5ffff Private Memory rw True False False -
pagefile_0x000000a294c60000 0xa294c60000 0xa294c63fff Pagefile Backed Memory r True False False -
pagefile_0x000000a294c70000 0xa294c70000 0xa294c70fff Pagefile Backed Memory r True False False -
private_0x000000a294c80000 0xa294c80000 0xa294c81fff Private Memory rw True False False -
locale.nls 0xa294c90000 0xa294d4dfff Memory Mapped File r False False False -
private_0x000000a294d50000 0xa294d50000 0xa294dcffff Private Memory rw True False False -
private_0x000000a294dd0000 0xa294dd0000 0xa294dd0fff Private Memory rw True False False -
private_0x000000a294de0000 0xa294de0000 0xa294de0fff Private Memory rw True False False -
pagefile_0x000000a294df0000 0xa294df0000 0xa294df0fff Pagefile Backed Memory r True False False -
pagefile_0x000000a294e00000 0xa294e00000 0xa294e00fff Pagefile Backed Memory r True False False -
private_0x000000a294e10000 0xa294e10000 0xa294e10fff Private Memory rw True False False -
private_0x000000a294e20000 0xa294e20000 0xa294e26fff Private Memory rw True False False -
private_0x000000a294e30000 0xa294e30000 0xa294eaffff Private Memory rw True False False -
pagefile_0x000000a294eb0000 0xa294eb0000 0xa294eb0fff Pagefile Backed Memory rw True False False -
private_0x000000a294ec0000 0xa294ec0000 0xa294ec6fff Private Memory rw True False False -
gpsvc.dll.mui 0xa294ed0000 0xa294edcfff Memory Mapped File r False False False -
private_0x000000a294ee0000 0xa294ee0000 0xa294ee6fff Private Memory rw True False False -
cversions.2.db 0xa294ef0000 0xa294ef3fff Memory Mapped File r True False False -
private_0x000000a294f00000 0xa294f00000 0xa294ffffff Private Memory rw True False False -
private_0x000000a295000000 0xa295000000 0xa2950fffff Private Memory rw True False False -
pagefile_0x000000a295100000 0xa295100000 0xa295287fff Pagefile Backed Memory r True False False -
pagefile_0x000000a295290000 0xa295290000 0xa295410fff Pagefile Backed Memory r True False False -
pagefile_0x000000a295420000 0xa295420000 0xa2954dffff Pagefile Backed Memory r True False False -
private_0x000000a2954e0000 0xa2954e0000 0xa2955dffff Private Memory rw True False False -
private_0x000000a2955e0000 0xa2955e0000 0xa2956dffff Private Memory rw True False False -
private_0x000000a2956e0000 0xa2956e0000 0xa2956e6fff Private Memory rw True False False -
cversions.2.db 0xa2956f0000 0xa2956f3fff Memory Mapped File r True False False -
private_0x000000a295700000 0xa295700000 0xa2957fffff Private Memory rw True False False -
sortdefault.nls 0xa295800000 0xa295b36fff Memory Mapped File r False False False -
private_0x000000a295b40000 0xa295b40000 0xa295c3ffff Private Memory rw True False False -
private_0x000000a295c40000 0xa295c40000 0xa295d3ffff Private Memory rw True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db 0xa295c40000 0xa295c82fff Memory Mapped File r True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db 0xa295c90000 0xa295d1afff Memory Mapped File r True False False -
propsys.dll.mui 0xa295d20000 0xa295d30fff Memory Mapped File r False False False -
private_0x000000a295d40000 0xa295d40000 0xa295dbffff Private Memory rw True False False -
private_0x000000a295e00000 0xa295e00000 0xa295efffff Private Memory rw True False False -
private_0x000000a295f00000 0xa295f00000 0xa295ffffff Private Memory rw True False False -
private_0x000000a296000000 0xa296000000 0xa2960fffff Private Memory rw True False False -
private_0x000000a296100000 0xa296100000 0xa2961fffff Private Memory rw True False False -
private_0x000000a296200000 0xa296200000 0xa29627ffff Private Memory rw True False False -
private_0x000000a296280000 0xa296280000 0xa29637ffff Private Memory rw True False False -
private_0x000000a296380000 0xa296380000 0xa2963fffff Private Memory rw True False False -
private_0x000000a296400000 0xa296400000 0xa2964fffff Private Memory rw True False False -
private_0x000000a296500000 0xa296500000 0xa2965fffff Private Memory rw True False False -
private_0x000000a296600000 0xa296600000 0xa2966fffff Private Memory rw True False False -
private_0x000000a296700000 0xa296700000 0xa2967fffff Private Memory rw True False False -
private_0x000000a296800000 0xa296800000 0xa29687ffff Private Memory rw True False False -
private_0x000000a296880000 0xa296880000 0xa29697ffff Private Memory rw True False False -
private_0x000000a296880000 0xa296880000 0xa2968fffff Private Memory rw True False False -
private_0x000000a296900000 0xa296900000 0xa2969fffff Private Memory rw True False False -
private_0x000000a296a00000 0xa296a00000 0xa296afffff Private Memory rw True False False -
pagefile_0x00007df5ff5c0000 0x7df5ff5c0000 0x7ff5ff5bffff Pagefile Backed Memory - True False False -
private_0x00007ff6bab64000 0x7ff6bab64000 0x7ff6bab65fff Private Memory rw True False False -
private_0x00007ff6bab66000 0x7ff6bab66000 0x7ff6bab67fff Private Memory rw True False False -
private_0x00007ff6bab68000 0x7ff6bab68000 0x7ff6bab69fff Private Memory rw True False False -
private_0x00007ff6bab6a000 0x7ff6bab6a000 0x7ff6bab6bfff Private Memory rw True False False -
private_0x00007ff6bab6c000 0x7ff6bab6c000 0x7ff6bab6dfff Private Memory rw True False False -
private_0x00007ff6bab6e000 0x7ff6bab6e000 0x7ff6bab6ffff Private Memory rw True False False -
private_0x00007ff6bab70000 0x7ff6bab70000 0x7ff6bab71fff Private Memory rw True False False -
private_0x00007ff6bab72000 0x7ff6bab72000 0x7ff6bab73fff Private Memory rw True False False -
private_0x00007ff6bab74000 0x7ff6bab74000 0x7ff6bab75fff Private Memory rw True False False -
private_0x00007ff6bab76000 0x7ff6bab76000 0x7ff6bab77fff Private Memory rw True False False -
private_0x00007ff6bab78000 0x7ff6bab78000 0x7ff6bab79fff Private Memory rw True False False -
private_0x00007ff6bab7a000 0x7ff6bab7a000 0x7ff6bab7bfff Private Memory rw True False False -
private_0x00007ff6bab7c000 0x7ff6bab7c000 0x7ff6bab7dfff Private Memory rw True False False -
private_0x00007ff6bab7e000 0x7ff6bab7e000 0x7ff6bab7ffff Private Memory rw True False False -
pagefile_0x00007ff6bab80000 0x7ff6bab80000 0x7ff6bac7ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6bac80000 0x7ff6bac80000 0x7ff6baca2fff Pagefile Backed Memory r True False False -
private_0x00007ff6baca3000 0x7ff6baca3000 0x7ff6baca4fff Private Memory rw True False False -
private_0x00007ff6baca5000 0x7ff6baca5000 0x7ff6baca6fff Private Memory rw True False False -
private_0x00007ff6baca7000 0x7ff6baca7000 0x7ff6baca8fff Private Memory rw True False False -
private_0x00007ff6baca9000 0x7ff6baca9000 0x7ff6bacaafff Private Memory rw True False False -
private_0x00007ff6bacab000 0x7ff6bacab000 0x7ff6bacacfff Private Memory rw True False False -
private_0x00007ff6bacad000 0x7ff6bacad000 0x7ff6bacaefff Private Memory rw True False False -
private_0x00007ff6bacaf000 0x7ff6bacaf000 0x7ff6bacaffff Private Memory rw True False False -
svchost.exe 0x7ff6bbac0000 0x7ff6bbaccfff Memory Mapped File rwx False False False -
samlib.dll 0x7ffeff530000 0x7ffeff54bfff Memory Mapped File rwx False False False -
propsys.dll 0x7ffeff870000 0x7ffeff9f2fff Memory Mapped File rwx False False False -
sens.dll 0x7ffeffad0000 0x7ffeffae6fff Memory Mapped File rwx False False False -
usermgrproxy.dll 0x7ffeffb70000 0x7ffeffbadfff Memory Mapped File rwx False False False -
netjoin.dll 0x7ffeffca0000 0x7ffeffcccfff Memory Mapped File rwx False False False -
themeservice.dll 0x7ffeffcd0000 0x7ffeffce2fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffeffcf0000 0x7ffeffd05fff Memory Mapped File rwx False False False -
wevtapi.dll 0x7ffeffd10000 0x7ffeffd74fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffeffd80000 0x7ffeffd97fff Memory Mapped File rwx False False False -
usermgr.dll 0x7ffeffda0000 0x7ffeffe53fff Memory Mapped File rwx False False False -
atl.dll 0x7fff00020000 0x7fff0003dfff Memory Mapped File rwx False False False -
profsvcext.dll 0x7fff00040000 0x7fff00066fff Memory Mapped File rwx False False False -
profsvc.dll 0x7fff00070000 0x7fff000c4fff Memory Mapped File rwx False False False -
timebrokerclient.dll 0x7fff000d0000 0x7fff000dffff Memory Mapped File rwx False False False -
wptaskscheduler.dll 0x7fff000e0000 0x7fff0010dfff Memory Mapped File rwx False False False -
taskcomp.dll 0x7fff00120000 0x7fff0018dfff Memory Mapped File rwx False False False -
wmiclnt.dll 0x7fff00190000 0x7fff001a0fff Memory Mapped File rwx False False False -
csystemeventsbrokerclient.dll 0x7fff001b0000 0x7fff001bcfff Memory Mapped File rwx False False False -
ubpm.dll 0x7fff001c0000 0x7fff001fffff Memory Mapped File rwx False False False -
schedsvc.dll 0x7fff00200000 0x7fff002fbfff Memory Mapped File rwx False False False -
taskschd.dll 0x7fff00300000 0x7fff003bffff Memory Mapped File rwx False False False -
dsrole.dll 0x7fff003f0000 0x7fff003f9fff Memory Mapped File rwx False False False -
nlaapi.dll 0x7fff00470000 0x7fff00487fff Memory Mapped File rwx False False False -
gpsvc.dll 0x7fff00490000 0x7fff005dcfff Memory Mapped File rwx False False False -
wintypes.dll 0x7fff00cf0000 0x7fff00e20fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fff033a0000 0x7fff033b2fff Memory Mapped File rwx False False False -
sysntfy.dll 0x7fff03970000 0x7fff0397bfff Memory Mapped File rwx False False False -
gpapi.dll 0x7fff03d00000 0x7fff03d22fff Memory Mapped File rwx False False False -
authz.dll 0x7fff03ea0000 0x7fff03ee7fff Memory Mapped File rwx False False False -
netutils.dll 0x7fff04030000 0x7fff0403bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fff04040000 0x7fff04065fff Memory Mapped File rwx False False False -
ntmarta.dll 0x7fff04120000 0x7fff04151fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fff042a0000 0x7fff042d2fff Memory Mapped File rwx False False False -
userenv.dll 0x7fff04390000 0x7fff043aefff Memory Mapped File rwx False False False -
logoncli.dll 0x7fff043b0000 0x7fff043edfff Memory Mapped File rwx False False False -
winsta.dll 0x7fff044a0000 0x7fff044f7fff Memory Mapped File rwx False False False -
mswsock.dll 0x7fff04650000 0x7fff046acfff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fff046b0000 0x7fff046c6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fff04820000 0x7fff0482afff Memory Mapped File rwx False False False -
joinutil.dll 0x7fff04860000 0x7fff04880fff Memory Mapped File rwx False False False -
ntasn1.dll 0x7fff048b0000 0x7fff048e5fff Memory Mapped File rwx False False False -
ncrypt.dll 0x7fff048f0000 0x7fff04915fff Memory Mapped File rwx False False False -
sspicli.dll 0x7fff04a00000 0x7fff04a2bfff Memory Mapped File rwx False False False -
eventaggregation.dll 0x7fff04bd0000 0x7fff04be9fff Memory Mapped File rwx False False False -
dabapi.dll 0x7fff04bf0000 0x7fff04bf7fff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
profapi.dll 0x7fff04e00000 0x7fff04e12fff Memory Mapped File rwx False False False -
powrprof.dll 0x7fff04e20000 0x7fff04e69fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
shcore.dll 0x7fff04e80000 0x7fff04f32fff Memory Mapped File rwx False False False -
windows.storage.dll 0x7fff05270000 0x7fff05897fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
nsi.dll 0x7fff05a80000 0x7fff05a87fff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fff05d00000 0x7fff05d50fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
wldap32.dll 0x7fff05ed0000 0x7fff05f2afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fff05f30000 0x7fff05fd5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
shell32.dll 0x7fff067d0000 0x7fff07cf4fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fff080d0000 0x7fff08138fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
For performance reasons, the remaining 214 entries are omitted.
The remaining entries can be found in flog.txt.
Process #9: svchost.exe
Information Value
ID #9
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:56, Reason: Autostart
Unmonitor End Time: 00:11:22, Reason: Terminated by Timeout
Monitor Duration 00:08:26
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x360
Parent PID 0x1e4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Local Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x364, 0x374, 0x384, 0x38C, 0x3E4, 0x3FC, 0x40, 0x124, 0x134, 0x128, 0x130, 0x144, 0x29C, 0x2C8, 0x308, 0x380, 0x238, 0x27C, 0x388, 0x404, 0x408, 0x40C, 0x410, 0x414, 0x418, 0x4A0, 0x594, 0x76C, 0x770, 0x710, 0x870, 0x798, 0x7D4, 0x2F8, 0x574, 0xB44, 0x7D0, 0x34C, 0x3D8, 0x7D8, 0x900, 0x86C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000003f491b0000 0x3f491b0000 0x3f491cffff Private Memory rw True False False -
pagefile_0x0000003f491b0000 0x3f491b0000 0x3f491bffff Pagefile Backed Memory rw True False False -
svchost.exe.mui 0x3f491c0000 0x3f491c0fff Memory Mapped File r False False False -
pagefile_0x0000003f491d0000 0x3f491d0000 0x3f491e3fff Pagefile Backed Memory r True False False -
private_0x0000003f491f0000 0x3f491f0000 0x3f4926ffff Private Memory rw True False False -
pagefile_0x0000003f49270000 0x3f49270000 0x3f49273fff Pagefile Backed Memory r True False False -
pagefile_0x0000003f49280000 0x3f49280000 0x3f49280fff Pagefile Backed Memory r True False False -
private_0x0000003f49290000 0x3f49290000 0x3f49291fff Private Memory rw True False False -
locale.nls 0x3f492a0000 0x3f4935dfff Memory Mapped File r False False False -
private_0x0000003f49360000 0x3f49360000 0x3f493dffff Private Memory rw True False False -
private_0x0000003f493e0000 0x3f493e0000 0x3f493e0fff Private Memory rw True False False -
private_0x0000003f493f0000 0x3f493f0000 0x3f493f0fff Private Memory rw True False False -
private_0x0000003f49400000 0x3f49400000 0x3f49406fff Private Memory rw True False False -
wevtsvc.dll.mui 0x3f49410000 0x3f49412fff Memory Mapped File r False False False -
pagefile_0x0000003f49420000 0x3f49420000 0x3f49420fff Pagefile Backed Memory r True False False -
private_0x0000003f49430000 0x3f49430000 0x3f49436fff Private Memory rw True False False -
pagefile_0x0000003f49440000 0x3f49440000 0x3f494fffff Pagefile Backed Memory r True False False -
private_0x0000003f49500000 0x3f49500000 0x3f495fffff Private Memory rw True False False -
private_0x0000003f49600000 0x3f49600000 0x3f496fffff Private Memory rw True False False -
pagefile_0x0000003f49700000 0x3f49700000 0x3f49887fff Pagefile Backed Memory r True False False -
pagefile_0x0000003f49890000 0x3f49890000 0x3f49a10fff Pagefile Backed Memory r True False False -
private_0x0000003f49a20000 0x3f49a20000 0x3f49b1ffff Private Memory rw True False False -
private_0x0000003f49b20000 0x3f49b20000 0x3f49c1ffff Private Memory rw True False False -
private_0x0000003f49c20000 0x3f49c20000 0x3f49d1ffff Private Memory rw True False False -
classpnp.sys 0x3f49c20000 0x3f49c7ffff Memory Mapped File r False False False -
pagefile_0x0000003f49c20000 0x3f49c20000 0x3f49c20fff Pagefile Backed Memory r True False False -
private_0x0000003f49c30000 0x3f49c30000 0x3f49c30fff Private Memory rw True False False -
private_0x0000003f49c40000 0x3f49c40000 0x3f49c40fff Private Memory rw True False False -
pagefile_0x0000003f49c50000 0x3f49c50000 0x3f49c50fff Pagefile Backed Memory rw True False False -
pcaevts.dll 0x3f49c60000 0x3f49c64fff Memory Mapped File r False False False -
private_0x0000003f49c80000 0x3f49c80000 0x3f49c9ffff Private Memory rw True False False -
private_0x0000003f49ca0000 0x3f49ca0000 0x3f49d1ffff Private Memory rw True False False -
private_0x0000003f49d20000 0x3f49d20000 0x3f49e1ffff Private Memory rw True False False -
private_0x0000003f49e20000 0x3f49e20000 0x3f49e3ffff Private Memory rw True False False -
private_0x0000003f49e40000 0x3f49e40000 0x3f49e5ffff Private Memory rw True False False -
private_0x0000003f49e60000 0x3f49e60000 0x3f49e66fff Private Memory rw True False False -
wevtapi.dll 0x3f49e70000 0x3f49ed4fff Memory Mapped File r False False False -
private_0x0000003f49f00000 0x3f49f00000 0x3f49ffffff Private Memory rw True False False -
private_0x0000003f4a000000 0x3f4a000000 0x3f4a07ffff Private Memory rw True False False -
private_0x0000003f4a080000 0x3f4a080000 0x3f4a0fffff Private Memory rw True False False -
private_0x0000003f4a100000 0x3f4a100000 0x3f4a17ffff Private Memory rw True False False -
private_0x0000003f4a180000 0x3f4a180000 0x3f4a1fffff Private Memory rw True False False -
private_0x0000003f4a200000 0x3f4a200000 0x3f4a27ffff Private Memory rw True False False -
private_0x0000003f4a280000 0x3f4a280000 0x3f4a2fffff Private Memory rw True False False -
private_0x0000003f4a300000 0x3f4a300000 0x3f4a3fffff Private Memory rw True False False -
private_0x0000003f4a400000 0x3f4a400000 0x3f4a4fffff Private Memory rw True False False -
private_0x0000003f4a500000 0x3f4a500000 0x3f4a5fffff Private Memory rw True False False -
private_0x0000003f4a600000 0x3f4a600000 0x3f4a6fffff Private Memory rw True False False -
private_0x0000003f4a700000 0x3f4a700000 0x3f4a7fffff Private Memory rw True False False -
private_0x0000003f4a800000 0x3f4a800000 0x3f4a8fffff Private Memory rw True False False -
sortdefault.nls 0x3f4a900000 0x3f4ac36fff Memory Mapped File r False False False -
private_0x0000003f4ac40000 0x3f4ac40000 0x3f4ad3ffff Private Memory rw True False False -
private_0x0000003f4ac40000 0x3f4ac40000 0x3f4acbffff Private Memory rw True False False -
private_0x0000003f4ad00000 0x3f4ad00000 0x3f4adfffff Private Memory rw True False False -
private_0x0000003f4ad40000 0x3f4ad40000 0x3f4ae3ffff Private Memory rw True False False -
private_0x0000003f4ae00000 0x3f4ae00000 0x3f4aefffff Private Memory rw True False False -
private_0x0000003f4ae40000 0x3f4ae40000 0x3f4af3ffff Private Memory rw True False False -
private_0x0000003f4af40000 0x3f4af40000 0x3f4b03ffff Private Memory rw True False False -
services.exe 0x3f4b040000 0x3f4b0affff Memory Mapped File r False False False -
private_0x0000003f4b100000 0x3f4b100000 0x3f4b1fffff Private Memory rw True False False -
private_0x0000003f4b200000 0x3f4b200000 0x3f4b2fffff Private Memory rw True False False -
private_0x0000003f4b300000 0x3f4b300000 0x3f4b3fffff Private Memory rw True False False -
private_0x0000003f4b400000 0x3f4b400000 0x3f4b4fffff Private Memory rw True False False -
private_0x0000003f4b500000 0x3f4b500000 0x3f4b5fffff Private Memory rw True False False -
private_0x0000003f4b600000 0x3f4b600000 0x3f4b6fffff Private Memory rw True False False -
private_0x0000003f4b700000 0x3f4b700000 0x3f4b7fffff Private Memory rw True False False -
winlogon.exe 0x3f4b800000 0x3f4b892fff Memory Mapped File r False False False -
private_0x0000003f4b900000 0x3f4b900000 0x3f4b9fffff Private Memory rw True False False -
private_0x0000003f4bb00000 0x3f4bb00000 0x3f4bbfffff Private Memory rw True False False -
private_0x0000003f4bc00000 0x3f4bc00000 0x3f4bcfffff Private Memory rw True False False -
pagefile_0x00007df5ff7d0000 0x7df5ff7d0000 0x7ff5ff7cffff Pagefile Backed Memory - True False False -
private_0x00007ff6bb300000 0x7ff6bb300000 0x7ff6bb301fff Private Memory rw True False False -
private_0x00007ff6bb302000 0x7ff6bb302000 0x7ff6bb303fff Private Memory rw True False False -
private_0x00007ff6bb304000 0x7ff6bb304000 0x7ff6bb305fff Private Memory rw True False False -
private_0x00007ff6bb306000 0x7ff6bb306000 0x7ff6bb307fff Private Memory rw True False False -
private_0x00007ff6bb308000 0x7ff6bb308000 0x7ff6bb309fff Private Memory rw True False False -
private_0x00007ff6bb30a000 0x7ff6bb30a000 0x7ff6bb30bfff Private Memory rw True False False -
private_0x00007ff6bb30c000 0x7ff6bb30c000 0x7ff6bb30dfff Private Memory rw True False False -
private_0x00007ff6bb30e000 0x7ff6bb30e000 0x7ff6bb30ffff Private Memory rw True False False -
private_0x00007ff6bb310000 0x7ff6bb310000 0x7ff6bb311fff Private Memory rw True False False -
private_0x00007ff6bb312000 0x7ff6bb312000 0x7ff6bb313fff Private Memory rw True False False -
private_0x00007ff6bb314000 0x7ff6bb314000 0x7ff6bb315fff Private Memory rw True False False -
private_0x00007ff6bb316000 0x7ff6bb316000 0x7ff6bb317fff Private Memory rw True False False -
private_0x00007ff6bb318000 0x7ff6bb318000 0x7ff6bb319fff Private Memory rw True False False -
private_0x00007ff6bb31a000 0x7ff6bb31a000 0x7ff6bb31bfff Private Memory rw True False False -
private_0x00007ff6bb31c000 0x7ff6bb31c000 0x7ff6bb31dfff Private Memory rw True False False -
private_0x00007ff6bb31e000 0x7ff6bb31e000 0x7ff6bb31ffff Private Memory rw True False False -
pagefile_0x00007ff6bb320000 0x7ff6bb320000 0x7ff6bb41ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6bb420000 0x7ff6bb420000 0x7ff6bb442fff Pagefile Backed Memory r True False False -
private_0x00007ff6bb443000 0x7ff6bb443000 0x7ff6bb444fff Private Memory rw True False False -
private_0x00007ff6bb445000 0x7ff6bb445000 0x7ff6bb446fff Private Memory rw True False False -
private_0x00007ff6bb447000 0x7ff6bb447000 0x7ff6bb448fff Private Memory rw True False False -
private_0x00007ff6bb449000 0x7ff6bb449000 0x7ff6bb44afff Private Memory rw True False False -
private_0x00007ff6bb44b000 0x7ff6bb44b000 0x7ff6bb44cfff Private Memory rw True False False -
private_0x00007ff6bb44d000 0x7ff6bb44d000 0x7ff6bb44efff Private Memory rw True False False -
private_0x00007ff6bb44f000 0x7ff6bb44f000 0x7ff6bb44ffff Private Memory rw True False False -
svchost.exe 0x7ff6bbac0000 0x7ff6bbaccfff Memory Mapped File rwx False False False -
dbghelp.dll 0x7ffef0910000 0x7ffef0a99fff Memory Mapped File rwx False False False -
cmintegrator.dll 0x7ffeff270000 0x7ffeff27dfff Memory Mapped File rwx False False False -
wcmcsp.dll 0x7ffeff280000 0x7ffeff2b5fff Memory Mapped File rwx False False False -
dhcpcsvc.dll 0x7ffeff2c0000 0x7ffeff2d9fff Memory Mapped File rwx False False False -
dhcpcsvc6.dll 0x7ffeff2e0000 0x7ffeff2f5fff Memory Mapped File rwx False False False -
wcmsvc.dll 0x7ffeff300000 0x7ffeff397fff Memory Mapped File rwx False False False -
dhcpcore6.dll 0x7ffeff470000 0x7ffeff4b7fff Memory Mapped File rwx False False False -
dhcpcore.dll 0x7ffeff4c0000 0x7ffeff51cfff Memory Mapped File rwx False False False -
avrt.dll 0x7ffeff580000 0x7ffeff58afff Memory Mapped File rwx False False False -
ksuser.dll 0x7ffeff590000 0x7ffeff597fff Memory Mapped File rwx False False False -
audiosrv.dll 0x7ffeff5a0000 0x7ffeff6b0fff Memory Mapped File rwx False False False -
propsys.dll 0x7ffeff870000 0x7ffeff9f2fff Memory Mapped File rwx False False False -
mmdevapi.dll 0x7ffeffa00000 0x7ffeffa71fff Memory Mapped File rwx False False False -
wevtsvc.dll 0x7ffeffe60000 0x7fff0000afff Memory Mapped File rwx False False False -
wmiclnt.dll 0x7fff00190000 0x7fff001a0fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fff00400000 0x7fff0040afff Memory Mapped File rwx False False False -
nrpsrv.dll 0x7fff00410000 0x7fff00418fff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fff00420000 0x7fff00457fff Memory Mapped File rwx False False False -
lmhsvc.dll 0x7fff00460000 0x7fff00469fff Memory Mapped File rwx False False False -
nlaapi.dll 0x7fff00470000 0x7fff00487fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fff033a0000 0x7fff033b2fff Memory Mapped File rwx False False False -
devobj.dll 0x7fff03750000 0x7fff03776fff Memory Mapped File rwx False False False -
fwbase.dll 0x7fff03920000 0x7fff03951fff Memory Mapped File rwx False False False -
firewallapi.dll 0x7fff03a50000 0x7fff03ad1fff Memory Mapped File rwx False False False -
gpapi.dll 0x7fff03d00000 0x7fff03d22fff Memory Mapped File rwx False False False -
hid.dll 0x7fff03e30000 0x7fff03e3bfff Memory Mapped File rwx False False False -
dnsapi.dll 0x7fff043f0000 0x7fff04497fff Memory Mapped File rwx False False False -
winsta.dll 0x7fff044a0000 0x7fff044f7fff Memory Mapped File rwx False False False -
mswsock.dll 0x7fff04650000 0x7fff046acfff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fff04820000 0x7fff0482afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fff04a00000 0x7fff04a2bfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
msasn1.dll 0x7fff04de0000 0x7fff04df0fff Memory Mapped File rwx False False False -
powrprof.dll 0x7fff04e20000 0x7fff04e69fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
crypt32.dll 0x7fff04f40000 0x7fff05100fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fff05110000 0x7fff05153fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
nsi.dll 0x7fff05a80000 0x7fff05a87fff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
advapi32.dll 0x7fff05f30000 0x7fff05fd5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fff080d0000 0x7fff08138fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
For performance reasons, the remaining 11 entries are omitted.
The remaining entries can be found in flog.txt.
Process #10: svchost.exe
Information Value
ID #10
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:56, Reason: Autostart
Unmonitor End Time: 00:11:22, Reason: Terminated by Timeout
Monitor Duration 00:08:26
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x368
Parent PID 0x1e4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Local Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x36C, 0x378, 0x388, 0x390, 0x394, 0x704, 0x834, 0x838, 0x848, 0x84C, 0x850, 0x854, 0x864, 0x320
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000d4acdf0000 0xd4acdf0000 0xd4ace0ffff Private Memory rw True False False -
pagefile_0x000000d4acdf0000 0xd4acdf0000 0xd4acdfffff Pagefile Backed Memory rw True False False -
svchost.exe.mui 0xd4ace00000 0xd4ace00fff Memory Mapped File r False False False -
pagefile_0x000000d4ace10000 0xd4ace10000 0xd4ace23fff Pagefile Backed Memory r True False False -
private_0x000000d4ace30000 0xd4ace30000 0xd4aceaffff Private Memory rw True False False -
pagefile_0x000000d4aceb0000 0xd4aceb0000 0xd4aceb3fff Pagefile Backed Memory r True False False -
pagefile_0x000000d4acec0000 0xd4acec0000 0xd4acec0fff Pagefile Backed Memory r True False False -
private_0x000000d4aced0000 0xd4aced0000 0xd4aced1fff Private Memory rw True False False -
private_0x000000d4acee0000 0xd4acee0000 0xd4acee0fff Private Memory rw True False False -
private_0x000000d4acef0000 0xd4acef0000 0xd4acef0fff Private Memory rw True False False -
private_0x000000d4acf00000 0xd4acf00000 0xd4acf06fff Private Memory rw True False False -
locale.nls 0xd4acf10000 0xd4acfcdfff Memory Mapped File r False False False -
pagefile_0x000000d4acfd0000 0xd4acfd0000 0xd4acfd0fff Pagefile Backed Memory r True False False -
pagefile_0x000000d4acfe0000 0xd4acfe0000 0xd4acfe0fff Pagefile Backed Memory r True False False -
private_0x000000d4ad000000 0xd4ad000000 0xd4ad0fffff Private Memory rw True False False -
private_0x000000d4ad100000 0xd4ad100000 0xd4ad17ffff Private Memory rw True False False -
pagefile_0x000000d4ad180000 0xd4ad180000 0xd4ad307fff Pagefile Backed Memory r True False False -
private_0x000000d4ad350000 0xd4ad350000 0xd4ad356fff Private Memory rw True False False -
private_0x000000d4ad360000 0xd4ad360000 0xd4ad3dffff Private Memory rw True False False -
private_0x000000d4ad400000 0xd4ad400000 0xd4ad4fffff Private Memory rw True False False -
pagefile_0x000000d4ad500000 0xd4ad500000 0xd4ad680fff Pagefile Backed Memory r True False False -
pagefile_0x000000d4ad690000 0xd4ad690000 0xd4ad74ffff Pagefile Backed Memory r True False False -
private_0x000000d4ad750000 0xd4ad750000 0xd4ad84ffff Private Memory rw True False False -
private_0x000000d4ad850000 0xd4ad850000 0xd4ad94ffff Private Memory rw True False False -
private_0x000000d4ad950000 0xd4ad950000 0xd4ada4ffff Private Memory rw True False False -
sortdefault.nls 0xd4ada50000 0xd4add86fff Memory Mapped File r False False False -
pagefile_0x00007df5ff770000 0x7df5ff770000 0x7ff5ff76ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff6bb170000 0x7ff6bb170000 0x7ff6bb26ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6bb270000 0x7ff6bb270000 0x7ff6bb292fff Pagefile Backed Memory r True False False -
private_0x00007ff6bb293000 0x7ff6bb293000 0x7ff6bb294fff Private Memory rw True False False -
private_0x00007ff6bb295000 0x7ff6bb295000 0x7ff6bb296fff Private Memory rw True False False -
private_0x00007ff6bb297000 0x7ff6bb297000 0x7ff6bb298fff Private Memory rw True False False -
private_0x00007ff6bb299000 0x7ff6bb299000 0x7ff6bb29afff Private Memory rw True False False -
private_0x00007ff6bb29b000 0x7ff6bb29b000 0x7ff6bb29bfff Private Memory rw True False False -
private_0x00007ff6bb29c000 0x7ff6bb29c000 0x7ff6bb29dfff Private Memory rw True False False -
private_0x00007ff6bb29e000 0x7ff6bb29e000 0x7ff6bb29ffff Private Memory rw True False False -
svchost.exe 0x7ff6bbac0000 0x7ff6bbaccfff Memory Mapped File rwx False False False -
ssdpsrv.dll 0x7ffef6bd0000 0x7ffef6c10fff Memory Mapped File rwx False False False -
execmodelclient.dll 0x7ffef92c0000 0x7ffef9302fff Memory Mapped File rwx False False False -
dhcpcsvc.dll 0x7ffeff2c0000 0x7ffeff2d9fff Memory Mapped File rwx False False False -
dhcpcsvc6.dll 0x7ffeff2e0000 0x7ffeff2f5fff Memory Mapped File rwx False False False -
propsys.dll 0x7ffeff870000 0x7ffeff9f2fff Memory Mapped File rwx False False False -
mmdevapi.dll 0x7ffeffa00000 0x7ffeffa71fff Memory Mapped File rwx False False False -
bi.dll 0x7fff00010000 0x7fff0001bfff Memory Mapped File rwx False False False -
timebrokerserver.dll 0x7fff003c0000 0x7fff003ecfff Memory Mapped File rwx False False False -
winnsi.dll 0x7fff00400000 0x7fff0040afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fff00420000 0x7fff00457fff Memory Mapped File rwx False False False -
coremessaging.dll 0x7fff02fe0000 0x7fff030a7fff Memory Mapped File rwx False False False -
brokerlib.dll 0x7fff036a0000 0x7fff036defff Memory Mapped File rwx False False False -
devobj.dll 0x7fff03750000 0x7fff03776fff Memory Mapped File rwx False False False -
fwbase.dll 0x7fff03920000 0x7fff03951fff Memory Mapped File rwx False False False -
firewallapi.dll 0x7fff03a50000 0x7fff03ad1fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fff042a0000 0x7fff042d2fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fff046b0000 0x7fff046c6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fff04820000 0x7fff0482afff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
powrprof.dll 0x7fff04e20000 0x7fff04e69fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fff05110000 0x7fff05153fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
nsi.dll 0x7fff05a80000 0x7fff05a87fff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fff080d0000 0x7fff08138fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
Process #11: svchost.exe
Information Value
ID #11
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:59, Reason: Autostart
Unmonitor End Time: 00:11:22, Reason: Terminated by Timeout
Monitor Duration 00:08:23
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x3ec
Parent PID 0x1e4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x3F0, 0x3F4, 0x12C, 0x190, 0x18C, 0x1E0, 0x230, 0x250, 0x254, 0x260, 0x458, 0x45C, 0x460, 0x464, 0x5F0, 0x60C, 0x610, 0x614, 0x640, 0x670, 0x6AC, 0x4BC, 0x8EC, 0x8F4, 0x914, 0x92C, 0x930, 0x968, 0x984, 0x9F4, 0xB08, 0xBF4, 0x58C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000052602c0000 0x52602c0000 0x52602dffff Private Memory rw True False False -
pagefile_0x00000052602c0000 0x52602c0000 0x52602cffff Pagefile Backed Memory rw True False False -
svchost.exe.mui 0x52602d0000 0x52602d0fff Memory Mapped File r False False False -
pagefile_0x00000052602e0000 0x52602e0000 0x52602f3fff Pagefile Backed Memory r True False False -
private_0x0000005260300000 0x5260300000 0x526037ffff Private Memory rw True False False -
pagefile_0x0000005260380000 0x5260380000 0x5260383fff Pagefile Backed Memory r True False False -
pagefile_0x0000005260390000 0x5260390000 0x5260390fff Pagefile Backed Memory r True False False -
private_0x00000052603a0000 0x52603a0000 0x52603a1fff Private Memory rw True False False -
private_0x00000052603b0000 0x52603b0000 0x526042ffff Private Memory rw True False False -
private_0x00000052603b0000 0x52603b0000 0x52603f7fff Private Memory rw True False False -
private_0x0000005260430000 0x5260430000 0x5260436fff Private Memory rw True False False -
locale.nls 0x5260440000 0x52604fdfff Memory Mapped File r False False False -
private_0x0000005260500000 0x5260500000 0x52605fffff Private Memory rw True False False -
private_0x0000005260600000 0x5260600000 0x5260600fff Private Memory rw True False False -
private_0x0000005260610000 0x5260610000 0x5260610fff Private Memory rw True False False -
pagefile_0x0000005260620000 0x5260620000 0x5260620fff Pagefile Backed Memory r True False False -
pagefile_0x0000005260630000 0x5260630000 0x5260630fff Pagefile Backed Memory r True False False -
private_0x0000005260640000 0x5260640000 0x5260640fff Private Memory rw True False False -
private_0x0000005260650000 0x5260650000 0x5260650fff Private Memory rw True False False -
mmdevapi.dll.mui 0x5260660000 0x5260660fff Memory Mapped File r False False False -
audioendpointbuilder.dll.mui 0x5260670000 0x5260670fff Memory Mapped File r False False False -
private_0x0000005260680000 0x5260680000 0x5260680fff Private Memory rw True False False -
sysmain.dll.mui 0x5260690000 0x5260695fff Memory Mapped File r False False False -
private_0x00000052606a0000 0x52606a0000 0x52606a6fff Private Memory rw True False False -
pfpre_871cf952.mkd 0x52606b0000 0x52606e0fff Memory Mapped File rw False False False -
private_0x0000005260700000 0x5260700000 0x52607fffff Private Memory rw True False False -
pagefile_0x0000005260800000 0x5260800000 0x5260987fff Pagefile Backed Memory r True False False -
pagefile_0x0000005260990000 0x5260990000 0x5260b10fff Pagefile Backed Memory r True False False -
pagefile_0x0000005260b20000 0x5260b20000 0x5260bdffff Pagefile Backed Memory r True False False -
private_0x0000005260be0000 0x5260be0000 0x5260cdffff Private Memory rw True False False -
private_0x0000005260be0000 0x5260be0000 0x5260c5ffff Private Memory rw True False False -
private_0x0000005260c60000 0x5260c60000 0x5260cdffff Private Memory rw True False False -
private_0x0000005260ce0000 0x5260ce0000 0x5260ddffff Private Memory rw True False False -
private_0x0000005260de0000 0x5260de0000 0x5260edffff Private Memory rw True False False -
private_0x0000005260ee0000 0x5260ee0000 0x5260fdffff Private Memory rw True False False -
private_0x0000005260fe0000 0x5260fe0000 0x52610dffff Private Memory rw True False False -
sortdefault.nls 0x52610e0000 0x5261416fff Memory Mapped File r False False False -
private_0x0000005261420000 0x5261420000 0x526149ffff Private Memory rw True False False -
private_0x00000052614a0000 0x52614a0000 0x526159ffff Private Memory rw True False False -
private_0x00000052615a0000 0x52615a0000 0x526161ffff Private Memory rw True False False -
private_0x0000005261620000 0x5261620000 0x526171ffff Private Memory rw True False False -
private_0x0000005261720000 0x5261720000 0x526181ffff Private Memory rw True False False -
private_0x0000005261820000 0x5261820000 0x526191ffff Private Memory rw True False False -
private_0x0000005261a00000 0x5261a00000 0x5261afffff Private Memory rw True False False -
private_0x0000005261b00000 0x5261b00000 0x5261bfffff Private Memory rw True False False -
private_0x0000005261c00000 0x5261c00000 0x5261cfffff Private Memory rw True False False -
private_0x0000005261d40000 0x5261d40000 0x5261d46fff Private Memory rw True False False -
private_0x0000005261e00000 0x5261e00000 0x5261efffff Private Memory rw True False False -
private_0x0000005261f00000 0x5261f00000 0x5361efffff Private Memory rw True False False -
private_0x0000005361f00000 0x5361f00000 0x53622fffff Private Memory rw True False False -
private_0x0000005362300000 0x5362300000 0x53623fcfff Private Memory rw True False False -
private_0x0000005362400000 0x5362400000 0x53624fffff Private Memory rw True False False -
private_0x0000005362500000 0x5362500000 0x53625fffff Private Memory rw True False False -
private_0x00000053626a0000 0x53626a0000 0x5362846fff Private Memory rw True False False -
private_0x0000005362850000 0x5362850000 0x536294ffff Private Memory rw True False False -
private_0x0000005362950000 0x5362950000 0x5362a4ffff Private Memory rw True False False -
private_0x0000005362a50000 0x5362a50000 0x5362a56fff Private Memory rw True False False -
private_0x0000005362b00000 0x5362b00000 0x5362bfffff Private Memory rw True False False -
private_0x0000005362c00000 0x5362c00000 0x5362cfffff Private Memory rw True False False -
private_0x0000005362d00000 0x5362d00000 0x5362dfffff Private Memory rw True False False -
private_0x0000005362e00000 0x5362e00000 0x5362efffff Private Memory rw True False False -
private_0x0000005362f00000 0x5362f00000 0x5362ffffff Private Memory rw True False False -
private_0x0000005363000000 0x5363000000 0x53630fffff Private Memory rw True False False -
private_0x0000005363100000 0x5363100000 0x53631fffff Private Memory rw True False False -
private_0x00000053632e0000 0x53632e0000 0x53632e6fff Private Memory rw True False False -
private_0x0000005363300000 0x5363300000 0x53633fffff Private Memory rw True False False -
private_0x0000005363400000 0x5363400000 0x53634f1fff Private Memory rw True False False -
private_0x0000005363540000 0x5363540000 0x536363ffff Private Memory rw True False False -
private_0x0000005363700000 0x5363700000 0x53637fffff Private Memory rw True False False -
private_0x0000005363800000 0x5363800000 0x53638fffff Private Memory rw True False False -
private_0x0000005363900000 0x5363900000 0x53639fffff Private Memory rw True False False -
pagefile_0x00007df5ff760000 0x7df5ff760000 0x7ff5ff75ffff Pagefile Backed Memory - True False False -
private_0x00007ff6bb346000 0x7ff6bb346000 0x7ff6bb347fff Private Memory rw True False False -
private_0x00007ff6bb348000 0x7ff6bb348000 0x7ff6bb349fff Private Memory rw True False False -
private_0x00007ff6bb34c000 0x7ff6bb34c000 0x7ff6bb34dfff Private Memory rw True False False -
private_0x00007ff6bb34e000 0x7ff6bb34e000 0x7ff6bb34ffff Private Memory rw True False False -
private_0x00007ff6bb350000 0x7ff6bb350000 0x7ff6bb351fff Private Memory rw True False False -
private_0x00007ff6bb352000 0x7ff6bb352000 0x7ff6bb353fff Private Memory rw True False False -
private_0x00007ff6bb354000 0x7ff6bb354000 0x7ff6bb355fff Private Memory rw True False False -
private_0x00007ff6bb356000 0x7ff6bb356000 0x7ff6bb357fff Private Memory rw True False False -
private_0x00007ff6bb358000 0x7ff6bb358000 0x7ff6bb359fff Private Memory rw True False False -
private_0x00007ff6bb35a000 0x7ff6bb35a000 0x7ff6bb35bfff Private Memory rw True False False -
private_0x00007ff6bb35c000 0x7ff6bb35c000 0x7ff6bb35dfff Private Memory rw True False False -
private_0x00007ff6bb35e000 0x7ff6bb35e000 0x7ff6bb35ffff Private Memory rw True False False -
pagefile_0x00007ff6bb360000 0x7ff6bb360000 0x7ff6bb45ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6bb460000 0x7ff6bb460000 0x7ff6bb482fff Pagefile Backed Memory r True False False -
private_0x00007ff6bb483000 0x7ff6bb483000 0x7ff6bb484fff Private Memory rw True False False -
private_0x00007ff6bb485000 0x7ff6bb485000 0x7ff6bb486fff Private Memory rw True False False -
private_0x00007ff6bb487000 0x7ff6bb487000 0x7ff6bb488fff Private Memory rw True False False -
private_0x00007ff6bb489000 0x7ff6bb489000 0x7ff6bb489fff Private Memory rw True False False -
private_0x00007ff6bb48a000 0x7ff6bb48a000 0x7ff6bb48bfff Private Memory rw True False False -
private_0x00007ff6bb48c000 0x7ff6bb48c000 0x7ff6bb48dfff Private Memory rw True False False -
private_0x00007ff6bb48e000 0x7ff6bb48e000 0x7ff6bb48ffff Private Memory rw True False False -
svchost.exe 0x7ff6bbac0000 0x7ff6bbaccfff Memory Mapped File rwx False False False -
systemeventsbrokerclient.dll 0x7ffef5ee0000 0x7ffef5eeafff Memory Mapped File rwx False False False -
ncbservice.dll 0x7ffef65c0000 0x7ffef6617fff Memory Mapped File rwx False False False -
execmodelclient.dll 0x7ffef92c0000 0x7ffef9302fff Memory Mapped File rwx False False False -
trkwks.dll 0x7ffefc310000 0x7ffefc331fff Memory Mapped File rwx False False False -
sysmain.dll 0x7ffefcdb0000 0x7ffefcec2fff Memory Mapped File rwx False False False -
pcasvc.dll 0x7ffefd140000 0x7ffefd1bffff Memory Mapped File rwx False False False -
httpprxc.dll 0x7ffefe870000 0x7ffefe878fff Memory Mapped File rwx False False False -
wudfplatform.dll 0x7ffeff170000 0x7ffeff1a2fff Memory Mapped File rwx False False False -
wudfsvc.dll 0x7ffeff1b0000 0x7ffeff1cafff Memory Mapped File rwx False False False -
propsys.dll 0x7ffeff870000 0x7ffeff9f2fff Memory Mapped File rwx False False False -
mmdevapi.dll 0x7ffeffa00000 0x7ffeffa71fff Memory Mapped File rwx False False False -
audioendpointbuilder.dll 0x7ffeffa80000 0x7ffeffac9fff Memory Mapped File rwx False False False -
portabledeviceconnectapi.dll 0x7ffeffbb0000 0x7ffeffbc6fff Memory Mapped File rwx False False False -
portabledeviceapi.dll 0x7ffeffbd0000 0x7ffeffc70fff Memory Mapped File rwx False False False -
wpdbusenum.dll 0x7ffeffc80000 0x7ffeffc99fff Memory Mapped File rwx False False False -
bi.dll 0x7fff00010000 0x7fff0001bfff Memory Mapped File rwx False False False -
taskschd.dll 0x7fff00300000 0x7fff003bffff Memory Mapped File rwx False False False -
winnsi.dll 0x7fff00400000 0x7fff0040afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fff00420000 0x7fff00457fff Memory Mapped File rwx False False False -
coremessaging.dll 0x7fff02fe0000 0x7fff030a7fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fff033a0000 0x7fff033b2fff Memory Mapped File rwx False False False -
apphelp.dll 0x7fff03530000 0x7fff035a7fff Memory Mapped File rwx False False False -
brokerlib.dll 0x7fff036a0000 0x7fff036defff Memory Mapped File rwx False False False -
devobj.dll 0x7fff03750000 0x7fff03776fff Memory Mapped File rwx False False False -
ntmarta.dll 0x7fff04120000 0x7fff04151fff Memory Mapped File rwx False False False -
userenv.dll 0x7fff04390000 0x7fff043aefff Memory Mapped File rwx False False False -
winsta.dll 0x7fff044a0000 0x7fff044f7fff Memory Mapped File rwx False False False -
mswsock.dll 0x7fff04650000 0x7fff046acfff Memory Mapped File rwx False False False -
sspicli.dll 0x7fff04a00000 0x7fff04a2bfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
msasn1.dll 0x7fff04de0000 0x7fff04df0fff Memory Mapped File rwx False False False -
profapi.dll 0x7fff04e00000 0x7fff04e12fff Memory Mapped File rwx False False False -
powrprof.dll 0x7fff04e20000 0x7fff04e69fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
shcore.dll 0x7fff04e80000 0x7fff04f32fff Memory Mapped File rwx False False False -
crypt32.dll 0x7fff04f40000 0x7fff05100fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fff05110000 0x7fff05153fff Memory Mapped File rwx False False False -
wintrust.dll 0x7fff05210000 0x7fff05263fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
nsi.dll 0x7fff05a80000 0x7fff05a87fff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fff05d00000 0x7fff05d50fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
advapi32.dll 0x7fff05f30000 0x7fff05fd5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
setupapi.dll 0x7fff065e0000 0x7fff067a4fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fff080d0000 0x7fff08138fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
For performance reasons, the remaining 10 entries are omitted.
The remaining entries can be found in flog.txt.
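The "OS Process Information" tables above record, for each process, its image path, its parent (PID and image), the account it runs as and the privileges enabled in its token. Those four fields are what an analyst checks first when deciding whether an svchost.exe instance is a genuine service host or something masquerading as one: a real service host lives in System32, is parented by services.exe, is started with a -k service group, and only holds debug-class privileges when it runs as SYSTEM. The following Python is an added example written for this page, not VMRay code and not part of the report: it parses rows in the report's "Information Value" layout and applies those checks. The benign block is copied from Process #10 above; the second block, including the hostname SANDBOX and the suspicious path, is constructed for the example, and the privilege set flagged as high-risk is this example's own choice.

```python
import re
from dataclasses import dataclass, field

# Row labels exactly as they appear in the report's "Information Value" tables.
KEYS = (
    "ID", "File Name", "Command Line", "Initial Working Directory",
    "PID", "Parent PID", "Is Created or Modified Executable",
    "Integrity Level", "Username", "Enabled Privileges",
)
SYSTEM32 = "c:\\windows\\system32\\"
# Assumption for this example: privileges that should not appear on a service
# host running as anything other than SYSTEM.
HIGH_RISK_PRIVS = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege"}


@dataclass
class ProcInfo:
    fields: dict = field(default_factory=dict)

    @property
    def image(self) -> str:
        return self.fields.get("File Name", "").lower()

    @property
    def parent_image(self) -> str:
        # "0x1e4 (c:\windows\system32\services.exe)" -> the path in parentheses
        m = re.search(r"\((.*)\)", self.fields.get("Parent PID", ""))
        return m.group(1).lower() if m else ""

    @property
    def privileges(self) -> set:
        raw = self.fields.get("Enabled Privileges", "")
        return {p.strip() for p in raw.split(",") if p.strip()}


def parse_block(text: str) -> ProcInfo:
    """Parse one process's 'Information Value' rows. The longest matching
    label wins, so 'Parent PID' is never read as 'PID'."""
    info = ProcInfo()
    for line in text.splitlines():
        line = line.strip()
        key = max((k for k in KEYS if line.startswith(k + " ")), key=len, default=None)
        if key:
            info.fields[key] = line[len(key) + 1:].strip()
    return info


def svchost_findings(info: ProcInfo) -> list:
    """Checks an analyst applies to every svchost.exe in a process list."""
    findings = []
    if not info.image.endswith("\\svchost.exe"):
        return findings  # the checks below are svchost-specific
    if not info.image.startswith(SYSTEM32):
        findings.append("image outside System32: " + info.image)
    if not info.parent_image.endswith("\\services.exe"):
        findings.append("parent is not services.exe: " + (info.parent_image or "<unknown>"))
    if not re.search(r"\s-k\s", info.fields.get("Command Line", ""), re.I):
        findings.append("no -k service group on the command line")
    user = info.fields.get("Username", "").upper()
    risky = info.privileges & HIGH_RISK_PRIVS
    if user != "NT AUTHORITY\\SYSTEM" and risky:
        findings.append("%s holds %s" % (user, ", ".join(sorted(risky))))
    return findings


# Rows copied from Process #10 above (a benign service host).
BENIGN_BLOCK = r"""
ID #10
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
PID 0x368
Parent PID 0x1e4 (c:\windows\system32\services.exe)
Integrity Level System (Elevated)
Username NT AUTHORITY\Local Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
"""

# CONSTRUCTED for this example, not from the report: a look-alike svchost.exe
# dropped into the sandbox user's profile and launched from explorer.exe.
SUSPECT_BLOCK = r"""
ID #99
File Name c:\users\ciihmnxmn6ps\appdata\local\svchost.exe
Command Line C:\Users\CIiHmnxMn6Ps\AppData\Local\svchost.exe
PID 0x9a0
Parent PID 0x508 (c:\windows\explorer.exe)
Integrity Level Medium
Username SANDBOX\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeDebugPrivilege
"""

if __name__ == "__main__":
    for block in (BENIGN_BLOCK, SUSPECT_BLOCK):
        info = parse_block(block)
        print(info.fields["ID"], info.image, svchost_findings(info) or "clean")
```

Run against the rows copied from Process #10 the checks return nothing, which matches what the tables above show for every autostarted svchost.exe in this report; the constructed block trips all four checks. The parser is deliberately label-driven rather than column-driven because the report's values (command lines, privilege lists, the parent image in parentheses) contain spaces and are not split into fixed columns.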
Process #12: svchost.exe
Information Value
ID #12
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k LocalService
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:00, Reason: Autostart
Unmonitor End Time: 00:11:22, Reason: Terminated by Timeout
Monitor Duration 00:08:22
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfc
Parent PID 0x1e4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Local Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x100, 0x11C, 0x8, 0x150, 0x14C, 0x1A0, 0x234, 0x27C, 0x294, 0xF8, 0x388, 0x550, 0x558, 0x55C, 0x56C, 0x570, 0x588, 0x694, 0x6B8, 0x6C4, 0x6C8, 0x6CC, 0x6D0, 0x6D4, 0x6D8, 0x6E0, 0x70C, 0x4B8, 0xAF8, 0x430, 0x334, 0xBF0, 0x710, 0x918
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000ab34230000 0xab34230000 0xab3424ffff Private Memory rw True False False -
pagefile_0x000000ab34230000 0xab34230000 0xab3423ffff Pagefile Backed Memory rw True False False -
svchost.exe.mui 0xab34240000 0xab34240fff Memory Mapped File r False False False -
pagefile_0x000000ab34250000 0xab34250000 0xab34263fff Pagefile Backed Memory r True False False -
private_0x000000ab34270000 0xab34270000 0xab342effff Private Memory rw True False False -
pagefile_0x000000ab342f0000 0xab342f0000 0xab342f3fff Pagefile Backed Memory r True False False -
pagefile_0x000000ab34300000 0xab34300000 0xab34300fff Pagefile Backed Memory r True False False -
private_0x000000ab34310000 0xab34310000 0xab34311fff Private Memory rw True False False -
private_0x000000ab34320000 0xab34320000 0xab3439ffff Private Memory rw True False False -
private_0x000000ab343a0000 0xab343a0000 0xab343a6fff Private Memory rw True False False -
private_0x000000ab343b0000 0xab343b0000 0xab343b0fff Private Memory rw True False False -
private_0x000000ab343c0000 0xab343c0000 0xab343c0fff Private Memory rw True False False -
pagefile_0x000000ab343d0000 0xab343d0000 0xab343d0fff Pagefile Backed Memory r True False False -
es.dll 0xab343e0000 0xab343f1fff Memory Mapped File r False False False -
private_0x000000ab34400000 0xab34400000 0xab344fffff Private Memory rw True False False -
locale.nls 0xab34500000 0xab345bdfff Memory Mapped File r False False False -
pagefile_0x000000ab345c0000 0xab345c0000 0xab3467ffff Pagefile Backed Memory r True False False -
stdole2.tlb 0xab34680000 0xab34684fff Memory Mapped File r False False False -
pagefile_0x000000ab34690000 0xab34690000 0xab34691fff Pagefile Backed Memory r True False False -
netprofmsvc.dll.mui 0xab346a0000 0xab346a1fff Memory Mapped File r False False False -
pagefile_0x000000ab346b0000 0xab346b0000 0xab346b0fff Pagefile Backed Memory r True False False -
private_0x000000ab346c0000 0xab346c0000 0xab346c6fff Private Memory rw True False False -
framd.ttf 0xab346d0000 0xab346f2fff Memory Mapped File r False False False -
lucon.ttf 0xab346d0000 0xab346ecfff Memory Mapped File r False False False -
private_0x000000ab34700000 0xab34700000 0xab347fffff Private Memory rw True False False -
pagefile_0x000000ab34800000 0xab34800000 0xab34987fff Pagefile Backed Memory r True False False -
pagefile_0x000000ab34990000 0xab34990000 0xab34b10fff Pagefile Backed Memory r True False False -
private_0x000000ab34b20000 0xab34b20000 0xab34c1ffff Private Memory rw True False False -
candara.ttf 0xab34b20000 0xab34b55fff Memory Mapped File r False False False -
courbi.ttf 0xab34b20000 0xab34bacfff Memory Mapped File r False False False -
gadugib.ttf 0xab34b20000 0xab34b53fff Memory Mapped File r False False False -
georgia.ttf 0xab34b60000 0xab34b95fff Memory Mapped File r False False False -
l_10646.ttf 0xab34ba0000 0xab34beffff Memory Mapped File r False False False -
framdit.ttf 0xab34bb0000 0xab34bd5fff Memory Mapped File r False False False -
gadugi.ttf 0xab34be0000 0xab34c13fff Memory Mapped File r False False False -
sortdefault.nls 0xab34c20000 0xab34f56fff Memory Mapped File r False False False -
private_0x000000ab34f60000 0xab34f60000 0xab3505ffff Private Memory rw True False False -
private_0x000000ab35060000 0xab35060000 0xab3515ffff Private Memory rw True False False -
private_0x000000ab35160000 0xab35160000 0xab3525ffff Private Memory rw True False False -
private_0x000000ab35260000 0xab35260000 0xab352dffff Private Memory rw True False False -
private_0x000000ab352e0000 0xab352e0000 0xab353dffff Private Memory rw True False False -
private_0x000000ab353e0000 0xab353e0000 0xab354dffff Private Memory rw True False False -
private_0x000000ab354e0000 0xab354e0000 0xab355dffff Private Memory rw True False False -
~fontcache-fontface.dat 0xab355e0000 0xab365dffff Memory Mapped File rw False False False -
cambriab.ttf 0xab365e0000 0xab366a2fff Memory Mapped File r False False False -
cambriai.ttf 0xab365e0000 0xab366adfff Memory Mapped File r False False False -
couri.ttf 0xab365e0000 0xab36682fff Memory Mapped File r False False False -
georgiab.ttf 0xab365e0000 0xab36612fff Memory Mapped File r False False False -
georgiaz.ttf 0xab36620000 0xab36653fff Memory Mapped File r False False False -
georgiai.ttf 0xab36660000 0xab36692fff Memory Mapped File r False False False -
private_0x000000ab366b0000 0xab366b0000 0xab367affff Private Memory rw True False False -
private_0x000000ab367b0000 0xab367b0000 0xab368affff Private Memory rw True False False -
impact.ttf 0xab368b0000 0xab368e4fff Memory Mapped File r False False False -
private_0x000000ab36900000 0xab36900000 0xab369fffff Private Memory rw True False False -
cambria.ttc 0xab36950000 0xab36af1fff Memory Mapped File r False False False -
private_0x000000ab36a00000 0xab36a00000 0xab36afffff Private Memory rw True False False -
private_0x000000ab36b00000 0xab36b00000 0xab36bfffff Private Memory rw True False False -
private_0x000000ab36c00000 0xab36c00000 0xab36cfffff Private Memory rw True False False -
cambriaz.ttf 0xab36d00000 0xab36dc5fff Memory Mapped File r False False False -
cour.ttf 0xab36d00000 0xab36dc1fff Memory Mapped File r False False False -
ebrimabd.ttf 0xab36d00000 0xab36dd6fff Memory Mapped File r False False False -
javatext.ttf 0xab36d00000 0xab36d4afff Memory Mapped File r False False False -
leelawui.ttf 0xab36d50000 0xab36daffff Memory Mapped File r False False False -
private_0x000000ab36dd0000 0xab36dd0000 0xab36ecffff Private Memory rw True False False -
private_0x000000ab36de0000 0xab36de0000 0xab36edffff Private Memory rw True False False -
courbd.ttf 0xab36ed0000 0xab36f91fff Memory Mapped File r False False False -
leelauib.ttf 0xab36ee0000 0xab36f2ffff Memory Mapped File r False False False -
leeluisl.ttf 0xab36f30000 0xab36f8efff Memory Mapped File r False False False -
kernelbase.dll.mui 0xab36f90000 0xab3706efff Memory Mapped File r False False False -
ebrima.ttf 0xab36fa0000 0xab37075fff Memory Mapped File r False False False -
private_0x000000ab37080000 0xab37080000 0xab3717ffff Private Memory rw True False False -
gabriola.ttf 0xab37180000 0xab37338fff Memory Mapped File r False False False -
private_0x000000ab37340000 0xab37340000 0xab3743ffff Private Memory rw True False False -
private_0x000000ab37440000 0xab37440000 0xab3753ffff Private Memory rw True False False -
private_0x000000ab37540000 0xab37540000 0xab3763ffff Private Memory rw True False False -
private_0x000000ab37640000 0xab37640000 0xab3773ffff Private Memory rw True False False -
private_0x000000ab37740000 0xab37740000 0xab3783ffff Private Memory rw True False False -
malgun.ttf 0xab37840000 0xab38515fff Memory Mapped File r False False False -
pagefile_0x00007df5ff890000 0x7df5ff890000 0x7ff5ff88ffff Pagefile Backed Memory - True False False -
private_0x00007ff6bb3b4000 0x7ff6bb3b4000 0x7ff6bb3b5fff Private Memory rw True False False -
private_0x00007ff6bb3b6000 0x7ff6bb3b6000 0x7ff6bb3b7fff Private Memory rw True False False -
private_0x00007ff6bb3b8000 0x7ff6bb3b8000 0x7ff6bb3b9fff Private Memory rw True False False -
private_0x00007ff6bb3ba000 0x7ff6bb3ba000 0x7ff6bb3bbfff Private Memory rw True False False -
private_0x00007ff6bb3bc000 0x7ff6bb3bc000 0x7ff6bb3bdfff Private Memory rw True False False -
private_0x00007ff6bb3be000 0x7ff6bb3be000 0x7ff6bb3bffff Private Memory rw True False False -
private_0x00007ff6bb3c0000 0x7ff6bb3c0000 0x7ff6bb3c1fff Private Memory rw True False False -
private_0x00007ff6bb3c2000 0x7ff6bb3c2000 0x7ff6bb3c3fff Private Memory rw True False False -
private_0x00007ff6bb3c4000 0x7ff6bb3c4000 0x7ff6bb3c5fff Private Memory rw True False False -
private_0x00007ff6bb3c6000 0x7ff6bb3c6000 0x7ff6bb3c7fff Private Memory rw True False False -
private_0x00007ff6bb3c8000 0x7ff6bb3c8000 0x7ff6bb3c9fff Private Memory rw True False False -
private_0x00007ff6bb3ca000 0x7ff6bb3ca000 0x7ff6bb3cbfff Private Memory rw True False False -
private_0x00007ff6bb3cc000 0x7ff6bb3cc000 0x7ff6bb3cdfff Private Memory rw True False False -
private_0x00007ff6bb3ce000 0x7ff6bb3ce000 0x7ff6bb3cffff Private Memory rw True False False -
pagefile_0x00007ff6bb3d0000 0x7ff6bb3d0000 0x7ff6bb4cffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6bb4d0000 0x7ff6bb4d0000 0x7ff6bb4f2fff Pagefile Backed Memory r True False False -
private_0x00007ff6bb4f3000 0x7ff6bb4f3000 0x7ff6bb4f4fff Private Memory rw True False False -
private_0x00007ff6bb4f5000 0x7ff6bb4f5000 0x7ff6bb4f6fff Private Memory rw True False False -
private_0x00007ff6bb4f7000 0x7ff6bb4f7000 0x7ff6bb4f8fff Private Memory rw True False False -
private_0x00007ff6bb4f9000 0x7ff6bb4f9000 0x7ff6bb4fafff Private Memory rw True False False -
private_0x00007ff6bb4fb000 0x7ff6bb4fb000 0x7ff6bb4fcfff Private Memory rw True False False -
private_0x00007ff6bb4fd000 0x7ff6bb4fd000 0x7ff6bb4fefff Private Memory rw True False False -
private_0x00007ff6bb4ff000 0x7ff6bb4ff000 0x7ff6bb4fffff Private Memory rw True False False -
svchost.exe 0x7ff6bbac0000 0x7ff6bbaccfff Memory Mapped File rwx False False False -
bthtelemetry.dll 0x7ffefbb30000 0x7ffefbb3cfff Memory Mapped File rwx False False False -
bthradiomedia.dll 0x7ffefbb40000 0x7ffefbb57fff Memory Mapped File rwx False False False -
wlanradiomanager.dll 0x7ffefbf70000 0x7ffefbf83fff Memory Mapped File rwx False False False -
netprofmsvc.dll 0x7ffefc0e0000 0x7ffefc16cfff Memory Mapped File rwx False False False -
npmproxy.dll 0x7ffefc1e0000 0x7ffefc1edfff Memory Mapped File rwx False False False -
wlanapi.dll 0x7ffefcd50000 0x7ffefcdaefff Memory Mapped File rwx False False False -
rasadhlp.dll 0x7ffefd5d0000 0x7ffefd5d9fff Memory Mapped File rwx False False False -
perftrack.dll 0x7ffefdb30000 0x7ffefdb47fff Memory Mapped File rwx False False False -
winhttp.dll 0x7ffefdf10000 0x7ffefdfe5fff Memory Mapped File rwx False False False -
wdi.dll 0x7ffefdff0000 0x7ffefe00cfff Memory Mapped File rwx False False False -
dhcpcsvc.dll 0x7ffeff2c0000 0x7ffeff2d9fff Memory Mapped File rwx False False False -
dhcpcsvc6.dll 0x7ffeff2e0000 0x7ffeff2f5fff Memory Mapped File rwx False False False -
nsisvc.dll 0x7ffeff520000 0x7ffeff52bfff Memory Mapped File rwx False False False -
fontprovider.dll 0x7ffeff550000 0x7ffeff578fff Memory Mapped File rwx False False False -
fntcache.dll 0x7ffeff6c0000 0x7ffeff863fff Memory Mapped File rwx False False False -
es.dll 0x7ffeffaf0000 0x7ffeffb69fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fff00400000 0x7fff0040afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fff00420000 0x7fff00457fff Memory Mapped File rwx False False False -
nlaapi.dll 0x7fff00470000 0x7fff00487fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fff042a0000 0x7fff042d2fff Memory Mapped File rwx False False False -
dnsapi.dll 0x7fff043f0000 0x7fff04497fff Memory Mapped File rwx False False False -
mswsock.dll 0x7fff04650000 0x7fff046acfff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fff046b0000 0x7fff046c6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fff04820000 0x7fff0482afff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
sxs.dll 0x7fff04ca0000 0x7fff04d37fff Memory Mapped File rwx False False False -
profapi.dll 0x7fff04e00000 0x7fff04e12fff Memory Mapped File rwx False False False -
powrprof.dll 0x7fff04e20000 0x7fff04e69fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fff05110000 0x7fff05153fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
nsi.dll 0x7fff05a80000 0x7fff05a87fff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
advapi32.dll 0x7fff05f30000 0x7fff05fd5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
ole32.dll 0x7fff06430000 0x7fff06570fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fff080d0000 0x7fff08138fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
For performance reasons, the remaining 3 entries are omitted.
The remaining entries can be found in flog.txt.
Process #13: taskhostw.exe
Information Value
ID #13
File Name c:\windows\system32\taskhostw.exe
Command Line taskhostw.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:02, Reason: Child Process
Unmonitor End Time: 00:03:41, Reason: Self Terminated
Monitor Duration 00:00:39
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x164
Parent PID 0x354 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x168
0x4FC
0x504
0x500
0x538
0x654
0x6DC
0x704
0x700
0x794
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000ff41100000 0xff41100000 0xff4111ffff Private Memory rw True False False -
pagefile_0x000000ff41100000 0xff41100000 0xff4110ffff Pagefile Backed Memory rw True False False -
private_0x000000ff41110000 0xff41110000 0xff41116fff Private Memory rw True False False -
pagefile_0x000000ff41120000 0xff41120000 0xff41133fff Pagefile Backed Memory r True False False -
private_0x000000ff41140000 0xff41140000 0xff411bffff Private Memory rw True False False -
pagefile_0x000000ff411c0000 0xff411c0000 0xff411c3fff Pagefile Backed Memory r True False False -
pagefile_0x000000ff411d0000 0xff411d0000 0xff411d0fff Pagefile Backed Memory r True False False -
private_0x000000ff411e0000 0xff411e0000 0xff411e1fff Private Memory rw True False False -
locale.nls 0xff411f0000 0xff412adfff Memory Mapped File r False False False -
private_0x000000ff412b0000 0xff412b0000 0xff4132ffff Private Memory rw True False False -
private_0x000000ff41330000 0xff41330000 0xff41336fff Private Memory rw True False False -
private_0x000000ff41340000 0xff41340000 0xff4143ffff Private Memory rw True False False -
pagefile_0x000000ff41440000 0xff41440000 0xff415c7fff Pagefile Backed Memory r True False False -
taskhostw.exe.mui 0xff415d0000 0xff415d0fff Memory Mapped File r False False False -
private_0x000000ff415e0000 0xff415e0000 0xff415e0fff Private Memory rw True False False -
private_0x000000ff415f0000 0xff415f0000 0xff415f0fff Private Memory rw True False False -
pagefile_0x000000ff41600000 0xff41600000 0xff41600fff Pagefile Backed Memory r True False False -
pagefile_0x000000ff41610000 0xff41610000 0xff41610fff Pagefile Backed Memory r True False False -
pagefile_0x000000ff41620000 0xff41620000 0xff41622fff Pagefile Backed Memory r True False False -
private_0x000000ff41630000 0xff41630000 0xff4163ffff Private Memory rw True False False -
pagefile_0x000000ff41640000 0xff41640000 0xff417c0fff Pagefile Backed Memory r True False False -
pagefile_0x000000ff417d0000 0xff417d0000 0xff4188ffff Pagefile Backed Memory r True False False -
private_0x000000ff41890000 0xff41890000 0xff4190ffff Private Memory rw True False False -
private_0x000000ff41910000 0xff41910000 0xff4198ffff Private Memory rw True False False -
private_0x000000ff41990000 0xff41990000 0xff41a0ffff Private Memory rw True False False -
private_0x000000ff41a10000 0xff41a10000 0xff41a8ffff Private Memory rw True False False -
sortdefault.nls 0xff41a90000 0xff41dc6fff Memory Mapped File r False False False -
private_0x000000ff41dd0000 0xff41dd0000 0xff41e4ffff Private Memory rw True False False -
private_0x000000ff41e50000 0xff41e50000 0xff41ecffff Private Memory rw True False False -
pagefile_0x00007df5ff550000 0x7df5ff550000 0x7ff5ff54ffff Pagefile Backed Memory - True False False -
private_0x00007ff79c6ba000 0x7ff79c6ba000 0x7ff79c6bbfff Private Memory rw True False False -
private_0x00007ff79c6bc000 0x7ff79c6bc000 0x7ff79c6bdfff Private Memory rw True False False -
private_0x00007ff79c6be000 0x7ff79c6be000 0x7ff79c6bffff Private Memory rw True False False -
pagefile_0x00007ff79c6c0000 0x7ff79c6c0000 0x7ff79c7bffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff79c7c0000 0x7ff79c7c0000 0x7ff79c7e2fff Pagefile Backed Memory r True False False -
private_0x00007ff79c7e4000 0x7ff79c7e4000 0x7ff79c7e5fff Private Memory rw True False False -
private_0x00007ff79c7e6000 0x7ff79c7e6000 0x7ff79c7e7fff Private Memory rw True False False -
private_0x00007ff79c7e8000 0x7ff79c7e8000 0x7ff79c7e9fff Private Memory rw True False False -
private_0x00007ff79c7ea000 0x7ff79c7ea000 0x7ff79c7ebfff Private Memory rw True False False -
private_0x00007ff79c7ec000 0x7ff79c7ec000 0x7ff79c7edfff Private Memory rw True False False -
private_0x00007ff79c7ee000 0x7ff79c7ee000 0x7ff79c7eefff Private Memory rw True False False -
taskhostw.exe 0x7ff79cd00000 0x7ff79cd18fff Memory Mapped File rwx False False False -
certenroll.dll 0x7ffefa710000 0x7ffefa9d9fff Memory Mapped File rwx False False False -
certca.dll 0x7ffefb090000 0x7ffefb14efff Memory Mapped File rwx False False False -
pautoenr.dll 0x7ffefb760000 0x7ffefb773fff Memory Mapped File rwx False False False -
cryptnet.dll 0x7ffefc030000 0x7ffefc05efff Memory Mapped File rwx False False False -
npmproxy.dll 0x7ffefc1e0000 0x7ffefc1edfff Memory Mapped File rwx False False False -
dimsjob.dll 0x7ffefced0000 0x7ffefcedefff Memory Mapped File rwx False False False -
netcfgx.dll 0x7ffefcee0000 0x7ffefcf53fff Memory Mapped File rwx False False False -
netprofm.dll 0x7ffefd550000 0x7ffefd58efff Memory Mapped File rwx False False False -
tpmcoreprovisioning.dll 0x7ffefd600000 0x7ffefd66bfff Memory Mapped File rwx False False False -
tpmtasks.dll 0x7ffefd670000 0x7ffefd67dfff Memory Mapped File rwx False False False -
winhttp.dll 0x7ffefdf10000 0x7ffefdfe5fff Memory Mapped File rwx False False False -
dsrole.dll 0x7fff003f0000 0x7fff003f9fff Memory Mapped File rwx False False False -
netutils.dll 0x7fff04030000 0x7fff0403bfff Memory Mapped File rwx False False False -
tbs.dll 0x7fff04090000 0x7fff0409cfff Memory Mapped File rwx False False False -
dpapi.dll 0x7fff04200000 0x7fff04209fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fff042a0000 0x7fff042d2fff Memory Mapped File rwx False False False -
logoncli.dll 0x7fff043b0000 0x7fff043edfff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fff046b0000 0x7fff046c6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fff04820000 0x7fff0482afff Memory Mapped File rwx False False False -
ntasn1.dll 0x7fff048b0000 0x7fff048e5fff Memory Mapped File rwx False False False -
ncrypt.dll 0x7fff048f0000 0x7fff04915fff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
msasn1.dll 0x7fff04de0000 0x7fff04df0fff Memory Mapped File rwx False False False -
profapi.dll 0x7fff04e00000 0x7fff04e12fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
crypt32.dll 0x7fff04f40000 0x7fff05100fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
nsi.dll 0x7fff05a80000 0x7fff05a87fff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
wldap32.dll 0x7fff05ed0000 0x7fff05f2afff Memory Mapped File rwx False False False -
advapi32.dll 0x7fff05f30000 0x7fff05fd5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
Process #14: svchost.exe
Information Value
ID #14
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k NetworkService
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:04, Reason: Autostart
Unmonitor End Time: 00:11:22, Reason: Terminated by Timeout
Monitor Duration 00:08:18
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8
Parent PID 0x1e4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Network Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x12C
0x250
0x2BC
0x29C
0x2C8
0x41C
0x420
0x424
0x42C
0x430
0x434
0x438
0x49C
0x4B0
0x4C0
0x524
0x530
0x554
0x59C
0x5B0
0x52C
0x648
0x66C
0x680
0x6B4
0x710
0x758
0x75C
0x764
0x768
0x774
0x784
0x788
0x78C
0x858
0x988
0xBF8
0x59C
0x53C
0xBDC
0xF0
0x460
0xB38
0x828
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000039dd0b0000 0x39dd0b0000 0x39dd0cffff Private Memory rw True False False -
pagefile_0x00000039dd0b0000 0x39dd0b0000 0x39dd0bffff Pagefile Backed Memory rw True False False -
svchost.exe.mui 0x39dd0c0000 0x39dd0c0fff Memory Mapped File r False False False -
pagefile_0x00000039dd0d0000 0x39dd0d0000 0x39dd0e3fff Pagefile Backed Memory r True False False -
private_0x00000039dd0f0000 0x39dd0f0000 0x39dd16ffff Private Memory rw True False False -
pagefile_0x00000039dd170000 0x39dd170000 0x39dd173fff Pagefile Backed Memory r True False False -
pagefile_0x00000039dd180000 0x39dd180000 0x39dd180fff Pagefile Backed Memory r True False False -
private_0x00000039dd190000 0x39dd190000 0x39dd191fff Private Memory rw True False False -
private_0x00000039dd1a0000 0x39dd1a0000 0x39dd1a0fff Private Memory rw True False False -
private_0x00000039dd1b0000 0x39dd1b0000 0x39dd1b6fff Private Memory rw True False False -
private_0x00000039dd1c0000 0x39dd1c0000 0x39dd1c0fff Private Memory rw True False False -
pagefile_0x00000039dd1d0000 0x39dd1d0000 0x39dd1d0fff Pagefile Backed Memory r True False False -
pagefile_0x00000039dd1e0000 0x39dd1e0000 0x39dd1e0fff Pagefile Backed Memory r True False False -
vsstrace.dll.mui 0x39dd1f0000 0x39dd1f8fff Memory Mapped File r False False False -
private_0x00000039dd200000 0x39dd200000 0x39dd2fffff Private Memory rw True False False -
locale.nls 0x39dd300000 0x39dd3bdfff Memory Mapped File r False False False -
private_0x00000039dd3c0000 0x39dd3c0000 0x39dd43ffff Private Memory rw True False False -
pagefile_0x00000039dd440000 0x39dd440000 0x39dd5c7fff Pagefile Backed Memory r True False False -
private_0x00000039dd5d0000 0x39dd5d0000 0x39dd5d6fff Private Memory rw True False False -
private_0x00000039dd5e0000 0x39dd5e0000 0x39dd5e0fff Private Memory rw True False False -
winnlsres.dll 0x39dd5f0000 0x39dd5f4fff Memory Mapped File r False False False -
private_0x00000039dd600000 0x39dd600000 0x39dd6fffff Private Memory rw True False False -
pagefile_0x00000039dd700000 0x39dd700000 0x39dd880fff Pagefile Backed Memory r True False False -
pagefile_0x00000039dd890000 0x39dd890000 0x39dd94ffff Pagefile Backed Memory r True False False -
private_0x00000039dd950000 0x39dd950000 0x39dda4ffff Private Memory rw True False False -
private_0x00000039dda50000 0x39dda50000 0x39ddb4ffff Private Memory rw True False False -
private_0x00000039ddb50000 0x39ddb50000 0x39ddc4ffff Private Memory rw True False False -
private_0x00000039ddc50000 0x39ddc50000 0x39ddd4ffff Private Memory rw True False False -
private_0x00000039ddd50000 0x39ddd50000 0x39dde4ffff Private Memory rw True False False -
private_0x00000039dde50000 0x39dde50000 0x39ddf4ffff Private Memory rw True False False -
private_0x00000039ddf50000 0x39ddf50000 0x39de04ffff Private Memory rw True False False -
private_0x00000039de050000 0x39de050000 0x39de14ffff Private Memory rw True False False -
private_0x00000039de150000 0x39de150000 0x39de24ffff Private Memory rw True False False -
private_0x00000039de250000 0x39de250000 0x39de34ffff Private Memory rw True False False -
winnlsres.dll.mui 0x39de350000 0x39de35ffff Memory Mapped File r False False False -
mswsock.dll.mui 0x39de360000 0x39de362fff Memory Mapped File r False False False -
private_0x00000039de370000 0x39de370000 0x39de370fff Private Memory rw True False False -
private_0x00000039de380000 0x39de380000 0x39de380fff Private Memory rw True False False -
private_0x00000039de390000 0x39de390000 0x39de390fff Private Memory rw True False False -
private_0x00000039de3a0000 0x39de3a0000 0x39de3a0fff Private Memory rw True False False -
private_0x00000039de3b0000 0x39de3b0000 0x39de3b6fff Private Memory rw True False False -
private_0x00000039de400000 0x39de400000 0x39de4fffff Private Memory rw True False False -
private_0x00000039de500000 0x39de500000 0x39de5fffff Private Memory rw True False False -
private_0x00000039de600000 0x39de600000 0x39de67ffff Private Memory rw True False False -
sortdefault.nls 0x39de680000 0x39de9b6fff Memory Mapped File r False False False -
private_0x00000039de9c0000 0x39de9c0000 0x39deabffff Private Memory rw True False False -
private_0x00000039deac0000 0x39deac0000 0x39debbffff Private Memory rw True False False -
private_0x00000039debc0000 0x39debc0000 0x39decbffff Private Memory rw True False False -
private_0x00000039dece0000 0x39dece0000 0x39dece6fff Private Memory rw True False False -
private_0x00000039ded00000 0x39ded00000 0x39dedfffff Private Memory rw True False False -
private_0x00000039dee70000 0x39dee70000 0x39dee76fff Private Memory rw True False False -
private_0x00000039dee80000 0x39dee80000 0x39def41fff Private Memory rw True False False -
private_0x00000039defa0000 0x39defa0000 0x39defa6fff Private Memory rw True False False -
private_0x00000039df000000 0x39df000000 0x39df0fffff Private Memory rw True False False -
private_0x00000039df100000 0x39df100000 0x39df1fffff Private Memory rw True False False -
private_0x00000039df200000 0x39df200000 0x39df2fffff Private Memory rw True False False -
private_0x00000039df300000 0x39df300000 0x39df37ffff Private Memory rw True False False -
private_0x00000039df400000 0x39df400000 0x39df4fffff Private Memory rw True False False -
private_0x00000039df500000 0x39df500000 0x39df5fffff Private Memory rw True False False -
private_0x00000039df600000 0x39df600000 0x39df6fffff Private Memory rw True False False -
pagefile_0x00007df5ff5b0000 0x7df5ff5b0000 0x7ff5ff5affff Pagefile Backed Memory - True False False -
private_0x00007ff6baba6000 0x7ff6baba6000 0x7ff6baba7fff Private Memory rw True False False -
private_0x00007ff6baba8000 0x7ff6baba8000 0x7ff6baba9fff Private Memory rw True False False -
private_0x00007ff6babaa000 0x7ff6babaa000 0x7ff6bababfff Private Memory rw True False False -
private_0x00007ff6babac000 0x7ff6babac000 0x7ff6babadfff Private Memory rw True False False -
private_0x00007ff6babae000 0x7ff6babae000 0x7ff6babaffff Private Memory rw True False False -
private_0x00007ff6babb0000 0x7ff6babb0000 0x7ff6babb1fff Private Memory rw True False False -
private_0x00007ff6babb2000 0x7ff6babb2000 0x7ff6babb3fff Private Memory rw True False False -
private_0x00007ff6babb4000 0x7ff6babb4000 0x7ff6babb5fff Private Memory rw True False False -
private_0x00007ff6babb6000 0x7ff6babb6000 0x7ff6babb7fff Private Memory rw True False False -
private_0x00007ff6babb8000 0x7ff6babb8000 0x7ff6babb9fff Private Memory rw True False False -
private_0x00007ff6babba000 0x7ff6babba000 0x7ff6babbbfff Private Memory rw True False False -
private_0x00007ff6babbc000 0x7ff6babbc000 0x7ff6babbdfff Private Memory rw True False False -
private_0x00007ff6babbe000 0x7ff6babbe000 0x7ff6babbffff Private Memory rw True False False -
pagefile_0x00007ff6babc0000 0x7ff6babc0000 0x7ff6bacbffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6bacc0000 0x7ff6bacc0000 0x7ff6bace2fff Pagefile Backed Memory r True False False -
private_0x00007ff6bace3000 0x7ff6bace3000 0x7ff6bace4fff Private Memory rw True False False -
private_0x00007ff6bace5000 0x7ff6bace5000 0x7ff6bace6fff Private Memory rw True False False -
private_0x00007ff6bace7000 0x7ff6bace7000 0x7ff6bace8fff Private Memory rw True False False -
private_0x00007ff6bace9000 0x7ff6bace9000 0x7ff6baceafff Private Memory rw True False False -
private_0x00007ff6baceb000 0x7ff6baceb000 0x7ff6bacecfff Private Memory rw True False False -
private_0x00007ff6baced000 0x7ff6baced000 0x7ff6baceefff Private Memory rw True False False -
private_0x00007ff6bacef000 0x7ff6bacef000 0x7ff6baceffff Private Memory rw True False False -
svchost.exe 0x7ff6bbac0000 0x7ff6bbaccfff Memory Mapped File rwx False False False -
webio.dll 0x7ffefc280000 0x7ffefc2fffff Memory Mapped File rwx False False False -
wlanapi.dll 0x7ffefcd50000 0x7ffefcdaefff Memory Mapped File rwx False False False -
ondemandconnroutehelper.dll 0x7ffefd1c0000 0x7ffefd1d4fff Memory Mapped File rwx False False False -
ssdpapi.dll 0x7ffefd3b0000 0x7ffefd3c4fff Memory Mapped File rwx False False False -
ncsi.dll 0x7ffefd460000 0x7ffefd4befff Memory Mapped File rwx False False False -
nlasvc.dll 0x7ffefd4c0000 0x7ffefd51ffff Memory Mapped File rwx False False False -
winhttp.dll 0x7ffefdf10000 0x7ffefdfe5fff Memory Mapped File rwx False False False -
vsstrace.dll 0x7ffefe010000 0x7ffefe027fff Memory Mapped File rwx False False False -
vssapi.dll 0x7ffefe070000 0x7ffefe1f2fff Memory Mapped File rwx False False False -
cryptcatsvc.dll 0x7ffefe6e0000 0x7ffefe703fff Memory Mapped File rwx False False False -
crypttpmeksvc.dll 0x7ffefe710000 0x7ffefe722fff Memory Mapped File rwx False False False -
cryptsvc.dll 0x7ffefe730000 0x7ffefe746fff Memory Mapped File rwx False False False -
wkssvc.dll 0x7ffefecf0000 0x7ffefed38fff Memory Mapped File rwx False False False -
dhcpcsvc.dll 0x7ffeff2c0000 0x7ffeff2d9fff Memory Mapped File rwx False False False -
dhcpcsvc6.dll 0x7ffeff2e0000 0x7ffeff2f5fff Memory Mapped File rwx False False False -
dnsext.dll 0x7ffeff3a0000 0x7ffeff3a9fff Memory Mapped File rwx False False False -
fwpuclnt.dll 0x7ffeff3b0000 0x7ffeff417fff Memory Mapped File rwx False False False -
dnsrslvr.dll 0x7ffeff420000 0x7ffeff468fff Memory Mapped File rwx False False False -
samlib.dll 0x7ffeff530000 0x7ffeff54bfff Memory Mapped File rwx False False False -
propsys.dll 0x7ffeff870000 0x7ffeff9f2fff Memory Mapped File rwx False False False -
es.dll 0x7ffeffaf0000 0x7ffeffb69fff Memory Mapped File rwx False False False -
netjoin.dll 0x7ffeffca0000 0x7ffeffcccfff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffeffcf0000 0x7ffeffd05fff Memory Mapped File rwx False False False -
wevtapi.dll 0x7ffeffd10000 0x7ffeffd74fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffeffd80000 0x7ffeffd97fff Memory Mapped File rwx False False False -
wmiclnt.dll 0x7fff00190000 0x7fff001a0fff Memory Mapped File rwx False False False -
taskschd.dll 0x7fff00300000 0x7fff003bffff Memory Mapped File rwx False False False -
winnsi.dll 0x7fff00400000 0x7fff0040afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fff00420000 0x7fff00457fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fff033a0000 0x7fff033b2fff Memory Mapped File rwx False False False -
gpapi.dll 0x7fff03d00000 0x7fff03d22fff Memory Mapped File rwx False False False -
netutils.dll 0x7fff04030000 0x7fff0403bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fff042a0000 0x7fff042d2fff Memory Mapped File rwx False False False -
userenv.dll 0x7fff04390000 0x7fff043aefff Memory Mapped File rwx False False False -
dnsapi.dll 0x7fff043f0000 0x7fff04497fff Memory Mapped File rwx False False False -
winsta.dll 0x7fff044a0000 0x7fff044f7fff Memory Mapped File rwx False False False -
mswsock.dll 0x7fff04650000 0x7fff046acfff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fff046b0000 0x7fff046c6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fff04820000 0x7fff0482afff Memory Mapped File rwx False False False -
joinutil.dll 0x7fff04860000 0x7fff04880fff Memory Mapped File rwx False False False -
ntasn1.dll 0x7fff048b0000 0x7fff048e5fff Memory Mapped File rwx False False False -
ncrypt.dll 0x7fff048f0000 0x7fff04915fff Memory Mapped File rwx False False False -
sspicli.dll 0x7fff04a00000 0x7fff04a2bfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
msasn1.dll 0x7fff04de0000 0x7fff04df0fff Memory Mapped File rwx False False False -
profapi.dll 0x7fff04e00000 0x7fff04e12fff Memory Mapped File rwx False False False -
powrprof.dll 0x7fff04e20000 0x7fff04e69fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
crypt32.dll 0x7fff04f40000 0x7fff05100fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fff05110000 0x7fff05153fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
nsi.dll 0x7fff05a80000 0x7fff05a87fff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
advapi32.dll 0x7fff05f30000 0x7fff05fd5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fff080d0000 0x7fff08138fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
For performance reasons, the remaining 88 entries are omitted.
The remaining entries can be found in flog.txt.
Process #15: svchost.exe
Information Value
ID #15
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k WbioSvcGroup
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:07, Reason: Autostart
Unmonitor End Time: 00:06:29, Reason: Self Terminated
Monitor Duration 00:03:22
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x478
Parent PID 0x1e4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x47C
0x480
0x488
0x48C
0x490
0x798
0x79C
0x734
0x9C0
0x9BC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000008bb5180000 0x8bb5180000 0x8bb519ffff Private Memory rw True False False -
pagefile_0x0000008bb5180000 0x8bb5180000 0x8bb518ffff Pagefile Backed Memory rw True False False -
wbiosrvc.dll.mui 0x8bb5190000 0x8bb5195fff Memory Mapped File r False False False -
pagefile_0x0000008bb51a0000 0x8bb51a0000 0x8bb51b3fff Pagefile Backed Memory r True False False -
private_0x0000008bb51c0000 0x8bb51c0000 0x8bb523ffff Private Memory rw True False False -
pagefile_0x0000008bb5240000 0x8bb5240000 0x8bb5243fff Pagefile Backed Memory r True False False -
pagefile_0x0000008bb5250000 0x8bb5250000 0x8bb5250fff Pagefile Backed Memory r True False False -
private_0x0000008bb5260000 0x8bb5260000 0x8bb5261fff Private Memory rw True False False -
locale.nls 0x8bb5270000 0x8bb532dfff Memory Mapped File r False False False -
winbiostorageadapter.dll.mui 0x8bb5330000 0x8bb5330fff Memory Mapped File r False False False -
svchost.exe.mui 0x8bb5340000 0x8bb5340fff Memory Mapped File r False False False -
private_0x0000008bb5350000 0x8bb5350000 0x8bb5350fff Private Memory rw True False False -
private_0x0000008bb5360000 0x8bb5360000 0x8bb5360fff Private Memory rw True False False -
private_0x0000008bb5380000 0x8bb5380000 0x8bb5386fff Private Memory rw True False False -
private_0x0000008bb53a0000 0x8bb53a0000 0x8bb53a6fff Private Memory rw True False False -
private_0x0000008bb5400000 0x8bb5400000 0x8bb54fffff Private Memory rw True False False -
private_0x0000008bb5500000 0x8bb5500000 0x8bb557ffff Private Memory rw True False False -
private_0x0000008bb5580000 0x8bb5580000 0x8bb567ffff Private Memory rw True False False -
private_0x0000008bb5680000 0x8bb5680000 0x8bb577ffff Private Memory rw True False False -
private_0x0000008bb5800000 0x8bb5800000 0x8bb58fffff Private Memory rw True False False -
private_0x0000008bb5900000 0x8bb5900000 0x8bb59fffff Private Memory rw True False False -
pagefile_0x0000008bb5a00000 0x8bb5a00000 0x8bb5b87fff Pagefile Backed Memory r True False False -
pagefile_0x0000008bb5b90000 0x8bb5b90000 0x8bb5d10fff Pagefile Backed Memory r True False False -
pagefile_0x0000008bb5d20000 0x8bb5d20000 0x8bb5ddffff Pagefile Backed Memory r True False False -
pagefile_0x00007df5ff770000 0x7df5ff770000 0x7ff5ff76ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff6babd0000 0x7ff6babd0000 0x7ff6baccffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6bacd0000 0x7ff6bacd0000 0x7ff6bacf2fff Pagefile Backed Memory r True False False -
private_0x00007ff6bacf5000 0x7ff6bacf5000 0x7ff6bacf6fff Private Memory rw True False False -
private_0x00007ff6bacf7000 0x7ff6bacf7000 0x7ff6bacf8fff Private Memory rw True False False -
private_0x00007ff6bacf9000 0x7ff6bacf9000 0x7ff6bacfafff Private Memory rw True False False -
private_0x00007ff6bacfb000 0x7ff6bacfb000 0x7ff6bacfcfff Private Memory rw True False False -
private_0x00007ff6bacfd000 0x7ff6bacfd000 0x7ff6bacfefff Private Memory rw True False False -
private_0x00007ff6bacff000 0x7ff6bacff000 0x7ff6bacfffff Private Memory rw True False False -
svchost.exe 0x7ff6bbac0000 0x7ff6bbaccfff Memory Mapped File rwx False False False -
rtworkq.dll 0x7ffefeab0000 0x7ffefeadffff Memory Mapped File rwx False False False -
mfplat.dll 0x7ffefeae0000 0x7ffefebebfff Memory Mapped File rwx False False False -
nuivoicewbsadapters.dll 0x7ffefebf0000 0x7ffefec5afff Memory Mapped File rwx False False False -
winbiostorageadapter.dll 0x7ffefec60000 0x7ffefec6afff Memory Mapped File rwx False False False -
facerecognitionengineadapter.dll 0x7ffefec70000 0x7ffefeca5fff Memory Mapped File rwx False False False -
facerecognitionsensoradapter.dll 0x7ffefecb0000 0x7ffefece0fff Memory Mapped File rwx False False False -
winbioext.dll 0x7ffefed40000 0x7ffefed47fff Memory Mapped File rwx False False False -
ucrtbase.dll 0x7ffefed50000 0x7ffefee41fff Memory Mapped File rwx False False False -
msvcp_win.dll 0x7ffefee50000 0x7ffefeeeafff Memory Mapped File rwx False False False -
wbiosrvc.dll 0x7ffefeef0000 0x7ffefef89fff Memory Mapped File rwx False False False -
avrt.dll 0x7ffeff580000 0x7ffeff58afff Memory Mapped File rwx False False False -
d2d1.dll 0x7fff005e0000 0x7fff00b24fff Memory Mapped File rwx False False False -
devobj.dll 0x7fff03750000 0x7fff03776fff Memory Mapped File rwx False False False -
dpapi.dll 0x7fff04200000 0x7fff04209fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fff04820000 0x7fff0482afff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
msasn1.dll 0x7fff04de0000 0x7fff04df0fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
shcore.dll 0x7fff04e80000 0x7fff04f32fff Memory Mapped File rwx False False False -
crypt32.dll 0x7fff04f40000 0x7fff05100fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fff05110000 0x7fff05153fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
advapi32.dll 0x7fff05f30000 0x7fff05fd5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
Process #16: svchost.exe
Information Value
ID #16
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:09, Reason: Autostart
Unmonitor End Time: 00:11:22, Reason: Terminated by Timeout
Monitor Duration 00:08:13
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x494
Parent PID 0x1e4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Local Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x498
0x4A4
0x4BC
0x4C4
0x4C8
0x4CC
0x4D0
0x4D4
0x4DC
0x4E0
0x4E4
0x4E8
0x4EC
0x4F4
0x4F8
0x508
0x50C
0x510
0x514
0x534
0x540
0x544
0x560
0x564
0x57C
0x580
0x584
0x590
0x5A8
0x5AC
0x708
0x72C
0x748
0x750
0x7E8
0x644
0x348
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000001c45ef0000 0x1c45ef0000 0x1c45f0ffff Private Memory rw True False False -
pagefile_0x0000001c45ef0000 0x1c45ef0000 0x1c45efffff Pagefile Backed Memory rw True False False -
svchost.exe.mui 0x1c45f00000 0x1c45f00fff Memory Mapped File r False False False -
pagefile_0x0000001c45f10000 0x1c45f10000 0x1c45f23fff Pagefile Backed Memory r True False False -
private_0x0000001c45f30000 0x1c45f30000 0x1c45faffff Private Memory rw True False False -
pagefile_0x0000001c45fb0000 0x1c45fb0000 0x1c45fb3fff Pagefile Backed Memory r True False False -
pagefile_0x0000001c45fc0000 0x1c45fc0000 0x1c45fc0fff Pagefile Backed Memory r True False False -
private_0x0000001c45fd0000 0x1c45fd0000 0x1c45fd1fff Private Memory rw True False False -
private_0x0000001c45fe0000 0x1c45fe0000 0x1c4605ffff Private Memory rw True False False -
private_0x0000001c46060000 0x1c46060000 0x1c46060fff Private Memory rw True False False -
private_0x0000001c46070000 0x1c46070000 0x1c46076fff Private Memory rw True False False -
private_0x0000001c46080000 0x1c46080000 0x1c46080fff Private Memory rw True False False -
bfe.dll.mui 0x1c46090000 0x1c46096fff Memory Mapped File r False False False -
firewallapi.dll.mui 0x1c460a0000 0x1c460c3fff Memory Mapped File r False False False -
private_0x0000001c460d0000 0x1c460d0000 0x1c460dffff Private Memory rw True False False -
private_0x0000001c460e0000 0x1c460e0000 0x1c460e0fff Private Memory rw True False False -
pagefile_0x0000001c460f0000 0x1c460f0000 0x1c460f0fff Pagefile Backed Memory r True False False -
private_0x0000001c46100000 0x1c46100000 0x1c461fffff Private Memory rw True False False -
locale.nls 0x1c46200000 0x1c462bdfff Memory Mapped File r False False False -
pagefile_0x0000001c462c0000 0x1c462c0000 0x1c46447fff Pagefile Backed Memory r True False False -
pagefile_0x0000001c46450000 0x1c46450000 0x1c46450fff Pagefile Backed Memory r True False False -
private_0x0000001c46460000 0x1c46460000 0x1c46467fff Private Memory rw True False False -
private_0x0000001c46470000 0x1c46470000 0x1c46470fff Private Memory rw True False False -
pagefile_0x0000001c46470000 0x1c46470000 0x1c46471fff Pagefile Backed Memory r True False False -
private_0x0000001c46480000 0x1c46480000 0x1c46486fff Private Memory rw True False False -
private_0x0000001c46490000 0x1c46490000 0x1c46490fff Private Memory rw True False False -
private_0x0000001c46490000 0x1c46490000 0x1c46494fff Private Memory rw True False False -
private_0x0000001c464a0000 0x1c464a0000 0x1c464a0fff Private Memory rw True False False -
private_0x0000001c464b0000 0x1c464b0000 0x1c464b0fff Private Memory rw True False False -
private_0x0000001c464c0000 0x1c464c0000 0x1c464c0fff Private Memory rw True False False -
pagefile_0x0000001c464c0000 0x1c464c0000 0x1c464cffff Pagefile Backed Memory rw True False False -
pagefile_0x0000001c464d0000 0x1c464d0000 0x1c464dffff Pagefile Backed Memory rw True False False -
pagefile_0x0000001c464e0000 0x1c464e0000 0x1c464effff Pagefile Backed Memory rw True False False -
pagefile_0x0000001c464f0000 0x1c464f0000 0x1c464fffff Pagefile Backed Memory rw True False False -
private_0x0000001c46500000 0x1c46500000 0x1c465fffff Private Memory rw True False False -
pagefile_0x0000001c46600000 0x1c46600000 0x1c46780fff Pagefile Backed Memory r True False False -
pagefile_0x0000001c46790000 0x1c46790000 0x1c4684ffff Pagefile Backed Memory r True False False -
private_0x0000001c46850000 0x1c46850000 0x1c4694ffff Private Memory rw True False False -
firewallapi.dll 0x1c46950000 0x1c469ccfff Memory Mapped File r False False False -
pagefile_0x0000001c469d0000 0x1c469d0000 0x1c469dffff Pagefile Backed Memory rw True False False -
pagefile_0x0000001c469e0000 0x1c469e0000 0x1c469effff Pagefile Backed Memory rw True False False -
private_0x0000001c46a40000 0x1c46a40000 0x1c46a46fff Private Memory rw True False False -
private_0x0000001c46a50000 0x1c46a50000 0x1c46acffff Private Memory rw True False False -
private_0x0000001c46b00000 0x1c46b00000 0x1c46bfffff Private Memory rw True False False -
private_0x0000001c46c00000 0x1c46c00000 0x1c46cfffff Private Memory rw True False False -
private_0x0000001c46d00000 0x1c46d00000 0x1c46dfffff Private Memory rw True False False -
private_0x0000001c46e00000 0x1c46e00000 0x1c46efffff Private Memory rw True False False -
private_0x0000001c46f00000 0x1c46f00000 0x1c46ffffff Private Memory rw True False False -
private_0x0000001c47000000 0x1c47000000 0x1c470fffff Private Memory rw True False False -
private_0x0000001c47100000 0x1c47100000 0x1c471fffff Private Memory rw True False False -
private_0x0000001c47200000 0x1c47200000 0x1c472fffff Private Memory rw True False False -
private_0x0000001c47300000 0x1c47300000 0x1c473fffff Private Memory rw True False False -
private_0x0000001c47400000 0x1c47400000 0x1c474fffff Private Memory rw True False False -
private_0x0000001c47500000 0x1c47500000 0x1c475fffff Private Memory rw True False False -
private_0x0000001c47600000 0x1c47600000 0x1c476fffff Private Memory rw True False False -
private_0x0000001c47700000 0x1c47700000 0x1c477fffff Private Memory rw True False False -
private_0x0000001c47800000 0x1c47800000 0x1c47ffffff Private Memory - True False False -
private_0x0000001c48000000 0x1c48000000 0x1c480fffff Private Memory rw True False False -
private_0x0000001c48100000 0x1c48100000 0x1c481fffff Private Memory rw True False False -
private_0x0000001c48200000 0x1c48200000 0x1c482fffff Private Memory rw True False False -
private_0x0000001c48300000 0x1c48300000 0x1c483fffff Private Memory rw True False False -
private_0x0000001c48400000 0x1c48400000 0x1c484fffff Private Memory rw True False False -
private_0x0000001c48500000 0x1c48500000 0x1c485fffff Private Memory rw True False False -
sortdefault.nls 0x1c48600000 0x1c48936fff Memory Mapped File r False False False -
private_0x0000001c48940000 0x1c48940000 0x1c48a3ffff Private Memory rw True False False -
pagefile_0x00007df5fff90000 0x7df5fff90000 0x7ff5fff8ffff Pagefile Backed Memory - True False False -
private_0x00007ff6bb5be000 0x7ff6bb5be000 0x7ff6bb5bffff Private Memory rw True False False -
private_0x00007ff6bb5c0000 0x7ff6bb5c0000 0x7ff6bb5c1fff Private Memory rw True False False -
private_0x00007ff6bb5c2000 0x7ff6bb5c2000 0x7ff6bb5c3fff Private Memory rw True False False -
private_0x00007ff6bb5c4000 0x7ff6bb5c4000 0x7ff6bb5c5fff Private Memory rw True False False -
private_0x00007ff6bb5c6000 0x7ff6bb5c6000 0x7ff6bb5c7fff Private Memory rw True False False -
private_0x00007ff6bb5c8000 0x7ff6bb5c8000 0x7ff6bb5c9fff Private Memory rw True False False -
private_0x00007ff6bb5ca000 0x7ff6bb5ca000 0x7ff6bb5cbfff Private Memory rw True False False -
private_0x00007ff6bb5cc000 0x7ff6bb5cc000 0x7ff6bb5cdfff Private Memory rw True False False -
private_0x00007ff6bb5ce000 0x7ff6bb5ce000 0x7ff6bb5cffff Private Memory rw True False False -
private_0x00007ff6bb5d0000 0x7ff6bb5d0000 0x7ff6bb5d1fff Private Memory rw True False False -
private_0x00007ff6bb5d2000 0x7ff6bb5d2000 0x7ff6bb5d3fff Private Memory rw True False False -
private_0x00007ff6bb5d4000 0x7ff6bb5d4000 0x7ff6bb5d5fff Private Memory rw True False False -
private_0x00007ff6bb5d6000 0x7ff6bb5d6000 0x7ff6bb5d7fff Private Memory rw True False False -
private_0x00007ff6bb5d8000 0x7ff6bb5d8000 0x7ff6bb5d9fff Private Memory rw True False False -
private_0x00007ff6bb5da000 0x7ff6bb5da000 0x7ff6bb5dbfff Private Memory rw True False False -
private_0x00007ff6bb5dc000 0x7ff6bb5dc000 0x7ff6bb5ddfff Private Memory rw True False False -
private_0x00007ff6bb5de000 0x7ff6bb5de000 0x7ff6bb5dffff Private Memory rw True False False -
pagefile_0x00007ff6bb5e0000 0x7ff6bb5e0000 0x7ff6bb6dffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6bb6e0000 0x7ff6bb6e0000 0x7ff6bb702fff Pagefile Backed Memory r True False False -
private_0x00007ff6bb704000 0x7ff6bb704000 0x7ff6bb705fff Private Memory rw True False False -
private_0x00007ff6bb706000 0x7ff6bb706000 0x7ff6bb707fff Private Memory rw True False False -
private_0x00007ff6bb708000 0x7ff6bb708000 0x7ff6bb709fff Private Memory rw True False False -
private_0x00007ff6bb70a000 0x7ff6bb70a000 0x7ff6bb70bfff Private Memory rw True False False -
private_0x00007ff6bb70c000 0x7ff6bb70c000 0x7ff6bb70dfff Private Memory rw True False False -
private_0x00007ff6bb70e000 0x7ff6bb70e000 0x7ff6bb70efff Private Memory rw True False False -
svchost.exe 0x7ff6bbac0000 0x7ff6bbaccfff Memory Mapped File rwx False False False -
esent.dll 0x7ffefd800000 0x7ffefdae1fff Memory Mapped File rwx False False False -
srumsvc.dll 0x7ffefdaf0000 0x7ffefdb27fff Memory Mapped File rwx False False False -
diagperf.dll 0x7ffefdb50000 0x7ffefdcb5fff Memory Mapped File rwx False False False -
pots.dll 0x7ffefdd20000 0x7ffefdd2cfff Memory Mapped File rwx False False False -
pnpts.dll 0x7ffefdd30000 0x7ffefdd38fff Memory Mapped File rwx False False False -
wfapigp.dll 0x7ffefdf00000 0x7ffefdf0bfff Memory Mapped File rwx False False False -
wdi.dll 0x7ffefdff0000 0x7ffefe00cfff Memory Mapped File rwx False False False -
dps.dll 0x7ffefe290000 0x7ffefe2befff Memory Mapped File rwx False False False -
wship6.dll 0x7ffefe750000 0x7ffefe757fff Memory Mapped File rwx False False False -
wshtcpip.dll 0x7ffefe760000 0x7ffefe767fff Memory Mapped File rwx False False False -
wshqos.dll 0x7ffefe770000 0x7ffefe779fff Memory Mapped File rwx False False False -
adhapi.dll 0x7ffefe780000 0x7ffefe789fff Memory Mapped File rwx False False False -
msvcp110_win.dll 0x7ffefe790000 0x7ffefe821fff Memory Mapped File rwx False False False -
policymanager.dll 0x7ffefe830000 0x7ffefe868fff Memory Mapped File rwx False False False -
httpprxc.dll 0x7ffefe870000 0x7ffefe878fff Memory Mapped File rwx False False False -
fwpolicyiomgr.dll 0x7ffefe880000 0x7ffefe8b4fff Memory Mapped File rwx False False False -
mpssvc.dll 0x7ffefe8c0000 0x7ffefe999fff Memory Mapped File rwx False False False -
xmllite.dll 0x7ffefe9a0000 0x7ffefe9d5fff Memory Mapped File rwx False False False -
bfe.dll 0x7ffefe9e0000 0x7ffefeaa9fff Memory Mapped File rwx False False False -
dhcpcsvc.dll 0x7ffeff2c0000 0x7ffeff2d9fff Memory Mapped File rwx False False False -
dhcpcsvc6.dll 0x7ffeff2e0000 0x7ffeff2f5fff Memory Mapped File rwx False False False -
fwpuclnt.dll 0x7ffeff3b0000 0x7ffeff417fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffeffcf0000 0x7ffeffd05fff Memory Mapped File rwx False False False -
wevtapi.dll 0x7ffeffd10000 0x7ffeffd74fff Memory Mapped File rwx False False False -
taskschd.dll 0x7fff00300000 0x7fff003bffff Memory Mapped File rwx False False False -
winnsi.dll 0x7fff00400000 0x7fff0040afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fff00420000 0x7fff00457fff Memory Mapped File rwx False False False -
iertutil.dll 0x7fff00e30000 0x7fff011a5fff Memory Mapped File rwx False False False -
mrmcorer.dll 0x7fff02250000 0x7fff0235efff Memory Mapped File rwx False False False -
coremessaging.dll 0x7fff02fe0000 0x7fff030a7fff Memory Mapped File rwx False False False -
fwbase.dll 0x7fff03920000 0x7fff03951fff Memory Mapped File rwx False False False -
gpapi.dll 0x7fff03d00000 0x7fff03d22fff Memory Mapped File rwx False False False -
tdh.dll 0x7fff03d30000 0x7fff03e27fff Memory Mapped File rwx False False False -
authz.dll 0x7fff03ea0000 0x7fff03ee7fff Memory Mapped File rwx False False False -
netutils.dll 0x7fff04030000 0x7fff0403bfff Memory Mapped File rwx False False False -
dnsapi.dll 0x7fff043f0000 0x7fff04497fff Memory Mapped File rwx False False False -
mswsock.dll 0x7fff04650000 0x7fff046acfff Memory Mapped File rwx False False False -
sspicli.dll 0x7fff04a00000 0x7fff04a2bfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
shcore.dll 0x7fff04e80000 0x7fff04f32fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fff05110000 0x7fff05153fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
nsi.dll 0x7fff05a80000 0x7fff05a87fff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
advapi32.dll 0x7fff05f30000 0x7fff05fd5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fff080d0000 0x7fff08138fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
For performance reasons, the remaining 71 entries are omitted.
The remaining entries can be found in flog.txt.
Process #17: svchost.exe
Information Value
ID #17
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k appmodel
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:24, Reason: Autostart
Unmonitor End Time: 00:11:22, Reason: Terminated by Timeout
Monitor Duration 00:07:58
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x64c
Parent PID 0x1e4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x650
0x658
0x6C0
0x6E8
0x6F0
0x6F4
0x8C8
0x8E8
0x910
0x924
0x928
0xAD8
0xADC
0xAE0
0xAE4
0xAE8
0xBDC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000af481e0000 0xaf481e0000 0xaf481fffff Private Memory rw True False False -
pagefile_0x000000af481e0000 0xaf481e0000 0xaf481effff Pagefile Backed Memory rw True False False -
svchost.exe.mui 0xaf481f0000 0xaf481f0fff Memory Mapped File r False False False -
pagefile_0x000000af48200000 0xaf48200000 0xaf48213fff Pagefile Backed Memory r True False False -
private_0x000000af48220000 0xaf48220000 0xaf4829ffff Private Memory rw True False False -
pagefile_0x000000af482a0000 0xaf482a0000 0xaf482a3fff Pagefile Backed Memory r True False False -
pagefile_0x000000af482b0000 0xaf482b0000 0xaf482b0fff Pagefile Backed Memory r True False False -
private_0x000000af482c0000 0xaf482c0000 0xaf482c1fff Private Memory rw True False False -
locale.nls 0xaf482d0000 0xaf4838dfff Memory Mapped File r False False False -
private_0x000000af48390000 0xaf48390000 0xaf48390fff Private Memory rw True False False -
private_0x000000af483a0000 0xaf483a0000 0xaf483a6fff Private Memory rw True False False -
private_0x000000af483b0000 0xaf483b0000 0xaf483b0fff Private Memory rw True False False -
pagefile_0x000000af483c0000 0xaf483c0000 0xaf483c0fff Pagefile Backed Memory r True False False -
pagefile_0x000000af483d0000 0xaf483d0000 0xaf483d0fff Pagefile Backed Memory rw True False False -
private_0x000000af483e0000 0xaf483e0000 0xaf483e0fff Private Memory rw True False False -
private_0x000000af483f0000 0xaf483f0000 0xaf483f0fff Private Memory rw True False False -
private_0x000000af48400000 0xaf48400000 0xaf484fffff Private Memory rw True False False -
private_0x000000af48500000 0xaf48500000 0xaf4857ffff Private Memory rw True False False -
pagefile_0x000000af48580000 0xaf48580000 0xaf4863ffff Pagefile Backed Memory r True False False -
pagefile_0x000000af48640000 0xaf48640000 0xaf4864ffff Pagefile Backed Memory rw True False False -
pagefile_0x000000af48650000 0xaf48650000 0xaf4865ffff Pagefile Backed Memory rw True False False -
pagefile_0x000000af48660000 0xaf48660000 0xaf4866ffff Pagefile Backed Memory rw True False False -
pagefile_0x000000af48670000 0xaf48670000 0xaf4867ffff Pagefile Backed Memory rw True False False -
pagefile_0x000000af48680000 0xaf48680000 0xaf4868ffff Pagefile Backed Memory rw True False False -
pagefile_0x000000af48690000 0xaf48690000 0xaf4869ffff Pagefile Backed Memory rw True False False -
pagefile_0x000000af486a0000 0xaf486a0000 0xaf486affff Pagefile Backed Memory rw True False False -
pagefile_0x000000af486b0000 0xaf486b0000 0xaf486bffff Pagefile Backed Memory rw True False False -
private_0x000000af486c0000 0xaf486c0000 0xaf486c0fff Private Memory rw True False False -
private_0x000000af486d0000 0xaf486d0000 0xaf486d0fff Private Memory rw True False False -
private_0x000000af486e0000 0xaf486e0000 0xaf486e0fff Private Memory rw True False False -
private_0x000000af486f0000 0xaf486f0000 0xaf486f6fff Private Memory rw True False False -
private_0x000000af48700000 0xaf48700000 0xaf487fffff Private Memory rw True False False -
pagefile_0x000000af48800000 0xaf48800000 0xaf48987fff Pagefile Backed Memory r True False False -
pagefile_0x000000af48990000 0xaf48990000 0xaf48b10fff Pagefile Backed Memory r True False False -
private_0x000000af48b20000 0xaf48b20000 0xaf48c1ffff Private Memory rw True False False -
private_0x000000af48c20000 0xaf48c20000 0xaf48d1ffff Private Memory rw True False False -
sortdefault.nls 0xaf48d20000 0xaf49056fff Memory Mapped File r False False False -
private_0x000000af49060000 0xaf49060000 0xaf4915ffff Private Memory rw True False False -
private_0x000000af49160000 0xaf49160000 0xaf4925ffff Private Memory rw True False False -
private_0x000000af49260000 0xaf49260000 0xaf4935ffff Private Memory rw True False False -
private_0x000000af49360000 0xaf49360000 0xaf4a35ffff Private Memory rw True False False -
private_0x000000af4a360000 0xaf4a360000 0xaf4a363fff Private Memory rw True False False -
private_0x000000af4a370000 0xaf4a370000 0xaf4a371fff Private Memory rw True False False -
private_0x000000af4a380000 0xaf4a380000 0xaf4a380fff Private Memory rw True False False -
private_0x000000af4a390000 0xaf4a390000 0xaf4a3affff Private Memory rw True False False -
private_0x000000af4a3b0000 0xaf4a3b0000 0xaf5a3affff Private Memory rw True False False -
private_0x000000af5a3b0000 0xaf5a3b0000 0xaf6a3affff Private Memory rw True False False -
private_0x000000af6a3b0000 0xaf6a3b0000 0xaf6a3b0fff Private Memory rw True False False -
vedatamodel.edb 0xaf6a3c0000 0xaf6a3cffff Memory Mapped File r True False False -
vedatamodel.edb 0xaf6a3d0000 0xaf6a3dffff Memory Mapped File r True False False -
vedatamodel.edb 0xaf6a3e0000 0xaf6a3effff Memory Mapped File r True False False -
vedatamodel.edb 0xaf6a3f0000 0xaf6a3fffff Memory Mapped File r True False False -
vedatamodel.edb 0xaf6a400000 0xaf6a40ffff Memory Mapped File r True False False -
vedatamodel.edb 0xaf6a410000 0xaf6a41ffff Memory Mapped File r True False False -
vedatamodel.edb 0xaf6a420000 0xaf6a42ffff Memory Mapped File r True False False -
vedatamodel.edb 0xaf6a430000 0xaf6a43ffff Memory Mapped File r True False False -
vedatamodel.edb 0xaf6a440000 0xaf6a44ffff Memory Mapped File r True False False -
vedatamodel.edb 0xaf6a450000 0xaf6a45ffff Memory Mapped File r True False False -
vedatamodel.edb 0xaf6a460000 0xaf6a46ffff Memory Mapped File r True False False -
vedatamodel.edb 0xaf6a470000 0xaf6a47ffff Memory Mapped File r True False False -
vedatamodel.edb 0xaf6a480000 0xaf6a48ffff Memory Mapped File r True False False -
vedatamodel.edb 0xaf6a490000 0xaf6a49ffff Memory Mapped File r True False False -
vedatamodel.edb 0xaf6a4a0000 0xaf6a4affff Memory Mapped File r True False False -
private_0x000000af6a4b0000 0xaf6a4b0000 0xaf6a52ffff Private Memory rw True False False -
vedatamodel.edb 0xaf6a530000 0xaf6a53ffff Memory Mapped File r True False False -
private_0x000000af6a540000 0xaf6a540000 0xaf6a540fff Private Memory rw True False False -
vedatamodel.edb 0xaf6a550000 0xaf6a55ffff Memory Mapped File r True False False -
vedatamodel.edb 0xaf6a560000 0xaf6a56ffff Memory Mapped File r True False False -
vedatamodel.edb 0xaf6a570000 0xaf6a57ffff Memory Mapped File r True False False -
private_0x000000af6a580000 0xaf6a580000 0xaf6a67ffff Private Memory rw True False False -
pagefile_0x00007df5ff610000 0x7df5ff610000 0x7ff5ff60ffff Pagefile Backed Memory - True False False -
private_0x00007ff6baadc000 0x7ff6baadc000 0x7ff6baaddfff Private Memory rw True False False -
private_0x00007ff6baade000 0x7ff6baade000 0x7ff6baadffff Private Memory rw True False False -
pagefile_0x00007ff6baae0000 0x7ff6baae0000 0x7ff6babdffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6babe0000 0x7ff6babe0000 0x7ff6bac02fff Pagefile Backed Memory r True False False -
private_0x00007ff6bac03000 0x7ff6bac03000 0x7ff6bac04fff Private Memory rw True False False -
private_0x00007ff6bac05000 0x7ff6bac05000 0x7ff6bac05fff Private Memory rw True False False -
private_0x00007ff6bac06000 0x7ff6bac06000 0x7ff6bac07fff Private Memory rw True False False -
private_0x00007ff6bac08000 0x7ff6bac08000 0x7ff6bac09fff Private Memory rw True False False -
private_0x00007ff6bac0a000 0x7ff6bac0a000 0x7ff6bac0bfff Private Memory rw True False False -
private_0x00007ff6bac0c000 0x7ff6bac0c000 0x7ff6bac0dfff Private Memory rw True False False -
private_0x00007ff6bac0e000 0x7ff6bac0e000 0x7ff6bac0ffff Private Memory rw True False False -
svchost.exe 0x7ff6bbac0000 0x7ff6bbaccfff Memory Mapped File rwx False False False -
staterepository.core.dll 0x7ffef6180000 0x7ffef6218fff Memory Mapped File rwx False False False -
windows.staterepository.dll 0x7ffef6220000 0x7ffef64b1fff Memory Mapped File rwx False False False -
actxprxy.dll 0x7ffef93f0000 0x7ffef9859fff Memory Mapped File rwx False False False -
tileobjserver.dll 0x7ffefc1f0000 0x7ffefc270fff Memory Mapped File rwx False False False -
urlmon.dll 0x7ffefc5f0000 0x7ffefc786fff Memory Mapped File rwx False False False -
esent.dll 0x7ffefd800000 0x7ffefdae1fff Memory Mapped File rwx False False False -
iertutil.dll 0x7fff00e30000 0x7fff011a5fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fff033a0000 0x7fff033b2fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fff042a0000 0x7fff042d2fff Memory Mapped File rwx False False False -
userenv.dll 0x7fff04390000 0x7fff043aefff Memory Mapped File rwx False False False -
winsta.dll 0x7fff044a0000 0x7fff044f7fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fff046b0000 0x7fff046c6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fff04820000 0x7fff0482afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fff04a00000 0x7fff04a2bfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
profapi.dll 0x7fff04e00000 0x7fff04e12fff Memory Mapped File rwx False False False -
powrprof.dll 0x7fff04e20000 0x7fff04e69fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
shcore.dll 0x7fff04e80000 0x7fff04f32fff Memory Mapped File rwx False False False -
windows.storage.dll 0x7fff05270000 0x7fff05897fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fff05d00000 0x7fff05d50fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
advapi32.dll 0x7fff05f30000 0x7fff05fd5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
Process #18: officeclicktorun.exe
Information Value
ID #18
File Name c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
Command Line "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:39, Reason: RPC Server
Unmonitor End Time: 00:11:22, Reason: Terminated by Timeout
Monitor Duration 00:07:43
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x548
Parent PID 0x1e4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x7B8
0x7B4
0x7B0
0x7AC
0x7A8
0x7A4
0x7A0
0x74C
0x738
0x6FC
0x6F8
0x6E4
0x6B0
0x6A8
0x6A4
0x6A0
0x69C
0x698
0x690
0x578
0x574
0x54C
0x7BC
0x558
0x654
0x2C4
0x2E8
0x584
0xB2C
0xB00
0xB14
0x8E0
0x8FC
0x73C
0x83C
0x320
0x394
0x9D4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
pagefile_0x000000cd9a5d0000 0xcd9a5d0000 0xcd9a5dffff Pagefile Backed Memory rw True False False -
private_0x000000cd9a5e0000 0xcd9a5e0000 0xcd9a5e6fff Private Memory rw True False False -
pagefile_0x000000cd9a5f0000 0xcd9a5f0000 0xcd9a603fff Pagefile Backed Memory r True False False -
private_0x000000cd9a610000 0xcd9a610000 0xcd9a70ffff Private Memory rw True False False -
pagefile_0x000000cd9a710000 0xcd9a710000 0xcd9a713fff Pagefile Backed Memory r True False False -
pagefile_0x000000cd9a720000 0xcd9a720000 0xcd9a722fff Pagefile Backed Memory r True False False -
private_0x000000cd9a730000 0xcd9a730000 0xcd9a731fff Private Memory rw True False False -
locale.nls 0xcd9a740000 0xcd9a7fdfff Memory Mapped File r False False False -
private_0x000000cd9a800000 0xcd9a800000 0xcd9a806fff Private Memory rw True False False -
private_0x000000cd9a810000 0xcd9a810000 0xcd9a90ffff Private Memory rw True False False -
private_0x000000cd9a910000 0xcd9a910000 0xcd9aa0ffff Private Memory rw True False False -
private_0x000000cd9aa10000 0xcd9aa10000 0xcd9ab0ffff Private Memory rw True False False -
pagefile_0x000000cd9ab10000 0xcd9ab10000 0xcd9abcffff Pagefile Backed Memory r True False False -
private_0x000000cd9abd0000 0xcd9abd0000 0xcd9abd0fff Private Memory rw True False False -
private_0x000000cd9abe0000 0xcd9abe0000 0xcd9abe0fff Private Memory rw True False False -
private_0x000000cd9abf0000 0xcd9abf0000 0xcd9abf0fff Private Memory rw True False False -
private_0x000000cd9ac00000 0xcd9ac00000 0xcd9ac00fff Private Memory rw True False False -
pagefile_0x000000cd9ac10000 0xcd9ac10000 0xcd9ac11fff Pagefile Backed Memory r True False False -
pagefile_0x000000cd9ac20000 0xcd9ac20000 0xcd9ac20fff Pagefile Backed Memory rw True False False -
pagefile_0x000000cd9ac30000 0xcd9ac30000 0xcd9ac31fff Pagefile Backed Memory r True False False -
pagefile_0x000000cd9ac40000 0xcd9ac40000 0xcd9ac40fff Pagefile Backed Memory rw True False False -
counters.dat 0xcd9ac50000 0xcd9ac50fff Memory Mapped File rw False False False -
winnlsres.dll 0xcd9ac60000 0xcd9ac64fff Memory Mapped File r False False False -
winnlsres.dll.mui 0xcd9ac70000 0xcd9ac7ffff Memory Mapped File r False False False -
private_0x000000cd9ac80000 0xcd9ac80000 0xcd9ac84fff Private Memory rw True False False -
private_0x000000cd9ac90000 0xcd9ac90000 0xcd9ac9ffff Private Memory rw True False False -
pagefile_0x000000cd9aca0000 0xcd9aca0000 0xcd9ae27fff Pagefile Backed Memory r True False False -
pagefile_0x000000cd9ae30000 0xcd9ae30000 0xcd9afb0fff Pagefile Backed Memory r True False False -
sortdefault.nls 0xcd9afc0000 0xcd9b2f6fff Memory Mapped File r False False False -
private_0x000000cd9b300000 0xcd9b300000 0xcd9b3fffff Private Memory rw True False False -
private_0x000000cd9b400000 0xcd9b400000 0xcd9b4fffff Private Memory rw True False False -
private_0x000000cd9b500000 0xcd9b500000 0xcd9b5fffff Private Memory rw True False False -
private_0x000000cd9b600000 0xcd9b600000 0xcd9b6fffff Private Memory rw True False False -
private_0x000000cd9b700000 0xcd9b700000 0xcd9b7fffff Private Memory rw True False False -
private_0x000000cd9b800000 0xcd9b800000 0xcd9b8fffff Private Memory rw True False False -
private_0x000000cd9b900000 0xcd9b900000 0xcd9b9fffff Private Memory rw True False False -
private_0x000000cd9ba00000 0xcd9ba00000 0xcd9bafffff Private Memory rw True False False -
mswsock.dll.mui 0xcd9bb00000 0xcd9bb02fff Memory Mapped File r False False False -
pagefile_0x000000cd9bb10000 0xcd9bb10000 0xcd9bb11fff Pagefile Backed Memory rw True False False -
pagefile_0x000000cd9bb20000 0xcd9bb20000 0xcd9bb21fff Pagefile Backed Memory rw True False False -
tdh.dll.mui 0xcd9bb30000 0xcd9bb4afff Memory Mapped File r False False False -
crypt32.dll.mui 0xcd9bb50000 0xcd9bb59fff Memory Mapped File r False False False -
pagefile_0x000000cd9bb60000 0xcd9bb60000 0xcd9bb60fff Pagefile Backed Memory r True False False -
pagefile_0x000000cd9bb70000 0xcd9bb70000 0xcd9bb70fff Pagefile Backed Memory r True False False -
msxml6r.dll 0xcd9bb80000 0xcd9bb80fff Memory Mapped File r False False False -
private_0x000000cd9bb90000 0xcd9bb90000 0xcd9bc8ffff Private Memory rw True False False -
private_0x000000cd9bc90000 0xcd9bc90000 0xcd9be8ffff Private Memory rw True False False -
private_0x000000cd9be90000 0xcd9be90000 0xcd9bf8ffff Private Memory rw True False False -
private_0x000000cd9bf90000 0xcd9bf90000 0xcd9c08ffff Private Memory rw True False False -
private_0x000000cd9c090000 0xcd9c090000 0xcd9c192fff Private Memory rw True False False -
private_0x000000cd9c1a0000 0xcd9c1a0000 0xcd9c3a1fff Private Memory rw True False False -
private_0x000000cd9c3b0000 0xcd9c3b0000 0xcd9c4affff Private Memory rw True False False -
private_0x000000cd9c4b0000 0xcd9c4b0000 0xcd9c5affff Private Memory rw True False False -
private_0x000000cd9c5b0000 0xcd9c5b0000 0xcd9c6affff Private Memory rw True False False -
private_0x000000cd9c6b0000 0xcd9c6b0000 0xcd9caaffff Private Memory rw True False False -
private_0x000000cd9cab0000 0xcd9cab0000 0xcd9cab6fff Private Memory rw True False False -
pagefile_0x000000cd9cac0000 0xcd9cac0000 0xcd9cac0fff Pagefile Backed Memory r True False False -
pagefile_0x000000cd9cad0000 0xcd9cad0000 0xcd9cad0fff Pagefile Backed Memory r True False False -
pagefile_0x000000cd9cae0000 0xcd9cae0000 0xcd9cae0fff Pagefile Backed Memory r True False False -
pagefile_0x000000cd9caf0000 0xcd9caf0000 0xcd9caf0fff Pagefile Backed Memory r True False False -
private_0x000000cd9cb00000 0xcd9cb00000 0xcd9cb0ffff Private Memory rw True False False -
kernelbase.dll.mui 0xcd9cb10000 0xcd9cbeefff Memory Mapped File r False False False -
private_0x000000cd9cbf0000 0xcd9cbf0000 0xcd9cceffff Private Memory rw True False False -
private_0x000000cd9ccf0000 0xcd9ccf0000 0xcd9ceeffff Private Memory rw True False False -
pagefile_0x000000cd9cef0000 0xcd9cef0000 0xcd9cef0fff Pagefile Backed Memory r True False False -
pagefile_0x000000cd9cf00000 0xcd9cf00000 0xcd9cf00fff Pagefile Backed Memory r True False False -
pagefile_0x000000cd9cf10000 0xcd9cf10000 0xcd9cf10fff Pagefile Backed Memory r True False False -
pagefile_0x000000cd9cf20000 0xcd9cf20000 0xcd9cf20fff Pagefile Backed Memory r True False False -
pagefile_0x000000cd9cf30000 0xcd9cf30000 0xcd9cf30fff Pagefile Backed Memory r True False False -
pagefile_0x000000cd9cf40000 0xcd9cf40000 0xcd9cf40fff Pagefile Backed Memory r True False False -
private_0x000000cd9cf50000 0xcd9cf50000 0xcd9d04ffff Private Memory rw True False False -
private_0x000000cd9d050000 0xcd9d050000 0xcd9d14ffff Private Memory rw True False False -
private_0x000000cd9d150000 0xcd9d150000 0xcd9d24ffff Private Memory rw True False False -
private_0x000000cd9d250000 0xcd9d250000 0xcd9d34ffff Private Memory rw True False False -
private_0x000000cd9d350000 0xcd9d350000 0xcd9d44ffff Private Memory rw True False False -
private_0x000000cd9d450000 0xcd9d450000 0xcd9d54ffff Private Memory rw True False False -
private_0x000000cd9d550000 0xcd9d550000 0xcd9d64ffff Private Memory rw True False False -
private_0x000000cd9d650000 0xcd9d650000 0xcd9d74ffff Private Memory rw True False False -
pagefile_0x00007df5ff290000 0x7df5ff290000 0x7ff5ff28ffff Pagefile Backed Memory - True False False -
private_0x00007ff61107e000 0x7ff61107e000 0x7ff61107ffff Private Memory rw True False False -
private_0x00007ff611080000 0x7ff611080000 0x7ff611081fff Private Memory rw True False False -
private_0x00007ff611082000 0x7ff611082000 0x7ff611083fff Private Memory rw True False False -
private_0x00007ff611084000 0x7ff611084000 0x7ff611085fff Private Memory rw True False False -
private_0x00007ff611086000 0x7ff611086000 0x7ff611087fff Private Memory rw True False False -
private_0x00007ff611088000 0x7ff611088000 0x7ff611089fff Private Memory rw True False False -
private_0x00007ff61108a000 0x7ff61108a000 0x7ff61108bfff Private Memory rw True False False -
private_0x00007ff61108c000 0x7ff61108c000 0x7ff61108dfff Private Memory rw True False False -
private_0x00007ff61108e000 0x7ff61108e000 0x7ff61108ffff Private Memory rw True False False -
private_0x00007ff611090000 0x7ff611090000 0x7ff611091fff Private Memory rw True False False -
private_0x00007ff611092000 0x7ff611092000 0x7ff611093fff Private Memory rw True False False -
private_0x00007ff611094000 0x7ff611094000 0x7ff611095fff Private Memory rw True False False -
private_0x00007ff611096000 0x7ff611096000 0x7ff611097fff Private Memory rw True False False -
private_0x00007ff611098000 0x7ff611098000 0x7ff611099fff Private Memory rw True False False -
private_0x00007ff61109a000 0x7ff61109a000 0x7ff61109bfff Private Memory rw True False False -
private_0x00007ff61109c000 0x7ff61109c000 0x7ff61109dfff Private Memory rw True False False -
private_0x00007ff61109e000 0x7ff61109e000 0x7ff61109ffff Private Memory rw True False False -
pagefile_0x00007ff6110a0000 0x7ff6110a0000 0x7ff61119ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6111a0000 0x7ff6111a0000 0x7ff6111c2fff Pagefile Backed Memory r True False False -
private_0x00007ff6111c3000 0x7ff6111c3000 0x7ff6111c4fff Private Memory rw True False False -
private_0x00007ff6111c5000 0x7ff6111c5000 0x7ff6111c6fff Private Memory rw True False False -
private_0x00007ff6111c7000 0x7ff6111c7000 0x7ff6111c8fff Private Memory rw True False False -
private_0x00007ff6111c9000 0x7ff6111c9000 0x7ff6111c9fff Private Memory rw True False False -
private_0x00007ff6111ca000 0x7ff6111ca000 0x7ff6111cbfff Private Memory rw True False False -
private_0x00007ff6111cc000 0x7ff6111cc000 0x7ff6111cdfff Private Memory rw True False False -
private_0x00007ff6111ce000 0x7ff6111ce000 0x7ff6111cffff Private Memory rw True False False -
officeclicktorun.exe 0x7ff611700000 0x7ff611f5bfff Memory Mapped File rwx False False False -
appvisvsubsystemcontroller.dll 0x7ffefa340000 0x7ffefa4c5fff Memory Mapped File rwx False False False -
appvintegration.dll 0x7ffefa4d0000 0x7ffefa700fff Memory Mapped File rwx False False False -
appvisvvirtualization.dll 0x7ffefa9e0000 0x7ffefaa77fff Memory Mapped File rwx False False False -
appvcatalog.dll 0x7ffefaa80000 0x7ffefab29fff Memory Mapped File rwx False False False -
appvmanifest.dll 0x7ffefab30000 0x7ffefac61fff Memory Mapped File rwx False False False -
appvisvstreamingmanager.dll 0x7ffefac70000 0x7ffefaca6fff Memory Mapped File rwx False False False -
appvorchestration.dll 0x7ffefacb0000 0x7ffefad9ffff Memory Mapped File rwx False False False -
msvcr120.dll 0x7ffefada0000 0x7ffefae8efff Memory Mapped File rwx False False False -
msvcp120.dll 0x7ffefae90000 0x7ffefaf35fff Memory Mapped File rwx False False False -
appvpolicy.dll 0x7ffefaf40000 0x7ffefb080fff Memory Mapped File rwx False False False -
msxml6.dll 0x7ffefb150000 0x7ffefb3c6fff Memory Mapped File rwx False False False -
mskeyprotect.dll 0x7ffefb3f0000 0x7ffefb403fff Memory Mapped File rwx False False False -
ncryptsslp.dll 0x7ffefb4a0000 0x7ffefb4befff Memory Mapped File rwx False False False -
msdelta.dll 0x7ffefba40000 0x7ffefbac1fff Memory Mapped File rwx False False False -
streamserver.dll 0x7ffefbb80000 0x7ffefbf67fff Memory Mapped File rwx False False False -
appvisvapi.dll 0x7ffefc060000 0x7ffefc0dbfff Memory Mapped File rwx False False False -
appvfilesystemmetadata.dll 0x7ffefc190000 0x7ffefc1dcfff Memory Mapped File rwx False False False -
npmproxy.dll 0x7ffefc1e0000 0x7ffefc1edfff Memory Mapped File rwx False False False -
webio.dll 0x7ffefc280000 0x7ffefc2fffff Memory Mapped File rwx False False False -
version.dll 0x7ffefc300000 0x7ffefc309fff Memory Mapped File rwx False False False -
wininet.dll 0x7ffefc340000 0x7ffefc5e6fff Memory Mapped File rwx False False False -
urlmon.dll 0x7ffefc5f0000 0x7ffefc786fff Memory Mapped File rwx False False False -
comctl32.dll 0x7ffefc790000 0x7ffefca03fff Memory Mapped File rwx False False False -
msi.dll 0x7ffefca10000 0x7ffefcd4cfff Memory Mapped File rwx False False False -
ondemandconnroutehelper.dll 0x7ffefd1c0000 0x7ffefd1d4fff Memory Mapped File rwx False False False -
secur32.dll 0x7ffefd250000 0x7ffefd25bfff Memory Mapped File rwx False False False -
netapi32.dll 0x7ffefd260000 0x7ffefd276fff Memory Mapped File rwx False False False -
netprofm.dll 0x7ffefd550000 0x7ffefd58efff Memory Mapped File rwx False False False -
rasadhlp.dll 0x7ffefd5d0000 0x7ffefd5d9fff Memory Mapped File rwx False False False -
rstrtmgr.dll 0x7ffefdcc0000 0x7ffefdcf1fff Memory Mapped File rwx False False False -
apiclient.dll 0x7ffefdd40000 0x7ffefdd79fff Memory Mapped File rwx False False False -
msvcp140.dll 0x7ffefdd80000 0x7ffefde1efff Memory Mapped File rwx False False False -
vcruntime140.dll 0x7ffefde20000 0x7ffefde35fff Memory Mapped File rwx False False False -
winhttp.dll 0x7ffefdf10000 0x7ffefdfe5fff Memory Mapped File rwx False False False -
cabinet.dll 0x7ffefe6b0000 0x7ffefe6d6fff Memory Mapped File rwx False False False -
xmllite.dll 0x7ffefe9a0000 0x7ffefe9d5fff Memory Mapped File rwx False False False -
ucrtbase.dll 0x7ffefed50000 0x7ffefee41fff Memory Mapped File rwx False False False -
dhcpcsvc.dll 0x7ffeff2c0000 0x7ffeff2d9fff Memory Mapped File rwx False False False -
dhcpcsvc6.dll 0x7ffeff2e0000 0x7ffeff2f5fff Memory Mapped File rwx False False False -
fwpuclnt.dll 0x7ffeff3b0000 0x7ffeff417fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffeffcf0000 0x7ffeffd05fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffeffd80000 0x7ffeffd97fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fff00400000 0x7fff0040afff Memory Mapped File rwx False False False -
For performance reasons, the remaining 70 entries are omitted.
The remaining entries can be found in flog.txt.
Process #19: dllhost.exe
Information Value
ID #19
File Name c:\windows\system32\dllhost.exe
Command Line C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:52, Reason: Child Process
Unmonitor End Time: 00:03:59, Reason: Self Terminated
Monitor Duration 00:00:07
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7ec
Parent PID 0x244 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x7F0
0x7F4
0x7F8
0x7FC
0x408
0x388
0x404
0x458
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000f0618b0000 0xf0618b0000 0xf0618cffff Private Memory rw True False False -
pagefile_0x000000f0618b0000 0xf0618b0000 0xf0618bffff Pagefile Backed Memory rw True False False -
private_0x000000f0618c0000 0xf0618c0000 0xf0618c6fff Private Memory rw True False False -
pagefile_0x000000f0618d0000 0xf0618d0000 0xf0618e3fff Pagefile Backed Memory r True False False -
private_0x000000f0618f0000 0xf0618f0000 0xf0619effff Private Memory rw True False False -
pagefile_0x000000f0619f0000 0xf0619f0000 0xf0619f3fff Pagefile Backed Memory r True False False -
private_0x000000f061a00000 0xf061a00000 0xf061a01fff Private Memory rw True False False -
locale.nls 0xf061a10000 0xf061acdfff Memory Mapped File r False False False -
pagefile_0x000000f061ad0000 0xf061ad0000 0xf061ad0fff Pagefile Backed Memory r True False False -
private_0x000000f061ae0000 0xf061ae0000 0xf061ae6fff Private Memory rw True False False -
pagefile_0x000000f061af0000 0xf061af0000 0xf061af0fff Pagefile Backed Memory r True False False -
private_0x000000f061b00000 0xf061b00000 0xf061b00fff Private Memory rw True False False -
private_0x000000f061b10000 0xf061b10000 0xf061b10fff Private Memory rw True False False -
private_0x000000f061b90000 0xf061b90000 0xf061b9ffff Private Memory rw True False False -
private_0x000000f061bc0000 0xf061bc0000 0xf061cbffff Private Memory rw True False False -
private_0x000000f061cc0000 0xf061cc0000 0xf061dbffff Private Memory rw True False False -
pagefile_0x000000f061dc0000 0xf061dc0000 0xf061f47fff Pagefile Backed Memory r True False False -
pagefile_0x000000f061f50000 0xf061f50000 0xf0620d0fff Pagefile Backed Memory r True False False -
pagefile_0x000000f0620e0000 0xf0620e0000 0xf06219ffff Pagefile Backed Memory r True False False -
sortdefault.nls 0xf0621a0000 0xf0624d6fff Memory Mapped File r False False False -
private_0x000000f0624e0000 0xf0624e0000 0xf0625dffff Private Memory rw True False False -
private_0x000000f0625e0000 0xf0625e0000 0xf0626dffff Private Memory rw True False False -
private_0x000000f0626e0000 0xf0626e0000 0xf0627dffff Private Memory rw True False False -
private_0x000000f0627e0000 0xf0627e0000 0xf0628dffff Private Memory rw True False False -
private_0x000000f0628e0000 0xf0628e0000 0xf0629dffff Private Memory rw True False False -
pagefile_0x00007df5ff280000 0x7df5ff280000 0x7ff5ff27ffff Pagefile Backed Memory - True False False -
private_0x00007ff6dd99c000 0x7ff6dd99c000 0x7ff6dd99dfff Private Memory rw True False False -
private_0x00007ff6dd99e000 0x7ff6dd99e000 0x7ff6dd99ffff Private Memory rw True False False -
pagefile_0x00007ff6dd9a0000 0x7ff6dd9a0000 0x7ff6dda9ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6ddaa0000 0x7ff6ddaa0000 0x7ff6ddac2fff Pagefile Backed Memory r True False False -
private_0x00007ff6ddac4000 0x7ff6ddac4000 0x7ff6ddac4fff Private Memory rw True False False -
private_0x00007ff6ddac6000 0x7ff6ddac6000 0x7ff6ddac7fff Private Memory rw True False False -
private_0x00007ff6ddac8000 0x7ff6ddac8000 0x7ff6ddac9fff Private Memory rw True False False -
private_0x00007ff6ddaca000 0x7ff6ddaca000 0x7ff6ddacbfff Private Memory rw True False False -
private_0x00007ff6ddacc000 0x7ff6ddacc000 0x7ff6ddacdfff Private Memory rw True False False -
private_0x00007ff6ddace000 0x7ff6ddace000 0x7ff6ddacffff Private Memory rw True False False -
dllhost.exe 0x7ff6de1e0000 0x7ff6de1e6fff Memory Mapped File rwx False False False -
idstore.dll 0x7ffefa720000 0x7ffefa746fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fff042a0000 0x7fff042d2fff Memory Mapped File rwx False False False -
userenv.dll 0x7fff04390000 0x7fff043aefff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fff046b0000 0x7fff046c6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fff04820000 0x7fff0482afff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
profapi.dll 0x7fff04e00000 0x7fff04e12fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
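The Region tables above are the part of this report an analyst actually triages by hand: every loaded image is listed with rwx (the maximum over its sections), so image rows are not interesting on their own; what stands out is a Private or Pagefile Backed region that carries x, which is how injected or unpacked code shows up in this format. The rows in a table can also overlap (the first two rows of process #19's table share the start address 0xf0618b0000), which is easy to miss when scrolling. The following parser is an added example, not part of the VMRay report or of any VMRay tooling: it reads rows in the report's own column layout (Name, Start VA, End VA, Type, Permissions, Monitored, Dumped, YARA, Actions), flags executable non-image regions and overlapping ranges. The sample rows are copied from the process #19 table; the one row marked CONSTRUCTED is invented to show what a hit looks like and is not from the report.

```python
"""Parse and triage Region-table rows from the dynamic analysis report.

Added example for this page; not VMRay code.  Rows in SAMPLE_ROWS are
copied from the Process #19 (dllhost.exe) table.  CONSTRUCTED_ROW is an
invented executable private region so that the checks below have a hit.
"""
import re
from dataclasses import dataclass

# The three region types the report uses in its Type column.
TYPES = ("Private Memory", "Pagefile Backed Memory", "Memory Mapped File")

SAMPLE_ROWS = """
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000f0618b0000 0xf0618b0000 0xf0618cffff Private Memory rw True False False -
pagefile_0x000000f0618b0000 0xf0618b0000 0xf0618bffff Pagefile Backed Memory rw True False False -
locale.nls 0xf061a10000 0xf061acdfff Memory Mapped File r False False False -
pagefile_0x00007df5ff280000 0x7df5ff280000 0x7ff5ff27ffff Pagefile Backed Memory - True False False -
dllhost.exe 0x7ff6de1e0000 0x7ff6de1e6fff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
"""

# CONSTRUCTED: not in the report.  An rwx private region the analyzer dumped
# is the typical footprint of injected or unpacked code.
CONSTRUCTED_ROW = (
    "private_0x000000001c0e0000 0x1c0e0000 0x1c0effff Private Memory rwx True True False -"
)


@dataclass
class Region:
    name: str
    start: int
    end: int
    kind: str
    perms: str
    monitored: bool
    dumped: bool
    yara: bool
    actions: str

    @property
    def size(self) -> int:
        # End VA in the report is inclusive (…ffff), hence the +1.
        return self.end - self.start + 1

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def image_backed(self) -> bool:
        return self.kind == "Memory Mapped File"


ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<start>0x[0-9a-f]+)\s+(?P<end>0x[0-9a-f]+)\s+"
    r"(?P<kind>" + "|".join(TYPES) + r")\s+(?P<perms>[rwx]{1,3}|-)\s+"
    r"(?P<mon>True|False)\s+(?P<dump>True|False)\s+(?P<yara>True|False)\s+"
    r"(?P<actions>\S+)$"
)


def parse_rows(text: str) -> list[Region]:
    """Parse report rows; the header line and blank lines are skipped."""
    regions = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("Name "):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        regions.append(Region(
            name=m["name"], start=int(m["start"], 16), end=int(m["end"], 16),
            kind=m["kind"], perms=m["perms"],
            monitored=m["mon"] == "True", dumped=m["dump"] == "True",
            yara=m["yara"] == "True", actions=m["actions"]))
    return regions


def suspicious_exec(regions: list[Region]) -> list[Region]:
    """Executable regions that are not backed by an image file."""
    return [r for r in regions if r.executable and not r.image_backed]


def overlaps(regions: list[Region]) -> list[tuple[str, str]]:
    """Pairs of adjacent (by start VA) rows whose address ranges intersect."""
    ordered = sorted(regions, key=lambda r: (r.start, r.end))
    return [(a.name, b.name) for a, b in zip(ordered, ordered[1:]) if b.start <= a.end]


def triage(text: str) -> dict:
    regions = parse_rows(text)
    return {
        "rows": len(regions),
        "exec_non_image": [r.name for r in suspicious_exec(regions)],
        "overlaps": overlaps(regions),
        "dumped": [r.name for r in regions if r.dumped],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ROWS + CONSTRUCTED_ROW).items():
        print(f"{key}: {value}")
```

Run against the real tables, the exec_non_image list is empty for every process shown on this page, which is consistent with the Dumped column being False throughout; the constructed row is there only to show the shape of a positive result.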
Process #20: sihost.exe
Information Value
ID #20
File Name c:\windows\system32\sihost.exe
Command Line sihost.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:53, Reason: Child Process
Unmonitor End Time: 00:11:22, Reason: Terminated by Timeout
Monitor Duration 00:07:29
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x4dc
Parent PID 0x354 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x50C
0x4B4
0x2EC
0x5F8
0x5F0
0x434
0x764
0x768
0x644
0x790
0x504
0x654
0x700
0x91C
0x2F0
0x944
0x954
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000005becb10000 0x5becb10000 0x5becb2ffff Private Memory rw True False False -
pagefile_0x0000005becb10000 0x5becb10000 0x5becb1ffff Pagefile Backed Memory rw True False False -
private_0x0000005becb20000 0x5becb20000 0x5becb26fff Private Memory rw True False False -
pagefile_0x0000005becb30000 0x5becb30000 0x5becb43fff Pagefile Backed Memory r True False False -
private_0x0000005becb50000 0x5becb50000 0x5becbcffff Private Memory rw True False False -
pagefile_0x0000005becbd0000 0x5becbd0000 0x5becbd3fff Pagefile Backed Memory r True False False -
private_0x0000005becbe0000 0x5becbe0000 0x5becbe1fff Private Memory rw True False False -
locale.nls 0x5becbf0000 0x5beccadfff Memory Mapped File r False False False -
private_0x0000005beccb0000 0x5beccb0000 0x5becd2ffff Private Memory rw True False False -
private_0x0000005becd30000 0x5becd30000 0x5becd36fff Private Memory rw True False False -
private_0x0000005becd40000 0x5becd40000 0x5becd40fff Private Memory rw True False False -
private_0x0000005becd50000 0x5becd50000 0x5becd50fff Private Memory rw True False False -
pagefile_0x0000005becd60000 0x5becd60000 0x5becd60fff Pagefile Backed Memory r True False False -
private_0x0000005becd70000 0x5becd70000 0x5bece6ffff Private Memory rw True False False -
pagefile_0x0000005bece70000 0x5bece70000 0x5becff7fff Pagefile Backed Memory r True False False -
pagefile_0x0000005bed000000 0x5bed000000 0x5bed000fff Pagefile Backed Memory r True False False -
pagefile_0x0000005bed010000 0x5bed010000 0x5bed039fff Pagefile Backed Memory rw True False False -
private_0x0000005bed040000 0x5bed040000 0x5bed04ffff Private Memory rw True False False -
pagefile_0x0000005bed050000 0x5bed050000 0x5bed1d0fff Pagefile Backed Memory r True False False -
pagefile_0x0000005bed1e0000 0x5bed1e0000 0x5bee5dffff Pagefile Backed Memory r True False False -
private_0x0000005bee5e0000 0x5bee5e0000 0x5bee6dffff Private Memory rw True False False -
sortdefault.nls 0x5bee6e0000 0x5beea16fff Memory Mapped File r False False False -
private_0x0000005beea20000 0x5beea20000 0x5beea9ffff Private Memory rw True False False -
private_0x0000005beeaa0000 0x5beeaa0000 0x5beeb1ffff Private Memory rw True False False -
private_0x0000005beeb20000 0x5beeb20000 0x5beeb9ffff Private Memory rw True False False -
private_0x0000005beeba0000 0x5beeba0000 0x5beec1ffff Private Memory rw True False False -
private_0x0000005beec20000 0x5beec20000 0x5beec9ffff Private Memory rw True False False -
private_0x0000005beeca0000 0x5beeca0000 0x5beed1ffff Private Memory rw True False False -
private_0x0000005beed30000 0x5beed30000 0x5beed3ffff Private Memory rw True False False -
private_0x0000005beed40000 0x5beed40000 0x5beee3ffff Private Memory rw True False False -
private_0x0000005beee40000 0x5beee40000 0x5bef63ffff Private Memory - True False False -
private_0x0000005bef640000 0x5bef640000 0x5bef6bffff Private Memory rw True False False -
private_0x0000005bef6c0000 0x5bef6c0000 0x5bef73ffff Private Memory rw True False False -
private_0x0000005bef740000 0x5bef740000 0x5bef7bffff Private Memory rw True False False -
private_0x0000005bef7c0000 0x5bef7c0000 0x5bef83ffff Private Memory rw True False False -
private_0x0000005bef840000 0x5bef840000 0x5bef8bffff Private Memory rw True False False -
private_0x0000005bef8c0000 0x5bef8c0000 0x5bef93ffff Private Memory rw True False False -
kernelbase.dll.mui 0x5bef940000 0x5befa1efff Memory Mapped File r False False False -
pagefile_0x00007df5ff020000 0x7df5ff020000 0x7ff5ff01ffff Pagefile Backed Memory - True False False -
private_0x00007ff67fd4e000 0x7ff67fd4e000 0x7ff67fd4ffff Private Memory rw True False False -
private_0x00007ff67fd50000 0x7ff67fd50000 0x7ff67fd51fff Private Memory rw True False False -
private_0x00007ff67fd52000 0x7ff67fd52000 0x7ff67fd53fff Private Memory rw True False False -
private_0x00007ff67fd54000 0x7ff67fd54000 0x7ff67fd55fff Private Memory rw True False False -
private_0x00007ff67fd56000 0x7ff67fd56000 0x7ff67fd57fff Private Memory rw True False False -
private_0x00007ff67fd58000 0x7ff67fd58000 0x7ff67fd59fff Private Memory rw True False False -
private_0x00007ff67fd5a000 0x7ff67fd5a000 0x7ff67fd5bfff Private Memory rw True False False -
private_0x00007ff67fd5c000 0x7ff67fd5c000 0x7ff67fd5dfff Private Memory rw True False False -
private_0x00007ff67fd5e000 0x7ff67fd5e000 0x7ff67fd5ffff Private Memory rw True False False -
pagefile_0x00007ff67fd60000 0x7ff67fd60000 0x7ff67fe5ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff67fe60000 0x7ff67fe60000 0x7ff67fe82fff Pagefile Backed Memory r True False False -
private_0x00007ff67fe84000 0x7ff67fe84000 0x7ff67fe85fff Private Memory rw True False False -
private_0x00007ff67fe86000 0x7ff67fe86000 0x7ff67fe87fff Private Memory rw True False False -
private_0x00007ff67fe88000 0x7ff67fe88000 0x7ff67fe89fff Private Memory rw True False False -
private_0x00007ff67fe8a000 0x7ff67fe8a000 0x7ff67fe8bfff Private Memory rw True False False -
private_0x00007ff67fe8c000 0x7ff67fe8c000 0x7ff67fe8cfff Private Memory rw True False False -
private_0x00007ff67fe8e000 0x7ff67fe8e000 0x7ff67fe8ffff Private Memory rw True False False -
sihost.exe 0x7ff6802b0000 0x7ff6802c5fff Memory Mapped File rwx False False False -
licensemanagerapi.dll 0x7ffef5d70000 0x7ffef5d7bfff Memory Mapped File rwx False False False -
staterepository.core.dll 0x7ffef6180000 0x7ffef6218fff Memory Mapped File rwx False False False -
windows.staterepository.dll 0x7ffef6220000 0x7ffef64b1fff Memory Mapped File rwx False False False -
twinui.appcore.dll 0x7ffef7ae0000 0x7ffef7cecfff Memory Mapped File rwx False False False -
execmodelproxy.dll 0x7ffef90d0000 0x7ffef90e4fff Memory Mapped File rwx False False False -
sharehost.dll 0x7ffef9160000 0x7ffef9204fff Memory Mapped File rwx False False False -
appcontracts.dll 0x7ffef9210000 0x7ffef92bbfff Memory Mapped File rwx False False False -
execmodelclient.dll 0x7ffef92c0000 0x7ffef9302fff Memory Mapped File rwx False False False -
modernexecserver.dll 0x7ffef9310000 0x7ffef93e7fff Memory Mapped File rwx False False False -
actxprxy.dll 0x7ffef93f0000 0x7ffef9859fff Memory Mapped File rwx False False False -
coreuicomponents.dll 0x7ffef9860000 0x7ffef9ac0fff Memory Mapped File rwx False False False -
ondemandbrokerclient.dll 0x7ffef9ad0000 0x7ffef9ae0fff Memory Mapped File rwx False False False -
notificationplatformcomponent.dll 0x7ffef9af0000 0x7ffef9afcfff Memory Mapped File rwx False False False -
userdatatypehelperutil.dll 0x7ffef9b00000 0x7ffef9b10fff Memory Mapped File rwx False False False -
appointmentactivation.dll 0x7ffef9b20000 0x7ffef9b41fff Memory Mapped File rwx False False False -
activationmanager.dll 0x7ffef9b50000 0x7ffef9badfff Memory Mapped File rwx False False False -
edputil.dll 0x7ffef9bb0000 0x7ffef9bdefff Memory Mapped File rwx False False False -
clipboardserver.dll 0x7ffef9be0000 0x7ffef9c0ffff Memory Mapped File rwx False False False -
windows.shell.servicehostbuilder.dll 0x7ffef9cb0000 0x7ffef9cc1fff Memory Mapped File rwx False False False -
desktopshellext.dll 0x7ffef9cd0000 0x7ffef9ce6fff Memory Mapped File rwx False False False -
wpportinglibrary.dll 0x7ffefa710000 0x7ffefa718fff Memory Mapped File rwx False False False -
dsclient.dll 0x7ffefb090000 0x7ffefb09bfff Memory Mapped File rwx False False False -
msvcp110_win.dll 0x7ffefe790000 0x7ffefe821fff Memory Mapped File rwx False False False -
policymanager.dll 0x7ffefe830000 0x7ffefe868fff Memory Mapped File rwx False False False -
xmllite.dll 0x7ffefe9a0000 0x7ffefe9d5fff Memory Mapped File rwx False False False -
propsys.dll 0x7ffeff870000 0x7ffeff9f2fff Memory Mapped File rwx False False False -
mmdevapi.dll 0x7ffeffa00000 0x7ffeffa71fff Memory Mapped File rwx False False False -
usermgrproxy.dll 0x7ffeffb70000 0x7ffeffbadfff Memory Mapped File rwx False False False -
usermgrcli.dll 0x7fff00110000 0x7fff0011ffff Memory Mapped File rwx False False False -
wintypes.dll 0x7fff00cf0000 0x7fff00e20fff Memory Mapped File rwx False False False -
iertutil.dll 0x7fff00e30000 0x7fff011a5fff Memory Mapped File rwx False False False -
dwmapi.dll 0x7fff02e50000 0x7fff02e71fff Memory Mapped File rwx False False False -
coremessaging.dll 0x7fff02fe0000 0x7fff030a7fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fff03600000 0x7fff03695fff Memory Mapped File rwx False False False -
devobj.dll 0x7fff03750000 0x7fff03776fff Memory Mapped File rwx False False False -
twinapi.appcore.dll 0x7fff037a0000 0x7fff0388dfff Memory Mapped File rwx False False False -
rmclient.dll 0x7fff03ae0000 0x7fff03b07fff Memory Mapped File rwx False False False -
netutils.dll 0x7fff04030000 0x7fff0403bfff Memory Mapped File rwx False False False -
ntmarta.dll 0x7fff04120000 0x7fff04151fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fff042a0000 0x7fff042d2fff Memory Mapped File rwx False False False -
userenv.dll 0x7fff04390000 0x7fff043aefff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fff046b0000 0x7fff046c6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fff04820000 0x7fff0482afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fff04a00000 0x7fff04a2bfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
msasn1.dll 0x7fff04de0000 0x7fff04df0fff Memory Mapped File rwx False False False -
profapi.dll 0x7fff04e00000 0x7fff04e12fff Memory Mapped File rwx False False False -
powrprof.dll 0x7fff04e20000 0x7fff04e69fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
shcore.dll 0x7fff04e80000 0x7fff04f32fff Memory Mapped File rwx False False False -
crypt32.dll 0x7fff04f40000 0x7fff05100fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fff05110000 0x7fff05153fff Memory Mapped File rwx False False False -
windows.storage.dll 0x7fff05270000 0x7fff05897fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fff05d00000 0x7fff05d50fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
advapi32.dll 0x7fff05f30000 0x7fff05fd5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
imm32.dll 0x7fff06170000 0x7fff061a5fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
ole32.dll 0x7fff06430000 0x7fff06570fff Memory Mapped File rwx False False False -
msctf.dll 0x7fff07eb0000 0x7fff0800bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
Process #21: taskhostw.exe
Information Value
ID #21
File Name c:\windows\system32\taskhostw.exe
Command Line taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:54, Reason: Child Process
Unmonitor End Time: 00:11:22, Reason: Terminated by Timeout
Monitor Duration 00:07:28
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x530
Parent PID 0x354 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x550, 0x58C, 0x63C, 0x6C0, 0x6EC, 0x41C, 0x274, 0x2FC, 0x300, 0x388, 0x7F4, 0x808, 0xA2C, 0xA30, 0x6CC, 0x788, 0x5D8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000003527a50000 0x3527a50000 0x3527a6ffff Private Memory rw True False False -
pagefile_0x0000003527a50000 0x3527a50000 0x3527a5ffff Pagefile Backed Memory rw True False False -
private_0x0000003527a60000 0x3527a60000 0x3527a66fff Private Memory rw True False False -
pagefile_0x0000003527a70000 0x3527a70000 0x3527a83fff Pagefile Backed Memory r True False False -
private_0x0000003527a90000 0x3527a90000 0x3527b0ffff Private Memory rw True False False -
pagefile_0x0000003527b10000 0x3527b10000 0x3527b13fff Pagefile Backed Memory r True False False -
pagefile_0x0000003527b20000 0x3527b20000 0x3527b20fff Pagefile Backed Memory r True False False -
private_0x0000003527b30000 0x3527b30000 0x3527b31fff Private Memory rw True False False -
locale.nls 0x3527b40000 0x3527bfdfff Memory Mapped File r False False False -
private_0x0000003527c00000 0x3527c00000 0x3527c7ffff Private Memory rw True False False -
private_0x0000003527c80000 0x3527c80000 0x3527c86fff Private Memory rw True False False -
private_0x0000003527c90000 0x3527c90000 0x3527d8ffff Private Memory rw True False False -
taskhostw.exe.mui 0x3527d90000 0x3527d90fff Memory Mapped File r False False False -
private_0x0000003527da0000 0x3527da0000 0x3527da0fff Private Memory rw True False False -
private_0x0000003527db0000 0x3527db0000 0x3527db0fff Private Memory rw True False False -
pagefile_0x0000003527dc0000 0x3527dc0000 0x3527dc3fff Pagefile Backed Memory r True False False -
pagefile_0x0000003527dd0000 0x3527dd0000 0x3527dd0fff Pagefile Backed Memory r True False False -
pagefile_0x0000003527de0000 0x3527de0000 0x3527de0fff Pagefile Backed Memory r True False False -
msctfmonitor.dll.mui 0x3527df0000 0x3527df0fff Memory Mapped File r False False False -
private_0x0000003527e00000 0x3527e00000 0x3527e0ffff Private Memory rw True False False -
private_0x0000003527e10000 0x3527e10000 0x3527e8ffff Private Memory rw True False False -
pagefile_0x0000003527e90000 0x3527e90000 0x3528017fff Pagefile Backed Memory r True False False -
pagefile_0x0000003528020000 0x3528020000 0x35281a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000035281b0000 0x35281b0000 0x35295affff Pagefile Backed Memory r True False False -
pagefile_0x00000035295b0000 0x35295b0000 0x3529667fff Pagefile Backed Memory r True False False -
private_0x0000003529670000 0x3529670000 0x35296effff Private Memory rw True False False -
private_0x0000003529670000 0x3529670000 0x3529670fff Private Memory rw True False False -
pagefile_0x00000035296f0000 0x35296f0000 0x35296f0fff Pagefile Backed Memory rw True False False -
private_0x0000003529700000 0x3529700000 0x352970ffff Private Memory rw True False False -
private_0x0000003529710000 0x3529710000 0x352978ffff Private Memory rw True False False -
private_0x0000003529790000 0x3529790000 0x352980ffff Private Memory rw True False False -
pagefile_0x0000003529800000 0x3529800000 0x3529800fff Pagefile Backed Memory rw True False False -
sortdefault.nls 0x3529810000 0x3529b46fff Memory Mapped File r False False False -
private_0x0000003529b50000 0x3529b50000 0x3529bcffff Private Memory rw True False False -
private_0x0000003529bd0000 0x3529bd0000 0x3529c4ffff Private Memory rw True False False -
private_0x0000003529c50000 0x3529c50000 0x3529ccffff Private Memory rw True False False -
private_0x0000003529cd0000 0x3529cd0000 0x3529d4ffff Private Memory rw True False False -
private_0x0000003529d50000 0x3529d50000 0x3529e4ffff Private Memory rw True False False -
private_0x0000003529e50000 0x3529e50000 0x3529e56fff Private Memory rw True False False -
pagefile_0x00007df5ff740000 0x7df5ff740000 0x7ff5ff73ffff Pagefile Backed Memory - True False False -
private_0x00007ff79c6e6000 0x7ff79c6e6000 0x7ff79c6e7fff Private Memory rw True False False -
private_0x00007ff79c6e8000 0x7ff79c6e8000 0x7ff79c6e9fff Private Memory rw True False False -
private_0x00007ff79c6ea000 0x7ff79c6ea000 0x7ff79c6ebfff Private Memory rw True False False -
private_0x00007ff79c6ec000 0x7ff79c6ec000 0x7ff79c6edfff Private Memory rw True False False -
private_0x00007ff79c6ee000 0x7ff79c6ee000 0x7ff79c6effff Private Memory rw True False False -
pagefile_0x00007ff79c6f0000 0x7ff79c6f0000 0x7ff79c7effff Pagefile Backed Memory r True False False -
pagefile_0x00007ff79c7f0000 0x7ff79c7f0000 0x7ff79c812fff Pagefile Backed Memory r True False False -
private_0x00007ff79c814000 0x7ff79c814000 0x7ff79c815fff Private Memory rw True False False -
private_0x00007ff79c816000 0x7ff79c816000 0x7ff79c817fff Private Memory rw True False False -
private_0x00007ff79c818000 0x7ff79c818000 0x7ff79c819fff Private Memory rw True False False -
private_0x00007ff79c81a000 0x7ff79c81a000 0x7ff79c81bfff Private Memory rw True False False -
private_0x00007ff79c81c000 0x7ff79c81c000 0x7ff79c81dfff Private Memory rw True False False -
private_0x00007ff79c81e000 0x7ff79c81e000 0x7ff79c81efff Private Memory rw True False False -
taskhostw.exe 0x7ff79cd00000 0x7ff79cd18fff Memory Mapped File rwx False False False -
winmmbase.dll 0x7ffef76a0000 0x7ffef76cbfff Memory Mapped File rwx False False False -
winmm.dll 0x7ffef76d0000 0x7ffef76f2fff Memory Mapped File rwx False False False -
msutb.dll 0x7ffef9c10000 0x7ffef9c88fff Memory Mapped File rwx False False False -
playsndsrv.dll 0x7ffef9c90000 0x7ffef9caafff Memory Mapped File rwx False False False -
msctfmonitor.dll 0x7ffefc180000 0x7ffefc18bfff Memory Mapped File rwx False False False -
wininet.dll 0x7ffefc340000 0x7ffefc5e6fff Memory Mapped File rwx False False False -
esent.dll 0x7ffefd800000 0x7ffefdae1fff Memory Mapped File rwx False False False -
iertutil.dll 0x7fff00e30000 0x7fff011a5fff Memory Mapped File rwx False False False -
dwmapi.dll 0x7fff02e50000 0x7fff02e71fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fff033a0000 0x7fff033b2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fff03600000 0x7fff03695fff Memory Mapped File rwx False False False -
devobj.dll 0x7fff03750000 0x7fff03776fff Memory Mapped File rwx False False False -
winsta.dll 0x7fff044a0000 0x7fff044f7fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
profapi.dll 0x7fff04e00000 0x7fff04e12fff Memory Mapped File rwx False False False -
powrprof.dll 0x7fff04e20000 0x7fff04e69fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
shcore.dll 0x7fff04e80000 0x7fff04f32fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fff05110000 0x7fff05153fff Memory Mapped File rwx False False False -
windows.storage.dll 0x7fff05270000 0x7fff05897fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fff05d00000 0x7fff05d50fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
advapi32.dll 0x7fff05f30000 0x7fff05fd5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
imm32.dll 0x7fff06170000 0x7fff061a5fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
ole32.dll 0x7fff06430000 0x7fff06570fff Memory Mapped File rwx False False False -
shell32.dll 0x7fff067d0000 0x7fff07cf4fff Memory Mapped File rwx False False False -
msctf.dll 0x7fff07eb0000 0x7fff0800bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
Process #22: msoia.exe
Information Value
ID #22
File Name c:\program files\microsoft office\root\office16\msoia.exe
Command Line "C:\Program Files\Microsoft Office\root\Office16\msoia.exe" scan upload
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:54, Reason: Child Process
Unmonitor End Time: 00:05:43, Reason: Self Terminated
Monitor Duration 00:01:49
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x5b0
Parent PID 0x354 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x6AC, 0x868, 0x2BC, 0x7C0, 0xBC0, 0xB5C, 0x30C, 0x988, 0x868, 0x90C, 0x6CC, 0x788, 0xB8C, 0x464, 0xB88, 0x79C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000219bcc0000 0x219bcc0000 0x219bcdffff Private Memory rw True False False -
pagefile_0x000000219bcc0000 0x219bcc0000 0x219bccffff Pagefile Backed Memory rw True False False -
private_0x000000219bcd0000 0x219bcd0000 0x219bcd6fff Private Memory rw True False False -
pagefile_0x000000219bce0000 0x219bce0000 0x219bcf3fff Pagefile Backed Memory r True False False -
private_0x000000219bd00000 0x219bd00000 0x219bdfffff Private Memory rw True False False -
pagefile_0x000000219be00000 0x219be00000 0x219be03fff Pagefile Backed Memory r True False False -
private_0x000000219be10000 0x219be10000 0x219be11fff Private Memory rw True False False -
locale.nls 0x219be20000 0x219beddfff Memory Mapped File r False False False -
private_0x000000219bee0000 0x219bee0000 0x219bfdffff Private Memory rw True False False -
private_0x000000219bfe0000 0x219bfe0000 0x219c0dffff Private Memory rw True False False -
pagefile_0x000000219c0e0000 0x219c0e0000 0x219c0e0fff Pagefile Backed Memory r True False False -
private_0x000000219c0f0000 0x219c0f0000 0x219c0f6fff Private Memory rw True False False -
pagefile_0x000000219c100000 0x219c100000 0x219c287fff Pagefile Backed Memory r True False False -
private_0x000000219c290000 0x219c290000 0x219c29ffff Private Memory rw True False False -
pagefile_0x000000219c2a0000 0x219c2a0000 0x219c420fff Pagefile Backed Memory r True False False -
pagefile_0x000000219c430000 0x219c430000 0x219d82ffff Pagefile Backed Memory r True False False -
private_0x000000219d830000 0x219d830000 0x219d830fff Private Memory rw True False False -
private_0x000000219d840000 0x219d840000 0x219d840fff Private Memory rw True False False -
sortdefault.nls 0x219d850000 0x219db86fff Memory Mapped File r False False False -
private_0x000000219db90000 0x219db90000 0x219db90fff Private Memory rw True False False -
private_0x000000219dba0000 0x219dba0000 0x219dba0fff Private Memory rw True False False -
private_0x000000219dbb0000 0x219dbb0000 0x219dcaffff Private Memory rw True False False -
private_0x000000219dcb0000 0x219dcb0000 0x219ddaffff Private Memory rw True False False -
pagefile_0x000000219ddb0000 0x219ddb0000 0x219ddb1fff Pagefile Backed Memory r True False False -
pagefile_0x000000219ddc0000 0x219ddc0000 0x219ddc0fff Pagefile Backed Memory rw True False False -
pagefile_0x000000219ddd0000 0x219ddd0000 0x219ddd1fff Pagefile Backed Memory r True False False -
office.odf 0x219dde0000 0x219dffefff Memory Mapped File r False False False -
pagefile_0x000000219e000000 0x219e000000 0x219e0b7fff Pagefile Backed Memory r True False False -
private_0x000000219e0c0000 0x219e0c0000 0x219e0cffff Private Memory rw True False False -
private_0x000000219e0d0000 0x219e0d0000 0x219e1cffff Private Memory rw True False False -
private_0x000000219e1d0000 0x219e1d0000 0x219e2cffff Private Memory rw True False False -
private_0x000000219e2d0000 0x219e2d0000 0x219e3cffff Private Memory rw True False False -
pagefile_0x000000219e3d0000 0x219e3d0000 0x219e3d3fff Pagefile Backed Memory r True False False -
private_0x000000219e3e0000 0x219e3e0000 0x219e3e6fff Private Memory rw True False False -
pagefile_0x000000219e3f0000 0x219e3f0000 0x219e3f0fff Pagefile Backed Memory rw True False False -
counters.dat 0x219e400000 0x219e400fff Memory Mapped File rw True False False -
pagefile_0x000000219e410000 0x219e410000 0x219e410fff Pagefile Backed Memory r True False False -
winnlsres.dll 0x219e420000 0x219e424fff Memory Mapped File r False False False -
winnlsres.dll.mui 0x219e430000 0x219e43ffff Memory Mapped File r False False False -
pagefile_0x000000219e440000 0x219e440000 0x219e440fff Pagefile Backed Memory r True False False -
mswsock.dll.mui 0x219e450000 0x219e452fff Memory Mapped File r False False False -
pagefile_0x000000219e460000 0x219e460000 0x219e461fff Pagefile Backed Memory rw True False False -
pagefile_0x000000219e470000 0x219e470000 0x219e471fff Pagefile Backed Memory rw True False False -
crypt32.dll.mui 0x219e480000 0x219e489fff Memory Mapped File r False False False -
private_0x000000219e490000 0x219e490000 0x219e49ffff Private Memory rw True False False -
private_0x000000219e4a0000 0x219e4a0000 0x219e59ffff Private Memory rw True False False -
private_0x000000219e5a0000 0x219e5a0000 0x219e69ffff Private Memory rw True False False -
private_0x000000219e6a0000 0x219e6a0000 0x219e79ffff Private Memory rw True False False -
private_0x000000219e7a0000 0x219e7a0000 0x219e99ffff Private Memory rw True False False -
private_0x000000219e9a0000 0x219e9a0000 0x219ea9ffff Private Memory rw True False False -
private_0x000000219eaa0000 0x219eaa0000 0x219eb9ffff Private Memory rw True False False -
private_0x000000219eba0000 0x219eba0000 0x219ec9ffff Private Memory rw True False False -
private_0x000000219eca0000 0x219eca0000 0x219ed9ffff Private Memory rw True False False -
private_0x000000219eda0000 0x219eda0000 0x219ee9ffff Private Memory rw True False False -
private_0x000000219eea0000 0x219eea0000 0x219ef9ffff Private Memory rw True False False -
private_0x000000219efa0000 0x219efa0000 0x219f39ffff Private Memory rw True False False -
private_0x000000219f3a0000 0x219f3a0000 0x219f49ffff Private Memory rw True False False -
pagefile_0x00007df5ff610000 0x7df5ff610000 0x7ff5ff60ffff Pagefile Backed Memory - True False False -
private_0x00007ff64512e000 0x7ff64512e000 0x7ff64512ffff Private Memory rw True False False -
private_0x00007ff645130000 0x7ff645130000 0x7ff645131fff Private Memory rw True False False -
private_0x00007ff645132000 0x7ff645132000 0x7ff645133fff Private Memory rw True False False -
private_0x00007ff645134000 0x7ff645134000 0x7ff645135fff Private Memory rw True False False -
private_0x00007ff645136000 0x7ff645136000 0x7ff645137fff Private Memory rw True False False -
private_0x00007ff645138000 0x7ff645138000 0x7ff645139fff Private Memory rw True False False -
private_0x00007ff64513a000 0x7ff64513a000 0x7ff64513bfff Private Memory rw True False False -
private_0x00007ff64513c000 0x7ff64513c000 0x7ff64513dfff Private Memory rw True False False -
private_0x00007ff64513e000 0x7ff64513e000 0x7ff64513ffff Private Memory rw True False False -
pagefile_0x00007ff645140000 0x7ff645140000 0x7ff64523ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff645240000 0x7ff645240000 0x7ff645262fff Pagefile Backed Memory r True False False -
private_0x00007ff645263000 0x7ff645263000 0x7ff645264fff Private Memory rw True False False -
private_0x00007ff645265000 0x7ff645265000 0x7ff645266fff Private Memory rw True False False -
private_0x00007ff645267000 0x7ff645267000 0x7ff645268fff Private Memory rw True False False -
private_0x00007ff645269000 0x7ff645269000 0x7ff64526afff Private Memory rw True False False -
private_0x00007ff64526b000 0x7ff64526b000 0x7ff64526cfff Private Memory rw True False False -
private_0x00007ff64526d000 0x7ff64526d000 0x7ff64526efff Private Memory rw True False False -
private_0x00007ff64526f000 0x7ff64526f000 0x7ff64526ffff Private Memory rw True False False -
msoia.exe 0x7ff645760000 0x7ff645adcfff Memory Mapped File rwx False False False -
private_0x00007ffec8430000 0x7ffec8430000 0x7ffec843ffff Private Memory rwx True False False -
comctl32.dll 0x7ffef0be0000 0x7ffef0c89fff Memory Mapped File rwx False False False -
c2r64.dll 0x7ffef4d60000 0x7ffef5044fff Memory Mapped File rwx False False False -
appvisvsubsystems64.dll 0x7ffef5ef0000 0x7ffef6173fff Memory Mapped File rwx False False False -
msvcp140.dll 0x7ffef6cb0000 0x7ffef6d4efff Memory Mapped File rwx False False False -
vcruntime140.dll 0x7ffef6d50000 0x7ffef6d65fff Memory Mapped File rwx False False False -
mskeyprotect.dll 0x7ffefb3f0000 0x7ffefb403fff Memory Mapped File rwx False False False -
ncryptsslp.dll 0x7ffefb4a0000 0x7ffefb4befff Memory Mapped File rwx False False False -
npmproxy.dll 0x7ffefc1e0000 0x7ffefc1edfff Memory Mapped File rwx False False False -
webio.dll 0x7ffefc280000 0x7ffefc2fffff Memory Mapped File rwx False False False -
wininet.dll 0x7ffefc340000 0x7ffefc5e6fff Memory Mapped File rwx False False False -
urlmon.dll 0x7ffefc5f0000 0x7ffefc786fff Memory Mapped File rwx False False False -
comctl32.dll 0x7ffefc790000 0x7ffefca03fff Memory Mapped File rwx False False False -
msi.dll 0x7ffefca10000 0x7ffefcd4cfff Memory Mapped File rwx False False False -
ondemandconnroutehelper.dll 0x7ffefd1c0000 0x7ffefd1d4fff Memory Mapped File rwx False False False -
secur32.dll 0x7ffefd250000 0x7ffefd25bfff Memory Mapped File rwx False False False -
netprofm.dll 0x7ffefd550000 0x7ffefd58efff Memory Mapped File rwx False False False -
rasadhlp.dll 0x7ffefd5d0000 0x7ffefd5d9fff Memory Mapped File rwx False False False -
winhttp.dll 0x7ffefdf10000 0x7ffefdfe5fff Memory Mapped File rwx False False False -
xmllite.dll 0x7ffefe9a0000 0x7ffefe9d5fff Memory Mapped File rwx False False False -
ucrtbase.dll 0x7ffefed50000 0x7ffefee41fff Memory Mapped File rwx False False False -
dhcpcsvc.dll 0x7ffeff2c0000 0x7ffeff2d9fff Memory Mapped File rwx False False False -
dhcpcsvc6.dll 0x7ffeff2e0000 0x7ffeff2f5fff Memory Mapped File rwx False False False -
fwpuclnt.dll 0x7ffeff3b0000 0x7ffeff417fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fff00400000 0x7fff0040afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fff00420000 0x7fff00457fff Memory Mapped File rwx False False False -
iertutil.dll 0x7fff00e30000 0x7fff011a5fff Memory Mapped File rwx False False False -
dwmapi.dll 0x7fff02e50000 0x7fff02e71fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fff03600000 0x7fff03695fff Memory Mapped File rwx False False False -
gpapi.dll 0x7fff03d00000 0x7fff03d22fff Memory Mapped File rwx False False False -
schannel.dll 0x7fff04180000 0x7fff041f3fff Memory Mapped File rwx False False False -
dpapi.dll 0x7fff04200000 0x7fff04209fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fff042a0000 0x7fff042d2fff Memory Mapped File rwx False False False -
userenv.dll 0x7fff04390000 0x7fff043aefff Memory Mapped File rwx False False False -
dnsapi.dll 0x7fff043f0000 0x7fff04497fff Memory Mapped File rwx False False False -
mswsock.dll 0x7fff04650000 0x7fff046acfff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fff046b0000 0x7fff046c6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fff04820000 0x7fff0482afff Memory Mapped File rwx False False False -
ntasn1.dll 0x7fff048b0000 0x7fff048e5fff Memory Mapped File rwx False False False -
ncrypt.dll 0x7fff048f0000 0x7fff04915fff Memory Mapped File rwx False False False -
sspicli.dll 0x7fff04a00000 0x7fff04a2bfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
msasn1.dll 0x7fff04de0000 0x7fff04df0fff Memory Mapped File rwx False False False -
profapi.dll 0x7fff04e00000 0x7fff04e12fff Memory Mapped File rwx False False False -
powrprof.dll 0x7fff04e20000 0x7fff04e69fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
shcore.dll 0x7fff04e80000 0x7fff04f32fff Memory Mapped File rwx False False False -
crypt32.dll 0x7fff04f40000 0x7fff05100fff Memory Mapped File rwx False False False -
windows.storage.dll 0x7fff05270000 0x7fff05897fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
nsi.dll 0x7fff05a80000 0x7fff05a87fff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fff05d00000 0x7fff05d50fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
advapi32.dll 0x7fff05f30000 0x7fff05fd5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
imm32.dll 0x7fff06170000 0x7fff061a5fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
ole32.dll 0x7fff06430000 0x7fff06570fff Memory Mapped File rwx False False False -
shell32.dll 0x7fff067d0000 0x7fff07cf4fff Memory Mapped File rwx False False False -
msctf.dll 0x7fff07eb0000 0x7fff0800bfff Memory Mapped File rwx False False False -
normaliz.dll 0x7fff08010000 0x7fff08016fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fff080d0000 0x7fff08138fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
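A check worth running over region tables like the one above, added here as an example and not part of the VMRay report or of VMRay's own tooling: every loaded module in these tables is listed rwx, so the Permissions column on its own does not separate code from data. What is worth isolating is executable memory that is not backed by an image on disk. In process #22 the only such region is private_0x00007ffec8430000, a 64 KiB private rwx region with Dumped and YARA both False. The same process has appvisvsubsystems64.dll and c2r64.dll mapped, so a hooking trampoline from the Click-to-Run App-V layer is a plausible benign origin, but the report does not attribute the region and never dumped it, so treat it as a lead to verify rather than a finding. The Python below parses rows in the report's column order (Name, Start VA, End VA, Type, Permissions, Monitored, Dumped, YARA, Actions) and flags non-image executable regions; the sample rows are copied from the process #21 and #22 tables above, and the class and function names are this example's own.

```python
"""Flag executable memory that is not backed by an image, from a VMRay-style
region table (example code written for this page, not part of VMRay)."""
import re
from dataclasses import dataclass
from typing import List

# Sample rows copied from the process #21 and #22 region tables in this
# report. Column order: Name, Start VA, End VA, Type, Permissions,
# Monitored, Dumped, YARA, Actions.
SAMPLE_ROWS = """\
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
pagefile_0x000000219bce0000 0x219bce0000 0x219bcf3fff Pagefile Backed Memory r True False False -
pagefile_0x00007df5ff740000 0x7df5ff740000 0x7ff5ff73ffff Pagefile Backed Memory - True False False -
counters.dat 0x219e400000 0x219e400fff Memory Mapped File rw True False False -
taskhostw.exe 0x7ff79cd00000 0x7ff79cd18fff Memory Mapped File rwx False False False -
msoia.exe 0x7ff645760000 0x7ff645adcfff Memory Mapped File rwx False False False -
private_0x00007ffec8430000 0x7ffec8430000 0x7ffec843ffff Private Memory rwx True False False -
appvisvsubsystems64.dll 0x7ffef5ef0000 0x7ffef6173fff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
"""

# The Type column is multi-word, so match the three values the report uses
# instead of splitting on whitespace.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<start>0x[0-9a-fA-F]+)\s+(?P<end>0x[0-9a-fA-F]+)\s+"
    r"(?P<kind>Private Memory|Pagefile Backed Memory|Memory Mapped File)\s+"
    r"(?P<perm>[rwx]+|-)\s+(?P<monitored>True|False)\s+(?P<dumped>True|False)\s+"
    r"(?P<yara>True|False)\s+(?P<actions>\S+)$"
)


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int
    kind: str
    perm: str
    monitored: bool
    dumped: bool
    yara: bool

    @property
    def size(self) -> int:
        # End VA is inclusive in the report, hence the +1.
        return self.end - self.start + 1

    @property
    def image_backed(self) -> bool:
        # Only Memory Mapped File regions correspond to something on disk;
        # private and pagefile-backed memory exist only inside this process.
        return self.kind == "Memory Mapped File"


def parse_regions(text: str) -> List[Region]:
    regions = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Name "):
            continue  # blank line or the table header
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised region row: {line!r}")
        regions.append(Region(
            name=m["name"], start=int(m["start"], 16), end=int(m["end"], 16),
            kind=m["kind"], perm=m["perm"],
            monitored=m["monitored"] == "True",
            dumped=m["dumped"] == "True",
            yara=m["yara"] == "True",
        ))
    return regions


def non_image_executable(regions: List[Region]) -> List[Region]:
    """Executable regions not backed by a file: the memory a packer or
    injector writes code into. Image mappings are excluded because the
    report lists every module as rwx regardless of section."""
    return [r for r in regions if "x" in r.perm and not r.image_backed]


def describe(r: Region) -> str:
    state = "dumped" if r.dumped else "not dumped"
    return f"{r.name} {r.start:#x}-{r.end:#x} ({r.size // 1024} KiB, {r.perm}, {state})"


if __name__ == "__main__":
    for r in non_image_executable(parse_regions(SAMPLE_ROWS)):
        print(describe(r))
```

Run it against the full table of each process rather than a handful of rows; the Dumped column then tells you whether the sandbox saved the region's contents, which is what you would pull into a disassembler when a flagged region belongs to a process the report does mark as injected or unpacked.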
Process #23: taskhostw.exe
Information Value
ID #23
File Name c:\windows\system32\taskhostw.exe
Command Line taskhostw.exe USER
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:54, Reason: Child Process
Unmonitor End Time: 00:04:08, Reason: Self Terminated
Monitor Duration 00:00:14
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x670
Parent PID 0x354 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x694, 0x500, 0x588, 0x2BC, 0x7E4, 0x458, 0x7F0, 0x83C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000009ae1540000 0x9ae1540000 0x9ae155ffff Private Memory rw True False False -
pagefile_0x0000009ae1540000 0x9ae1540000 0x9ae154ffff Pagefile Backed Memory rw True False False -
private_0x0000009ae1550000 0x9ae1550000 0x9ae1556fff Private Memory rw True False False -
pagefile_0x0000009ae1560000 0x9ae1560000 0x9ae1573fff Pagefile Backed Memory r True False False -
private_0x0000009ae1580000 0x9ae1580000 0x9ae15fffff Private Memory rw True False False -
pagefile_0x0000009ae1600000 0x9ae1600000 0x9ae1603fff Pagefile Backed Memory r True False False -
pagefile_0x0000009ae1610000 0x9ae1610000 0x9ae1610fff Pagefile Backed Memory r True False False -
private_0x0000009ae1620000 0x9ae1620000 0x9ae1621fff Private Memory rw True False False -
locale.nls 0x9ae1630000 0x9ae16edfff Memory Mapped File r False False False -
private_0x0000009ae16f0000 0x9ae16f0000 0x9ae176ffff Private Memory rw True False False -
private_0x0000009ae1770000 0x9ae1770000 0x9ae186ffff Private Memory rw True False False -
private_0x0000009ae1870000 0x9ae1870000 0x9ae1876fff Private Memory rw True False False -
private_0x0000009ae1880000 0x9ae1880000 0x9ae18fffff Private Memory rw True False False -
taskhostw.exe.mui 0x9ae1900000 0x9ae1900fff Memory Mapped File r False False False -
private_0x0000009ae1910000 0x9ae1910000 0x9ae1910fff Private Memory rw True False False -
private_0x0000009ae1920000 0x9ae1920000 0x9ae1920fff Private Memory rw True False False -
pagefile_0x0000009ae1930000 0x9ae1930000 0x9ae1933fff Pagefile Backed Memory r True False False -
pagefile_0x0000009ae1940000 0x9ae1940000 0x9ae1940fff Pagefile Backed Memory r True False False -
private_0x0000009ae1950000 0x9ae1950000 0x9ae195ffff Private Memory rw True False False -
private_0x0000009ae1960000 0x9ae1960000 0x9ae19dffff Private Memory rw True False False -
pagefile_0x0000009ae19e0000 0x9ae19e0000 0x9ae19e0fff Pagefile Backed Memory r True False False -
pagefile_0x0000009ae19f0000 0x9ae19f0000 0x9ae19f2fff Pagefile Backed Memory r True False False -
private_0x0000009ae1a10000 0x9ae1a10000 0x9ae1a1ffff Private Memory rw True False False -
pagefile_0x0000009ae1a20000 0x9ae1a20000 0x9ae1ba7fff Pagefile Backed Memory r True False False -
pagefile_0x0000009ae1bb0000 0x9ae1bb0000 0x9ae1d30fff Pagefile Backed Memory r True False False -
pagefile_0x0000009ae1d40000 0x9ae1d40000 0x9ae313ffff Pagefile Backed Memory r True False False -
pagefile_0x0000009ae3140000 0x9ae3140000 0x9ae31f7fff Pagefile Backed Memory r True False False -
sortdefault.nls 0x9ae3200000 0x9ae3536fff Memory Mapped File r False False False -
private_0x0000009ae3540000 0x9ae3540000 0x9ae35bffff Private Memory rw True False False -
private_0x0000009ae35c0000 0x9ae35c0000 0x9ae363ffff Private Memory rw True False False -
private_0x0000009ae3640000 0x9ae3640000 0x9ae36bffff Private Memory rw True False False -
private_0x0000009ae36c0000 0x9ae36c0000 0x9ae373ffff Private Memory rw True False False -
pagefile_0x00007df5ff850000 0x7df5ff850000 0x7ff5ff84ffff Pagefile Backed Memory - True False False -
private_0x00007ff79bd2c000 0x7ff79bd2c000 0x7ff79bd2dfff Private Memory rw True False False -
private_0x00007ff79bd2e000 0x7ff79bd2e000 0x7ff79bd2ffff Private Memory rw True False False -
pagefile_0x00007ff79bd30000 0x7ff79bd30000 0x7ff79be2ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff79be30000 0x7ff79be30000 0x7ff79be52fff Pagefile Backed Memory r True False False -
private_0x00007ff79be53000 0x7ff79be53000 0x7ff79be54fff Private Memory rw True False False -
private_0x00007ff79be55000 0x7ff79be55000 0x7ff79be56fff Private Memory rw True False False -
private_0x00007ff79be57000 0x7ff79be57000 0x7ff79be58fff Private Memory rw True False False -
private_0x00007ff79be59000 0x7ff79be59000 0x7ff79be5afff Private Memory rw True False False -
private_0x00007ff79be5b000 0x7ff79be5b000 0x7ff79be5cfff Private Memory rw True False False -
private_0x00007ff79be5d000 0x7ff79be5d000 0x7ff79be5efff Private Memory rw True False False -
private_0x00007ff79be5f000 0x7ff79be5f000 0x7ff79be5ffff Private Memory rw True False False -
taskhostw.exe 0x7ff79cd00000 0x7ff79cd18fff Memory Mapped File rwx False False False -
certenroll.dll 0x7ffef6820000 0x7ffef6ae9fff Memory Mapped File rwx False False False -
certca.dll 0x7ffef6af0000 0x7ffef6baefff Memory Mapped File rwx False False False -
pautoenr.dll 0x7ffef6bb0000 0x7ffef6bc3fff Memory Mapped File rwx False False False -
dimsjob.dll 0x7ffefc030000 0x7ffefc03efff Memory Mapped File rwx False False False -
npmproxy.dll 0x7ffefc1e0000 0x7ffefc1edfff Memory Mapped File rwx False False False -
netprofm.dll 0x7ffefd550000 0x7ffefd58efff Memory Mapped File rwx False False False -
dsrole.dll 0x7fff003f0000 0x7fff003f9fff Memory Mapped File rwx False False False -
dwmapi.dll 0x7fff02e50000 0x7fff02e71fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fff03600000 0x7fff03695fff Memory Mapped File rwx False False False -
dpapi.dll 0x7fff04200000 0x7fff04209fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fff042a0000 0x7fff042d2fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fff046b0000 0x7fff046c6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fff04820000 0x7fff0482afff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
msasn1.dll 0x7fff04de0000 0x7fff04df0fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
crypt32.dll 0x7fff04f40000 0x7fff05100fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
nsi.dll 0x7fff05a80000 0x7fff05a87fff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
wldap32.dll 0x7fff05ed0000 0x7fff05f2afff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
imm32.dll 0x7fff06170000 0x7fff061a5fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
msctf.dll 0x7fff07eb0000 0x7fff0800bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
Process #24: runtimebroker.exe
Information Value
ID #24
File Name c:\windows\system32\runtimebroker.exe
Command Line C:\Windows\System32\RuntimeBroker.exe -Embedding
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:04, Reason: Child Process
Unmonitor End Time: 00:11:22, Reason: Terminated by Timeout
Monitor Duration 00:07:18
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1b4
Parent PID 0x244 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x378
0x11C
0x250
0x814
0x818
0x9D4
0x9F0
0xA40
0x7C4
0xB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000089c3cb0000 0x89c3cb0000 0x89c3ccffff Private Memory rw True False False -
pagefile_0x00000089c3cb0000 0x89c3cb0000 0x89c3cbffff Pagefile Backed Memory rw True False False -
private_0x00000089c3cc0000 0x89c3cc0000 0x89c3cc0fff Private Memory rw True False False -
pagefile_0x00000089c3cd0000 0x89c3cd0000 0x89c3ce3fff Pagefile Backed Memory r True False False -
private_0x00000089c3cf0000 0x89c3cf0000 0x89c3d6ffff Private Memory rw True False False -
pagefile_0x00000089c3d70000 0x89c3d70000 0x89c3d73fff Pagefile Backed Memory r True False False -
pagefile_0x00000089c3d80000 0x89c3d80000 0x89c3d81fff Pagefile Backed Memory r True False False -
private_0x00000089c3d90000 0x89c3d90000 0x89c3d91fff Private Memory rw True False False -
private_0x00000089c3da0000 0x89c3da0000 0x89c3da0fff Private Memory rw True False False -
pagefile_0x00000089c3db0000 0x89c3db0000 0x89c3db0fff Pagefile Backed Memory r True False False -
pagefile_0x00000089c3dc0000 0x89c3dc0000 0x89c3dc0fff Pagefile Backed Memory r True False False -
pagefile_0x00000089c3dd0000 0x89c3dd0000 0x89c3dd2fff Pagefile Backed Memory r True False False -
private_0x00000089c3de0000 0x89c3de0000 0x89c3de6fff Private Memory rw True False False -
pagefile_0x00000089c3df0000 0x89c3df0000 0x89c3df0fff Pagefile Backed Memory rw True False False -
private_0x00000089c3e00000 0x89c3e00000 0x89c3efffff Private Memory rw True False False -
locale.nls 0x89c3f00000 0x89c3fbdfff Memory Mapped File r False False False -
private_0x00000089c3fc0000 0x89c3fc0000 0x89c403ffff Private Memory rw True False False -
private_0x00000089c4040000 0x89c4040000 0x89c40bffff Private Memory rw True False False -
pagefile_0x00000089c40c0000 0x89c40c0000 0x89c40e9fff Pagefile Backed Memory rw True False False -
pagefile_0x00000089c40f0000 0x89c40f0000 0x89c40f0fff Pagefile Backed Memory rw True False False -
private_0x00000089c4100000 0x89c4100000 0x89c4106fff Private Memory rw True False False -
private_0x00000089c4110000 0x89c4110000 0x89c418ffff Private Memory rw True False False -
private_0x00000089c4200000 0x89c4200000 0x89c42fffff Private Memory rw True False False -
pagefile_0x00000089c4300000 0x89c4300000 0x89c4487fff Pagefile Backed Memory r True False False -
pagefile_0x00000089c4490000 0x89c4490000 0x89c4610fff Pagefile Backed Memory r True False False -
pagefile_0x00000089c4620000 0x89c4620000 0x89c5a1ffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x89c5a20000 0x89c5d56fff Memory Mapped File r False False False -
private_0x00000089c5d60000 0x89c5d60000 0x89c5ddffff Private Memory rw True False False -
private_0x00000089c5de0000 0x89c5de0000 0x89c5e5ffff Private Memory rw True False False -
private_0x00000089c5e60000 0x89c5e60000 0x89c5edffff Private Memory rw True False False -
private_0x00000089c5f50000 0x89c5f50000 0x89c5f56fff Private Memory rw True False False -
private_0x00000089c5f60000 0x89c5f60000 0x89c5fdffff Private Memory rw True False False -
private_0x00000089c6000000 0x89c6000000 0x89c60fffff Private Memory rw True False False -
private_0x00000089c6100000 0x89c6100000 0x89c61fffff Private Memory rw True False False -
pagefile_0x00007df5ff8b0000 0x7df5ff8b0000 0x7ff5ff8affff Pagefile Backed Memory - True False False -
private_0x00007ff6871dc000 0x7ff6871dc000 0x7ff6871ddfff Private Memory rw True False False -
private_0x00007ff6871de000 0x7ff6871de000 0x7ff6871dffff Private Memory rw True False False -
pagefile_0x00007ff6871e0000 0x7ff6871e0000 0x7ff6872dffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6872e0000 0x7ff6872e0000 0x7ff687302fff Pagefile Backed Memory r True False False -
private_0x00007ff687303000 0x7ff687303000 0x7ff687304fff Private Memory rw True False False -
private_0x00007ff687305000 0x7ff687305000 0x7ff687306fff Private Memory rw True False False -
private_0x00007ff687307000 0x7ff687307000 0x7ff687308fff Private Memory rw True False False -
private_0x00007ff687309000 0x7ff687309000 0x7ff68730afff Private Memory rw True False False -
private_0x00007ff68730b000 0x7ff68730b000 0x7ff68730cfff Private Memory rw True False False -
private_0x00007ff68730d000 0x7ff68730d000 0x7ff68730efff Private Memory rw True False False -
private_0x00007ff68730f000 0x7ff68730f000 0x7ff68730ffff Private Memory rw True False False -
runtimebroker.exe 0x7ff688190000 0x7ff6881a5fff Memory Mapped File rwx False False False -
ntoskrnl.exe 0x7ff7ddb50000 0x7ff7de3a1fff Memory Mapped File rwx False False False -
wwapi.dll 0x7ffef6a20000 0x7ffef6a35fff Memory Mapped File rwx False False False -
windows.networking.connectivity.dll 0x7ffef6a40000 0x7ffef6aebfff Memory Mapped File rwx False False False -
tokenbroker.dll 0x7ffef8e20000 0x7ffef8ee5fff Memory Mapped File rwx False False False -
actxprxy.dll 0x7ffef93f0000 0x7ffef9859fff Memory Mapped File rwx False False False -
windows.security.authentication.onlineid.dll 0x7ffefa090000 0x7ffefa142fff Memory Mapped File rwx False False False -
idstore.dll 0x7ffefa720000 0x7ffefa746fff Memory Mapped File rwx False False False -
npmproxy.dll 0x7ffefc1e0000 0x7ffefc1edfff Memory Mapped File rwx False False False -
wininet.dll 0x7ffefc340000 0x7ffefc5e6fff Memory Mapped File rwx False False False -
wlanapi.dll 0x7ffefcd50000 0x7ffefcdaefff Memory Mapped File rwx False False False -
windows.internal.shell.broker.dll 0x7ffefe310000 0x7ffefe3a1fff Memory Mapped File rwx False False False -
authbroker.dll 0x7ffefe630000 0x7ffefe655fff Memory Mapped File rwx False False False -
msauserext.dll 0x7ffefe690000 0x7ffefe6a9fff Memory Mapped File rwx False False False -
samlib.dll 0x7ffeff530000 0x7ffeff54bfff Memory Mapped File rwx False False False -
propsys.dll 0x7ffeff870000 0x7ffeff9f2fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffeffcf0000 0x7ffeffd05fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffeffd80000 0x7ffeffd97fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fff00400000 0x7fff0040afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fff00420000 0x7fff00457fff Memory Mapped File rwx False False False -
windows.ui.immersive.dll 0x7fff00b30000 0x7fff00ce6fff Memory Mapped File rwx False False False -
wintypes.dll 0x7fff00cf0000 0x7fff00e20fff Memory Mapped File rwx False False False -
mrmcorer.dll 0x7fff02250000 0x7fff0235efff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fff033a0000 0x7fff033b2fff Memory Mapped File rwx False False False -
sppc.dll 0x7fff03430000 0x7fff03454fff Memory Mapped File rwx False False False -
slc.dll 0x7fff03460000 0x7fff03485fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fff03600000 0x7fff03695fff Memory Mapped File rwx False False False -
netutils.dll 0x7fff04030000 0x7fff0403bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fff042a0000 0x7fff042d2fff Memory Mapped File rwx False False False -
userenv.dll 0x7fff04390000 0x7fff043aefff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fff046b0000 0x7fff046c6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fff04820000 0x7fff0482afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fff04a00000 0x7fff04a2bfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
msasn1.dll 0x7fff04de0000 0x7fff04df0fff Memory Mapped File rwx False False False -
profapi.dll 0x7fff04e00000 0x7fff04e12fff Memory Mapped File rwx False False False -
powrprof.dll 0x7fff04e20000 0x7fff04e69fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
shcore.dll 0x7fff04e80000 0x7fff04f32fff Memory Mapped File rwx False False False -
crypt32.dll 0x7fff04f40000 0x7fff05100fff Memory Mapped File rwx False False False -
windows.storage.dll 0x7fff05270000 0x7fff05897fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
nsi.dll 0x7fff05a80000 0x7fff05a87fff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fff05d00000 0x7fff05d50fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
advapi32.dll 0x7fff05f30000 0x7fff05fd5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
imm32.dll 0x7fff06170000 0x7fff061a5fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
ole32.dll 0x7fff06430000 0x7fff06570fff Memory Mapped File rwx False False False -
shell32.dll 0x7fff067d0000 0x7fff07cf4fff Memory Mapped File rwx False False False -
msctf.dll 0x7fff07eb0000 0x7fff0800bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
Process #25: dllhost.exe
Information Value
ID #25
File Name c:\windows\system32\dllhost.exe
Command Line C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:09, Reason: Child Process
Unmonitor End Time: 00:04:36, Reason: Self Terminated
Monitor Duration 00:00:27
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x874
Parent PID 0x244 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x878
0x888
0x8A8
0x8AC
0x8B0
0x8B4
0x8C0
0x8C4
0x9BC
0x9C0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000e2067c0000 0xe2067c0000 0xe2067dffff Private Memory rw True False False -
pagefile_0x000000e2067c0000 0xe2067c0000 0xe2067cffff Pagefile Backed Memory rw True False False -
private_0x000000e2067d0000 0xe2067d0000 0xe2067d6fff Private Memory rw True False False -
pagefile_0x000000e2067e0000 0xe2067e0000 0xe2067f3fff Pagefile Backed Memory r True False False -
private_0x000000e206800000 0xe206800000 0xe2068fffff Private Memory rw True False False -
pagefile_0x000000e206900000 0xe206900000 0xe206903fff Pagefile Backed Memory r True False False -
private_0x000000e206910000 0xe206910000 0xe206911fff Private Memory rw True False False -
locale.nls 0xe206920000 0xe2069ddfff Memory Mapped File r False False False -
pagefile_0x000000e2069e0000 0xe2069e0000 0xe2069e0fff Pagefile Backed Memory r True False False -
private_0x000000e2069f0000 0xe2069f0000 0xe2069f6fff Private Memory rw True False False -
pagefile_0x000000e206a00000 0xe206a00000 0xe206a00fff Pagefile Backed Memory r True False False -
private_0x000000e206a10000 0xe206a10000 0xe206a10fff Private Memory rw True False False -
private_0x000000e206a20000 0xe206a20000 0xe206a20fff Private Memory rw True False False -
pagefile_0x000000e206a30000 0xe206a30000 0xe206a32fff Pagefile Backed Memory r True False False -
pagefile_0x000000e206a40000 0xe206a40000 0xe206a40fff Pagefile Backed Memory rw True False False -
private_0x000000e206a50000 0xe206a50000 0xe206a5ffff Private Memory rw True False False -
private_0x000000e206a60000 0xe206a60000 0xe206b5ffff Private Memory rw True False False -
private_0x000000e206b60000 0xe206b60000 0xe206c5ffff Private Memory rw True False False -
sortdefault.nls 0xe206c60000 0xe206f96fff Memory Mapped File r False False False -
private_0x000000e206fa0000 0xe206fa0000 0xe20709ffff Private Memory rw True False False -
private_0x000000e2070a0000 0xe2070a0000 0xe20719ffff Private Memory rw True False False -
private_0x000000e2071a0000 0xe2071a0000 0xe20729ffff Private Memory rw True False False -
private_0x000000e2072a0000 0xe2072a0000 0xe20739ffff Private Memory rw True False False -
pagefile_0x000000e2073a0000 0xe2073a0000 0xe207527fff Pagefile Backed Memory r True False False -
pagefile_0x000000e207530000 0xe207530000 0xe2076b0fff Pagefile Backed Memory r True False False -
pagefile_0x000000e2076c0000 0xe2076c0000 0xe208abffff Pagefile Backed Memory r True False False -
pagefile_0x000000e208ac0000 0xe208ac0000 0xe208ac1fff Pagefile Backed Memory r True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db 0xe208ae0000 0xe208af2fff Memory Mapped File r True False False -
pagefile_0x000000e208b00000 0xe208b00000 0xe208b00fff Pagefile Backed Memory rw True False False -
private_0x000000e208b90000 0xe208b90000 0xe208b9ffff Private Memory rw True False False -
private_0x000000e208ba0000 0xe208ba0000 0xe208c9ffff Private Memory rw True False False -
private_0x000000e208ca0000 0xe208ca0000 0xe208d9ffff Private Memory rw True False False -
pagefile_0x00007df5ff3f0000 0x7df5ff3f0000 0x7ff5ff3effff Pagefile Backed Memory - True False False -
private_0x00007ff6dd70e000 0x7ff6dd70e000 0x7ff6dd70ffff Private Memory rw True False False -
pagefile_0x00007ff6dd710000 0x7ff6dd710000 0x7ff6dd80ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6dd810000 0x7ff6dd810000 0x7ff6dd832fff Pagefile Backed Memory r True False False -
private_0x00007ff6dd833000 0x7ff6dd833000 0x7ff6dd834fff Private Memory rw True False False -
private_0x00007ff6dd835000 0x7ff6dd835000 0x7ff6dd836fff Private Memory rw True False False -
private_0x00007ff6dd837000 0x7ff6dd837000 0x7ff6dd838fff Private Memory rw True False False -
private_0x00007ff6dd839000 0x7ff6dd839000 0x7ff6dd839fff Private Memory rw True False False -
private_0x00007ff6dd83a000 0x7ff6dd83a000 0x7ff6dd83bfff Private Memory rw True False False -
private_0x00007ff6dd83c000 0x7ff6dd83c000 0x7ff6dd83dfff Private Memory rw True False False -
private_0x00007ff6dd83e000 0x7ff6dd83e000 0x7ff6dd83ffff Private Memory rw True False False -
dllhost.exe 0x7ff6de1e0000 0x7ff6de1e6fff Memory Mapped File rwx False False False -
mfmp4srcsnk.dll 0x7ffef5d80000 0x7ffef5e7ffff Memory Mapped File rwx False False False -
mfsrcsnk.dll 0x7ffef64c0000 0x7ffef65bbfff Memory Mapped File rwx False False False -
thumbcache.dll 0x7ffef7650000 0x7ffef769afff Memory Mapped File rwx False False False -
actxprxy.dll 0x7ffef93f0000 0x7ffef9859fff Memory Mapped File rwx False False False -
photometadatahandler.dll 0x7ffefa150000 0x7ffefa1bafff Memory Mapped File rwx False False False -
comctl32.dll 0x7ffefc790000 0x7ffefca03fff Memory Mapped File rwx False False False -
mfmkvsrcsnk.dll 0x7ffefe630000 0x7ffefe6aafff Memory Mapped File rwx False False False -
msvcp110_win.dll 0x7ffefe790000 0x7ffefe821fff Memory Mapped File rwx False False False -
rtworkq.dll 0x7ffefeab0000 0x7ffefeadffff Memory Mapped File rwx False False False -
mfplat.dll 0x7ffefeae0000 0x7ffefebebfff Memory Mapped File rwx False False False -
avrt.dll 0x7ffeff580000 0x7ffeff58afff Memory Mapped File rwx False False False -
propsys.dll 0x7ffeff870000 0x7ffeff9f2fff Memory Mapped File rwx False False False -
windowscodecs.dll 0x7fff026d0000 0x7fff02881fff Memory Mapped File rwx False False False -
apphelp.dll 0x7fff03530000 0x7fff035a7fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fff03600000 0x7fff03695fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fff042a0000 0x7fff042d2fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fff046b0000 0x7fff046c6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fff04820000 0x7fff0482afff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
profapi.dll 0x7fff04e00000 0x7fff04e12fff Memory Mapped File rwx False False False -
powrprof.dll 0x7fff04e20000 0x7fff04e69fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
shcore.dll 0x7fff04e80000 0x7fff04f32fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fff05110000 0x7fff05153fff Memory Mapped File rwx False False False -
windows.storage.dll 0x7fff05270000 0x7fff05897fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fff05d00000 0x7fff05d50fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
advapi32.dll 0x7fff05f30000 0x7fff05fd5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
imm32.dll 0x7fff06170000 0x7fff061a5fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
ole32.dll 0x7fff06430000 0x7fff06570fff Memory Mapped File rwx False False False -
shell32.dll 0x7fff067d0000 0x7fff07cf4fff Memory Mapped File rwx False False False -
msctf.dll 0x7fff07eb0000 0x7fff0800bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
Process #26: explorer.exe
Information Value
ID #26
File Name c:\windows\explorer.exe
Command Line C:\Windows\Explorer.EXE
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:16, Reason: RPC Server
Unmonitor End Time: 00:11:22, Reason: Terminated by Timeout
Monitor Duration 00:07:06
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x164
Parent PID 0x4fc (c:\windows\system32\userinit.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x920
0x918
0x90C
0x908
0x904
0x900
0x8FC
0x8F8
0x8F0
0x8E4
0x8E0
0x8DC
0x8D8
0x8D4
0x8D0
0x8CC
0x8BC
0x8B8
0x8A4
0x8A0
0x89C
0x898
0x890
0x88C
0x884
0x880
0x87C
0x86C
0x844
0x82C
0x828
0x824
0x820
0x81C
0x80C
0x804
0x3F4
0x7EC
0x7FC
0x7F8
0x408
0x378
0x374
0x60C
0x734
0x404
0x6C4
0x740
0x24C
0x528
0x1F4
0x1A4
0x15C
0x940
0xA98
0xAAC
0xAB0
0xAB8
0xABC
0xAC0
0xAC4
0xAC8
0xACC
0xAD0
0xAD4
0xAEC
0xAF4
0xAFC
0xB38
0xB9C
0xBBC
0xBE0
0x87C
0x894
0x8C0
0x910
0x92C
0x7DC
0x204
0xB40
0xB04
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x00000000000b0000 0x000b0000 0x000bffff Pagefile Backed Memory rw True False False -
private_0x00000000000c0000 0x000c0000 0x000c6fff Private Memory rw True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000e3fff Pagefile Backed Memory r True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
pagefile_0x0000000000170000 0x00170000 0x00173fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000180000 0x00180000 0x00182fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x00191fff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x001a6fff Private Memory rw True False False -
explorer.exe.mui 0x001b0000 0x001b7fff Memory Mapped File r False False False -
private_0x00000000001c0000 0x001c0000 0x001c0fff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x001dffff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x001e0fff Private Memory rw True False False -
pagefile_0x00000000001f0000 0x001f0000 0x001f0fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000200000 0x00200000 0x00200fff Pagefile Backed Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
locale.nls 0x00310000 0x003cdfff Memory Mapped File r False False False -
private_0x00000000003d0000 0x003d0000 0x0044ffff Private Memory rw True False False -
pagefile_0x0000000000450000 0x00450000 0x005d7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005e0000 0x005e0000 0x00760fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000770000 0x00770000 0x01b6ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001b70000 0x01b70000 0x01b70fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001b80000 0x01b80000 0x01b80fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001b90000 0x01b90000 0x01b92fff Pagefile Backed Memory r True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db 0x01ba0000 0x01bb2fff Memory Mapped File r True False False -
pagefile_0x0000000001bc0000 0x01bc0000 0x01bc0fff Pagefile Backed Memory rw True False False -
private_0x0000000001bd0000 0x01bd0000 0x01c4ffff Private Memory rw True False False -
private_0x0000000001c50000 0x01c50000 0x01ccffff Private Memory rw True False False -
pagefile_0x0000000001cd0000 0x01cd0000 0x01cd3fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001ce0000 0x01ce0000 0x01ce1fff Pagefile Backed Memory r True False False -
private_0x0000000001cf0000 0x01cf0000 0x01cf6fff Private Memory rw True False False -
cversions.1.db 0x01d00000 0x01d03fff Memory Mapped File r True False False -
pagefile_0x0000000001d10000 0x01d10000 0x01d12fff Pagefile Backed Memory r True False False -
private_0x0000000001d20000 0x01d20000 0x01d2ffff Private Memory rw True False False -
sortdefault.nls 0x01d30000 0x02066fff Memory Mapped File r False False False -
private_0x0000000002070000 0x02070000 0x020effff Private Memory rw True False False -
private_0x00000000020f0000 0x020f0000 0x0216ffff Private Memory rw True False False -
shell32.dll.mui 0x02170000 0x021d0fff Memory Mapped File r False False False -
pagefile_0x00000000021e0000 0x021e0000 0x02297fff Pagefile Backed Memory r True False False -
private_0x00000000022a0000 0x022a0000 0x0239ffff Private Memory rw True False False -
pagefile_0x00000000023a0000 0x023a0000 0x023a1fff Pagefile Backed Memory r True False False -
oleaccrc.dll 0x023b0000 0x023b1fff Memory Mapped File r False False False -
oleaccrc.dll.mui 0x023c0000 0x023c4fff Memory Mapped File r False False False -
{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000035.db 0x023d0000 0x023ebfff Memory Mapped File r True False False -
pagefile_0x00000000023f0000 0x023f0000 0x023f2fff Pagefile Backed Memory r True False False -
pagefile_0x0000000002400000 0x02400000 0x02429fff Pagefile Backed Memory rw True False False -
kernelbase.dll.mui 0x02430000 0x0250efff Memory Mapped File r False False False -
private_0x0000000002510000 0x02510000 0x0258ffff Private Memory rw True False False -
private_0x0000000002590000 0x02590000 0x0260ffff Private Memory rw True False False -
private_0x0000000002610000 0x02610000 0x0268ffff Private Memory rw True False False -
private_0x0000000002690000 0x02690000 0x0278ffff Private Memory rw True False False -
private_0x0000000002790000 0x02790000 0x02790fff Private Memory rw True False False -
staticcache.dat 0x027a0000 0x037dffff Memory Mapped File r False False False -
private_0x00000000037e0000 0x037e0000 0x037e0fff Private Memory rw True False False -
private_0x00000000037f0000 0x037f0000 0x037f0fff Private Memory rw True False False -
private_0x0000000003800000 0x03800000 0x03800fff Private Memory rw True False False -
private_0x0000000003810000 0x03810000 0x0388ffff Private Memory rw True False False -
private_0x0000000003890000 0x03890000 0x03891fff Private Memory rw True False False -
private_0x00000000038a0000 0x038a0000 0x038a0fff Private Memory rw True False False -
private_0x00000000038b0000 0x038b0000 0x038b0fff Private Memory rw True False False -
private_0x00000000038c0000 0x038c0000 0x038c0fff Private Memory rw True False False -
pagefile_0x00000000038d0000 0x038d0000 0x038d2fff Pagefile Backed Memory r True False False -
cversions.1.db 0x038e0000 0x038e3fff Memory Mapped File r True False False -
private_0x00000000038f0000 0x038f0000 0x038f0fff Private Memory rw True False False -
pagefile_0x0000000003900000 0x03900000 0x03900fff Pagefile Backed Memory rw True False False -
private_0x0000000003910000 0x03910000 0x03910fff Private Memory rw True False False -
pagefile_0x0000000003920000 0x03920000 0x03922fff Pagefile Backed Memory r True False False -
pagefile_0x0000000003930000 0x03930000 0x03968fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000003970000 0x03970000 0x03972fff Pagefile Backed Memory r True False False -
private_0x0000000003980000 0x03980000 0x03980fff Private Memory rw True False False -
private_0x0000000003990000 0x03990000 0x03990fff Private Memory rw True False False -
private_0x00000000039a0000 0x039a0000 0x03a1ffff Private Memory rw True False False -
private_0x0000000003a20000 0x03a20000 0x03a9ffff Private Memory rw True False False -
cversions.2.db 0x03aa0000 0x03aa3fff Memory Mapped File r True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db 0x03ab0000 0x03af2fff Memory Mapped File r True False False -
cversions.2.db 0x03b00000 0x03b03fff Memory Mapped File r True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db 0x03b10000 0x03b9afff Memory Mapped File r True False False -
private_0x0000000003ba0000 0x03ba0000 0x03c1ffff Private Memory rw True False False -
propsys.dll.mui 0x03c20000 0x03c30fff Memory Mapped File r False False False -
private_0x0000000003c40000 0x03c40000 0x03cbffff Private Memory rw True False False -
private_0x0000000003cc0000 0x03cc0000 0x03d3ffff Private Memory rw True False False -
private_0x0000000003d40000 0x03d40000 0x03d40fff Private Memory rw True False False -
private_0x0000000003d50000 0x03d50000 0x03dcffff Private Memory rw True False False -
private_0x0000000003dd0000 0x03dd0000 0x045cffff Private Memory - True False False -
private_0x00000000045d0000 0x045d0000 0x0464ffff Private Memory rw True False False -
pagefile_0x0000000004650000 0x04650000 0x04b41fff Pagefile Backed Memory rw True False False -
private_0x0000000004b50000 0x04b50000 0x04b50fff Private Memory rw True False False -
private_0x0000000004b60000 0x04b60000 0x04bdffff Private Memory rw True False False -
private_0x0000000004be0000 0x04be0000 0x04c5ffff Private Memory rw True False False -
private_0x0000000004c60000 0x04c60000 0x04cdffff Private Memory rw True False False -
pagefile_0x0000000004ce0000 0x04ce0000 0x04ce2fff Pagefile Backed Memory r True False False -
private_0x0000000004cf0000 0x04cf0000 0x04d6ffff Private Memory rw True False False -
{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000036.db 0x04d70000 0x04d8cfff Memory Mapped File r True False False -
private_0x0000000004d90000 0x04d90000 0x04e0ffff Private Memory rw True False False -
private_0x0000000004e10000 0x04e10000 0x04e8ffff Private Memory rw True False False -
private_0x0000000004e90000 0x04e90000 0x04f0ffff Private Memory rw True False False -
private_0x0000000004f10000 0x04f10000 0x04f8ffff Private Memory rw True False False -
private_0x0000000004f90000 0x04f90000 0x0500ffff Private Memory rw True False False -
winnlsres.dll 0x05010000 0x05014fff Memory Mapped File r False False False -
winnlsres.dll.mui 0x05020000 0x0502ffff Memory Mapped File r False False False -
mswsock.dll.mui 0x05030000 0x05032fff Memory Mapped File r False False False -
pagefile_0x0000000005040000 0x05040000 0x05040fff Pagefile Backed Memory rw True False False -
private_0x0000000005050000 0x05050000 0x05050fff Private Memory rw True False False -
private_0x0000000005060000 0x05060000 0x0515ffff Private Memory rw True False False -
private_0x0000000005160000 0x05160000 0x051a8fff Private Memory rw True False False -
appdb.dat 0x051b0000 0x07531fff Memory Mapped File rw True False False -
pagefile_0x0000000007540000 0x07540000 0x07542fff Pagefile Backed Memory r True False False -
private_0x0000000007550000 0x07550000 0x07573fff Private Memory rw True False False -
private_0x0000000007580000 0x07580000 0x07588fff Private Memory rw True False False -
private_0x0000000007590000 0x07590000 0x07590fff Private Memory rw True False False -
private_0x00000000075a0000 0x075a0000 0x075a3fff Private Memory rw True False False -
thumbcache_idx.db 0x075b0000 0x075b1fff Memory Mapped File rw True False False -
private_0x00000000075c0000 0x075c0000 0x075c8fff Private Memory rw True False False -
private_0x00000000075d0000 0x075d0000 0x076cffff Private Memory rw True False False -
pagefile_0x00000000076d0000 0x076d0000 0x076d2fff Pagefile Backed Memory r True False False -
private_0x00000000076e0000 0x076e0000 0x07715fff Private Memory rw True False False -
private_0x0000000007720000 0x07720000 0x07720fff Private Memory rw True False False -
private_0x0000000007730000 0x07730000 0x07777fff Private Memory rw True False False -
private_0x0000000007780000 0x07780000 0x077fffff Private Memory rw True False False -
thumbcache_48.db 0x07800000 0x078fffff Memory Mapped File rw True False False -
netmsg.dll 0x07900000 0x07900fff Memory Mapped File r False False False -
netmsg.dll.mui 0x07910000 0x07941fff Memory Mapped File r False False False -
private_0x0000000007950000 0x07950000 0x07950fff Private Memory rw True False False -
private_0x0000000007960000 0x07960000 0x079dffff Private Memory rw True False False -
iconcache_idx.db 0x079e0000 0x079e1fff Memory Mapped File rw True False False -
iconcache_48.db 0x079f0000 0x07aeffff Memory Mapped File rw True False False -
private_0x0000000007af0000 0x07af0000 0x07b6ffff Private Memory rw True False False -
private_0x0000000007b70000 0x07b70000 0x07beffff Private Memory rw True False False -
cversions.2.db 0x07bf0000 0x07bf3fff Memory Mapped File r True False False -
thumbcache_idx.db 0x07c10000 0x07c11fff Memory Mapped File rw True False False -
thumbcache_idx.db 0x07c20000 0x07c21fff Memory Mapped File rw True False False -
pagefile_0x0000000007c30000 0x07c30000 0x07c31fff Pagefile Backed Memory r True False False -
pagefile_0x0000000007c70000 0x07c70000 0x07c72fff Pagefile Backed Memory r True False False -
private_0x0000000007c80000 0x07c80000 0x07cb2fff Private Memory rw True False False -
private_0x0000000007cc0000 0x07cc0000 0x07d3ffff Private Memory rw True False False -
private_0x0000000007d40000 0x07d40000 0x07dbffff Private Memory rw True False False -
thumbcache_48.db 0x07dc0000 0x07ebffff Memory Mapped File rw True False False -
private_0x0000000007ec0000 0x07ec0000 0x080bffff Private Memory rw True False False -
thumbcache_48.db 0x080c0000 0x081bffff Memory Mapped File rw True False False -
private_0x00000000081c0000 0x081c0000 0x0823ffff Private Memory rw True False False -
grooveintlresource.dll 0x08240000 0x08ac2fff Memory Mapped File rwx False False False -
private_0x0000000008ad0000 0x08ad0000 0x08b3bfff Private Memory rw True False False -
private_0x0000000008b40000 0x08b40000 0x08bbffff Private Memory rw True False False -
private_0x0000000008bc0000 0x08bc0000 0x08c3ffff Private Memory rw True False False -
private_0x0000000008c40000 0x08c40000 0x08cbffff Private Memory rw True False False -
private_0x0000000008cc0000 0x08cc0000 0x08d3ffff Private Memory rw True False False -
private_0x0000000008d40000 0x08d40000 0x08dbffff Private Memory rw True False False -
private_0x0000000008dc0000 0x08dc0000 0x08e3ffff Private Memory rw True False False -
private_0x0000000008e60000 0x08e60000 0x08edffff Private Memory rw True False False -
private_0x0000000008ee0000 0x08ee0000 0x08f5ffff Private Memory rw True False False -
private_0x0000000008f60000 0x08f60000 0x09451fff Private Memory rw True False False -
For performance reasons, the remaining 471 entries are omitted.
The remaining entries can be found in flog.txt.
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x76f0000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7700000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7710000, size = 210 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7c80000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7c90000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7ca0000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7cb0000, size = 142 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x8bc0000, size = 15 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x8bd0000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x8be0000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x8bf0000, size = 142 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x8c00000, size = 15 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x8c10000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x8c20000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x8c30000, size = 142 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9060000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9070000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9080000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9090000, size = 142 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x90a0000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x90b0000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x90c0000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x90d0000, size = 142 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x91e0000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x91f0000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9200000, size = 210 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9210000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9220000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9230000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9240000, size = 142 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9250000, size = 10 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9960000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9970000, size = 210 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9980000, size = 7 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9990000, size = 10 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x99a0000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x99b0000, size = 142 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x99c0000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x99d0000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x99e0000, size = 210 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x99f0000, size = 9 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9a00000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9a10000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9a20000, size = 142 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9a30000, size = 8 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9a40000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9a50000, size = 210 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9a60000, size = 14 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9a70000, size = 8 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9a80000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9a90000, size = 142 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9aa0000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9ab0000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9ac0000, size = 210 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9ad0000, size = 14 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9ae0000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9af0000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9b00000, size = 142 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9b10000, size = 10 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9b20000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9b30000, size = 210 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9b40000, size = 24 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9b50000, size = 10 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9b60000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9b70000, size = 142 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9b80000, size = 10 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9b90000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9ba0000, size = 210 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9bb0000, size = 14 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9bc0000, size = 10 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9bd0000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9be0000, size = 142 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9bf0000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9c00000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9c10000, size = 210 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9c20000, size = 14 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9c30000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9c40000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9c50000, size = 142 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9c60000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9c70000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9c80000, size = 210 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9c90000, size = 16 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9ca0000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9cb0000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9cc0000, size = 142 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9cd0000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9ce0000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9cf0000, size = 210 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9d00000, size = 15 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9d10000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9d20000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9d30000, size = 142 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9d40000, size = 11 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9d50000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9d60000, size = 210 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9d70000, size = 6 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9d80000, size = 11 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9d90000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9da0000, size = 142 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9db0000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9dc0000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9dd0000, size = 210 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9de0000, size = 15 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9df0000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9e00000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9e10000, size = 142 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9e20000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9e30000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9e40000, size = 210 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9e50000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xa560000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xa570000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xa580000, size = 142 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xa590000, size = 10 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xa5a0000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xa5b0000, size = 210 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xa5c0000, size = 11 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xa5d0000, size = 10 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xac30000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xac40000, size = 142 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xac50000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xac60000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xac70000, size = 210 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xac80000, size = 5 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xac90000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xaca0000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xacb0000, size = 142 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x10410000, size = 458752 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xacc0000, size = 8 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xacd0000, size = 313 True 1 Fn Data
Process #27: shellexperiencehost.exe
Information Value
ID #27
File Name c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
Command Line "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Initial Working Directory C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\
Monitor Start Time: 00:04:22, Reason: Child Process
Unmonitor End Time: 00:11:22, Reason: Terminated by Timeout
Monitor Duration 00:07:00
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x97c
Parent PID 0x244 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Low
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x980, 0x98C, 0x990, 0x994, 0x998, 0x99C, 0x9A0, 0x9A4, 0x9A8, 0x9AC, 0x9B0, 0x9B4, 0x9B8, 0x9C4, 0x9C8, 0x9CC, 0x9D0, 0xA94, 0xA9C, 0xAA0, 0xAA4, 0xAA8, 0xAB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000da8af20000 0xda8af20000 0xda8af3ffff Private Memory rw True False False -
pagefile_0x000000da8af20000 0xda8af20000 0xda8af2ffff Pagefile Backed Memory rw True False False -
private_0x000000da8af30000 0xda8af30000 0xda8af30fff Private Memory rw True False False -
pagefile_0x000000da8af40000 0xda8af40000 0xda8af53fff Pagefile Backed Memory r True False False -
private_0x000000da8af60000 0xda8af60000 0xda8b05ffff Private Memory rw True False False -
pagefile_0x000000da8b060000 0xda8b060000 0xda8b063fff Pagefile Backed Memory r True False False -
private_0x000000da8b070000 0xda8b070000 0xda8b071fff Private Memory rw True False False -
s-1-5-21-1462094071-1423818996-289466292-1000.pckgdep 0xda8b080000 0xda8b080fff Memory Mapped File r True False False -
locale.nls 0xda8b090000 0xda8b14dfff Memory Mapped File r False False False -
pagefile_0x000000da8b150000 0xda8b150000 0xda8b179fff Pagefile Backed Memory rw True False False -
pagefile_0x000000da8b180000 0xda8b180000 0xda8b180fff Pagefile Backed Memory r True False False -
pagefile_0x000000da8b190000 0xda8b190000 0xda8b190fff Pagefile Backed Memory rw True False False -
private_0x000000da8b1a0000 0xda8b1a0000 0xda8b1a6fff Private Memory rw True False False -
pagefile_0x000000da8b1b0000 0xda8b1b0000 0xda8b1b0fff Pagefile Backed Memory rw True False False -
2504515037.pri 0xda8b1c0000 0xda8b1cbfff Memory Mapped File r True False False -
pagefile_0x000000da8b1d0000 0xda8b1d0000 0xda8b1d0fff Pagefile Backed Memory rw True False False -
private_0x000000da8b1e0000 0xda8b1e0000 0xda8b1e0fff Private Memory rw True False False -
private_0x000000da8b1f0000 0xda8b1f0000 0xda8b1f0fff Private Memory rw True False False -
private_0x000000da8b200000 0xda8b200000 0xda8b2fffff Private Memory rw True False False -
private_0x000000da8b300000 0xda8b300000 0xda8b3fffff Private Memory rw True False False -
pagefile_0x000000da8b400000 0xda8b400000 0xda8b587fff Pagefile Backed Memory r True False False -
pagefile_0x000000da8b590000 0xda8b590000 0xda8b590fff Pagefile Backed Memory rw True False False -
pagefile_0x000000da8b5a0000 0xda8b5a0000 0xda8b5a0fff Pagefile Backed Memory rw True False False -
private_0x000000da8b5b0000 0xda8b5b0000 0xda8b5b6fff Private Memory rw True False False -
resources.en-us.pri 0xda8b5c0000 0xda8b5ccfff Memory Mapped File r False False False -
pagefile_0x000000da8b5d0000 0xda8b5d0000 0xda8b5d1fff Pagefile Backed Memory rw True False False -
private_0x000000da8b600000 0xda8b600000 0xda8b6fffff Private Memory rw True False False -
pagefile_0x000000da8b700000 0xda8b700000 0xda8b880fff Pagefile Backed Memory r True False False -
pagefile_0x000000da8b890000 0xda8b890000 0xda8cc8ffff Pagefile Backed Memory r True False False -
private_0x000000da8cc90000 0xda8cc90000 0xda8cd8ffff Private Memory rw True False False -
sortdefault.nls 0xda8cd90000 0xda8d0c6fff Memory Mapped File r False False False -
windows.ui.xaml.resources.dll 0xda8d0d0000 0xda8d206fff Memory Mapped File r False False False -
kernelbase.dll.mui 0xda8d210000 0xda8d2eefff Memory Mapped File r False False False -
private_0x000000da8d2f0000 0xda8d2f0000 0xda8d3effff Private Memory rw True False False -
private_0x000000da8d3f0000 0xda8d3f0000 0xda8d4effff Private Memory rw True False False -
private_0x000000da8d4f0000 0xda8d4f0000 0xda8d5effff Private Memory rw True False False -
private_0x000000da8d5f0000 0xda8d5f0000 0xda8d6effff Private Memory rw True False False -
private_0x000000da8d780000 0xda8d780000 0xda8d786fff Private Memory rw True False False -
private_0x000000da8d800000 0xda8d800000 0xda8d8fffff Private Memory rw True False False -
private_0x000000da8d900000 0xda8d900000 0xda8d9fffff Private Memory rw True False False -
private_0x000000da8da00000 0xda8da00000 0xda8e1fffff Private Memory - True False False -
resources.pri 0xda8e200000 0xda8e2d3fff Memory Mapped File r False False False -
private_0x000000da8e2e0000 0xda8e2e0000 0xda8e3dffff Private Memory rw True False False -
private_0x000000da8e3e0000 0xda8e3e0000 0xda8e4dffff Private Memory rw True False False -
private_0x000000da8e4e0000 0xda8e4e0000 0xda8e5dffff Private Memory rw True False False -
private_0x000000da8e600000 0xda8e600000 0xda8e6fffff Private Memory rw True False False -
private_0x000000da8e700000 0xda8e700000 0xda8e7fffff Private Memory rw True False False -
private_0x000000da8e800000 0xda8e800000 0xda8e8fffff Private Memory rw True False False -
private_0x000000da8e900000 0xda8e900000 0xda8e9fffff Private Memory rw True False False -
private_0x000000da8ea00000 0xda8ea00000 0xda8eafffff Private Memory rw True False False -
private_0x000000da8eb00000 0xda8eb00000 0xda8ebfffff Private Memory rw True False False -
private_0x000000da8ec00000 0xda8ec00000 0xda8ecfffff Private Memory rw True False False -
private_0x000000da8ed00000 0xda8ed00000 0xda8edfffff Private Memory rw True False False -
private_0x000000da8ee00000 0xda8ee00000 0xda8eefffff Private Memory rw True False False -
private_0x000000da8ef00000 0xda8ef00000 0xda8effffff Private Memory rw True False False -
private_0x000000da8f000000 0xda8f000000 0xda8f0fffff Private Memory rw True False False -
private_0x000000da8f100000 0xda8f100000 0xda8f1fffff Private Memory rw True False False -
private_0x000000da8f200000 0xda8f200000 0xda8f2fffff Private Memory rw True False False -
private_0x000000da8f300000 0xda8f300000 0xda8f3fffff Private Memory rw True False False -
private_0x000000da8f400000 0xda8f400000 0xda8f4fffff Private Memory rw True False False -
private_0x000000da8f560000 0xda8f560000 0xda8f566fff Private Memory rw True False False -
private_0x000000da8f600000 0xda8f600000 0xda8f6fffff Private Memory rw True False False -
private_0x00007ff72232e000 0x7ff72232e000 0x7ff72232ffff Private Memory rw True False False -
private_0x00007ff72233a000 0x7ff72233a000 0x7ff72233bfff Private Memory rw True False False -
private_0x00007ff72233c000 0x7ff72233c000 0x7ff72233dfff Private Memory rw True False False -
private_0x00007ff72233e000 0x7ff72233e000 0x7ff72233ffff Private Memory rw True False False -
private_0x00007ff722340000 0x7ff722340000 0x7ff722341fff Private Memory rw True False False -
private_0x00007ff722342000 0x7ff722342000 0x7ff722343fff Private Memory rw True False False -
private_0x00007ff722344000 0x7ff722344000 0x7ff722345fff Private Memory rw True False False -
private_0x00007ff722346000 0x7ff722346000 0x7ff722347fff Private Memory rw True False False -
private_0x00007ff722348000 0x7ff722348000 0x7ff722349fff Private Memory rw True False False -
private_0x00007ff72234a000 0x7ff72234a000 0x7ff72234bfff Private Memory rw True False False -
private_0x00007ff72234c000 0x7ff72234c000 0x7ff72234dfff Private Memory rw True False False -
private_0x00007ff72234e000 0x7ff72234e000 0x7ff72234ffff Private Memory rw True False False -
pagefile_0x00007ff722350000 0x7ff722350000 0x7ff72244ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff722450000 0x7ff722450000 0x7ff722472fff Pagefile Backed Memory r True False False -
private_0x00007ff722473000 0x7ff722473000 0x7ff722474fff Private Memory rw True False False -
private_0x00007ff722475000 0x7ff722475000 0x7ff722476fff Private Memory rw True False False -
private_0x00007ff722477000 0x7ff722477000 0x7ff722478fff Private Memory rw True False False -
private_0x00007ff722479000 0x7ff722479000 0x7ff72247afff Private Memory rw True False False -
private_0x00007ff72247b000 0x7ff72247b000 0x7ff72247cfff Private Memory rw True False False -
private_0x00007ff72247d000 0x7ff72247d000 0x7ff72247efff Private Memory rw True False False -
private_0x00007ff72247f000 0x7ff72247f000 0x7ff72247ffff Private Memory rw True False False -
shellexperiencehost.exe 0x7ff722d50000 0x7ff722f3dfff Memory Mapped File rwx False False False -
startui.dll 0x7ffef55a0000 0x7ffef5d46fff Memory Mapped File rwx False False False -
veeventdispatcher.dll 0x7ffef7700000 0x7ffef7748fff Memory Mapped File rwx False False False -
dataexchange.dll 0x7ffef8cf0000 0x7ffef8d35fff Memory Mapped File rwx False False False -
actxprxy.dll 0x7ffef93f0000 0x7ffef9859fff Memory Mapped File rwx False False False -
coreuicomponents.dll 0x7ffef9860000 0x7ffef9ac0fff Memory Mapped File rwx False False False -
dwrite.dll 0x7ffefa780000 0x7ffefa9d8fff Memory Mapped File rwx False False False -
urlmon.dll 0x7ffefc5f0000 0x7ffefc786fff Memory Mapped File rwx False False False -
threadpoolwinrt.dll 0x7ffefe3b0000 0x7ffefe3c4fff Memory Mapped File rwx False False False -
windows.graphics.dll 0x7ffefe3d0000 0x7ffefe429fff Memory Mapped File rwx False False False -
windows.storage.applicationdata.dll 0x7ffefe430000 0x7ffefe482fff Memory Mapped File rwx False False False -
fontgroupsoverride.dll 0x7ffefe490000 0x7ffefe499fff Memory Mapped File rwx False False False -
windows.globalization.dll 0x7ffefe4a0000 0x7ffefe625fff Memory Mapped File rwx False False False -
msvcp110_win.dll 0x7ffefe790000 0x7ffefe821fff Memory Mapped File rwx False False False -
policymanager.dll 0x7ffefe830000 0x7ffefe868fff Memory Mapped File rwx False False False -
xmllite.dll 0x7ffefe9a0000 0x7ffefe9d5fff Memory Mapped File rwx False False False -
propsys.dll 0x7ffeff870000 0x7ffeff9f2fff Memory Mapped File rwx False False False -
d2d1.dll 0x7fff005e0000 0x7fff00b24fff Memory Mapped File rwx False False False -
wintypes.dll 0x7fff00cf0000 0x7fff00e20fff Memory Mapped File rwx False False False -
iertutil.dll 0x7fff00e30000 0x7fff011a5fff Memory Mapped File rwx False False False -
windows.ui.xaml.dll 0x7fff011b0000 0x7fff021a6fff Memory Mapped File rwx False False False -
windows.ui.dll 0x7fff021b0000 0x7fff0224dfff Memory Mapped File rwx False False False -
mrmcorer.dll 0x7fff02250000 0x7fff0235efff Memory Mapped File rwx False False False -
wincorlib.dll 0x7fff02360000 0x7fff023c9fff Memory Mapped File rwx False False False -
windows.globalization.fontgroups.dll 0x7fff02420000 0x7fff02437fff Memory Mapped File rwx False False False -
notificationobjfactory.dll 0x7fff02440000 0x7fff0248dfff Memory Mapped File rwx False False False -
windows.ui.actioncenter.dll 0x7fff02490000 0x7fff026ccfff Memory Mapped File rwx False False False -
d3d10warp.dll 0x7fff02890000 0x7fff02afdfff Memory Mapped File rwx False False False -
dxgi.dll 0x7fff02b00000 0x7fff02b9bfff Memory Mapped File rwx False False False -
d3d11.dll 0x7fff02ba0000 0x7fff02e42fff Memory Mapped File rwx False False False -
dwmapi.dll 0x7fff02e50000 0x7fff02e71fff Memory Mapped File rwx False False False -
dcomp.dll 0x7fff02ea0000 0x7fff02f70fff Memory Mapped File rwx False False False -
ninput.dll 0x7fff02f80000 0x7fff02fdbfff Memory Mapped File rwx False False False -
coremessaging.dll 0x7fff02fe0000 0x7fff030a7fff Memory Mapped File rwx False False False -
bcp47langs.dll 0x7fff033c0000 0x7fff03425fff Memory Mapped File rwx False False False -
quickactionsdatamodel.dll 0x7fff03490000 0x7fff034bdfff Memory Mapped File rwx False False False -
quickactions.dll 0x7fff034c0000 0x7fff0352cfff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fff03600000 0x7fff03695fff Memory Mapped File rwx False False False -
twinapi.appcore.dll 0x7fff037a0000 0x7fff0388dfff Memory Mapped File rwx False False False -
rmclient.dll 0x7fff03ae0000 0x7fff03b07fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fff042a0000 0x7fff042d2fff Memory Mapped File rwx False False False -
userenv.dll 0x7fff04390000 0x7fff043aefff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fff046b0000 0x7fff046c6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fff04820000 0x7fff0482afff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
profapi.dll 0x7fff04e00000 0x7fff04e12fff Memory Mapped File rwx False False False -
powrprof.dll 0x7fff04e20000 0x7fff04e69fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
shcore.dll 0x7fff04e80000 0x7fff04f32fff Memory Mapped File rwx False False False -
windows.storage.dll 0x7fff05270000 0x7fff05897fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fff05d00000 0x7fff05d50fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
advapi32.dll 0x7fff05f30000 0x7fff05fd5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
imm32.dll 0x7fff06170000 0x7fff061a5fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
ole32.dll 0x7fff06430000 0x7fff06570fff Memory Mapped File rwx False False False -
msctf.dll 0x7fff07eb0000 0x7fff0800bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
For performance reasons, the remaining 9 entries are omitted.
The remaining entries can be found in flog.txt.
Process #28: searchui.exe
Information Value
ID #28
File Name c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe
Command Line "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
Initial Working Directory C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\
Monitor Start Time: 00:04:31, Reason: Child Process
Unmonitor End Time: 00:11:22, Reason: Terminated by Timeout
Monitor Duration 00:06:51
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9e8
Parent PID 0x244 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Low
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x9EC
0x9F8
0x9FC
0xA00
0xA04
0xA08
0xA0C
0xA10
0xA14
0xA18
0xA1C
0xA20
0xA24
0xA28
0xA34
0xA38
0xA3C
0xA44
0xA48
0xA4C
0xA50
0xA54
0xA58
0xA5C
0xA60
0xA64
0xA68
0xA6C
0xA70
0xA74
0xA78
0xA7C
0xA80
0xA84
0xA88
0xA90
0xB0C
0xB10
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000062692e0000 0x62692e0000 0x62692fffff Private Memory rw True False False -
pagefile_0x00000062692e0000 0x62692e0000 0x62692effff Pagefile Backed Memory rw True False False -
pagefile_0x00000062692f0000 0x62692f0000 0x62692f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000006269300000 0x6269300000 0x6269313fff Pagefile Backed Memory r True False False -
private_0x0000006269320000 0x6269320000 0x626941ffff Private Memory rw True False False -
pagefile_0x0000006269420000 0x6269420000 0x6269423fff Pagefile Backed Memory r True False False -
private_0x0000006269430000 0x6269430000 0x6269431fff Private Memory rw True False False -
s-1-5-21-1462094071-1423818996-289466292-1000.pckgdep 0x6269440000 0x6269440fff Memory Mapped File r True False False -
pagefile_0x0000006269440000 0x6269440000 0x6269469fff Pagefile Backed Memory rw True False False -
private_0x0000006269470000 0x6269470000 0x6269470fff Private Memory rw True False False -
private_0x0000006269480000 0x6269480000 0x6269480fff Private Memory rw True False False -
pagefile_0x0000006269490000 0x6269490000 0x6269490fff Pagefile Backed Memory rw True False False -
pagefile_0x00000062694a0000 0x62694a0000 0x62694a0fff Pagefile Backed Memory rw True False False -
counters.dat 0x62694b0000 0x62694b0fff Memory Mapped File r True False False -
pagefile_0x00000062694c0000 0x62694c0000 0x62694c0fff Pagefile Backed Memory rw True False False -
private_0x00000062694d0000 0x62694d0000 0x62694d6fff Private Memory rw True False False -
2495906576.pri 0x62694e0000 0x62694f3fff Memory Mapped File r True False False -
private_0x0000006269500000 0x6269500000 0x62695fffff Private Memory rw True False False -
locale.nls 0x6269600000 0x62696bdfff Memory Mapped File r False False False -
private_0x00000062696c0000 0x62696c0000 0x62697bffff Private Memory rw True False False -
private_0x00000062697c0000 0x62697c0000 0x62698bffff Private Memory rw True False False -
app.xbf 0x62698c0000 0x62698c0fff Memory Mapped File r False False False -
pagefile_0x00000062698d0000 0x62698d0000 0x62698d0fff Pagefile Backed Memory rw True False False -
private_0x00000062698e0000 0x62698e0000 0x62698e6fff Private Memory rw True False False -
pagefile_0x00000062698f0000 0x62698f0000 0x62698f1fff Pagefile Backed Memory rw True False False -
private_0x0000006269900000 0x6269900000 0x62699fffff Private Memory rw True False False -
sortdefault.nls 0x6269a00000 0x6269d36fff Memory Mapped File r False False False -
private_0x0000006269d40000 0x6269d40000 0x6269e3ffff Private Memory rw True False False -
pagefile_0x0000006269e40000 0x6269e40000 0x6269fc7fff Pagefile Backed Memory r True False False -
pagefile_0x0000006269fd0000 0x6269fd0000 0x626a150fff Pagefile Backed Memory r True False False -
pagefile_0x000000626a160000 0x626a160000 0x626b55ffff Pagefile Backed Memory r True False False -
windows.ui.xaml.resources.dll 0x626b560000 0x626b696fff Memory Mapped File r False False False -
private_0x000000626b6a0000 0x626b6a0000 0x626b79ffff Private Memory rw True False False -
kernelbase.dll.mui 0x626b7a0000 0x626b87efff Memory Mapped File r False False False -
private_0x000000626b880000 0x626b880000 0x626b97ffff Private Memory rw True False False -
private_0x000000626b980000 0x626b980000 0x626ba7ffff Private Memory rw True False False -
private_0x000000626ba80000 0x626ba80000 0x626bb7ffff Private Memory rw True False False -
private_0x000000626bb80000 0x626bb80000 0x626bc7ffff Private Memory rw True False False -
resources.pri 0x626bc80000 0x626bca0fff Memory Mapped File r False False False -
shell32.dll.mui 0x626bcb0000 0x626bd10fff Memory Mapped File r False False False -
pagefile_0x000000626bd20000 0x626bd20000 0x626bd20fff Pagefile Backed Memory rw True False False -
private_0x000000626bd30000 0x626bd30000 0x626bd36fff Private Memory rw True False False -
private_0x000000626bd40000 0x626bd40000 0x626bd40fff Private Memory rw True False False -
private_0x000000626bd50000 0x626bd50000 0x626bd50fff Private Memory rw True False False -
private_0x000000626be00000 0x626be00000 0x626befffff Private Memory rw True False False -
private_0x000000626bf00000 0x626bf00000 0x626bffffff Private Memory rw True False False -
private_0x000000626c000000 0x626c000000 0x626c0fffff Private Memory rw True False False -
private_0x000000626c100000 0x626c100000 0x626c8fffff Private Memory - True False False -
private_0x000000626c900000 0x626c900000 0x626c9fffff Private Memory rw True False False -
private_0x000000626ca00000 0x626ca00000 0x626cafffff Private Memory rw True False False -
private_0x000000626cb00000 0x626cb00000 0x626cbfffff Private Memory rw True False False -
private_0x000000626cc00000 0x626cc00000 0x626ccfffff Private Memory rw True False False -
private_0x000000626cd00000 0x626cd00000 0x626cdfffff Private Memory rw True False False -
private_0x000000626ce00000 0x626ce00000 0x626cefffff Private Memory rw True False False -
private_0x00007ff74740e000 0x7ff74740e000 0x7ff74740ffff Private Memory rw True False False -
private_0x00007ff747410000 0x7ff747410000 0x7ff747411fff Private Memory rw True False False -
private_0x00007ff747412000 0x7ff747412000 0x7ff747413fff Private Memory rw True False False -
private_0x00007ff747414000 0x7ff747414000 0x7ff747415fff Private Memory rw True False False -
private_0x00007ff747416000 0x7ff747416000 0x7ff747417fff Private Memory rw True False False -
private_0x00007ff747418000 0x7ff747418000 0x7ff747419fff Private Memory rw True False False -
private_0x00007ff74741a000 0x7ff74741a000 0x7ff74741bfff Private Memory rw True False False -
private_0x00007ff74741c000 0x7ff74741c000 0x7ff74741dfff Private Memory rw True False False -
private_0x00007ff74741e000 0x7ff74741e000 0x7ff74741ffff Private Memory rw True False False -
pagefile_0x00007ff747420000 0x7ff747420000 0x7ff74751ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff747520000 0x7ff747520000 0x7ff747542fff Pagefile Backed Memory r True False False -
private_0x00007ff747544000 0x7ff747544000 0x7ff747545fff Private Memory rw True False False -
private_0x00007ff747546000 0x7ff747546000 0x7ff747547fff Private Memory rw True False False -
private_0x00007ff747548000 0x7ff747548000 0x7ff747548fff Private Memory rw True False False -
private_0x00007ff74754a000 0x7ff74754a000 0x7ff74754bfff Private Memory rw True False False -
private_0x00007ff74754c000 0x7ff74754c000 0x7ff74754dfff Private Memory rw True False False -
private_0x00007ff74754e000 0x7ff74754e000 0x7ff74754ffff Private Memory rw True False False -
searchui.exe 0x7ff7484e0000 0x7ff748c07fff Memory Mapped File rwx False False False -
cortanaapi.dll 0x7ffef4710000 0x7ffef4d5afff Memory Mapped File rwx False False False -
profext.dll 0x7ffef66c0000 0x7ffef66d4fff Memory Mapped File rwx False False False -
windows.networking.connectivity.dll 0x7ffef6a40000 0x7ffef6aebfff Memory Mapped File rwx False False False -
actxprxy.dll 0x7ffef93f0000 0x7ffef9859fff Memory Mapped File rwx False False False -
coreuicomponents.dll 0x7ffef9860000 0x7ffef9ac0fff Memory Mapped File rwx False False False -
windows.web.http.dll 0x7ffefa1f0000 0x7ffefa33dfff Memory Mapped File rwx False False False -
cryptowinrt.dll 0x7ffefb0f0000 0x7ffefb14ffff Memory Mapped File rwx False False False -
wininet.dll 0x7ffefc340000 0x7ffefc5e6fff Memory Mapped File rwx False False False -
urlmon.dll 0x7ffefc5f0000 0x7ffefc786fff Memory Mapped File rwx False False False -
personax.dll 0x7ffefcef0000 0x7ffefcf1afff Memory Mapped File rwx False False False -
windows.applicationmodel.dll 0x7ffefcf20000 0x7ffefcf53fff Memory Mapped File rwx False False False -
ondemandconnroutehelper.dll 0x7ffefd1c0000 0x7ffefd1d4fff Memory Mapped File rwx False False False -
bingidentitymanagerinternal.dll 0x7ffefd600000 0x7ffefd61dfff Memory Mapped File rwx False False False -
onlineservices.dll 0x7ffefd620000 0x7ffefd650fff Memory Mapped File rwx False False False -
aistokenmanager.dll 0x7ffefd660000 0x7ffefd67bfff Memory Mapped File rwx False False False -
winhttp.dll 0x7ffefdf10000 0x7ffefdfe5fff Memory Mapped File rwx False False False -
cortana.core.dll 0x7ffefe210000 0x7ffefe287fff Memory Mapped File rwx False False False -
windows.cortana.pal.desktop.dll 0x7ffefe2c0000 0x7ffefe2d1fff Memory Mapped File rwx False False False -
bingconfigurationclient.dll 0x7ffefe2e0000 0x7ffefe302fff Memory Mapped File rwx False False False -
threadpoolwinrt.dll 0x7ffefe3b0000 0x7ffefe3c4fff Memory Mapped File rwx False False False -
windows.storage.applicationdata.dll 0x7ffefe430000 0x7ffefe482fff Memory Mapped File rwx False False False -
windows.globalization.dll 0x7ffefe4a0000 0x7ffefe625fff Memory Mapped File rwx False False False -
xmllite.dll 0x7ffefe9a0000 0x7ffefe9d5fff Memory Mapped File rwx False False False -
propsys.dll 0x7ffeff870000 0x7ffeff9f2fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fff00400000 0x7fff0040afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fff00420000 0x7fff00457fff Memory Mapped File rwx False False False -
wintypes.dll 0x7fff00cf0000 0x7fff00e20fff Memory Mapped File rwx False False False -
iertutil.dll 0x7fff00e30000 0x7fff011a5fff Memory Mapped File rwx False False False -
windows.ui.xaml.dll 0x7fff011b0000 0x7fff021a6fff Memory Mapped File rwx False False False -
windows.ui.dll 0x7fff021b0000 0x7fff0224dfff Memory Mapped File rwx False False False -
mrmcorer.dll 0x7fff02250000 0x7fff0235efff Memory Mapped File rwx False False False -
wincorlib.dll 0x7fff02360000 0x7fff023c9fff Memory Mapped File rwx False False False -
dxgi.dll 0x7fff02b00000 0x7fff02b9bfff Memory Mapped File rwx False False False -
dwmapi.dll 0x7fff02e50000 0x7fff02e71fff Memory Mapped File rwx False False False -
ninput.dll 0x7fff02f80000 0x7fff02fdbfff Memory Mapped File rwx False False False -
coremessaging.dll 0x7fff02fe0000 0x7fff030a7fff Memory Mapped File rwx False False False -
bcp47langs.dll 0x7fff033c0000 0x7fff03425fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fff03600000 0x7fff03695fff Memory Mapped File rwx False False False -
twinapi.appcore.dll 0x7fff037a0000 0x7fff0388dfff Memory Mapped File rwx False False False -
rmclient.dll 0x7fff03ae0000 0x7fff03b07fff Memory Mapped File rwx False False False -
ntmarta.dll 0x7fff04120000 0x7fff04151fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fff042a0000 0x7fff042d2fff Memory Mapped File rwx False False False -
userenv.dll 0x7fff04390000 0x7fff043aefff Memory Mapped File rwx False False False -
logoncli.dll 0x7fff043b0000 0x7fff043edfff Memory Mapped File rwx False False False -
dnsapi.dll 0x7fff043f0000 0x7fff04497fff Memory Mapped File rwx False False False -
mswsock.dll 0x7fff04650000 0x7fff046acfff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fff046b0000 0x7fff046c6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fff04820000 0x7fff0482afff Memory Mapped File rwx False False False -
ntasn1.dll 0x7fff048b0000 0x7fff048e5fff Memory Mapped File rwx False False False -
ncrypt.dll 0x7fff048f0000 0x7fff04915fff Memory Mapped File rwx False False False -
sspicli.dll 0x7fff04a00000 0x7fff04a2bfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
msasn1.dll 0x7fff04de0000 0x7fff04df0fff Memory Mapped File rwx False False False -
profapi.dll 0x7fff04e00000 0x7fff04e12fff Memory Mapped File rwx False False False -
powrprof.dll 0x7fff04e20000 0x7fff04e69fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
shcore.dll 0x7fff04e80000 0x7fff04f32fff Memory Mapped File rwx False False False -
crypt32.dll 0x7fff04f40000 0x7fff05100fff Memory Mapped File rwx False False False -
windows.storage.dll 0x7fff05270000 0x7fff05897fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
nsi.dll 0x7fff05a80000 0x7fff05a87fff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fff05d00000 0x7fff05d50fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
advapi32.dll 0x7fff05f30000 0x7fff05fd5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
imm32.dll 0x7fff06170000 0x7fff061a5fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
shell32.dll 0x7fff067d0000 0x7fff07cf4fff Memory Mapped File rwx False False False -
msctf.dll 0x7fff07eb0000 0x7fff0800bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fff080d0000 0x7fff08138fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
For performance reasons, the remaining 268 entries are omitted.
The remaining entries can be found in flog.txt.
Process #29: dllhost.exe
Information Value
ID #29
File Name c:\windows\system32\dllhost.exe
Command Line C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:44, Reason: Child Process
Unmonitor End Time: 00:04:55, Reason: Self Terminated
Monitor Duration 00:00:11
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb00
Parent PID 0x244 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB04
0xB14
0xB3C
0xB40
0xB44
0xB48
0xB4C
0xB50
0xB54
0xB58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000a39e5e0000 0xa39e5e0000 0xa39e5fffff Private Memory rw True False False -
pagefile_0x000000a39e5e0000 0xa39e5e0000 0xa39e5effff Pagefile Backed Memory rw True False False -
private_0x000000a39e5f0000 0xa39e5f0000 0xa39e5f6fff Private Memory rw True False False -
pagefile_0x000000a39e600000 0xa39e600000 0xa39e613fff Pagefile Backed Memory r True False False -
private_0x000000a39e620000 0xa39e620000 0xa39e71ffff Private Memory rw True False False -
pagefile_0x000000a39e720000 0xa39e720000 0xa39e723fff Pagefile Backed Memory r True False False -
private_0x000000a39e730000 0xa39e730000 0xa39e731fff Private Memory rw True False False -
pagefile_0x000000a39e740000 0xa39e740000 0xa39e740fff Pagefile Backed Memory r True False False -
private_0x000000a39e750000 0xa39e750000 0xa39e756fff Private Memory rw True False False -
pagefile_0x000000a39e760000 0xa39e760000 0xa39e760fff Pagefile Backed Memory r True False False -
private_0x000000a39e770000 0xa39e770000 0xa39e770fff Private Memory rw True False False -
private_0x000000a39e780000 0xa39e780000 0xa39e780fff Private Memory rw True False False -
pagefile_0x000000a39e790000 0xa39e790000 0xa39e792fff Pagefile Backed Memory r True False False -
pagefile_0x000000a39e7a0000 0xa39e7a0000 0xa39e7a0fff Pagefile Backed Memory rw True False False -
pagefile_0x000000a39e7b0000 0xa39e7b0000 0xa39e7b1fff Pagefile Backed Memory r True False False -
private_0x000000a39e7c0000 0xa39e7c0000 0xa39e8bffff Private Memory rw True False False -
locale.nls 0xa39e8c0000 0xa39e97dfff Memory Mapped File r False False False -
private_0x000000a39e980000 0xa39e980000 0xa39ea7ffff Private Memory rw True False False -
private_0x000000a39ea80000 0xa39ea80000 0xa39eb7ffff Private Memory rw True False False -
rw1upsv8sdp.mkv 0xa39eb80000 0xa39eb82fff Memory Mapped File r True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db 0xa39eb90000 0xa39eba2fff Memory Mapped File r True False False -
pagefile_0x000000a39ebb0000 0xa39ebb0000 0xa39ebb0fff Pagefile Backed Memory rw True False False -
private_0x000000a39ec10000 0xa39ec10000 0xa39ec1ffff Private Memory rw True False False -
sortdefault.nls 0xa39ec20000 0xa39ef56fff Memory Mapped File r False False False -
private_0x000000a39ef60000 0xa39ef60000 0xa39f05ffff Private Memory rw True False False -
private_0x000000a39f060000 0xa39f060000 0xa39f15ffff Private Memory rw True False False -
private_0x000000a39f160000 0xa39f160000 0xa39f25ffff Private Memory rw True False False -
pagefile_0x000000a39f260000 0xa39f260000 0xa39f3e7fff Pagefile Backed Memory r True False False -
pagefile_0x000000a39f3f0000 0xa39f3f0000 0xa39f570fff Pagefile Backed Memory r True False False -
pagefile_0x000000a39f580000 0xa39f580000 0xa3a097ffff Pagefile Backed Memory r True False False -
private_0x000000a3a0a70000 0xa3a0a70000 0xa3a0a7ffff Private Memory rw True False False -
private_0x000000a3a0a80000 0xa3a0a80000 0xa3a0b7ffff Private Memory rw True False False -
private_0x000000a3a0b80000 0xa3a0b80000 0xa3a0c7ffff Private Memory rw True False False -
private_0x000000a3a0c80000 0xa3a0c80000 0xa3a0d7ffff Private Memory rw True False False -
pagefile_0x00007df5ff190000 0x7df5ff190000 0x7ff5ff18ffff Pagefile Backed Memory - True False False -
private_0x00007ff6de0aa000 0x7ff6de0aa000 0x7ff6de0abfff Private Memory rw True False False -
private_0x00007ff6de0ac000 0x7ff6de0ac000 0x7ff6de0adfff Private Memory rw True False False -
private_0x00007ff6de0ae000 0x7ff6de0ae000 0x7ff6de0affff Private Memory rw True False False -
pagefile_0x00007ff6de0b0000 0x7ff6de0b0000 0x7ff6de1affff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6de1b0000 0x7ff6de1b0000 0x7ff6de1d2fff Pagefile Backed Memory r True False False -
private_0x00007ff6de1d4000 0x7ff6de1d4000 0x7ff6de1d4fff Private Memory rw True False False -
private_0x00007ff6de1d6000 0x7ff6de1d6000 0x7ff6de1d7fff Private Memory rw True False False -
private_0x00007ff6de1d8000 0x7ff6de1d8000 0x7ff6de1d9fff Private Memory rw True False False -
private_0x00007ff6de1da000 0x7ff6de1da000 0x7ff6de1dbfff Private Memory rw True False False -
private_0x00007ff6de1dc000 0x7ff6de1dc000 0x7ff6de1ddfff Private Memory rw True False False -
private_0x00007ff6de1de000 0x7ff6de1de000 0x7ff6de1dffff Private Memory rw True False False -
dllhost.exe 0x7ff6de1e0000 0x7ff6de1e6fff Memory Mapped File rwx False False False -
mfmkvsrcsnk.dll 0x7ffef1370000 0x7ffef13eafff Memory Mapped File rwx False False False -
mfmp4srcsnk.dll 0x7ffef1490000 0x7ffef158ffff Memory Mapped File rwx False False False -
mfsrcsnk.dll 0x7ffef1a50000 0x7ffef1b4bfff Memory Mapped File rwx False False False -
thumbcache.dll 0x7ffef7650000 0x7ffef769afff Memory Mapped File rwx False False False -
actxprxy.dll 0x7ffef93f0000 0x7ffef9859fff Memory Mapped File rwx False False False -
photometadatahandler.dll 0x7ffefa150000 0x7ffefa1bafff Memory Mapped File rwx False False False -
comctl32.dll 0x7ffefc790000 0x7ffefca03fff Memory Mapped File rwx False False False -
msvcp110_win.dll 0x7ffefe790000 0x7ffefe821fff Memory Mapped File rwx False False False -
rtworkq.dll 0x7ffefeab0000 0x7ffefeadffff Memory Mapped File rwx False False False -
mfplat.dll 0x7ffefeae0000 0x7ffefebebfff Memory Mapped File rwx False False False -
avrt.dll 0x7ffeff580000 0x7ffeff58afff Memory Mapped File rwx False False False -
propsys.dll 0x7ffeff870000 0x7ffeff9f2fff Memory Mapped File rwx False False False -
windowscodecs.dll 0x7fff026d0000 0x7fff02881fff Memory Mapped File rwx False False False -
apphelp.dll 0x7fff03530000 0x7fff035a7fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fff03600000 0x7fff03695fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fff042a0000 0x7fff042d2fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fff046b0000 0x7fff046c6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fff04820000 0x7fff0482afff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
profapi.dll 0x7fff04e00000 0x7fff04e12fff Memory Mapped File rwx False False False -
powrprof.dll 0x7fff04e20000 0x7fff04e69fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
shcore.dll 0x7fff04e80000 0x7fff04f32fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fff05110000 0x7fff05153fff Memory Mapped File rwx False False False -
windows.storage.dll 0x7fff05270000 0x7fff05897fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fff05d00000 0x7fff05d50fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
advapi32.dll 0x7fff05f30000 0x7fff05fd5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
imm32.dll 0x7fff06170000 0x7fff061a5fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
ole32.dll 0x7fff06430000 0x7fff06570fff Memory Mapped File rwx False False False -
shell32.dll 0x7fff067d0000 0x7fff07cf4fff Memory Mapped File rwx False False False -
msctf.dll 0x7fff07eb0000 0x7fff0800bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
Process #30: backgroundtaskhost.exe
Information Value
ID #30
File Name c:\windows\system32\backgroundtaskhost.exe
Command Line "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
Initial Working Directory C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\
Monitor Start Time: 00:04:45, Reason: Child Process
Unmonitor End Time: 00:06:46, Reason: Self Terminated
Monitor Duration 00:02:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb28
Parent PID 0x244 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Low
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB2C
0xB30
0xB34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000e235760000 0xe235760000 0xe23577ffff Private Memory rw True False False -
pagefile_0x000000e235760000 0xe235760000 0xe23576ffff Pagefile Backed Memory rw True False False -
pagefile_0x000000e235770000 0xe235770000 0xe235770fff Pagefile Backed Memory r True False False -
pagefile_0x000000e235780000 0xe235780000 0xe235793fff Pagefile Backed Memory r True False False -
private_0x000000e2357a0000 0xe2357a0000 0xe23581ffff Private Memory rw True False False -
pagefile_0x000000e235820000 0xe235820000 0xe235823fff Pagefile Backed Memory r True False False -
private_0x000000e235830000 0xe235830000 0xe235831fff Private Memory rw True False False -
s-1-5-21-1462094071-1423818996-289466292-1000.pckgdep 0xe235840000 0xe235840fff Memory Mapped File r True False False -
private_0x000000e235840000 0xe235840000 0xe235840fff Private Memory rw True False False -
locale.nls 0xe235850000 0xe23590dfff Memory Mapped File r False False False -
pagefile_0x000000e235910000 0xe235910000 0xe235939fff Pagefile Backed Memory rw True False False -
private_0x000000e235940000 0xe235940000 0xe235946fff Private Memory rw True False False -
private_0x000000e235950000 0xe235950000 0xe2359cffff Private Memory rw True False False -
private_0x000000e2359d0000 0xe2359d0000 0xe2359d0fff Private Memory rw True False False -
private_0x000000e235a00000 0xe235a00000 0xe235afffff Private Memory rw True False False -
private_0x000000e235b00000 0xe235b00000 0xe235b7ffff Private Memory rw True False False -
private_0x000000e235bb0000 0xe235bb0000 0xe235bb6fff Private Memory rw True False False -
private_0x000000e235c00000 0xe235c00000 0xe235cfffff Private Memory rw True False False -
pagefile_0x000000e235d00000 0xe235d00000 0xe235e87fff Pagefile Backed Memory r True False False -
pagefile_0x000000e235e90000 0xe235e90000 0xe236010fff Pagefile Backed Memory r True False False -
pagefile_0x000000e236020000 0xe236020000 0xe23741ffff Pagefile Backed Memory r True False False -
pagefile_0x00007df5ff9c0000 0x7df5ff9c0000 0x7ff5ff9bffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7a5d90000 0x7ff7a5d90000 0x7ff7a5e8ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7a5e90000 0x7ff7a5e90000 0x7ff7a5eb2fff Pagefile Backed Memory r True False False -
private_0x00007ff7a5eb8000 0x7ff7a5eb8000 0x7ff7a5eb9fff Private Memory rw True False False -
private_0x00007ff7a5eba000 0x7ff7a5eba000 0x7ff7a5ebbfff Private Memory rw True False False -
private_0x00007ff7a5ebc000 0x7ff7a5ebc000 0x7ff7a5ebcfff Private Memory rw True False False -
private_0x00007ff7a5ebe000 0x7ff7a5ebe000 0x7ff7a5ebffff Private Memory rw True False False -
backgroundtaskhost.exe 0x7ff7a6ba0000 0x7ff7a6ba6fff Memory Mapped File rwx False False False -
wintypes.dll 0x7fff00cf0000 0x7fff00e20fff Memory Mapped File rwx False False False -
twinapi.appcore.dll 0x7fff037a0000 0x7fff0388dfff Memory Mapped File rwx False False False -
userenv.dll 0x7fff04390000 0x7fff043aefff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
profapi.dll 0x7fff04e00000 0x7fff04e12fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
imm32.dll 0x7fff06170000 0x7fff061a5fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
msctf.dll 0x7fff07eb0000 0x7fff0800bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
Process #31: mobsync.exe
Information Value
ID #31
File Name c:\windows\system32\mobsync.exe
Command Line C:\Windows\System32\mobsync.exe -Embedding
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:49, Reason: Child Process
Unmonitor End Time: 00:05:01, Reason: Self Terminated
Monitor Duration 00:00:12
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb5c
Parent PID 0x244 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x B60
0x B64
0x B68
0x B6C
0x B70
0x B74
0x B78
0x B7C
0x B80
0x B84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000e08e840000 0xe08e840000 0xe08e85ffff Private Memory rw True False False -
pagefile_0x000000e08e840000 0xe08e840000 0xe08e84ffff Pagefile Backed Memory rw True False False -
private_0x000000e08e850000 0xe08e850000 0xe08e856fff Private Memory rw True False False -
pagefile_0x000000e08e860000 0xe08e860000 0xe08e873fff Pagefile Backed Memory r True False False -
private_0x000000e08e880000 0xe08e880000 0xe08e8fffff Private Memory rw True False False -
pagefile_0x000000e08e900000 0xe08e900000 0xe08e903fff Pagefile Backed Memory r True False False -
pagefile_0x000000e08e910000 0xe08e910000 0xe08e912fff Pagefile Backed Memory r True False False -
private_0x000000e08e920000 0xe08e920000 0xe08e921fff Private Memory rw True False False -
locale.nls 0xe08e930000 0xe08e9edfff Memory Mapped File r False False False -
private_0x000000e08e9f0000 0xe08e9f0000 0xe08ea6ffff Private Memory rw True False False -
private_0x000000e08ea70000 0xe08ea70000 0xe08ea76fff Private Memory rw True False False -
private_0x000000e08ea80000 0xe08ea80000 0xe08ea80fff Private Memory rw True False False -
private_0x000000e08ea90000 0xe08ea90000 0xe08ea90fff Private Memory rw True False False -
pagefile_0x000000e08eaa0000 0xe08eaa0000 0xe08eaa0fff Pagefile Backed Memory r True False False -
pagefile_0x000000e08eab0000 0xe08eab0000 0xe08eab0fff Pagefile Backed Memory r True False False -
pagefile_0x000000e08eac0000 0xe08eac0000 0xe08eac2fff Pagefile Backed Memory r True False False -
pagefile_0x000000e08ead0000 0xe08ead0000 0xe08ead3fff Pagefile Backed Memory r True False False -
pagefile_0x000000e08eae0000 0xe08eae0000 0xe08eae1fff Pagefile Backed Memory r True False False -
private_0x000000e08eb10000 0xe08eb10000 0xe08ec0ffff Private Memory rw True False False -
private_0x000000e08ec10000 0xe08ec10000 0xe08ec8ffff Private Memory rw True False False -
private_0x000000e08ecc0000 0xe08ecc0000 0xe08eccffff Private Memory rw True False False -
private_0x000000e08ecd0000 0xe08ecd0000 0xe08ecdffff Private Memory rw True False False -
pagefile_0x000000e08ece0000 0xe08ece0000 0xe08ee67fff Pagefile Backed Memory r True False False -
pagefile_0x000000e08ee70000 0xe08ee70000 0xe08eff0fff Pagefile Backed Memory r True False False -
pagefile_0x000000e08f000000 0xe08f000000 0xe0903fffff Pagefile Backed Memory r True False False -
sortdefault.nls 0xe090400000 0xe090736fff Memory Mapped File r False False False -
private_0x000000e090740000 0xe090740000 0xe0907bffff Private Memory rw True False False -
private_0x000000e0907c0000 0xe0907c0000 0xe09083ffff Private Memory rw True False False -
private_0x000000e090840000 0xe090840000 0xe0908bffff Private Memory rw True False False -
private_0x000000e0908c0000 0xe0908c0000 0xe09093ffff Private Memory rw True False False -
pagefile_0x000000e090940000 0xe090940000 0xe0909f7fff Pagefile Backed Memory r True False False -
private_0x000000e090a00000 0xe090a00000 0xe090a7ffff Private Memory rw True False False -
private_0x000000e090a80000 0xe090a80000 0xe090afffff Private Memory rw True False False -
pagefile_0x00007df5ff930000 0x7df5ff930000 0x7ff5ff92ffff Pagefile Backed Memory - True False False -
private_0x00007ff7275aa000 0x7ff7275aa000 0x7ff7275abfff Private Memory rw True False False -
private_0x00007ff7275ac000 0x7ff7275ac000 0x7ff7275adfff Private Memory rw True False False -
private_0x00007ff7275ae000 0x7ff7275ae000 0x7ff7275affff Private Memory rw True False False -
pagefile_0x00007ff7275b0000 0x7ff7275b0000 0x7ff7276affff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7276b0000 0x7ff7276b0000 0x7ff7276d2fff Pagefile Backed Memory r True False False -
private_0x00007ff7276d3000 0x7ff7276d3000 0x7ff7276d4fff Private Memory rw True False False -
private_0x00007ff7276d5000 0x7ff7276d5000 0x7ff7276d6fff Private Memory rw True False False -
private_0x00007ff7276d7000 0x7ff7276d7000 0x7ff7276d8fff Private Memory rw True False False -
private_0x00007ff7276d9000 0x7ff7276d9000 0x7ff7276dafff Private Memory rw True False False -
private_0x00007ff7276db000 0x7ff7276db000 0x7ff7276dcfff Private Memory rw True False False -
private_0x00007ff7276dd000 0x7ff7276dd000 0x7ff7276ddfff Private Memory rw True False False -
private_0x00007ff7276de000 0x7ff7276de000 0x7ff7276dffff Private Memory rw True False False -
mobsync.exe 0x7ff728170000 0x7ff72818afff Memory Mapped File rwx False False False -
syncinfrastructure.dll 0x7ffef1300000 0x7ffef1369fff Memory Mapped File rwx False False False -
synccenter.dll 0x7ffef16c0000 0x7ffef1a05fff Memory Mapped File rwx False False False -
cscui.dll 0x7ffef1c00000 0x7ffef1cc3fff Memory Mapped File rwx False False False -
actxprxy.dll 0x7ffef93f0000 0x7ffef9859fff Memory Mapped File rwx False False False -
cscdll.dll 0x7ffefb760000 0x7ffefb76cfff Memory Mapped File rwx False False False -
comctl32.dll 0x7ffefc790000 0x7ffefca03fff Memory Mapped File rwx False False False -
propsys.dll 0x7ffeff870000 0x7ffeff9f2fff Memory Mapped File rwx False False False -
dwmapi.dll 0x7fff02e50000 0x7fff02e71fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fff033a0000 0x7fff033b2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fff03600000 0x7fff03695fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fff042a0000 0x7fff042d2fff Memory Mapped File rwx False False False -
winsta.dll 0x7fff044a0000 0x7fff044f7fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fff046b0000 0x7fff046c6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fff04820000 0x7fff0482afff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
msasn1.dll 0x7fff04de0000 0x7fff04df0fff Memory Mapped File rwx False False False -
profapi.dll 0x7fff04e00000 0x7fff04e12fff Memory Mapped File rwx False False False -
powrprof.dll 0x7fff04e20000 0x7fff04e69fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
shcore.dll 0x7fff04e80000 0x7fff04f32fff Memory Mapped File rwx False False False -
crypt32.dll 0x7fff04f40000 0x7fff05100fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fff05110000 0x7fff05153fff Memory Mapped File rwx False False False -
windows.storage.dll 0x7fff05270000 0x7fff05897fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fff05d00000 0x7fff05d50fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
advapi32.dll 0x7fff05f30000 0x7fff05fd5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
imm32.dll 0x7fff06170000 0x7fff061a5fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
ole32.dll 0x7fff06430000 0x7fff06570fff Memory Mapped File rwx False False False -
setupapi.dll 0x7fff065e0000 0x7fff067a4fff Memory Mapped File rwx False False False -
shell32.dll 0x7fff067d0000 0x7fff07cf4fff Memory Mapped File rwx False False False -
msctf.dll 0x7fff07eb0000 0x7fff0800bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
Process #32: winamp.exe
Information Value
ID #32
File Name c:\users\ciihmnxmn6ps\appdata\local\winamp.exe
Command Line "C:\Users\CIiHmnxMn6Ps\AppData\Local\winamp.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:53, Reason: Child Process
Unmonitor End Time: 00:05:20, Reason: Self Terminated
Monitor Duration 00:00:27
OS Process Information
Information Value
PID 0xb88
Parent PID 0x164 (c:\windows\system32\taskhostw.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x B8C
0x B90
0x BDC
0x BEC
0x BF0
0x F0
0x 320
0x F4
0x 330
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
winamp.exe 0x00cf0000 0x00d97fff Memory Mapped File rwx True True False
private_0x0000000000da0000 0x00da0000 0x00dbffff Private Memory rw True False False -
pagefile_0x0000000000da0000 0x00da0000 0x00daffff Pagefile Backed Memory rw True False False -
private_0x0000000000db0000 0x00db0000 0x00db3fff Private Memory rw True False False -
private_0x0000000000dc0000 0x00dc0000 0x00dc1fff Private Memory rw True False False -
private_0x0000000000dc0000 0x00dc0000 0x00dc0fff Private Memory rw True False False -
pagefile_0x0000000000dd0000 0x00dd0000 0x00de3fff Pagefile Backed Memory r True False False -
private_0x0000000000df0000 0x00df0000 0x00e2ffff Private Memory rw True False False -
private_0x0000000000e30000 0x00e30000 0x00f2ffff Private Memory rw True False False -
pagefile_0x0000000000f30000 0x00f30000 0x00f33fff Pagefile Backed Memory r True False False -
private_0x0000000000f40000 0x00f40000 0x00f41fff Private Memory rw True False False -
locale.nls 0x00f50000 0x0100dfff Memory Mapped File r False False False -
private_0x0000000001010000 0x01010000 0x0104ffff Private Memory rw True False False -
private_0x0000000001050000 0x01050000 0x0105ffff Private Memory rw True False False -
private_0x0000000001060000 0x01060000 0x01060fff Private Memory rw True False False -
pagefile_0x0000000001070000 0x01070000 0x01070fff Pagefile Backed Memory r True False False -
private_0x0000000001080000 0x01080000 0x010bffff Private Memory rw True False False -
pagefile_0x00000000010c0000 0x010c0000 0x010c0fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000010d0000 0x010d0000 0x010d0fff Pagefile Backed Memory rw True False False -
private_0x00000000010e0000 0x010e0000 0x010effff Private Memory - True False False -
private_0x00000000010f0000 0x010f0000 0x010fffff Private Memory - True False False -
private_0x0000000001100000 0x01100000 0x0110ffff Private Memory rw True False False -
private_0x0000000001110000 0x01110000 0x0111ffff Private Memory - True False False -
private_0x0000000001120000 0x01120000 0x0121ffff Private Memory rw True False False -
private_0x0000000001220000 0x01220000 0x0131ffff Private Memory rw True False False -
private_0x0000000001320000 0x01320000 0x0141ffff Private Memory rw True False False -
private_0x0000000001420000 0x01420000 0x0142ffff Private Memory rw True False False -
pagefile_0x0000000001430000 0x01430000 0x015b7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000015c0000 0x015c0000 0x01740fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001750000 0x01750000 0x02b4ffff Pagefile Backed Memory r True False False -
private_0x0000000002b50000 0x02b50000 0x02b5ffff Private Memory - True False False -
private_0x0000000002b60000 0x02b60000 0x02b6ffff Private Memory - True False False -
private_0x0000000002b70000 0x02b70000 0x02b7ffff Private Memory - True False False -
private_0x0000000002b80000 0x02b80000 0x02bbffff Private Memory rw True False False -
pagefile_0x0000000002bc0000 0x02bc0000 0x02bc0fff Pagefile Backed Memory rw True False False -
private_0x0000000002bd0000 0x02bd0000 0x02c6ffff Private Memory rw True False False -
private_0x0000000002c70000 0x02c70000 0x02caffff Private Memory rw True False False -
private_0x0000000002cb0000 0x02cb0000 0x02cbffff Private Memory rwx True False False -
private_0x0000000002cc0000 0x02cc0000 0x02dbffff Private Memory rw True False False -
private_0x0000000002dc0000 0x02dc0000 0x02deffff Private Memory rw True False False -
pagefile_0x0000000002dc0000 0x02dc0000 0x02dc0fff Pagefile Backed Memory r True False False -
l_intl.nls 0x02dc0000 0x02dc2fff Memory Mapped File r False False False -
private_0x0000000002dd0000 0x02dd0000 0x02ddffff Private Memory - True False False -
private_0x0000000002de0000 0x02de0000 0x02deffff Private Memory rw True False False -
pagefile_0x0000000002df0000 0x02df0000 0x02df0fff Pagefile Backed Memory r True False False -
private_0x0000000002e00000 0x02e00000 0x02e0ffff Private Memory rw True False False -
private_0x0000000002e10000 0x02e10000 0x02e1ffff Private Memory - True False False -
sorttbls.nlp 0x02e20000 0x02e24fff Memory Mapped File r False False False -
private_0x0000000002e30000 0x02e30000 0x02e3ffff Private Memory rw True False False -
sortdefault.nls 0x02e40000 0x03176fff Memory Mapped File r False False False -
private_0x0000000003180000 0x03180000 0x0517ffff Private Memory rw True False False -
private_0x0000000005180000 0x05180000 0x0527ffff Private Memory rw True False False -
sortkey.nlp 0x05280000 0x052c0fff Memory Mapped File r False False False -
private_0x00000000052d0000 0x052d0000 0x052d0fff Private Memory rwx True False False -
pagefile_0x00000000052e0000 0x052e0000 0x0534dfff Pagefile Backed Memory rw True False False -
private_0x0000000005350000 0x05350000 0x0538ffff Private Memory rw True False False -
private_0x00000000053b0000 0x053b0000 0x053bffff Private Memory - True False False -
private_0x00000000053c0000 0x053c0000 0x054bffff Private Memory rw True False False -
wow64cpu.dll 0x51cd0000 0x51cd7fff Memory Mapped File rwx False False False -
wow64.dll 0x51ce0000 0x51d2efff Memory Mapped File rwx False False False -
wow64win.dll 0x51d30000 0x51da2fff Memory Mapped File rwx False False False -
system.ni.dll 0x71d00000 0x724a2fff Memory Mapped File rwx True False False -
mscorlib.ni.dll 0x724b0000 0x72fa9fff Memory Mapped File rwx True False False -
msvcr80.dll 0x72fb0000 0x7304afff Memory Mapped File rwx False False False -
microsoft.visualbasic.ni.dll 0x735c0000 0x73764fff Memory Mapped File rwx True False False -
shfolder.dll 0x73770000 0x73775fff Memory Mapped File rwx False False False -
rsaenh.dll 0x73780000 0x737aefff Memory Mapped File rwx False False False -
cryptsp.dll 0x737b0000 0x737c2fff Memory Mapped File rwx False False False -
bcrypt.dll 0x737d0000 0x737eafff Memory Mapped File rwx False False False -
mscorjit.dll 0x737f0000 0x7384afff Memory Mapped File rwx True False False -
uxtheme.dll 0x73850000 0x738c4fff Memory Mapped File rwx False False False -
mscorwks.dll 0x738d0000 0x73e7ffff Memory Mapped File rwx True False False -
version.dll 0x73e80000 0x73e87fff Memory Mapped File rwx False False False -
mscoreei.dll 0x73e90000 0x73f07fff Memory Mapped File rwx True False False -
apphelp.dll 0x73f10000 0x73fa0fff Memory Mapped File rwx False False False -
mscoree.dll 0x73fb0000 0x74008fff Memory Mapped File rwx True False False -
bcryptprimitives.dll 0x74010000 0x74068fff Memory Mapped File rwx False False False -
cryptbase.dll 0x74070000 0x74079fff Memory Mapped File rwx False False False -
sspicli.dll 0x74080000 0x7409dfff Memory Mapped File rwx False False False -
msctf.dll 0x740a0000 0x741bffff Memory Mapped File rwx False False False -
user32.dll 0x743a0000 0x744dffff Memory Mapped File rwx False False False -
windows.storage.dll 0x74580000 0x74a5cfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x74af0000 0x74b9bfff Memory Mapped File rwx False False False -
oleaut32.dll 0x74ba0000 0x74c31fff Memory Mapped File rwx False False False -
shcore.dll 0x74c40000 0x74cccfff Memory Mapped File rwx False False False -
shell32.dll 0x74cd0000 0x7608efff Memory Mapped File rwx False False False -
advapi32.dll 0x76160000 0x761dafff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x761e0000 0x761ebfff Memory Mapped File rwx False False False -
psapi.dll 0x76510000 0x76515fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76640000 0x766fdfff Memory Mapped File rwx False False False -
shlwapi.dll 0x76700000 0x76743fff Memory Mapped File rwx False False False -
kernel32.dll 0x76750000 0x7683ffff Memory Mapped File rwx False False False -
profapi.dll 0x76840000 0x7684efff Memory Mapped File rwx False False False -
gdi32.dll 0x76850000 0x7699cfff Memory Mapped File rwx False False False -
kernelbase.dll 0x769a0000 0x76b15fff Memory Mapped File rwx False False False -
powrprof.dll 0x76b90000 0x76bd3fff Memory Mapped File rwx False False False -
ole32.dll 0x76c40000 0x76d29fff Memory Mapped File rwx False False False -
sechost.dll 0x76d30000 0x76d72fff Memory Mapped File rwx False False False -
imm32.dll 0x76d80000 0x76daafff Memory Mapped File rwx False False False -
combase.dll 0x76db0000 0x76f69fff Memory Mapped File rwx False False False -
ntdll.dll 0x76f70000 0x770e8fff Memory Mapped File rwx False False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffff Private Memory - True False False -
private_0x0000000080000000 0x80000000 0x8000ffff Private Memory - True False False -
sysmain.sdb 0xfe430000 0xfe7bffff Memory Mapped File r False False False -
private_0x00000000fe7c7000 0xfe7c7000 0xfe7c9fff Private Memory rw True False False -
private_0x00000000fe7ca000 0xfe7ca000 0xfe7ccfff Private Memory rw True False False -
private_0x00000000fe7cd000 0xfe7cd000 0xfe7cffff Private Memory rw True False False -
pagefile_0x00000000fe7d0000 0xfe7d0000 0xfe8cffff Pagefile Backed Memory r True False False -
pagefile_0x00000000fe8d0000 0xfe8d0000 0xfe8f2fff Pagefile Backed Memory r True False False -
private_0x00000000fe8f3000 0xfe8f3000 0xfe8f3fff Private Memory rw True False False -
private_0x00000000fe8f5000 0xfe8f5000 0xfe8f7fff Private Memory rw True False False -
private_0x00000000fe8f8000 0xfe8f8000 0xfe8fafff Private Memory rw True False False -
private_0x00000000fe8fb000 0xfe8fb000 0xfe8fdfff Private Memory rw True False False -
private_0x00000000fe8fe000 0xfe8fe000 0xfe8fefff Private Memory rw True False False -
private_0x00000000fffe0000 0xfffe0000 0x7fff083affff Private Memory r True False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
private_0x00007fff08572000 0x7fff08572000 0x7ffffffeffff Private Memory r True False False -
Host Behavior
File (23)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\winamp.exe desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\cBxBGxB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\cBxBGxB desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1 Fn
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\cBxBGxB desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1 Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\winamp.exe type = file_attributes True 2 Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\winamp.exe type = file_type True 2 Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\winamp.exe type = size, size_out = 0 True 1 Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\uTorrent.exe type = file_attributes True 1 Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\cBxBGxB type = file_type True 6 Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\cBxBGxB type = size, size_out = 0 True 2 Fn
Read C:\Users\CIiHmnxMn6Ps\AppData\Local\winamp.exe size = 653824, size_out = 653824 True 1 Fn Data
Read C:\Users\CIiHmnxMn6Ps\AppData\Local\cBxBGxB size = 438280, size_out = 438280 True 2 Fn Data
Read C:\Users\CIiHmnxMn6Ps\AppData\Local\cBxBGxB size = 4096, size_out = 0 True 1 Fn
Write C:\Users\CIiHmnxMn6Ps\AppData\Local\cBxBGxB size = 438280 True 1 Fn Data
Registry (3)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = winamp.exe, data = 0, type = REG_SZ True 1 Fn
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = winamp.exe, data = C:\Users\CIiHmnxMn6Ps\AppData\Local\winamp.exe, size = 94, type = REG_SZ True 1 Fn
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Users\CIiHmnxMn6Ps\AppData\Local\uTorrent.exe os_pid = 0x7cc, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1 Fn
Module (53)
Operation Module Additional Information Success Count Logfile
Load mscorjit.dll base_address = 0x737f0000 True 1 Fn
Load kernel32 base_address = 0x76750000 True 7 Fn
Load ntdll base_address = 0x76f70000 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Local\winamp.exe, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\MSCOREE.DLL, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\KERNEL32.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\KERNELBASE.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\system32\apphelp.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\ADVAPI32.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\msvcrt.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\sechost.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\RPCRT4.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\SspiCli.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\CRYPTBASE.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\bcryptPrimitives.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\SHLWAPI.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\combase.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\GDI32.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\USER32.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\IMM32.DLL, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\MSCTF.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\kernel.appcore.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\VERSION.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9185_none_d0905a48442809b8\MSVCR80.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\shell32.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\windows.storage.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\shcore.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\powrprof.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\profapi.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f87e9c65bcfc0dde0655ce19fb05fe8c\mscorlib.ni.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\ole32.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\system32\uxtheme.dll, size = 2048 True 1 Fn
Get Filename c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System\b0de8183f9e33cd0fbe10c8db1402653\System.ni.dll, size = 2048 True 1 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\winamp.exe, file_name_orig = C:\Windows\SYSTEM32\psapi.dll, size = 2048 True 1 Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll function = getJit, address_out = 0x738393e6 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetThreadContext, address_out = 0x7676eb70 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteProcessMemory, address_out = 0x76792ae0 True 1 Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtUnmapViewOfSection, address_out = 0x76fd8e80 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadProcessMemory, address_out = 0x76791ef0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = ResumeThread, address_out = 0x7676a280 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadContext, address_out = 0x76792700 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAllocEx, address_out = 0x767929a0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtectEx, address_out = 0x76792a00 True 1 Fn
User (1)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1 Fn
System (4)
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 4 Fn
Process #33: runonce.exe
Information Value
ID #33
File Name c:\windows\syswow64\runonce.exe
Command Line C:\Windows\SysWOW64\runonce.exe /Run6432
Initial Working Directory C:\Windows\SysWOW64\
Monitor Start Time: 00:04:56, Reason: Child Process
Unmonitor End Time: 00:05:00, Reason: Self Terminated
Monitor Duration 00:00:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb94
Parent PID 0x164 (c:\windows\system32\taskhostw.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x B98
0x BA0
0x BA4
0x BA8
0x BAC
0x BB0
0x BB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
runonce.exe 0x00d80000 0x00d8bfff Memory Mapped File rwx False False False -
pagefile_0x0000000000e40000 0x00e40000 0x04e3ffff Pagefile Backed Memory - True False False -
private_0x0000000004e40000 0x04e40000 0x04e5ffff Private Memory rw True False False -
pagefile_0x0000000004e40000 0x04e40000 0x04e4ffff Pagefile Backed Memory rw True False False -
private_0x0000000004e50000 0x04e50000 0x04e53fff Private Memory rw True False False -
private_0x0000000004e60000 0x04e60000 0x04e60fff Private Memory rw True False False -
pagefile_0x0000000004e70000 0x04e70000 0x04e83fff Pagefile Backed Memory r True False False -
private_0x0000000004e90000 0x04e90000 0x04ecffff Private Memory rw True False False -
private_0x0000000004ed0000 0x04ed0000 0x04f0ffff Private Memory rw True False False -
pagefile_0x0000000004f10000 0x04f10000 0x04f13fff Pagefile Backed Memory r True False False -
pagefile_0x0000000004f20000 0x04f20000 0x04f22fff Pagefile Backed Memory r True False False -
private_0x0000000004f30000 0x04f30000 0x04f31fff Private Memory rw True False False -
private_0x0000000004f40000 0x04f40000 0x04f7ffff Private Memory rw True False False -
private_0x0000000004f80000 0x04f80000 0x04f80fff Private Memory rw True False False -
private_0x0000000004f90000 0x04f90000 0x0508ffff Private Memory rw True False False -
private_0x0000000005090000 0x05090000 0x050cffff Private Memory rw True False False -
private_0x00000000050d0000 0x050d0000 0x050d0fff Private Memory rw True False False -
private_0x00000000050e0000 0x050e0000 0x050effff Private Memory rw True False False -
locale.nls 0x050f0000 0x051adfff Memory Mapped File r False False False -
pagefile_0x00000000051b0000 0x051b0000 0x051b0fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000051c0000 0x051c0000 0x051c1fff Pagefile Backed Memory r True False False -
private_0x00000000051d0000 0x051d0000 0x0520bfff Private Memory rw True False False -
private_0x0000000005210000 0x05210000 0x0524ffff Private Memory rw True False False -
private_0x0000000005250000 0x05250000 0x0528ffff Private Memory rw True False False -
private_0x0000000005290000 0x05290000 0x052cffff Private Memory rw True False False -
private_0x00000000052d0000 0x052d0000 0x0530ffff Private Memory rw True False False -
pagefile_0x0000000005310000 0x05310000 0x05310fff Pagefile Backed Memory r True False False -
private_0x0000000005320000 0x05320000 0x0532ffff Private Memory rw True False False -
pagefile_0x0000000005330000 0x05330000 0x054b7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000054c0000 0x054c0000 0x05640fff Pagefile Backed Memory r True False False -
pagefile_0x0000000005650000 0x05650000 0x06a4ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000006a50000 0x06a50000 0x06a50fff Pagefile Backed Memory r True False False -
cversions.2.db 0x06a60000 0x06a63fff Memory Mapped File r True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db 0x06a70000 0x06a82fff Memory Mapped File r True False False -
pagefile_0x0000000006a90000 0x06a90000 0x06a90fff Pagefile Backed Memory rw True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db 0x06aa0000 0x06ae2fff Memory Mapped File r True False False -
cversions.2.db 0x06af0000 0x06af3fff Memory Mapped File r True False False -
propsys.dll.mui 0x06b00000 0x06b10fff Memory Mapped File r False False False -
private_0x0000000006b20000 0x06b20000 0x06b5ffff Private Memory rw True False False -
windows.storage.dll.mui 0x06b60000 0x06b67fff Memory Mapped File r False False False -
private_0x0000000006b80000 0x06b80000 0x06b8ffff Private Memory rw True False False -
sortdefault.nls 0x06b90000 0x06ec6fff Memory Mapped File r False False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db 0x06ed0000 0x06f5afff Memory Mapped File r True False False -
shell32.dll.mui 0x06f60000 0x06fc0fff Memory Mapped File r False False False -
private_0x0000000006fd0000 0x06fd0000 0x0700ffff Private Memory rw True False False -
private_0x0000000007010000 0x07010000 0x0704ffff Private Memory rw True False False -
private_0x0000000007050000 0x07050000 0x0708ffff Private Memory rw True False False -
private_0x0000000007090000 0x07090000 0x070cffff Private Memory rw True False False -
private_0x00000000070d0000 0x070d0000 0x0710ffff Private Memory rw True False False -
wow64cpu.dll 0x51cd0000 0x51cd7fff Memory Mapped File rwx False False False -
wow64.dll 0x51ce0000 0x51d2efff Memory Mapped File rwx False False False -
wow64win.dll 0x51d30000 0x51da2fff Memory Mapped File rwx False False False -
iertutil.dll 0x73050000 0x73310fff Memory Mapped File rwx False False False -
urlmon.dll 0x73320000 0x7347ffff Memory Mapped File rwx False False False -
rsaenh.dll 0x73480000 0x734aefff Memory Mapped File rwx False False False -
bcrypt.dll 0x734b0000 0x734cafff Memory Mapped File rwx False False False -
cryptsp.dll 0x734d0000 0x734e2fff Memory Mapped File rwx False False False -
propsys.dll 0x734f0000 0x73631fff Memory Mapped File rwx False False False -
uxtheme.dll 0x73640000 0x736b4fff Memory Mapped File rwx False False False -
comctl32.dll 0x736c0000 0x738c8fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74010000 0x74068fff Memory Mapped File rwx False False False -
cryptbase.dll 0x74070000 0x74079fff Memory Mapped File rwx False False False -
sspicli.dll 0x74080000 0x7409dfff Memory Mapped File rwx False False False -
msctf.dll 0x740a0000 0x741bffff Memory Mapped File rwx False False False -
user32.dll 0x743a0000 0x744dffff Memory Mapped File rwx False False False -
windows.storage.dll 0x74580000 0x74a5cfff Memory Mapped File rwx False False False -
clbcatq.dll 0x74a60000 0x74ae1fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x74af0000 0x74b9bfff Memory Mapped File rwx False False False -
oleaut32.dll 0x74ba0000 0x74c31fff Memory Mapped File rwx False False False -
shcore.dll 0x74c40000 0x74cccfff Memory Mapped File rwx False False False -
shell32.dll 0x74cd0000 0x7608efff Memory Mapped File rwx False False False -
advapi32.dll 0x76160000 0x761dafff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x761e0000 0x761ebfff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x765f0000 0x76625fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76640000 0x766fdfff Memory Mapped File rwx False False False -
shlwapi.dll 0x76700000 0x76743fff Memory Mapped File rwx False False False -
kernel32.dll 0x76750000 0x7683ffff Memory Mapped File rwx False False False -
profapi.dll 0x76840000 0x7684efff Memory Mapped File rwx False False False -
gdi32.dll 0x76850000 0x7699cfff Memory Mapped File rwx False False False -
kernelbase.dll 0x769a0000 0x76b15fff Memory Mapped File rwx False False False -
powrprof.dll 0x76b90000 0x76bd3fff Memory Mapped File rwx False False False -
ole32.dll 0x76c40000 0x76d29fff Memory Mapped File rwx False False False -
sechost.dll 0x76d30000 0x76d72fff Memory Mapped File rwx False False False -
imm32.dll 0x76d80000 0x76daafff Memory Mapped File rwx False False False -
combase.dll 0x76db0000 0x76f69fff Memory Mapped File rwx False False False -
ntdll.dll 0x76f70000 0x770e8fff Memory Mapped File rwx False False False -
private_0x000000007ebe1000 0x7ebe1000 0x7ebe3fff Private Memory rw True False False -
private_0x000000007ebe4000 0x7ebe4000 0x7ebe6fff Private Memory rw True False False -
private_0x000000007ebe7000 0x7ebe7000 0x7ebe9fff Private Memory rw True False False -
private_0x000000007ebea000 0x7ebea000 0x7ebecfff Private Memory rw True False False -
private_0x000000007ebed000 0x7ebed000 0x7ebeffff Private Memory rw True False False -
pagefile_0x000000007ebf0000 0x7ebf0000 0x7eceffff Pagefile Backed Memory r True False False -
pagefile_0x000000007ecf0000 0x7ecf0000 0x7ed12fff Pagefile Backed Memory r True False False -
private_0x000000007ed15000 0x7ed15000 0x7ed17fff Private Memory rw True False False -
private_0x000000007ed18000 0x7ed18000 0x7ed18fff Private Memory rw True False False -
private_0x000000007ed1b000 0x7ed1b000 0x7ed1dfff Private Memory rw True False False -
private_0x000000007ed1e000 0x7ed1e000 0x7ed1efff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7dff083affff Private Memory r True False False -
pagefile_0x00007dff083b0000 0x7dff083b0000 0x7fff083affff Pagefile Backed Memory - True False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
private_0x00007fff08572000 0x7fff08572000 0x7ffffffeffff Private Memory r True False False -
Process #34: svchost.exe
359 0
Information Value
ID #34
File Name c:\windows\syswow64\install\svchost.exe
Command Line "C:\Windows\System32\install\svchost.exe"
Initial Working Directory C:\Windows\SysWOW64\
Monitor Start Time: 00:04:58, Reason: Child Process
Unmonitor End Time: 00:05:01, Reason: Self Terminated
Monitor Duration 00:00:03
OS Process Information
Information Value
PID 0xbc0
Parent PID 0xb94 (c:\windows\syswow64\runonce.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xBC4
0xBE4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000010000 0x00010000 0x00013fff Private Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory rw True False False -
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory r True False False -
private_0x00000000001c0000 0x001c0000 0x001c1fff Private Memory rw True False False -
locale.nls 0x001d0000 0x0028dfff Memory Mapped File r False False False -
private_0x0000000000290000 0x00290000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x002d0fff Private Memory rw True False False -
pagefile_0x00000000002e0000 0x002e0000 0x002e0fff Pagefile Backed Memory r True False False -
private_0x00000000002f0000 0x002f0000 0x002f6fff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
svchost.exe 0x00400000 0x0051efff Memory Mapped File rwx True True False
private_0x0000000000600000 0x00600000 0x006fffff Private Memory rw True False False -
private_0x0000000000700000 0x00700000 0x007fffff Private Memory rw True False False -
private_0x0000000000910000 0x00910000 0x00913fff Private Memory rw True False False -
private_0x0000000000970000 0x00970000 0x00973fff Private Memory rw True False False -
private_0x0000000000a00000 0x00a00000 0x00afffff Private Memory rw True False False -
pagefile_0x0000000000b00000 0x00b00000 0x00c87fff Pagefile Backed Memory r True False False -
private_0x0000000000cf0000 0x00cf0000 0x00cf3fff Private Memory rw True False False -
private_0x0000000000d00000 0x00d00000 0x00dfffff Private Memory rw True False False -
pagefile_0x0000000000e00000 0x00e00000 0x00f80fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000f90000 0x00f90000 0x0238ffff Pagefile Backed Memory r True False False -
private_0x0000000002400000 0x02400000 0x024fffff Private Memory rw True False False -
svchost.exe 0x02500000 0x0261efff Memory Mapped File r True True False
private_0x0000000002640000 0x02640000 0x02643fff Private Memory rwx True False False -
sortdefault.nls 0x02650000 0x02986fff Memory Mapped File r False False False -
wow64cpu.dll 0x51cd0000 0x51cd7fff Memory Mapped File rwx False False False -
wow64.dll 0x51ce0000 0x51d2efff Memory Mapped File rwx False False False -
wow64win.dll 0x51d30000 0x51da2fff Memory Mapped File rwx False False False -
msvcr80.dll 0x72fb0000 0x7304afff Memory Mapped File rwx False False False -
mscorwks.dll 0x738d0000 0x73e7ffff Memory Mapped File rwx True False False -
version.dll 0x73e80000 0x73e87fff Memory Mapped File rwx False False False -
mscoreei.dll 0x73e90000 0x73f07fff Memory Mapped File rwx True False False -
apphelp.dll 0x73f10000 0x73fa0fff Memory Mapped File rwx False False False -
mscoree.dll 0x73fb0000 0x74008fff Memory Mapped File rwx True False False -
bcryptprimitives.dll 0x74010000 0x74068fff Memory Mapped File rwx False False False -
cryptbase.dll 0x74070000 0x74079fff Memory Mapped File rwx False False False -
sspicli.dll 0x74080000 0x7409dfff Memory Mapped File rwx False False False -
msctf.dll 0x740a0000 0x741bffff Memory Mapped File rwx False False False -
user32.dll 0x743a0000 0x744dffff Memory Mapped File rwx False False False -
rpcrt4.dll 0x74af0000 0x74b9bfff Memory Mapped File rwx False False False -
oleaut32.dll 0x74ba0000 0x74c31fff Memory Mapped File rwx False False False -
advapi32.dll 0x76160000 0x761dafff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x761e0000 0x761ebfff Memory Mapped File rwx False False False -
psapi.dll 0x76510000 0x76515fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76640000 0x766fdfff Memory Mapped File rwx False False False -
shlwapi.dll 0x76700000 0x76743fff Memory Mapped File rwx False False False -
kernel32.dll 0x76750000 0x7683ffff Memory Mapped File rwx False False False -
gdi32.dll 0x76850000 0x7699cfff Memory Mapped File rwx False False False -
kernelbase.dll 0x769a0000 0x76b15fff Memory Mapped File rwx False False False -
ole32.dll 0x76c40000 0x76d29fff Memory Mapped File rwx False False False -
sechost.dll 0x76d30000 0x76d72fff Memory Mapped File rwx False False False -
imm32.dll 0x76d80000 0x76daafff Memory Mapped File rwx False False False -
combase.dll 0x76db0000 0x76f69fff Memory Mapped File rwx False False False -
ntdll.dll 0x76f70000 0x770e8fff Memory Mapped File rwx False False False -
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7fff083affff Private Memory r True False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
private_0x00007fff08572000 0x7fff08572000 0x7ffffffeffff Private Memory r True False False -
Host Behavior
File (329)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Windows\SysWOW64\install\1033\VBC7ui.dll type = file_attributes False 1
Get Info C:\Windows\SysWOW64\install\9\VBC7ui.dll type = file_attributes False 1
Get Info C:\Windows\SysWOW64\install\VBC7ui.dll type = file_attributes False 1
Open STD_OUTPUT_HANDLE - True 164
Write STD_OUTPUT_HANDLE size = 59 True 2
Write STD_OUTPUT_HANDLE size = 56 True 2
Write STD_OUTPUT_HANDLE size = 1 True 30
Write STD_OUTPUT_HANDLE size = 30 True 3
Write STD_OUTPUT_HANDLE size = 34 True 63
Write STD_OUTPUT_HANDLE size = 16 True 2
Write STD_OUTPUT_HANDLE size = 32 True 1
Write STD_OUTPUT_HANDLE size = 57 True 2
Write STD_OUTPUT_HANDLE size = 27 True 1
Write STD_OUTPUT_HANDLE size = 50 True 1
Write STD_OUTPUT_HANDLE size = 44 True 1
Write STD_OUTPUT_HANDLE size = 47 True 2
Write STD_OUTPUT_HANDLE size = 113 True 1
Write STD_OUTPUT_HANDLE size = 25 True 1
Write STD_OUTPUT_HANDLE size = 65 True 1
Write STD_OUTPUT_HANDLE size = 14 True 1
Write STD_OUTPUT_HANDLE size = 93 True 1
Write STD_OUTPUT_HANDLE size = 64 True 2
Write STD_OUTPUT_HANDLE size = 92 True 1
Write STD_OUTPUT_HANDLE size = 60 True 1
Write STD_OUTPUT_HANDLE size = 68 True 1
Write STD_OUTPUT_HANDLE size = 40 True 1
Write STD_OUTPUT_HANDLE size = 20 True 2
Write STD_OUTPUT_HANDLE size = 22 True 2
Write STD_OUTPUT_HANDLE size = 36 True 2
Write STD_OUTPUT_HANDLE size = 28 True 1
Write STD_OUTPUT_HANDLE size = 43 True 2
Write STD_OUTPUT_HANDLE size = 24 True 2
Write STD_OUTPUT_HANDLE size = 39 True 2
Write STD_OUTPUT_HANDLE size = 13 True 2
Write STD_OUTPUT_HANDLE size = 118 True 1
Write STD_OUTPUT_HANDLE size = 10 True 1
Write STD_OUTPUT_HANDLE size = 102 True 1
Write STD_OUTPUT_HANDLE size = 26 True 2
Write STD_OUTPUT_HANDLE size = 35 True 2
Write STD_OUTPUT_HANDLE size = 55 True 1
Write STD_OUTPUT_HANDLE size = 41 True 1
Write STD_OUTPUT_HANDLE size = 18 True 1
Write STD_OUTPUT_HANDLE size = 45 True 1
Write STD_OUTPUT_HANDLE size = 42 True 1
Write STD_OUTPUT_HANDLE size = 19 True 1
Write STD_OUTPUT_HANDLE size = 48 True 1
Write STD_OUTPUT_HANDLE size = 78 True 1
Write STD_OUTPUT_HANDLE size = 120 True 1
Write STD_OUTPUT_HANDLE size = 11 True 2
Write STD_OUTPUT_HANDLE size = 53 True 1
Write STD_OUTPUT_HANDLE size = 79 True 1
Write STD_OUTPUT_HANDLE size = 116 True 1
Write STD_OUTPUT_HANDLE size = 58 True 1
Write STD_OUTPUT_HANDLE size = 67 True 1
Write STD_OUTPUT_HANDLE size = 114 True 1
Write STD_OUTPUT_HANDLE size = 61 True 1
Write STD_OUTPUT_HANDLE size = 49 True 1
Module (27)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x76750000 True 1
Load version.dll base_address = 0x73e80000 True 1
Load Kernel32.dll base_address = 0x76750000 True 1
Load user32.dll base_address = 0x743a0000 True 1
Get Handle c:\windows\syswow64\install\svchost.exe base_address = 0x400000 True 1
Get Handle c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll base_address = 0x738d0000 True 1
Get Filename - process_name = c:\windows\syswow64\install\svchost.exe, file_name_orig = C:\Windows\SysWOW64\install\svchost.exe, size = 260 True 2
Get Filename - process_name = c:\windows\syswow64\install\svchost.exe, file_name_orig = C:\Windows\SysWOW64\install\svchost.exe, size = 259 True 1
Get Filename - process_name = c:\windows\syswow64\install\svchost.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll, size = 259 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76769560 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76769660 True 1
Get Address c:\windows\syswow64\version.dll function = GetFileVersionInfoSizeW, address_out = 0x73e81560 True 1
Get Address c:\windows\syswow64\version.dll function = GetFileVersionInfoW, address_out = 0x73e81580 True 1
Get Address c:\windows\syswow64\version.dll function = VerQueryValueW, address_out = 0x73e81500 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x7676a0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultUILanguage, address_out = 0x7676a6f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileAttributesW, address_out = 0x76776340 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoW, address_out = 0x7676c800 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x76776250 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76776290 True 3
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpW, address_out = 0x767678d0 True 2
Get Address c:\windows\syswow64\user32.dll function = LoadStringW, address_out = 0x743bcf10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x76762d80 True 1
System (3)
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 3
Process #36: dllhost.exe
0 0
Information Value
ID #36
File Name c:\windows\system32\dllhost.exe
Command Line C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:05:13, Reason: Child Process
Unmonitor End Time: 00:05:25, Reason: Self Terminated
Monitor Duration 00:00:12
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x578
Parent PID 0x244 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x574
0x914
0x92C
0x7E0
0x2F8
0x7D4
0x734
0x2F0
0x334
0x53C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
sortdefault.nls 0x7880000000 0x7880336fff Memory Mapped File r False False False -
private_0x0000007880340000 0x7880340000 0x788043ffff Private Memory rw True False False -
private_0x0000007880440000 0x7880440000 0x788053ffff Private Memory rw True False False -
private_0x0000007880540000 0x7880540000 0x788063ffff Private Memory rw True False False -
pagefile_0x0000007880640000 0x7880640000 0x78807c7fff Pagefile Backed Memory r True False False -
pagefile_0x00000078807d0000 0x78807d0000 0x7880950fff Pagefile Backed Memory r True False False -
pagefile_0x0000007880960000 0x7880960000 0x7881d5ffff Pagefile Backed Memory r True False False -
private_0x0000007881d60000 0x7881d60000 0x7881e5ffff Private Memory rw True False False -
pagefile_0x0000007881e60000 0x7881e60000 0x7881e62fff Pagefile Backed Memory r True False False -
pagefile_0x0000007881e80000 0x7881e80000 0x7881e81fff Pagefile Backed Memory r True False False -
private_0x00000078ff920000 0x78ff920000 0x78ff93ffff Private Memory rw True False False -
pagefile_0x00000078ff920000 0x78ff920000 0x78ff92ffff Pagefile Backed Memory rw True False False -
private_0x00000078ff930000 0x78ff930000 0x78ff936fff Private Memory rw True False False -
pagefile_0x00000078ff940000 0x78ff940000 0x78ff953fff Pagefile Backed Memory r True False False -
private_0x00000078ff960000 0x78ff960000 0x78ffa5ffff Private Memory rw True False False -
pagefile_0x00000078ffa60000 0x78ffa60000 0x78ffa63fff Pagefile Backed Memory r True False False -
private_0x00000078ffa70000 0x78ffa70000 0x78ffa71fff Private Memory rw True False False -
locale.nls 0x78ffa80000 0x78ffb3dfff Memory Mapped File r False False False -
pagefile_0x00000078ffb40000 0x78ffb40000 0x78ffb40fff Pagefile Backed Memory r True False False -
private_0x00000078ffb50000 0x78ffb50000 0x78ffb56fff Private Memory rw True False False -
pagefile_0x00000078ffb60000 0x78ffb60000 0x78ffb60fff Pagefile Backed Memory r True False False -
private_0x00000078ffb70000 0x78ffb70000 0x78ffb70fff Private Memory rw True False False -
private_0x00000078ffb80000 0x78ffb80000 0x78ffb80fff Private Memory rw True False False -
private_0x00000078ffbb0000 0x78ffbb0000 0x78ffbbffff Private Memory rw True False False -
private_0x00000078ffc10000 0x78ffc10000 0x78ffd0ffff Private Memory rw True False False -
private_0x00000078ffd10000 0x78ffd10000 0x78ffe0ffff Private Memory rw True False False -
private_0x00000078ffe10000 0x78ffe10000 0x78fff0ffff Private Memory rw True False False -
private_0x00000078fffe0000 0x78fffe0000 0x78fffeffff Private Memory rw True False False -
pagefile_0x00007df5ffe20000 0x7df5ffe20000 0x7ff5ffe1ffff Pagefile Backed Memory - True False False -
private_0x00007ff6ddfce000 0x7ff6ddfce000 0x7ff6ddfcffff Private Memory rw True False False -
pagefile_0x00007ff6ddfd0000 0x7ff6ddfd0000 0x7ff6de0cffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6de0d0000 0x7ff6de0d0000 0x7ff6de0f2fff Pagefile Backed Memory r True False False -
private_0x00007ff6de0f3000 0x7ff6de0f3000 0x7ff6de0f4fff Private Memory rw True False False -
private_0x00007ff6de0f5000 0x7ff6de0f5000 0x7ff6de0f6fff Private Memory rw True False False -
private_0x00007ff6de0f7000 0x7ff6de0f7000 0x7ff6de0f7fff Private Memory rw True False False -
private_0x00007ff6de0f8000 0x7ff6de0f8000 0x7ff6de0f9fff Private Memory rw True False False -
private_0x00007ff6de0fa000 0x7ff6de0fa000 0x7ff6de0fbfff Private Memory rw True False False -
private_0x00007ff6de0fc000 0x7ff6de0fc000 0x7ff6de0fdfff Private Memory rw True False False -
private_0x00007ff6de0fe000 0x7ff6de0fe000 0x7ff6de0fffff Private Memory rw True False False -
dllhost.exe 0x7ff6de1e0000 0x7ff6de1e6fff Memory Mapped File rwx False False False -
thumbcache.dll 0x7ffef7650000 0x7ffef769afff Memory Mapped File rwx False False False -
comctl32.dll 0x7ffefc790000 0x7ffefca03fff Memory Mapped File rwx False False False -
propsys.dll 0x7ffeff870000 0x7ffeff9f2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fff03600000 0x7fff03695fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fff042a0000 0x7fff042d2fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fff046b0000 0x7fff046c6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fff04820000 0x7fff0482afff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
shcore.dll 0x7fff04e80000 0x7fff04f32fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
imm32.dll 0x7fff06170000 0x7fff061a5fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
msctf.dll 0x7fff07eb0000 0x7fff0800bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
Process #37: utorrent.exe
1538 0
Information Value
ID #37
File Name c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe
Command Line C:\Users\CIiHmnxMn6Ps\AppData\Local\uTorrent.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:05:18, Reason: Child Process
Unmonitor End Time: 00:05:31, Reason: Self Terminated
Monitor Duration 00:00:13
OS Process Information
Information Value
PID 0x7cc
Parent PID 0xb88 (c:\users\ciihmnxmn6ps\appdata\local\winamp.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x7D0
0x33C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00023fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory rw True False False -
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory r True False False -
private_0x00000000001c0000 0x001c0000 0x001c1fff Private Memory rw True False False -
locale.nls 0x001d0000 0x0028dfff Memory Mapped File r False False False -
private_0x0000000000290000 0x00290000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003e0fff Private Memory rw True False False -
utorrent.exe 0x00400000 0x0051efff Memory Mapped File rwx True True False
private_0x0000000000400000 0x00400000 0x00470fff Private Memory rwx True False False -
pagefile_0x0000000000480000 0x00480000 0x00607fff Pagefile Backed Memory r True False False -
private_0x0000000000630000 0x00630000 0x0072ffff Private Memory rw True False False -
private_0x0000000000730000 0x00730000 0x0082ffff Private Memory - True False False -
private_0x00000000008b0000 0x008b0000 0x008bffff Private Memory rw True False False -
pagefile_0x00000000008c0000 0x008c0000 0x00a40fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000a50000 0x00a50000 0x01e4ffff Pagefile Backed Memory r True False False -
private_0x0000000001e50000 0x01e50000 0x01f4ffff Private Memory - True False False -
private_0x0000000010410000 0x10410000 0x1047ffff Private Memory rwx True False False -
private_0x0000000010480000 0x10480000 0x104effff Private Memory rwx True False False -
private_0x00000000104f0000 0x104f0000 0x1055ffff Private Memory rwx True False False -
wow64cpu.dll 0x51cd0000 0x51cd7fff Memory Mapped File rwx False False False -
wow64.dll 0x51ce0000 0x51d2efff Memory Mapped File rwx False False False -
wow64win.dll 0x51d30000 0x51da2fff Memory Mapped File rwx False False False -
apphelp.dll 0x73f10000 0x73fa0fff Memory Mapped File rwx False False False -
ntmarta.dll 0x73fe0000 0x74007fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74010000 0x74068fff Memory Mapped File rwx False False False -
cryptbase.dll 0x74070000 0x74079fff Memory Mapped File rwx False False False -
sspicli.dll 0x74080000 0x7409dfff Memory Mapped File rwx False False False -
msctf.dll 0x740a0000 0x741bffff Memory Mapped File rwx False False False -
user32.dll 0x743a0000 0x744dffff Memory Mapped File rwx False False False -
windows.storage.dll 0x74580000 0x74a5cfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x74af0000 0x74b9bfff Memory Mapped File rwx False False False -
oleaut32.dll 0x74ba0000 0x74c31fff Memory Mapped File rwx False False False -
shcore.dll 0x74c40000 0x74cccfff Memory Mapped File rwx False False False -
shell32.dll 0x74cd0000 0x7608efff Memory Mapped File rwx False False False -
advapi32.dll 0x76160000 0x761dafff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x761e0000 0x761ebfff Memory Mapped File rwx False False False -
msvcrt.dll 0x76640000 0x766fdfff Memory Mapped File rwx False False False -
shlwapi.dll 0x76700000 0x76743fff Memory Mapped File rwx False False False -
kernel32.dll 0x76750000 0x7683ffff Memory Mapped File rwx False False False -
profapi.dll 0x76840000 0x7684efff Memory Mapped File rwx False False False -
gdi32.dll 0x76850000 0x7699cfff Memory Mapped File rwx False False False -
kernelbase.dll 0x769a0000 0x76b15fff Memory Mapped File rwx False False False -
powrprof.dll 0x76b90000 0x76bd3fff Memory Mapped File rwx False False False -
sechost.dll 0x76d30000 0x76d72fff Memory Mapped File rwx False False False -
imm32.dll 0x76d80000 0x76daafff Memory Mapped File rwx False False False -
combase.dll 0x76db0000 0x76f69fff Memory Mapped File rwx False False False -
ntdll.dll 0x76f70000 0x770e8fff Memory Mapped File rwx False False False -
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7fff083affff Private Memory r True False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
private_0x00007fff08572000 0x7fff08572000 0x7ffffffeffff Private Memory r True False False -
Created Files
Filename File Size Hash Values YARA Match Actions
C:\Users\CIiHmnxMn6Ps\AppData\Local\uTorrent.exe 1.12 MB MD5: e618b1550d4ccf3a62dd471bb87ef834
SHA1: a552f7f4f0bd46ae187820ef8ad884e292bbb57b
SHA256: f1b531118f5522b898b9fcda838032d4fdcfec9d7ba4592946a5cbb987baeb52
SSDeep: 24576:Up2silPhMAXGWClfuRcUqIJUKB5QskQZL:Up2sMOjVzUXJDB5QEZL
YARA Match: False
C:\Users\CIiHmnxMn6Ps\AppData\Local\uTorrent.exe 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep: 3::
YARA Match: False
Host Behavior
File (16)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps2.txt desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_WRITE True 1 Fn
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\install\ - True 1 Fn
Get Info C:\Windows\system32\install\ type = file_attributes True 1 Fn
Get Info C:\Windows\system32\install\svchost.exe type = file_attributes True 1 Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\install\ type = file_attributes False 2 Fn
Get Info C:\ type = file_attributes True 1 Fn
Get Info C:\Users\ type = file_attributes True 1 Fn
Get Info C:\Users\CIiHmnxMn6Ps\ type = file_attributes True 1 Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\ type = file_attributes True 1 Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\ type = file_attributes True 1 Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\install\ type = file_attributes True 1 Fn
Copy C:\Windows\system32\install\svchost.exe source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\uTorrent.exe False 1 Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\install\svchost.exe source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\uTorrent.exe True 1 Fn
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps2.txt size = 394358 True 1 Fn Data
Delete C:\Windows\system32\install\svchost.exe - False 1 Fn
Registry (30)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run - True 1 Fn
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run - True 1 Fn
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run - True 1 Fn
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1 Fn
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} - False 1 Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 2 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run - True 1 Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run - True 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run - True 1 Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1 Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\ - True 1 Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = Startup, data = 0, type = REG_SZ True 1 Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = Startup, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup, type = REG_SZ True 1 Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = 0, type = REG_SZ True 1 Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = REG_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 0, type = REG_EXPAND_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = C:\Windows\system32\install\svchost.exe, type = REG_EXPAND_SZ True 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 0, type = REG_EXPAND_SZ True 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = C:\Windows\system32\install\svchost.exe, type = REG_EXPAND_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = 0, type = REG_EXPAND_SZ True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = C:\Windows\system32\install\svchost.exe, type = REG_EXPAND_SZ True 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKCU, data = 0, type = REG_EXPAND_SZ True 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKCU, data = C:\Windows\system32\install\svchost.exe, type = REG_EXPAND_SZ True 1 Fn
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 7538360, size = 57, type = REG_EXPAND_SZ False 1 Fn
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 7538532, size = 57, type = REG_EXPAND_SZ False 1 Fn
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = 7538700, size = 57, type = REG_EXPAND_SZ False 1 Fn
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKCU, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\install\svchost.exe, size = 57, type = REG_EXPAND_SZ True 1 Fn
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = 7539196, size = 66, type = REG_SZ False 1 Fn
Delete Key HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} - False 1 Fn
Process (3)
Operation Process Additional Information Success Count Logfile
Create explorer.exe os_pid = 0x338, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1 Fn
Create explorer.exe os_pid = 0xb58, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1 Fn
Open c:\windows\system32\taskhostw.exe desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1 Fn
Thread (111)
Operation Process Additional Information Success Count Logfile
Create c:\windows\system32\taskhostw.exe proc_address = 0x7710000, proc_parameter = 124780544, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x7cb0000, proc_parameter = 130678784, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x8bf0000, proc_parameter = 146669568, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x8c30000, proc_parameter = 146931712, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x9090000, proc_parameter = 151519232, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x90d0000, proc_parameter = 151781376, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x9200000, proc_parameter = 153026560, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x9240000, proc_parameter = 153288704, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x9970000, proc_parameter = 160825344, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x99b0000, proc_parameter = 161087488, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x99e0000, proc_parameter = 161284096, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x9a20000, proc_parameter = 161546240, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x9a50000, proc_parameter = 161742848, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x9a90000, proc_parameter = 162004992, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x9ac0000, proc_parameter = 162201600, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x9b00000, proc_parameter = 162463744, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x9b30000, proc_parameter = 162660352, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x9b70000, proc_parameter = 162922496, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x9ba0000, proc_parameter = 163119104, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x9be0000, proc_parameter = 163381248, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x9c10000, proc_parameter = 163577856, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x9c50000, proc_parameter = 163840000, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x9c80000, proc_parameter = 164036608, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x9cc0000, proc_parameter = 164298752, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x9cf0000, proc_parameter = 164495360, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x9d30000, proc_parameter = 164757504, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x9d60000, proc_parameter = 164954112, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x9da0000, proc_parameter = 165216256, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x9dd0000, proc_parameter = 165412864, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x9e10000, proc_parameter = 165675008, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0x9e40000, proc_parameter = 165871616, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0xa580000, proc_parameter = 173473792, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0xa5b0000, proc_parameter = 173670400, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0xac40000, proc_parameter = 180551680, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0xac70000, proc_parameter = 180748288, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0xacb0000, proc_parameter = 181010432, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create c:\windows\system32\taskhostw.exe proc_address = 0xacd0000, proc_parameter = 181141504, flags = THREAD_RUNS_IMMEDIATELY False 1 Fn
Create explorer.exe proc_address = 0x490000, proc_parameter = 4718592, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x550000, proc_parameter = 5505024, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x590000, proc_parameter = 5767168, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x5d0000, proc_parameter = 6029312, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x990000, proc_parameter = 9961472, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x9d0000, proc_parameter = 10223616, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0xa00000, proc_parameter = 10420224, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0xdf0000, proc_parameter = 14548992, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0xe20000, proc_parameter = 14745600, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x66c0000, proc_parameter = 107675648, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x66f0000, proc_parameter = 107872256, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x6b00000, proc_parameter = 112132096, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x6b30000, proc_parameter = 112328704, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x6bf0000, proc_parameter = 113115136, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x6c20000, proc_parameter = 113311744, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x6ce0000, proc_parameter = 114098176, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x6d10000, proc_parameter = 114294784, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x6dd0000, proc_parameter = 115081216, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x6e00000, proc_parameter = 115277824, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x6ec0000, proc_parameter = 116064256, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x6ef0000, proc_parameter = 116260864, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x6fb0000, proc_parameter = 117047296, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x6fe0000, proc_parameter = 117243904, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x70a0000, proc_parameter = 118030336, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x70d0000, proc_parameter = 118226944, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x7190000, proc_parameter = 119013376, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x71c0000, proc_parameter = 119209984, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x7280000, proc_parameter = 119996416, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x72b0000, proc_parameter = 120193024, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x7370000, proc_parameter = 120979456, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x73a0000, proc_parameter = 121176064, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x7460000, proc_parameter = 121962496, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x7490000, proc_parameter = 122159104, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x7550000, proc_parameter = 122945536, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x7580000, proc_parameter = 123142144, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x7640000, proc_parameter = 123928576, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x7660000, proc_parameter = 124059648, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x7e0000, proc_parameter = 8192000, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x8a0000, proc_parameter = 8978432, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x8e0000, proc_parameter = 9240576, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x920000, proc_parameter = 9502720, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0xbe0000, proc_parameter = 12386304, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0xc30000, proc_parameter = 12713984, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0xc60000, proc_parameter = 12910592, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0xd30000, proc_parameter = 13434880, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0xd60000, proc_parameter = 13959168, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0xe20000, proc_parameter = 14745600, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x6c90000, proc_parameter = 113770496, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x6d50000, proc_parameter = 114556928, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x6d80000, proc_parameter = 114753536, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x6e40000, proc_parameter = 115539968, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x6e70000, proc_parameter = 115736576, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x6f30000, proc_parameter = 116523008, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x6f60000, proc_parameter = 116719616, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x7020000, proc_parameter = 117506048, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x7050000, proc_parameter = 117702656, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x7110000, proc_parameter = 118489088, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x7140000, proc_parameter = 118685696, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x7200000, proc_parameter = 119472128, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x7230000, proc_parameter = 119668736, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x72f0000, proc_parameter = 120455168, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x7320000, proc_parameter = 120651776, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x73e0000, proc_parameter = 121438208, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x7410000, proc_parameter = 121634816, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x74d0000, proc_parameter = 122421248, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x7500000, proc_parameter = 122617856, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x75c0000, proc_parameter = 123404288, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x75f0000, proc_parameter = 123600896, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x76b0000, proc_parameter = 124387328, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x76e0000, proc_parameter = 124583936, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x77a0000, proc_parameter = 125370368, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x77d0000, proc_parameter = 125566976, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x7890000, proc_parameter = 126353408, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Create explorer.exe proc_address = 0x78b0000, proc_parameter = 126484480, flags = THREAD_RUNS_IMMEDIATELY True 1 Fn
Memory (786)
Operation Process Additional Information Success Count Logfile
Allocate c:\windows\system32\taskhostw.exe address = 0x10410000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 458752 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x76f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x7700000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x7710000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x7c80000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x7c90000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x7ca0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x7cb0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x8bc0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x8bd0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x8be0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x8bf0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x8c00000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x8c10000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x8c20000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x8c30000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9060000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9070000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9080000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9090000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x90a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x90b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x90c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x90d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x91e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x91f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9200000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9210000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9220000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9230000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9240000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9250000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9960000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9970000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9980000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 7 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9990000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x99a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x99b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x99c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x99d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x99e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x99f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 9 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9a00000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9a10000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9a20000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9a30000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 8 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9a40000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9a50000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9a60000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 14 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9a70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 8 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9a80000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9a90000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9aa0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9ab0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9ac0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9ad0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 14 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9ae0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9af0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9b00000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9b10000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9b20000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9b30000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9b40000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 24 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9b50000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9b60000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9b70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9b80000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9b90000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9ba0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9bb0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 14 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9bc0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9bd0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9be0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1 Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9bf0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9c00000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9c10000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9c20000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 14 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9c30000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9c40000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9c50000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9c60000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9c70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9c80000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9c90000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9ca0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9cb0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9cc0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9cd0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9ce0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9cf0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9d00000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9d10000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9d20000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9d30000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9d40000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 11 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9d50000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9d60000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9d70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 6 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9d80000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 11 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9d90000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9da0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9db0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9dc0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9dd0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9de0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9df0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9e00000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9e10000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9e20000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9e30000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9e40000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0x9e50000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0xa560000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0xa570000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0xa580000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0xa590000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0xa5a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0xa5b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0xa5c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 11 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0xa5d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0xac30000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0xac40000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0xac50000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0xac60000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0xac70000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0xac80000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 5 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0xac90000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0xaca0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0xacb0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0xacc0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 8 True 1
Fn
Allocate c:\windows\system32\taskhostw.exe address = 0xacd0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 313 True 1
Fn
Allocate explorer.exe address = 0x10480000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 458752 True 1
Fn
Allocate explorer.exe address = 0x470000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate explorer.exe address = 0x480000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x490000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x520000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate explorer.exe address = 0x530000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate explorer.exe address = 0x540000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x550000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x560000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15 True 1
Fn
Allocate explorer.exe address = 0x570000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate explorer.exe address = 0x580000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x590000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x5a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15 True 1
Fn
Allocate explorer.exe address = 0x5b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate explorer.exe address = 0x5c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x5d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x960000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate explorer.exe address = 0x970000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate explorer.exe address = 0x980000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x990000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x9a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x9b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate explorer.exe address = 0x9c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x9d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x9e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate explorer.exe address = 0x9f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0xa00000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0xa90000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0xdd0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate explorer.exe address = 0xde0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0xdf0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0xe00000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Fn
Allocate explorer.exe address = 0xe10000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0xe20000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0xe30000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 7 True 1
Fn
Allocate explorer.exe address = 0x66a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Fn
Allocate explorer.exe address = 0x66b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x66c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x66d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x66e0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x66f0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x6780000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 9 True 1
Fn
Allocate explorer.exe address = 0x6790000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x6af0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x6b00000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x6b10000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 8 True 1
Fn
Allocate explorer.exe address = 0x6b20000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x6b30000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x6bc0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 14 True 1
Fn
Allocate explorer.exe address = 0x6bd0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 8 True 1
Fn
Allocate explorer.exe address = 0x6be0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x6bf0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x6c00000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x6c10000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x6c20000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x6cb0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 14 True 1
Fn
Allocate explorer.exe address = 0x6cc0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x6cd0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x6ce0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x6cf0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Fn
Allocate explorer.exe address = 0x6d00000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x6d10000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x6da0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 24 True 1
Fn
Allocate explorer.exe address = 0x6db0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Fn
Allocate explorer.exe address = 0x6dc0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x6dd0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x6de0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Fn
Allocate explorer.exe address = 0x6df0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x6e00000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x6e90000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 14 True 1
Fn
Allocate explorer.exe address = 0x6ea0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Fn
Allocate explorer.exe address = 0x6eb0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x6ec0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x6ed0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate explorer.exe address = 0x6ee0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x6ef0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x6f80000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 14 True 1
Fn
Allocate explorer.exe address = 0x6f90000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate explorer.exe address = 0x6fa0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x6fb0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x6fc0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate explorer.exe address = 0x6fd0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x6fe0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x7070000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 16 True 1
Fn
Allocate explorer.exe address = 0x7080000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate explorer.exe address = 0x7090000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x70a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x70b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x70c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x70d0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x7160000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15 True 1
Fn
Allocate explorer.exe address = 0x7170000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7180000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x7190000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x71a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 11 True 1
Fn
Allocate explorer.exe address = 0x71b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x71c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x7250000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 6 True 1
Fn
Allocate explorer.exe address = 0x7260000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 11 True 1
Fn
Allocate explorer.exe address = 0x7270000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x7280000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x7290000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x72a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x72b0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x7340000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 15 True 1
Fn
Allocate explorer.exe address = 0x7350000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7360000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x7370000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x7380000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7390000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x73a0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x7430000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 13 True 1
Fn
Allocate explorer.exe address = 0x7440000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7450000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x7460000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x7470000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Fn
Allocate explorer.exe address = 0x7480000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7490000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x7520000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 11 True 1
Fn
Allocate explorer.exe address = 0x7530000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 10 True 1
Fn
Allocate explorer.exe address = 0x7540000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x7550000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Allocate explorer.exe address = 0x7560000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7570000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7580000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 210 True 1
Fn
Allocate explorer.exe address = 0x7610000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 5 True 1
Fn
Allocate explorer.exe address = 0x7620000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 12 True 1
Fn
Allocate explorer.exe address = 0x7630000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 20 True 1
Fn
Allocate explorer.exe address = 0x7640000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 142 True 1
Fn
Fn
Data
Write explorer.exe address = 0x7180000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x7190000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x71a0000, size = 11 True 1
Fn
Data
Write explorer.exe address = 0x71b0000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x71c0000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x7250000, size = 6 True 1
Fn
Data
Write explorer.exe address = 0x7260000, size = 11 True 1
Fn
Data
Write explorer.exe address = 0x7270000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x7280000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x7290000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x72a0000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x72b0000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x7340000, size = 15 True 1
Fn
Data
Write explorer.exe address = 0x7350000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x7360000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x7370000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x7380000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x7390000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x73a0000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x7430000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0x7440000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x7450000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x7460000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x7470000, size = 10 True 1
Fn
Data
Write explorer.exe address = 0x7480000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x7490000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x7520000, size = 11 True 1
Fn
Data
Write explorer.exe address = 0x7530000, size = 10 True 1
Fn
Data
Write explorer.exe address = 0x7540000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x7550000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x7560000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x7570000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x7580000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x7610000, size = 5 True 1
Fn
Data
Write explorer.exe address = 0x7620000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x7630000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x7640000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x10480000, size = 458752 True 1
Fn
Data
Write explorer.exe address = 0x7650000, size = 8 True 1
Fn
Data
Write explorer.exe address = 0x7660000, size = 313 True 1
Fn
Data
Write explorer.exe address = 0x7c0000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0x7d0000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x7e0000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x870000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0x880000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0x890000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x8a0000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x8b0000, size = 15 True 1
Fn
Data
Write explorer.exe address = 0x8c0000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0x8d0000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x8e0000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x8f0000, size = 15 True 1
Fn
Data
Write explorer.exe address = 0x900000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0x910000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x920000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0xbb0000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0xbc0000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0xbd0000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0xbe0000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0xbf0000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0xc10000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0xc20000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0xc30000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0xc40000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0xc50000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0xc60000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0xcb0000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0xcc0000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0xcd0000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0xd30000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0xd40000, size = 10 True 1
Fn
Data
Write explorer.exe address = 0xd50000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0xd60000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0xdf0000, size = 7 True 1
Fn
Data
Write explorer.exe address = 0xe00000, size = 10 True 1
Fn
Data
Write explorer.exe address = 0xe10000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0xe20000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0xe30000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x6c80000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x6c90000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x6d20000, size = 9 True 1
Fn
Data
Write explorer.exe address = 0x6d30000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x6d40000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x6d50000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x6d60000, size = 8 True 1
Fn
Data
Write explorer.exe address = 0x6d70000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x6d80000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x6e10000, size = 14 True 1
Fn
Data
Write explorer.exe address = 0x6e20000, size = 8 True 1
Fn
Data
Write explorer.exe address = 0x6e30000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x6e40000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x6e50000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x6e60000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x6e70000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x6f00000, size = 14 True 1
Fn
Data
Write explorer.exe address = 0x6f10000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x6f20000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x6f30000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x6f40000, size = 10 True 1
Fn
Data
Write explorer.exe address = 0x6f50000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x6f60000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x6ff0000, size = 24 True 1
Fn
Data
Write explorer.exe address = 0x7000000, size = 10 True 1
Fn
Data
Write explorer.exe address = 0x7010000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x7020000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x7030000, size = 10 True 1
Fn
Data
Write explorer.exe address = 0x7040000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x7050000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x70e0000, size = 14 True 1
Fn
Data
Write explorer.exe address = 0x70f0000, size = 10 True 1
Fn
Data
Write explorer.exe address = 0x7100000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x7110000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x7120000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0x7130000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x7140000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x71d0000, size = 14 True 1
Fn
Data
Write explorer.exe address = 0x71e0000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0x71f0000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x7200000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x7210000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0x7220000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x7230000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x72c0000, size = 16 True 1
Fn
Data
Write explorer.exe address = 0x72d0000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0x72e0000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x72f0000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x7300000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x7310000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x7320000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x73b0000, size = 15 True 1
Fn
Data
Write explorer.exe address = 0x73c0000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x73d0000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x73e0000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x73f0000, size = 11 True 1
Fn
Data
Write explorer.exe address = 0x7400000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x7410000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x74a0000, size = 6 True 1
Fn
Data
Write explorer.exe address = 0x74b0000, size = 11 True 1
Fn
Data
Write explorer.exe address = 0x74c0000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x74d0000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x74e0000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x74f0000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x7500000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x7590000, size = 15 True 1
Fn
Data
Write explorer.exe address = 0x75a0000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x75b0000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x75c0000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x75d0000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x75e0000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x75f0000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x7680000, size = 13 True 1
Fn
Data
Write explorer.exe address = 0x7690000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x76a0000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x76b0000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x76c0000, size = 10 True 1
Fn
Data
Write explorer.exe address = 0x76d0000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x76e0000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x7770000, size = 11 True 1
Fn
Data
Write explorer.exe address = 0x7780000, size = 10 True 1
Fn
Data
Write explorer.exe address = 0x7790000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x77a0000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x77b0000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x77c0000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x77d0000, size = 210 True 1
Fn
Data
Write explorer.exe address = 0x7860000, size = 5 True 1
Fn
Data
Write explorer.exe address = 0x7870000, size = 12 True 1
Fn
Data
Write explorer.exe address = 0x7880000, size = 20 True 1
Fn
Data
Write explorer.exe address = 0x7890000, size = 142 True 1
Fn
Data
Write explorer.exe address = 0x104f0000, size = 458752 True 1
Fn
Data
Write explorer.exe address = 0x78a0000, size = 8 True 1
Fn
Data
Write explorer.exe address = 0x78b0000, size = 313 True 1
Fn
Data
Module (560)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x76750000 True 2 Fn
Get Handle c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe base_address = 0x400000 True 1 Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76750000 True 276 Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Local\uTorrent.exe, size = 261 True 3 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemDirectoryA, address_out = 0x7676f5c0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathA, address_out = 0x76776410 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x767677b0 True 48 Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x7676d8d0 True 48 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x76769640 True 60 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76767940 True 60 Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitThread, address_out = 0x76fd2570 True 60 Fn
Window (1)
Operation Window Name Additional Information Success Count Logfile
Find - class_name = Shell_TrayWnd True 1 Fn
Keyboard (1)
Operation Additional Information Success Count Logfile
Get Info type = 0, result_out = 4 True 1 Fn
System (9)
Operation Additional Information Success Count Logfile
Sleep duration = 1000 milliseconds (1.000 seconds) True 2 Fn
Sleep duration = 2000 milliseconds (2.000 seconds) True 1 Fn
Get Time type = Ticks, time = 178343 True 1 Fn
Get Time type = Ticks, time = 185000 True 1 Fn
Get Time type = Ticks, time = 187578 True 1 Fn
Get Info type = Operating System True 2 Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 1 Fn
Mutex (3)
Operation Additional Information Success Count Logfile
Create mutex_name = CIiHmnxMn6Ps5 True 1 Fn
Create mutex_name = SWE2F15657A4JJ True 1 Fn
Create mutex_name = SWE2F15657A4JJCIiHmnxMn6Ps15 True 1 Fn
Process #38: explorer.exe
2955 0
Information Value
ID #38
File Name c:\windows\syswow64\explorer.exe
Command Line explorer.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:05:22, Reason: Child Process
Unmonitor End Time: 00:11:22, Reason: Terminated by Timeout
Monitor Duration 00:06:00
OS Process Information
Information Value
PID 0x338
Parent PID 0x7cc (c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x2F4
0x7C8
0x7C4
0x324
0x2E8
0x7D8
0x2D8
0x2D4
0x9C0
0x9BC
0x6C4
0x84
0x948
0x944
0x94C
0x950
0x960
0x95C
0x958
0x954
0x840
0x8B4
0x8B0
0x878
0x8A8
0x8AC
0x8C4
0x888
0x450
0xA8C
0x874
0x4A4
0x168
0x794
0x890
0x8A4
0xAD4
0x7DC
0x200
0x204
0xAEC
0xB4C
0x7A0
0x118
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000370000 0x00370000 0x0038ffff Private Memory rw True False False -
pagefile_0x0000000000370000 0x00370000 0x0037ffff Pagefile Backed Memory rw True False False -
private_0x0000000000380000 0x00380000 0x00383fff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x00391fff Private Memory rw True False False -
explorer.exe.mui 0x00390000 0x00397fff Memory Mapped File r False False False -
pagefile_0x00000000003a0000 0x003a0000 0x003b3fff Pagefile Backed Memory r True False False -
private_0x00000000003c0000 0x003c0000 0x003fffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x0043ffff Private Memory rw True False False -
pagefile_0x0000000000440000 0x00440000 0x00443fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000450000 0x00450000 0x00452fff Pagefile Backed Memory r True False False -
private_0x0000000000460000 0x00460000 0x00461fff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x00470fff Private Memory rwx True False False -
private_0x0000000000480000 0x00480000 0x00480fff Private Memory rwx True False False -
private_0x0000000000490000 0x00490000 0x00490fff Private Memory rwx True False False -
private_0x00000000004a0000 0x004a0000 0x004dffff Private Memory rw True False False -
private_0x00000000004e0000 0x004e0000 0x0051ffff Private Memory rw True False False -
private_0x0000000000520000 0x00520000 0x00520fff Private Memory rwx True False False -
private_0x0000000000530000 0x00530000 0x00530fff Private Memory rwx True False False -
private_0x0000000000540000 0x00540000 0x00540fff Private Memory rwx True False False -
private_0x0000000000550000 0x00550000 0x00550fff Private Memory rwx True False False -
private_0x0000000000560000 0x00560000 0x0059ffff Private Memory rw True False False -
private_0x0000000000560000 0x00560000 0x00560fff Private Memory rwx True False False -
private_0x0000000000570000 0x00570000 0x00570fff Private Memory rwx True False False -
private_0x0000000000580000 0x00580000 0x00580fff Private Memory rwx True False False -
private_0x0000000000590000 0x00590000 0x00590fff Private Memory rwx True False False -
private_0x00000000005a0000 0x005a0000 0x005dffff Private Memory rw True False False -
private_0x00000000005a0000 0x005a0000 0x005a0fff Private Memory rwx True False False -
private_0x00000000005b0000 0x005b0000 0x005b0fff Private Memory rwx True False False -
private_0x00000000005c0000 0x005c0000 0x005c0fff Private Memory rwx True False False -
private_0x00000000005d0000 0x005d0000 0x005d0fff Private Memory rwx True False False -
private_0x00000000005e0000 0x005e0000 0x0061ffff Private Memory rw True False False -
private_0x0000000000620000 0x00620000 0x0065ffff Private Memory rw True False False -
private_0x0000000000660000 0x00660000 0x0066ffff Private Memory rw True False False -
locale.nls 0x00670000 0x0072dfff Memory Mapped File r False False False -
private_0x0000000000730000 0x00730000 0x0076ffff Private Memory rw True False False -
private_0x0000000000770000 0x00770000 0x007affff Private Memory rw True False False -
private_0x00000000007b0000 0x007b0000 0x007effff Private Memory rw True False False -
private_0x00000000007f0000 0x007f0000 0x007f0fff Private Memory rw True False False -
private_0x0000000000800000 0x00800000 0x00800fff Private Memory rw True False False -
private_0x0000000000810000 0x00810000 0x00813fff Private Memory rw True False False -
private_0x0000000000820000 0x00820000 0x0091ffff Private Memory rw True False False -
private_0x0000000000920000 0x00920000 0x0095ffff Private Memory rw True False False -
private_0x0000000000960000 0x00960000 0x0099ffff Private Memory rw True False False -
private_0x0000000000960000 0x00960000 0x00960fff Private Memory rwx True False False -
private_0x0000000000970000 0x00970000 0x00970fff Private Memory rwx True False False -
private_0x0000000000980000 0x00980000 0x00980fff Private Memory rwx True False False -
private_0x0000000000990000 0x00990000 0x00990fff Private Memory rwx True False False -
private_0x00000000009a0000 0x009a0000 0x009dffff Private Memory rw True False False -
private_0x00000000009a0000 0x009a0000 0x009a0fff Private Memory rwx True False False -
private_0x00000000009b0000 0x009b0000 0x009b0fff Private Memory rwx True False False -
private_0x00000000009c0000 0x009c0000 0x009c0fff Private Memory rwx True False False -
private_0x00000000009d0000 0x009d0000 0x009d0fff Private Memory rwx True False False -
private_0x00000000009e0000 0x009e0000 0x00a1ffff Private Memory rw True False False -
private_0x00000000009e0000 0x009e0000 0x009e0fff Private Memory rwx True False False -
private_0x00000000009f0000 0x009f0000 0x009f0fff Private Memory rwx True False False -
private_0x0000000000a00000 0x00a00000 0x00a00fff Private Memory rwx True False False -
private_0x0000000000a10000 0x00a10000 0x00a4ffff Private Memory rw True False False -
private_0x0000000000a20000 0x00a20000 0x00a5ffff Private Memory rw True False False -
private_0x0000000000a50000 0x00a50000 0x00a8ffff Private Memory rw True False False -
private_0x0000000000a90000 0x00a90000 0x00a90fff Private Memory rwx True False False -
private_0x0000000000aa0000 0x00aa0000 0x00aaffff Private Memory rw True False False -
pagefile_0x0000000000ab0000 0x00ab0000 0x00c37fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000c40000 0x00c40000 0x00dc0fff Pagefile Backed Memory r True False False -
private_0x0000000000dd0000 0x00dd0000 0x00dd0fff Private Memory rwx True False False -
private_0x0000000000de0000 0x00de0000 0x00de0fff Private Memory rwx True False False -
private_0x0000000000df0000 0x00df0000 0x00df0fff Private Memory rwx True False False -
private_0x0000000000e00000 0x00e00000 0x00e3ffff Private Memory rw True False False -
private_0x0000000000e00000 0x00e00000 0x00e00fff Private Memory rwx True False False -
private_0x0000000000e10000 0x00e10000 0x00e10fff Private Memory rwx True False False -
private_0x0000000000e20000 0x00e20000 0x00e20fff Private Memory rwx True False False -
private_0x0000000000e30000 0x00e30000 0x00e30fff Private Memory rwx True False False -
explorer.exe 0x00e40000 0x01216fff Memory Mapped File rwx False False False -
pagefile_0x0000000001220000 0x01220000 0x0521ffff Pagefile Backed Memory - True False False -
pagefile_0x0000000005220000 0x05220000 0x0661ffff Pagefile Backed Memory r True False False -
private_0x0000000006620000 0x06620000 0x0665ffff Private Memory rw True False False -
private_0x0000000006660000 0x06660000 0x0669ffff Private Memory rw True False False -
private_0x00000000066a0000 0x066a0000 0x066a0fff Private Memory rwx True False False -
private_0x00000000066b0000 0x066b0000 0x066b0fff Private Memory rwx True False False -
private_0x00000000066c0000 0x066c0000 0x066c0fff Private Memory rwx True False False -
private_0x00000000066d0000 0x066d0000 0x0670ffff Private Memory rw True False False -
private_0x00000000066d0000 0x066d0000 0x066d0fff Private Memory rwx True False False -
private_0x00000000066e0000 0x066e0000 0x066e0fff Private Memory rwx True False False -
private_0x00000000066f0000 0x066f0000 0x066f0fff Private Memory rwx True False False -
private_0x0000000006700000 0x06700000 0x0673ffff Private Memory rw True False False -
private_0x0000000006710000 0x06710000 0x0674ffff Private Memory rw True False False -
private_0x0000000006740000 0x06740000 0x0677ffff Private Memory rw True False False -
private_0x0000000006780000 0x06780000 0x06780fff Private Memory rwx True False False -
private_0x0000000006790000 0x06790000 0x06790fff Private Memory rwx True False False -
private_0x00000000067a0000 0x067a0000 0x067affff Private Memory rw True False False -
sortdefault.nls 0x067b0000 0x06ae6fff Memory Mapped File r False False False -
private_0x0000000006af0000 0x06af0000 0x06af0fff Private Memory rwx True False False -
private_0x0000000006b00000 0x06b00000 0x06b00fff Private Memory rwx True False False -
private_0x0000000006b10000 0x06b10000 0x06b4ffff Private Memory rw True False False -
private_0x0000000006b50000 0x06b50000 0x06b8ffff Private Memory rw True False False -
private_0x0000000010480000 0x10480000 0x104effff Private Memory rwx True False False -
wow64cpu.dll 0x51cd0000 0x51cd7fff Memory Mapped File rwx False False False -
wow64.dll 0x51ce0000 0x51d2efff Memory Mapped File rwx False False False -
wow64win.dll 0x51d30000 0x51da2fff Memory Mapped File rwx False False False -
dxgi.dll 0x738f0000 0x7396dfff Memory Mapped File rwx False False False -
dcomp.dll 0x73970000 0x73a0bfff Memory Mapped File rwx False False False -
sppc.dll 0x73a10000 0x73a2cfff Memory Mapped File rwx False False False -
slc.dll 0x73a30000 0x73a50fff Memory Mapped File rwx False False False -
twinapi.dll 0x73a60000 0x73af8fff Memory Mapped File rwx False False False -
userenv.dll 0x73b00000 0x73b18fff Memory Mapped File rwx False False False -
d3d11.dll 0x73b20000 0x73d32fff Memory Mapped File rwx False False False -
uxtheme.dll 0x73d40000 0x73db4fff Memory Mapped File rwx False False False -
propsys.dll 0x73dc0000 0x73f01fff Memory Mapped File rwx False False False -
dwmapi.dll 0x73fc0000 0x73fdcfff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74010000 0x74068fff Memory Mapped File rwx False False False -
cryptbase.dll 0x74070000 0x74079fff Memory Mapped File rwx False False False -
sspicli.dll 0x74080000 0x7409dfff Memory Mapped File rwx False False False -
msctf.dll 0x740a0000 0x741bffff Memory Mapped File rwx False False False -
crypt32.dll 0x741c0000 0x74334fff Memory Mapped File rwx False False False -
user32.dll 0x743a0000 0x744dffff Memory Mapped File rwx False False False -
windows.storage.dll 0x74580000 0x74a5cfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x74af0000 0x74b9bfff Memory Mapped File rwx False False False -
oleaut32.dll 0x74ba0000 0x74c31fff Memory Mapped File rwx False False False -
shcore.dll 0x74c40000 0x74cccfff Memory Mapped File rwx False False False -
shell32.dll 0x74cd0000 0x7608efff Memory Mapped File rwx False False False -
advapi32.dll 0x76160000 0x761dafff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x761e0000 0x761ebfff Memory Mapped File rwx False False False -
msasn1.dll 0x76520000 0x7652dfff Memory Mapped File rwx False False False -
msvcrt.dll 0x76640000 0x766fdfff Memory Mapped File rwx False False False -
shlwapi.dll 0x76700000 0x76743fff Memory Mapped File rwx False False False -
kernel32.dll 0x76750000 0x7683ffff Memory Mapped File rwx False False False -
profapi.dll 0x76840000 0x7684efff Memory Mapped File rwx False False False -
gdi32.dll 0x76850000 0x7699cfff Memory Mapped File rwx False False False -
kernelbase.dll 0x769a0000 0x76b15fff Memory Mapped File rwx False False False -
powrprof.dll 0x76b90000 0x76bd3fff Memory Mapped File rwx False False False -
sechost.dll 0x76d30000 0x76d72fff Memory Mapped File rwx False False False -
imm32.dll 0x76d80000 0x76daafff Memory Mapped File rwx False False False -
combase.dll 0x76db0000 0x76f69fff Memory Mapped File rwx False False False -
ntdll.dll 0x76f70000 0x770e8fff Memory Mapped File rwx False False False -
private_0x000000007f471000 0x7f471000 0x7f473fff Private Memory rw True False False -
private_0x000000007f474000 0x7f474000 0x7f476fff Private Memory rw True False False -
private_0x000000007f477000 0x7f477000 0x7f479fff Private Memory rw True False False -
private_0x000000007f47a000 0x7f47a000 0x7f47cfff Private Memory rw True False False -
private_0x000000007f47d000 0x7f47d000 0x7f47ffff Private Memory rw True False False -
pagefile_0x000000007f480000 0x7f480000 0x7f57ffff Pagefile Backed Memory r True False False -
pagefile_0x000000007f580000 0x7f580000 0x7f5a2fff Pagefile Backed Memory r True False False -
private_0x000000007f5a4000 0x7f5a4000 0x7f5a6fff Private Memory rw True False False -
private_0x000000007f5a7000 0x7f5a7000 0x7f5a7fff Private Memory rw True False False -
private_0x000000007f5a9000 0x7f5a9000 0x7f5abfff Private Memory rw True False False -
private_0x000000007f5ac000 0x7f5ac000 0x7f5aefff Private Memory rw True False False -
private_0x000000007f5af000 0x7f5af000 0x7f5affff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7dff083affff Private Memory r True False False -
pagefile_0x00007dff083b0000 0x7dff083b0000 0x7fff083affff Pagefile Backed Memory - True False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
private_0x00007fff08572000 0x7fff08572000 0x7ffffffeffff Private Memory r True False False -
For performance reasons, the remaining 185 entries are omitted.
The remaining entries can be found in flog.txt.
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x470000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x480000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x490000, size = 210 True 1 Fn Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x490000 True 1 Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x520000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x530000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x540000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x550000, size = 142 True 1 Fn Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x550000 True 1 Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x560000, size = 15 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x570000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x580000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x590000, size = 142 True 1 Fn Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x590000 True 1 Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x5a0000, size = 15 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x5b0000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x5c0000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x5d0000, size = 142 True 1 Fn Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x5d0000 True 1 Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x960000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x970000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x980000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x990000, size = 142 True 1 Fn Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x990000 True 1 Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9a0000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9b0000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9c0000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9d0000, size = 142 True 1 Fn Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9d0000 True 1 Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9e0000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x9f0000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xa00000, size = 210 True 1 Fn Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xa00000 True 1 Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xa90000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xdd0000, size = 13 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xde0000, size = 20 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xdf0000, size = 142 True 1 Fn Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xdf0000 True 1 Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xe00000, size = 10 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xe10000, size = 12 True 1 Fn Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xe20000, size = 210 True 1 Fn Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xe20000 True 1 Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0xe30000, size = 7 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x66a0000, size = 10 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x66b0000, size = 20 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x66c0000, size = 142 True 1
Fn
Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x66c0000 True 1
Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x66d0000, size = 12 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x66e0000, size = 12 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x66f0000, size = 210 True 1
Fn
Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x66f0000 True 1
Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6780000, size = 9 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6790000, size = 12 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6af0000, size = 20 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6b00000, size = 142 True 1
Fn
Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6b00000 True 1
Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6b10000, size = 8 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6b20000, size = 12 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6b30000, size = 210 True 1
Fn
Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6b30000 True 1
Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6bc0000, size = 14 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6bd0000, size = 8 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6be0000, size = 20 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6bf0000, size = 142 True 1
Fn
Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6bf0000 True 1
Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6c00000, size = 12 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6c10000, size = 12 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6c20000, size = 210 True 1
Fn
Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6c20000 True 1
Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6cb0000, size = 14 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6cc0000, size = 12 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6cd0000, size = 20 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6ce0000, size = 142 True 1
Fn
Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6ce0000 True 1
Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6cf0000, size = 10 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6d00000, size = 12 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6d10000, size = 210 True 1
Fn
Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6d10000 True 1
Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6da0000, size = 24 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6db0000, size = 10 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6dc0000, size = 20 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6dd0000, size = 142 True 1
Fn
Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6dd0000 True 1
Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6de0000, size = 10 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6df0000, size = 12 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6e00000, size = 210 True 1
Fn
Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6e00000 True 1
Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6e90000, size = 14 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6ea0000, size = 10 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6eb0000, size = 20 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6ec0000, size = 142 True 1
Fn
Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6ec0000 True 1
Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6ed0000, size = 13 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6ee0000, size = 12 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6ef0000, size = 210 True 1
Fn
Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6ef0000 True 1
Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6f80000, size = 14 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6f90000, size = 13 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6fa0000, size = 20 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6fb0000, size = 142 True 1
Fn
Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6fb0000 True 1
Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6fc0000, size = 13 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6fd0000, size = 12 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6fe0000, size = 210 True 1
Fn
Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x6fe0000 True 1
Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7070000, size = 16 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7080000, size = 13 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7090000, size = 20 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x70a0000, size = 142 True 1
Fn
Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x70a0000 True 1
Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x70b0000, size = 12 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x70c0000, size = 12 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x70d0000, size = 210 True 1
Fn
Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x70d0000 True 1
Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7160000, size = 15 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7170000, size = 12 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7180000, size = 20 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7190000, size = 142 True 1
Fn
Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7190000 True 1
Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x71a0000, size = 11 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x71b0000, size = 12 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x71c0000, size = 210 True 1
Fn
Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x71c0000 True 1
Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7250000, size = 6 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7260000, size = 11 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7270000, size = 20 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7280000, size = 142 True 1
Fn
Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7280000 True 1
Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7290000, size = 12 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x72a0000, size = 12 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x72b0000, size = 210 True 1
Fn
Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x72b0000 True 1
Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7340000, size = 15 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7350000, size = 12 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7360000, size = 20 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7370000, size = 142 True 1
Fn
Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7370000 True 1
Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7380000, size = 12 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7390000, size = 12 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x73a0000, size = 210 True 1
Fn
Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x73a0000 True 1
Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7430000, size = 13 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7440000, size = 12 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7450000, size = 20 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7460000, size = 142 True 1
Fn
Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7460000 True 1
Fn
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7470000, size = 10 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7480000, size = 12 True 1
Fn
Data
Modify Memory #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7490000, size = 210 True 1
Fn
Data
Create Remote Thread #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0 address = 0x7490000 True 1
Fn
Host Behavior
File (6)
Operation Filename Additional Information Success Count
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps2.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\install\svchost.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps2.txt type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\install\svchost.exe type = size True 1
Read C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps2.txt size = 394358, size_out = 394358 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\install\svchost.exe size = 1171592, size_out = 1171592 True 1
Registry (1605)
Operation Key Additional Information Success Count
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run - True 64
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run - True 64
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run - True 64
Create Key HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} - True 64
Open Key HKEY_CURRENT_USER\Software\Borland\Locales - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Borland\Locales - False 1
Open Key HKEY_CURRENT_USER\Software\Borland\Delphi\Locales - False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\ - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run - True 64
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 64
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run - True 64
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run - True 64
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} - True 64
Open Key HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\ - True 64
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = 0, type = REG_EXPAND_SZ True 64
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = C:\Windows\system32\install\svchost.exe, type = REG_EXPAND_SZ True 64
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKCU, data = 0, type = REG_EXPAND_SZ True 64
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKCU, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\install\svchost.exe, type = REG_EXPAND_SZ True 64
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 0, type = REG_EXPAND_SZ True 64
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = C:\Windows\system32\install\svchost.exe, type = REG_EXPAND_SZ True 64
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 0, type = REG_EXPAND_SZ True 64
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = C:\Windows\system32\install\svchost.exe, type = REG_EXPAND_SZ True 64
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = 0, type = REG_EXPAND_SZ True 64
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = C:\Windows\system32\install\svchost.exe, type = REG_EXPAND_SZ True 64
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = 8653808, size = 57, type = REG_EXPAND_SZ False 4
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8654208, size = 57, type = REG_EXPAND_SZ False 3
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8655088, size = 57, type = REG_EXPAND_SZ False 5
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = 8655408, size = 57, type = REG_EXPAND_SZ False 7
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = 8654688, size = 57, type = REG_EXPAND_SZ False 5
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8654288, size = 57, type = REG_EXPAND_SZ False 4
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8655248, size = 57, type = REG_EXPAND_SZ False 8
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = 8654048, size = 57, type = REG_EXPAND_SZ False 8
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = 8653648, size = 57, type = REG_EXPAND_SZ False 3
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8653808, size = 57, type = REG_EXPAND_SZ False 3
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8654608, size = 57, type = REG_EXPAND_SZ False 6
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = 8655248, size = 57, type = REG_EXPAND_SZ False 2
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = 8655328, size = 57, type = REG_EXPAND_SZ False 3
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8655408, size = 57, type = REG_EXPAND_SZ False 3
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = 8653808, size = 57, type = REG_EXPAND_SZ False 3
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = 8654608, size = 57, type = REG_EXPAND_SZ False 7
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8654048, size = 57, type = REG_EXPAND_SZ False 5
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8655328, size = 57, type = REG_EXPAND_SZ False 5
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = 8655408, size = 57, type = REG_EXPAND_SZ False 5
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8653648, size = 57, type = REG_EXPAND_SZ False 4
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8654768, size = 57, type = REG_EXPAND_SZ False 6
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = 8655088, size = 57, type = REG_EXPAND_SZ False 4
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8655328, size = 57, type = REG_EXPAND_SZ False 4
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8654448, size = 57, type = REG_EXPAND_SZ False 2
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = 8655488, size = 57, type = REG_EXPAND_SZ False 7
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8655088, size = 57, type = REG_EXPAND_SZ False 4
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = 8653728, size = 57, type = REG_EXPAND_SZ False 6
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8654448, size = 57, type = REG_EXPAND_SZ False 6
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8654368, size = 57, type = REG_EXPAND_SZ False 6
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = 8654688, size = 57, type = REG_EXPAND_SZ False 3
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = 8654768, size = 57, type = REG_EXPAND_SZ False 3
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8655248, size = 57, type = REG_EXPAND_SZ False 7
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8654288, size = 57, type = REG_EXPAND_SZ False 4
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8654768, size = 57, type = REG_EXPAND_SZ False 3
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = 8654288, size = 57, type = REG_EXPAND_SZ False 4
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8654208, size = 57, type = REG_EXPAND_SZ False 5
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = 8655248, size = 57, type = REG_EXPAND_SZ False 4
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8653728, size = 57, type = REG_EXPAND_SZ False 2
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = 8654368, size = 57, type = REG_EXPAND_SZ False 4
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8655568, size = 57, type = REG_EXPAND_SZ False 5
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8653728, size = 57, type = REG_EXPAND_SZ False 3
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8654608, size = 57, type = REG_EXPAND_SZ False 4
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = 8654288, size = 57, type = REG_EXPAND_SZ False 5
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8655408, size = 57, type = REG_EXPAND_SZ False 3
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = 8654768, size = 57, type = REG_EXPAND_SZ False 3
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8653808, size = 57, type = REG_EXPAND_SZ False 3
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = 8655328, size = 57, type = REG_EXPAND_SZ False 3
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8654688, size = 57, type = REG_EXPAND_SZ False 3
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = 8655488, size = 57, type = REG_EXPAND_SZ False 8
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = 8654368, size = 57, type = REG_EXPAND_SZ False 3
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = 8655088, size = 57, type = REG_EXPAND_SZ False 2
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = 8654208, size = 57, type = REG_EXPAND_SZ False 2
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = 8654448, size = 57, type = REG_EXPAND_SZ False 2
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = 8654448, size = 57, type = REG_EXPAND_SZ False 2
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8654368, size = 57, type = REG_EXPAND_SZ False 3
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = 8654048, size = 57, type = REG_EXPAND_SZ False 4
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8654688, size = 57, type = REG_EXPAND_SZ False 2
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8655488, size = 57, type = REG_EXPAND_SZ False 1
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8655568, size = 57, type = REG_EXPAND_SZ False 2
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = 8655568, size = 57, type = REG_EXPAND_SZ False 2
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8654048, size = 57, type = REG_EXPAND_SZ False 1
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = 8654608, size = 57, type = REG_EXPAND_SZ False 2
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = 8654208, size = 57, type = REG_EXPAND_SZ False 2
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = 8655568, size = 57, type = REG_EXPAND_SZ False 2
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8653648, size = 57, type = REG_EXPAND_SZ False 1
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} value_name = StubPath, data = 8653648, size = 57, type = REG_EXPAND_SZ False 3
Write Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run value_name = HKLM, data = 8653728, size = 57, type = REG_EXPAND_SZ False 1
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run value_name = Policies, data = 8655488, size = 57, type = REG_EXPAND_SZ False 2
Delete Key HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} - False 65
Module (361)
Operation | Module | Additional Information | Success | Count
Load | KERNEL32.DLL | base_address = 0x76750000 | True | 4
Load | advapi32.dll | base_address = 0x76160000 | True | 4
Load | gdi32.dll | base_address = 0x76850000 | True | 2
Load | gdiplus.dll | base_address = 0x73780000 | True | 2
Load | mpr.dll | base_address = 0x73760000 | True | 2
Load | msacm32.dll | base_address = 0x73740000 | True | 2
Load | ntdll.dll | base_address = 0x76f70000 | True | 2
Load | ole32.dll | base_address = 0x76c40000 | True | 3
Load | oleaut32.dll | base_address = 0x74ba0000 | True | 2
Load | powrprof.dll | base_address = 0x76b90000 | True | 2
Load | shell32.dll | base_address = 0x74cd0000 | True | 5
Load | user32.dll | base_address = 0x743a0000 | True | 3
Load | version.dll | base_address = 0x73fb0000 | True | 2
Load | wininet.dll | base_address = 0x734b0000 | True | 2
Load | winmm.dll | base_address = 0x73480000 | True | 2
Load | wsock32.dll | base_address = 0x73470000 | True | 2
Load | iphlpapi.dll | base_address = 0x73440000 | True | 1
Load | kernel32.dll | base_address = 0x76750000 | True | 2
Load | Crypt32.dll | base_address = 0x741c0000 | True | 1
Load | Advapi32.dll | base_address = 0x76160000 | True | 7
Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76750000 | True | 5
Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x76160000 | True | 1
Get Handle | c:\windows\syswow64\gdi32.dll | base_address = 0x76850000 | True | 1
Get Handle | gdiplus.dll | base_address = 0x0 | False | 1
Get Handle | mpr.dll | base_address = 0x73760000 | True | 1
Get Handle | msacm32.dll | base_address = 0x73740000 | True | 1
Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x76f70000 | True | 1
Get Handle | ole32.dll | base_address = 0x76c40000 | True | 1
Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x74ba0000 | True | 1
Get Handle | c:\windows\syswow64\powrprof.dll | base_address = 0x76b90000 | True | 1
Get Handle | c:\windows\syswow64\shell32.dll | base_address = 0x74cd0000 | True | 1
Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x743a0000 | True | 1
Get Handle | version.dll | base_address = 0x73fb0000 | True | 1
Get Handle | wininet.dll | base_address = 0x734b0000 | True | 1
Get Handle | winmm.dll | base_address = 0x73480000 | True | 1
Get Handle | wsock32.dll | base_address = 0x73470000 | True | 1
Get Filename | - | process_name = c:\windows\syswow64\explorer.exe, size = 261 | False | 1
Get Filename | Unknown module name | process_name = c:\windows\syswow64\explorer.exe, file_name_orig = C:\Windows\SysWOW64\explorer.exe, size = 261 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryA, address_out = 0x7676d8d0 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x76767940 | True | 3
Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtect, address_out = 0x76768c50 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x76768b70 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualFree, address_out = 0x76768c70 | True | 2
Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyA, address_out = 0x761831a0 | True | 2
Get Address | c:\windows\syswow64\gdi32.dll | function = BitBlt, address_out = 0x768d2170 | True | 2
Get Address | Unknown module name | function = GdipFree, address_out = 0x0 | False | 1
Get Address | Unknown module name | function = WNetOpenEnumA, address_out = 0x7376d6c0 | True | 2
Get Address | Unknown module name | function = acmStreamSize, address_out = 0x7374ace0 | True | 2
Get Address | c:\windows\syswow64\ntdll.dll | function = ZwSetInformationProcess, address_out = 0x76fd8da0 | True | 2
Get Address | Unknown module name | function = CoTaskMemFree, address_out = 0x76e3cf40 | True | 2
Get Address | c:\windows\syswow64\oleaut32.dll | function = SysFreeString, address_out = 0x74bb9230 | True | 2
Get Address | c:\windows\syswow64\powrprof.dll | function = SetSuspendState, address_out = 0x76b99ab0 | True | 2
Get Address | c:\windows\syswow64\shell32.dll | function = SHGetFileInfoA, address_out = 0x74e6f7f0 | True | 2
Get Address | c:\windows\syswow64\user32.dll | function = GetDC, address_out = 0x743d4dd0 | True | 1
Get Address | Unknown module name | function = VerQueryValueA, address_out = 0x73fb14c0 | True | 1
Get Address | Unknown module name | function = FtpOpenFileA, address_out = 0x735f9a80 | True | 1
Get Address | Unknown module name | function = waveInOpen, address_out = 0x7348cc80 | True | 1
Get Address | Unknown module name | function = send, address_out = 0x7659ce20 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x76761b90 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = InterlockedDecrement, address_out = 0x76767560 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = InterlockedIncrement, address_out = 0x76767520 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x767675a0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x76762d60 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address_out = 0x76773a30 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcpynA, address_out = 0x7676f7b0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExA, address_out = 0x76769f60 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetThreadLocale, address_out = 0x7676a4e0 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoA, address_out = 0x76769730 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoA, address_out = 0x7676e240 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x76762db0 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = FindFirstFileA, address_out = 0x76776210 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = FindClose, address_out = 0x767761d0 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x767774f0 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x76769700 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x76776590 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x767928e0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointer, address_out = 0x76776530 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x767764f0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x76769a80 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x767764a0 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = RaiseException, address_out = 0x76769ec0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x7676a060 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSize, address_out = 0x76776360 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTime, address_out = 0x76774a60 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x76776390 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileA, address_out = 0x76776170 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x76775f20 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineA, address_out = 0x7676a3c0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x76761da0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x76761ba0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x76769930 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x76769a70 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x767687c0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x76768840 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleA, address_out = 0x76769640 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameA, address_out = 0x7676a040 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibrary, address_out = 0x767698f0 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x767625e0 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x76fabae0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x76fada90 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x76767910 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = lstrcmpA, address_out = 0x7676c1f0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = WriteProcessMemory, address_out = 0x76792ae0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = WinExec, address_out = 0x76790170 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x76776110 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAllocEx, address_out = 0x767929a0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x7676fcb0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7676fbc0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x767677b0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadPriority, address_out = 0x76769490 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadLocale, address_out = 0x7676a310 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetNamedPipeHandleState, address_out = 0x76792600 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileTime, address_out = 0x76776550 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileAttributesA, address_out = 0x76776500 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetErrorMode, address_out = 0x76768bf0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = RemoveDirectoryA, address_out = 0x767764d0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x767692b0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = MoveFileA, address_out = 0x7676c240 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = IsBadReadPtr, address_out = 0x76761ce0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalUnlock, address_out = 0x76762a10 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalSize, address_out = 0x767677c0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalReAlloc, address_out = 0x76762ba0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalMemoryStatus, address_out = 0x767692d0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalHandle, address_out = 0x7676e030 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalLock, address_out = 0x76761bc0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalFree, address_out = 0x76773a70 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GlobalAlloc, address_out = 0x76769600 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetVolumeInformationA, address_out = 0x76776430 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersionExA, address_out = 0x76769fe0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x767757f0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemInfo, address_out = 0x7676a1f0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetPrivateProfileStringA, address_out = 0x76770280 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetPrivateProfileIntA, address_out = 0x76770200 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalDriveStringsA, address_out = 0x7678e9a0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocalTime, address_out = 0x76769a60 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileAttributesA, address_out = 0x76776310 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetExitCodeProcess, address_out = 0x7676f6f0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentVariableA, address_out = 0x7676a390 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeA, address_out = 0x767762f0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x76761d90 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x76762da0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetComputerNameA, address_out = 0x7676f4b0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FindNextFileA, address_out = 0x76776270 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FileTimeToLocalFileTime, address_out = 0x767761c0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FileTimeToDosDateTime, address_out = 0x76772360 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileA, address_out = 0x767761a0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateRemoteThread, address_out = 0x76790a00 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessA, address_out = 0x76790960 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreatePipe, address_out = 0x76760570 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateMutexA, address_out = 0x76775fb0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventA, address_out = 0x76775f70 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateDirectoryA, address_out = 0x76776140 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileA, address_out = 0x7676c510 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersionExW, address_out = 0x7676a2a0 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExA, address_out = 0x76180750 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExA, address_out = 0x7617ee40 | True | 2
Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExA, address_out = 0x7617f000 | True | 2
Get Address | c:\windows\syswow64\advapi32.dll | function = RegEnumValueA, address_out = 0x76182540 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = RegEnumKeyExA, address_out = 0x76182520 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteValueA, address_out = 0x76180fb0 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyA, address_out = 0x7617fc50 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyA, address_out = 0x76183150 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7617efa0 | True | 2
Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x7617ee90 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueA, address_out = 0x76193e70 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = GetUserNameA, address_out = 0x761836d0 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x76180680 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = StartServiceA, address_out = 0x76196a40 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = QueryServiceStatus, address_out = 0x761839f0 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = OpenServiceA, address_out = 0x76196590 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = OpenSCManagerA, address_out = 0x76180f30 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = EnumServicesStatusA, address_out = 0x761aad50 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = DeleteService, address_out = 0x76195e30 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = CreateServiceA, address_out = 0x76195670 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = ControlService, address_out = 0x761955f0 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = CloseServiceHandle, address_out = 0x761806a0 | True | 1
Get Address | c:\windows\syswow64\gdi32.dll | function = SetTextColor, address_out = 0x768d1c80 | True | 1
Get Address | c:\windows\syswow64\gdi32.dll | function = SetBkColor, address_out = 0x768d1da0 | True | 1
Get Address | c:\windows\syswow64\gdi32.dll | function = SelectObject, address_out = 0x768cfc80 | True | 1
Get Address | c:\windows\syswow64\gdi32.dll | function = GetObjectA, address_out = 0x768e0530 | True | 1
Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x768d0820 | True | 1
Get Address | c:\windows\syswow64\gdi32.dll | function = GetDIBits, address_out = 0x768d0dc0 | True | 1
Get Address | c:\windows\syswow64\gdi32.dll | function = DeleteObject, address_out = 0x768d0050 | True | 1
Get Address | c:\windows\syswow64\gdi32.dll | function = DeleteDC, address_out = 0x768d0550 | True | 1
Get Address | c:\windows\syswow64\gdi32.dll | function = CreateSolidBrush, address_out = 0x768d23d0 | True | 1
Get Address | c:\windows\syswow64\gdi32.dll | function = CreateFontA, address_out = 0x76901180 | True | 1
Get Address | c:\windows\syswow64\gdi32.dll | function = CreateCompatibleDC, address_out = 0x768d1f90 | True | 1
Get Address | c:\windows\syswow64\gdi32.dll | function = CreateCompatibleBitmap, address_out = 0x768d22d0 | True | 1
Get Address | Unknown module name | function = GdipGetImageEncoders, address_out = 0x737df380 | True | 1
Get Address | Unknown module name | function = GdipGetImageEncodersSize, address_out = 0x737df520 | True | 1
Get Address | Unknown module name | function = GdipDrawImageRectI, address_out = 0x737c7180 | True | 1
Get Address | Unknown module name | function = GdipSetInterpolationMode, address_out = 0x737c5ad0 | True | 1
Get Address | Unknown module name | function = GdipDeleteGraphics, address_out = 0x737a92d0 | True | 1
Get Address | Unknown module name | function = GdipCreateBitmapFromScan0, address_out = 0x737c31c0 | True | 1
Get Address | Unknown module name | function = GdipCreateBitmapFromFileICM, address_out = 0x73814560 | True | 1
Get Address | Unknown module name | function = GdipCreateBitmapFromStreamICM, address_out = 0x738146f0 | True | 1
Get Address | Unknown module name | function = GdipCreateBitmapFromFile, address_out = 0x737e32f0 | True | 1
Get Address | Unknown module name | function = GdipCreateBitmapFromStream, address_out = 0x737e9f10 | True | 1
Get Address | Unknown module name | function = GdipGetImagePixelFormat, address_out = 0x737ed9f0 | True | 1
Get Address | Unknown module name | function = GdipGetImageGraphicsContext, address_out = 0x737c3300 | True | 1
Get Address | Unknown module name | function = GdipSaveImageToStream, address_out = 0x737e4bd0 | True | 1
Get Address | Unknown module name | function = GdipDisposeImage, address_out = 0x737e91c0 | True | 1
Get Address | Unknown module name | function = GdiplusShutdown, address_out = 0x737ea7c0 | True | 1
Get Address | Unknown module name | function = GdiplusStartup, address_out = 0x737eab50 | True | 1
Get Address | Unknown module name | function = GdipFree, address_out = 0x737c3810 | True | 1
Get Address | Unknown module name | function = GdipAlloc, address_out = 0x737c3840 | True | 1
Get Address | Unknown module name | function = WNetEnumResourceA, address_out = 0x7376cc80 | True | 1
Get Address | Unknown module name | function = WNetCloseEnum, address_out = 0x73763710 | True | 1
Get Address | Unknown module name | function = acmStreamUnprepareHeader, address_out = 0x7374ade0 | True | 1
Get Address | Unknown module name | function = acmStreamPrepareHeader, address_out = 0x7374ab20 | True | 1
Get Address | Unknown module name | function = acmStreamConvert, address_out = 0x7374a440 | True | 1
Get Address | Unknown module name | function = acmStreamReset, address_out = 0x7374ac70 | True | 1
Get Address | Unknown module name | function = acmStreamClose, address_out = 0x7374a2f0 | True | 1
Get Address | Unknown module name | function = acmStreamOpen, address_out = 0x7374a630 | True | 1
Get Address | c:\windows\syswow64\ntdll.dll | function = ZwQueryInformationProcess, address_out = 0x76fd8d50 | True | 1
Get Address | Unknown module name | function = CLSIDFromString, address_out = 0x76e61390 | True | 1
Get Address | Unknown module name | function = StringFromCLSID, address_out = 0x76e21020 | True | 1
Get Address | c:\windows\syswow64\oleaut32.dll | function = SysReAllocStringLen, address_out = 0x74bc3ee0 | True | 1
Get Address | c:\windows\syswow64\oleaut32.dll | function = SysAllocStringLen, address_out = 0x74bb91a0 | True | 1
Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExA, address_out = 0x74f32190 | True | 1
Get Address | c:\windows\syswow64\shell32.dll | function = DragQueryFileA, address_out = 0x74f1f900 | True | 1
Get Address | c:\windows\syswow64\shell32.dll | function = SHGetSpecialFolderPathA, address_out = 0x74f74f00 | True | 3
Get Address | c:\windows\syswow64\user32.dll | function = CreateWindowExA, address_out = 0x743d4720 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = wvsprintfA, address_out = 0x743cea20 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = mouse_event, address_out = 0x7441fd40 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = keybd_event, address_out = 0x7441fcf0 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = UpdateWindow, address_out = 0x743c7020 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = UnregisterClassA, address_out = 0x743d0b00 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = TranslateMessage, address_out = 0x743bb9d0 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = ToUnicodeEx, address_out = 0x7441f4c0 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = SystemParametersInfoA, address_out = 0x743d0860 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = ShowWindow, address_out = 0x743d52a0 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextA, address_out = 0x743c45e0 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = SetWindowPos, address_out = 0x743d4f70 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = SetWindowLongA, address_out = 0x743d0c20 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = SetTimer, address_out = 0x743bcd50 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = SetPropA, address_out = 0x743d0e50 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = SetForegroundWindow, address_out = 0x743bdf70 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x743d4ed0 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = SetClipboardData, address_out = 0x743d13e0 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = SendMessageTimeoutA, address_out = 0x743cdc40 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = SendMessageA, address_out = 0x743c1460 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = ScreenToClient, address_out = 0x743b56d0 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = RemovePropA, address_out = 0x743d1000 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = ReleaseDC, address_out = 0x743b89f0 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = RegisterClassA, address_out = 0x743d3e50 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = PostQuitMessage, address_out = 0x743d2430 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = PostMessageA, address_out = 0x743cce20 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = PeekMessageA, address_out = 0x743baa70 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = OpenClipboard, address_out = 0x743d1770 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = MsgWaitForMultipleObjects, address_out = 0x743ba2f0 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = MessageBoxA, address_out = 0x7441cf50 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = MapVirtualKeyExA, address_out = 0x74427440 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = MapVirtualKeyA, address_out = 0x743d1fb0 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = LoadIconA, address_out = 0x743d1ec0 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorA, address_out = 0x743d1e90 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = IsWindowVisible, address_out = 0x743c6e80 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = IsWindow, address_out = 0x743b7130 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = InvalidateRect, address_out = 0x743d4d70 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = GetWindowThreadProcessId, address_out = 0x743bba70 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = GetWindowTextLengthA, address_out = 0x743c1670 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = GetWindowTextA, address_out = 0x743c4690 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = GetWindowRect, address_out = 0x743b5930 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = GetWindowLongA, address_out = 0x743ccc90 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = GetSystemMetrics, address_out = 0x743b55d0 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = GetSystemMenu, address_out = 0x743d5330 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = GetSysColor, address_out = 0x743bc900 | True | 1
Get Address | c:\windows\syswow64\user32.dll | function = GetPropA, address_out = 0x743ce230 | True | 1
Get Address | Unknown module name | function = AllocateAndGetTcpExTableFromStack, address_out = 0x0 | False | 1
Get Address | Unknown module name | function = AllocateAndGetUdpExTableFromStack, address_out = 0x0 | False | 1
Get Address | Unknown module name | function = SetTcpEntry, address_out = 0x73462050 | True | 1
Get Address | Unknown module name | function = GetExtendedTcpTable, address_out = 0x7344b880 | True | 1
Get Address | Unknown module name | function = GetExtendedUdpTable, address_out = 0x7344c0d0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempPathA, address_out = 0x76776410 | True | 2
Get Address | c:\windows\syswow64\crypt32.dll | function = CryptUnprotectData, address_out = 0x7420af50 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = CredEnumerateA, address_out = 0x76195710 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = CryptAcquireContextA, address_out = 0x76180c00 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = CryptCreateHash, address_out = 0x7617f930 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = CryptHashData, address_out = 0x7617f950 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = CryptGetHashParam, address_out = 0x7617f530 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = CryptDestroyHash, address_out = 0x7617fbf0 | True | 1
Get Address | c:\windows\syswow64\advapi32.dll | function = CryptReleaseContext, address_out = 0x76180ad0 | True | 1
Get Address | Unknown module name | function = OleInitialize, address_out = 0x76c69c50 | True | 1
Get Address | Unknown module name | function = CoCreateInstance, address_out = 0x76e58200 | True | 1
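The Module table is the most informative part of this process's record: the payload resolves its imports at run time through GetProcAddress, so the static import table says little and the resolved names are the effective import table. Read as groups they spell out the capabilities: OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread (remote-thread injection, consistent with the explorer.exe injection in the process overview), CredEnumerateA / CryptUnprotectData (reading DPAPI-protected stored credentials), GetDC / CreateCompatibleDC / BitBlt / GetDIBits plus GdipSaveImageToStream (screen capture to an encoded image), waveInOpen plus the acmStream* family (audio capture), ToUnicodeEx / MapVirtualKeyExA / GetWindowTextA (keystroke-to-character translation with window-title context; the capture hook itself is not among the names in this table), OpenSCManagerA / CreateServiceA / StartServiceA / DeleteService (service control), GetExtendedTcpTable / SetTcpEntry (connection listing and teardown), and FtpOpenFileA / send (exfiltration). Two lookups fail with address_out = 0x0: AllocateAndGetTcpExTableFromStack and AllocateAndGetUdpExTableFromStack, undocumented iphlpapi exports from older Windows versions, after which the documented GetExtendedTcpTable / GetExtendedUdpTable are resolved, so the code carries a version fallback. The script below is an added example, not VMRay's code or the sample's: it turns a resolved-name list into a capability summary and flags that fallback pattern. The name set is a constructed subset transcribed from the table; the capability groupings are this editor's, not a VMRay classification.

```python
# Names resolved through GetProcAddress in the Module table above; a constructed
# subset transcribed from that table (addresses omitted, they are irrelevant here).
RESOLVED = {
    "LoadLibraryA", "GetProcAddress", "VirtualProtect", "VirtualAlloc", "VirtualFree",
    "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "ZwSetInformationProcess",
    "OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges",
    "GetDC", "CreateCompatibleDC", "CreateCompatibleBitmap", "BitBlt", "GetDIBits",
    "GdiplusStartup", "GdipSaveImageToStream", "GdipGetImageEncoders",
    "ToUnicodeEx", "MapVirtualKeyExA", "GetWindowTextA", "GetWindowThreadProcessId",
    "keybd_event", "mouse_event", "OpenClipboard", "SetClipboardData",
    "waveInOpen", "acmStreamOpen", "acmStreamConvert", "acmStreamClose",
    "CredEnumerateA", "CryptUnprotectData",
    "CryptAcquireContextA", "CryptCreateHash", "CryptHashData", "CryptGetHashParam",
    "send", "FtpOpenFileA", "WNetOpenEnumA", "WNetEnumResourceA",
    "GetExtendedTcpTable", "GetExtendedUdpTable", "SetTcpEntry",
    "OpenSCManagerA", "CreateServiceA", "StartServiceA", "ControlService", "DeleteService",
    "CreatePipe", "CreateProcessA", "WinExec", "ShellExecuteExA",
    "SetSuspendState", "GetLogicalDriveStringsA", "FindFirstFileA", "FindNextFileA",
    "RegSetValueExA", "RegCreateKeyA", "RegDeleteKeyA", "CreateMutexA",
}
# Lookups the table marks as failed (address_out = 0x0).
FAILED = {"AllocateAndGetTcpExTableFromStack", "AllocateAndGetUdpExTableFromStack"}

# Capability groups (this editor's grouping): every name in the set must be resolved
# for the capability to count as present. Partial hits are reported separately so a
# packer that resolves a few common names does not trigger a full match.
CAPABILITIES = {
    "process injection (remote thread)": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "privilege adjustment": {"OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"},
    "screen capture": {"GetDC", "CreateCompatibleDC", "CreateCompatibleBitmap", "BitBlt", "GetDIBits"},
    "keystroke translation": {"ToUnicodeEx", "MapVirtualKeyExA", "GetWindowTextA"},
    "input simulation": {"keybd_event", "mouse_event"},
    "audio capture": {"waveInOpen", "acmStreamOpen", "acmStreamConvert"},
    "stored credential access (DPAPI)": {"CredEnumerateA", "CryptUnprotectData"},
    "connection table access": {"GetExtendedTcpTable", "SetTcpEntry"},
    "service control": {"OpenSCManagerA", "CreateServiceA", "StartServiceA", "DeleteService"},
    "remote shell plumbing": {"CreatePipe", "CreateProcessA"},
    "FTP upload": {"FtpOpenFileA"},
    "network share enumeration": {"WNetOpenEnumA", "WNetEnumResourceA"},
    "file system enumeration": {"GetLogicalDriveStringsA", "FindFirstFileA", "FindNextFileA"},
}

# Older undocumented iphlpapi exports and the documented APIs that replaced them. A
# failed lookup of the old name plus a resolved new name means the code has a
# version-dependent fallback path.
LEGACY_FALLBACKS = {
    "AllocateAndGetTcpExTableFromStack": "GetExtendedTcpTable",
    "AllocateAndGetUdpExTableFromStack": "GetExtendedUdpTable",
}


def capabilities(resolved):
    """Return (full, partial): full maps label -> sorted resolved names; partial maps
    label -> sorted names still missing, for groups that matched only in part."""
    full, partial = {}, {}
    for label, needed in CAPABILITIES.items():
        hit = needed & resolved
        if hit == needed:
            full[label] = sorted(hit)
        elif hit:
            partial[label] = sorted(needed - resolved)
    return full, partial


def fallbacks(resolved, failed):
    """(old, new) pairs where the old export failed to resolve and the new one resolved."""
    return sorted((old, new) for old, new in LEGACY_FALLBACKS.items()
                  if old in failed and new in resolved)


def summarize(resolved=RESOLVED, failed=FAILED):
    full, partial = capabilities(resolved)
    return {"capabilities": full, "partial": partial, "fallbacks": fallbacks(resolved, failed)}


if __name__ == "__main__":
    s = summarize()
    for label, names in s["capabilities"].items():
        print(f"{label}: {', '.join(names)}")
    for old, new in s["fallbacks"]:
        print(f"fallback: {old} (failed) -> {new}")
```

The same routine applies to any sandbox's GetProcAddress log or to a memory-dumped unpacked image's import table; the requirement that a group resolve completely is what keeps generic runtime-linking stubs (LoadLibraryA / GetProcAddress / VirtualAlloc) from producing noise.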
System (147)
Operation | Additional Information | Success | Count
Sleep | duration = -1 (infinite) | True | 16
Sleep | duration = 5000 milliseconds (5.000 seconds) | True | 64
Sleep | duration = 5000 milliseconds (5.000 seconds) | False | 1
Get Time | type = Ticks, time = 185515 | True | 1
Get Time | type = Ticks, time = 190531 | True | 1
Get Time | type = Ticks, time = 195546 | True | 1
Get Time | type = Ticks, time = 200546 | True | 1
Get Time | type = Ticks, time = 205546 | True | 1
Get Time | type = Ticks, time = 210562 | True | 1
Get Time | type = Ticks, time = 215578 | True | 1
Get Time | type = Ticks, time = 220578 | True | 1
Get Time | type = Ticks, time = 225593 | True | 1
Get Time | type = Ticks, time = 230593 | True | 1
Get Time | type = Ticks, time = 235609 | True | 1
Get Time | type = Ticks, time = 240609 | True | 1
Get Time | type = Ticks, time = 245609 | True | 1
Get Time | type = Ticks, time = 250625 | True | 1
Get Time | type = Ticks, time = 255625 | True | 1
Get Time | type = Ticks, time = 260656 | True | 1
Get Time | type = Ticks, time = 265656 | True | 1
Get Time | type = Ticks, time = 270671 | True | 1
Get Time | type = Ticks, time = 275671 | True | 1
Get Time | type = Ticks, time = 280671 | True | 1
Get Time | type = Ticks, time = 285687 | True | 1
Get Time | type = Ticks, time = 290687 | True | 1
Get Time | type = Ticks, time = 295687 | True | 1
Get Time | type = Ticks, time = 300718 | True | 1
Get Time | type = Ticks, time = 305718 | True | 1
Get Time | type = Ticks, time = 310734 | True | 1
Get Time | type = Ticks, time = 315750 | True | 1
Get Time | type = Ticks, time = 320750 | True | 1
Get Time | type = Ticks, time = 325765 | True | 1
Get Time | type = Ticks, time = 330781 | True | 1
Get Time | type = Ticks, time = 335796 | True | 1
Get Time | type = Ticks, time = 340843 | True | 1
Get Time | type = Ticks, time = 345859 | True | 1
Get Time | type = Ticks, time = 350875 | True | 1
Get Time | type = Ticks, time = 355953 | True | 1
Get Time | type = Ticks, time = 360968 | True | 1
Get Time | type = Ticks, time = 365968 | True | 1
Get Time | type = Ticks, time = 370984 | True | 1
Get Time | type = Ticks, time = 375984 | True | 1
Get Time | type = Ticks, time = 381000 | True | 1
Get Time | type = Ticks, time = 386000 | True | 1
Get Time | type = Ticks, time = 391015 | True | 1
Get Time | type = Ticks, time = 396031 | True | 1
Get Time | type = Ticks, time = 401031 | True | 1
Get Time | type = Ticks, time = 406031 | True | 1
Get Time | type = Ticks, time = 411062 | True | 1
Get Time | type = Ticks, time = 416062 | True | 1
Get Time | type = Ticks, time = 421078 | True | 1
Get Time | type = Ticks, time = 426078 | True | 1
Get Time | type = Ticks, time = 431093 | True | 1
Get Time | type = Ticks, time = 436093 | True | 1
Get Time | type = Ticks, time = 441093 | True | 1
Get Time | type = Ticks, time = 446109 | True | 1
Get Time | type = Ticks, time = 452031 | True | 1
Get Time | type = Ticks, time = 457031 | True | 1
Get Time | type = Ticks, time = 462046 | True | 1
Get Time | type = Ticks, time = 467046 | True | 1
Get Time | type = Ticks, time = 472046 | True | 1
Get Time | type = Ticks, time = 477062 | True | 1
Get Time | type = Ticks, time = 482078 | True | 1
Get Time | type = Ticks, time = 487078 | True | 1
Get Time | type = Ticks, time = 492093 | True | 1
Get Time | type = Ticks, time = 497156 | True | 1
Get Time | type = Ticks, time = 502171 | True | 1
Get Time | type = Ticks, time = 507171 | True | 1
Get Info | type = Operating System | True | 1
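The System table records 64 successful Sleep(5000) calls and 65 GetTickCount samples whose values advance by 5000 to 5922 ms each, i.e. one tick read per sleep. Whether this loop is a sandbox check or simply the keylogger's polling timer, the pairing of Sleep with GetTickCount is what a sample would use to detect sleep acceleration: if a sandbox fast-forwards Sleep, the tick counter advances far less than the requested 5000 ms between reads. The analyst-side question is the mirror image: did the monitor honor the sleeps, so that the recorded behaviour reflects real timing? The following is an added example, not VMRay's code or the sample's, that answers that from the tick values transcribed above (constructed input); it also handles the 32-bit wrap of GetTickCount, which a naive subtraction gets wrong once every 49.7 days of uptime, and includes a constructed accelerated trace to show the failing case.

```python
# GetTickCount values from the System table above, in order (constructed transcription).
REPORT_TICKS = [
    185515, 190531, 195546, 200546, 205546, 210562, 215578, 220578, 225593, 230593,
    235609, 240609, 245609, 250625, 255625, 260656, 265656, 270671, 275671, 280671,
    285687, 290687, 295687, 300718, 305718, 310734, 315750, 320750, 325765, 330781,
    335796, 340843, 345859, 350875, 355953, 360968, 365968, 370984, 375984, 381000,
    386000, 391015, 396031, 401031, 406031, 411062, 416062, 421078, 426078, 431093,
    436093, 441093, 446109, 452031, 457031, 462046, 467046, 472046, 477062, 482078,
    487078, 492093, 497156, 502171, 507171,
]
# Successful Sleep(5000) calls in the same table.
REPORT_SLEEP_MS = 5000
REPORT_SLEEP_COUNT = 64

# Constructed trace of what the same loop looks like when a sandbox skips the sleeps:
# the counter barely moves between reads.
ACCELERATED_TICKS = [1000, 1020, 1040, 1061, 1080, 1100]


def tick_delta(a, b):
    """Elapsed ms between two GetTickCount reads. The counter is an unsigned 32-bit
    value that wraps after ~49.7 days, so the difference is taken modulo 2**32."""
    return (b - a) & 0xFFFFFFFF


def analyze_sleep_timing(ticks, sleep_ms=REPORT_SLEEP_MS, expected_sleeps=None, tolerance_ms=1000):
    """Compare consecutive tick reads against the sleep the code requested between them.

    skipped: intervals shorter than the sleep (the sleep was not honored, which is
             the signal a sleep-skipping sandbox leaves behind);
    slow:    intervals more than tolerance_ms over the sleep (scheduling jitter only);
    honored: no interval was skipped.
    """
    deltas = [tick_delta(a, b) for a, b in zip(ticks, ticks[1:])]
    skipped = [d for d in deltas if d < sleep_ms]
    slow = [d for d in deltas if d > sleep_ms + tolerance_ms]
    result = {
        "intervals": len(deltas),
        "elapsed_ms": tick_delta(ticks[0], ticks[-1]) if ticks else 0,
        "min_delta": min(deltas) if deltas else None,
        "max_delta": max(deltas) if deltas else None,
        "skipped": len(skipped),
        "slow": len(slow),
        "honored": bool(deltas) and not skipped,
    }
    if expected_sleeps is not None:
        # One tick read per sleep means the interval count should equal the sleep count.
        result["matches_sleep_count"] = len(deltas) == expected_sleeps
    return result


if __name__ == "__main__":
    print("report:", analyze_sleep_timing(REPORT_TICKS, expected_sleeps=REPORT_SLEEP_COUNT))
    print("accelerated:", analyze_sleep_timing(ACCELERATED_TICKS))
```

For the report's trace every interval is at least 5000 ms and the total elapsed time (about 321.7 s) matches 64 five-second sleeps, so the sandbox let the loop run at real speed and the sample had no timing discrepancy to react to. The one 5922 ms interval is ordinary scheduler jitter, which is why the check distinguishes slow intervals from skipped ones instead of treating any deviation as suspicious.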
Mutex (193)
Operation | Additional Information | Success | Count
Create | mutex_name = SWE2F15657A4JJCIiHmnxMn6Ps15 | True | 1
Create | mutex_name = SWE2F15657A4JJ_SAIR | True | 128
Create | mutex_name = SWE2F15657A4JJ | True | 64
Process #39: explorer.exe
Information | Value
ID | #39
File Name | c:\windows\syswow64\explorer.exe
Command Line | explorer.exe
Initial Working Directory | C:\Windows\system32\
Monitor | Start Time: 00:05:28, Reason: Child Process
Unmonitor | End Time: 00:11:22, Reason: Terminated by Timeout
Monitor Duration | 00:05:54
OS Process Information
Information | Value
PID | 0xb58
Parent PID | 0x7cc (c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe)
Is Created or Modified Executable | False
Integrity Level | Medium
Username | LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges | SeChangeNotifyPrivilege
Thread IDs | 0xB54, 0xB80, 0xB84, 0xB48, 0xB44, 0xB04, 0xB3C, 0xB40, 0xB50, 0xB14, 0x658, 0xB00, 0xAF4, 0x1FC, 0xB9C, 0x23C, 0x3CC, 0x344, 0x318, 0x3D4, 0x35C, 0x8A0, 0xBCC, 0xBA4, 0xBB0, 0xBB4, 0xB98, 0xBAC, 0xBA8, 0xBA0, 0x8F4, 0xB70, 0xB74, 0xB60, 0xB68, 0xB6C, 0xB78, 0xB7C, 0xB64, 0x270, 0x618, 0x660, 0xBD4, 0xBE4, 0xBC4, 0xBD8, 0xBD0, 0xB94, 0xBEC, 0x5C4, 0x3C4
Region
Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions
private_0x00000000006c0000 | 0x006c0000 | 0x006dffff | Private Memory | rw | True | False | False | -
pagefile_0x00000000006c0000 | 0x006c0000 | 0x006cffff | Pagefile Backed Memory | rw | True | False | False | -
private_0x00000000006d0000 | 0x006d0000 | 0x006d3fff | Private Memory | rw | True | False | False | -
private_0x00000000006e0000 | 0x006e0000 | 0x006e1fff | Private Memory | rw | True | False | False | -
explorer.exe.mui | 0x006e0000 | 0x006e7fff | Memory Mapped File | r | False | False | False | -
pagefile_0x00000000006f0000 | 0x006f0000 | 0x00703fff | Pagefile Backed Memory | r | True | False | False | -
private_0x0000000000710000 | 0x00710000 | 0x0074ffff | Private Memory | rw | True | False | False | -
private_0x0000000000750000 | 0x00750000 | 0x0078ffff | Private Memory | rw | True | False | False | -
pagefile_0x0000000000790000 | 0x00790000 | 0x00793fff | Pagefile Backed Memory | r | True | False | False | -
pagefile_0x00000000007a0000 | 0x007a0000 | 0x007a2fff | Pagefile Backed Memory | r | True | False | False | -
private_0x00000000007b0000 | 0x007b0000 | 0x007b1fff | Private Memory | rw | True | False | False | -
private_0x00000000007c0000 | 0x007c0000 | 0x007c0fff | Private Memory | rwx | True | False | False | -
private_0x00000000007d0000 | 0x007d0000 | 0x007d0fff | Private Memory | rwx | True | False | False | -
private_0x00000000007e0000 | 0x007e0000 | 0x007e0fff | Private Memory | rwx | True | False | False | -
private_0x00000000007f0000 | 0x007f0000 | 0x0082ffff | Private Memory | rw | True | False | False | -
private_0x0000000000830000 | 0x00830000 | 0x0086ffff | Private Memory | rw | True | False | False | -
private_0x0000000000870000 | 0x00870000 | 0x00870fff | Private Memory | rwx | True | False | False | -
private_0x0000000000880000 | 0x00880000 | 0x00880fff | Private Memory | rwx | True | False | False | -
private_0x0000000000890000 | 0x00890000 | 0x00890fff | Private Memory | rwx | True | False | False | -
private_0x00000000008a0000 | 0x008a0000 | 0x008a0fff | Private Memory | rwx | True | False | False | -
private_0x00000000008b0000 | 0x008b0000 | 0x008effff | Private Memory | rw | True | False | False | -
private_0x00000000008b0000 | 0x008b0000 | 0x008b0fff | Private Memory | rwx | True | False | False | -
private_0x00000000008c0000 | 0x008c0000 | 0x008c0fff | Private Memory | rwx | True | False | False | -
private_0x00000000008d0000 | 0x008d0000 | 0x008d0fff | Private Memory | rwx | True | False | False | -
private_0x00000000008e0000 | 0x008e0000 | 0x008e0fff | Private Memory | rwx | True | False | False | -
private_0x00000000008f0000 | 0x008f0000 | 0x0092ffff | Private Memory | rw | True | False | False | -
private_0x00000000008f0000 | 0x008f0000 | 0x008f0fff | Private Memory | rwx | True | False | False | -
private_0x0000000000900000 0x00900000 0x00900fff Private Memory rwx True False False -
private_0x0000000000910000 0x00910000 0x00910fff Private Memory rwx True False False -
private_0x0000000000920000 0x00920000 0x00920fff Private Memory rwx True False False -
private_0x0000000000930000 0x00930000 0x0093ffff Private Memory rw True False False -
locale.nls 0x00940000 0x009fdfff Memory Mapped File r False False False -
private_0x0000000000a00000 0x00a00000 0x00a3ffff Private Memory rw True False False -
private_0x0000000000a40000 0x00a40000 0x00a7ffff Private Memory rw True False False -
private_0x0000000000a80000 0x00a80000 0x00a80fff Private Memory rw True False False -
private_0x0000000000a90000 0x00a90000 0x00a90fff Private Memory rw True False False -
private_0x0000000000aa0000 0x00aa0000 0x00aa3fff Private Memory rw True False False -
private_0x0000000000ab0000 0x00ab0000 0x00baffff Private Memory rw True False False -
private_0x0000000000bb0000 0x00bb0000 0x00beffff Private Memory rw True False False -
private_0x0000000000bb0000 0x00bb0000 0x00bb0fff Private Memory rwx True False False -
private_0x0000000000bc0000 0x00bc0000 0x00bc0fff Private Memory rwx True False False -
private_0x0000000000bd0000 0x00bd0000 0x00bd0fff Private Memory rwx True False False -
private_0x0000000000be0000 0x00be0000 0x00be0fff Private Memory rwx True False False -
private_0x0000000000bf0000 0x00bf0000 0x00bf0fff Private Memory rwx True False False -
private_0x0000000000c00000 0x00c00000 0x00c0ffff Private Memory rw True False False -
private_0x0000000000c10000 0x00c10000 0x00c4ffff Private Memory rw True False False -
private_0x0000000000c10000 0x00c10000 0x00c10fff Private Memory rwx True False False -
private_0x0000000000c20000 0x00c20000 0x00c20fff Private Memory rwx True False False -
private_0x0000000000c30000 0x00c30000 0x00c30fff Private Memory rwx True False False -
private_0x0000000000c40000 0x00c40000 0x00c7ffff Private Memory rw True False False -
private_0x0000000000c40000 0x00c40000 0x00c40fff Private Memory rwx True False False -
private_0x0000000000c50000 0x00c50000 0x00c8ffff Private Memory rw True False False -
private_0x0000000000c50000 0x00c50000 0x00c50fff Private Memory rwx True False False -
private_0x0000000000c60000 0x00c60000 0x00c60fff Private Memory rwx True False False -
private_0x0000000000c70000 0x00c70000 0x00caffff Private Memory rw True False False -
private_0x0000000000c80000 0x00c80000 0x00cbffff Private Memory rw True False False -
private_0x0000000000cb0000 0x00cb0000 0x00cb0fff Private Memory rwx True False False -
private_0x0000000000cc0000 0x00cc0000 0x00cc0fff Private Memory rwx True False False -
private_0x0000000000cd0000 0x00cd0000 0x00cd0fff Private Memory rwx True False False -
private_0x0000000000ce0000 0x00ce0000 0x00ceffff Private Memory rw True False False -
private_0x0000000000cf0000 0x00cf0000 0x00d2ffff Private Memory rw True False False -
private_0x0000000000d30000 0x00d30000 0x00d30fff Private Memory rwx True False False -
private_0x0000000000d40000 0x00d40000 0x00d7ffff Private Memory rw True False False -
private_0x0000000000d40000 0x00d40000 0x00d40fff Private Memory rwx True False False -
private_0x0000000000d50000 0x00d50000 0x00d50fff Private Memory rwx True False False -
private_0x0000000000d60000 0x00d60000 0x00d60fff Private Memory rwx True False False -
private_0x0000000000d70000 0x00d70000 0x00daffff Private Memory rw True False False -
private_0x0000000000d80000 0x00d80000 0x00dbffff Private Memory rw True False False -
private_0x0000000000db0000 0x00db0000 0x00deffff Private Memory rw True False False -
private_0x0000000000df0000 0x00df0000 0x00df0fff Private Memory rwx True False False -
private_0x0000000000e00000 0x00e00000 0x00e00fff Private Memory rwx True False False -
private_0x0000000000e10000 0x00e10000 0x00e10fff Private Memory rwx True False False -
private_0x0000000000e20000 0x00e20000 0x00e20fff Private Memory rwx True False False -
private_0x0000000000e30000 0x00e30000 0x00e30fff Private Memory rwx True False False -
explorer.exe 0x00e40000 0x01216fff Memory Mapped File rwx False False False -
pagefile_0x0000000001220000 0x01220000 0x0521ffff Pagefile Backed Memory - True False False -
pagefile_0x0000000005220000 0x05220000 0x053a7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000053b0000 0x053b0000 0x05530fff Pagefile Backed Memory r True False False -
pagefile_0x0000000005540000 0x05540000 0x0693ffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x06940000 0x06c76fff Memory Mapped File r False False False -
private_0x0000000006c80000 0x06c80000 0x06cbffff Private Memory rw True False False -
private_0x0000000006c80000 0x06c80000 0x06c80fff Private Memory rwx True False False -
private_0x0000000006c90000 0x06c90000 0x06c90fff Private Memory rwx True False False -
private_0x0000000006ca0000 0x06ca0000 0x06cdffff Private Memory rw True False False -
private_0x0000000006cc0000 0x06cc0000 0x06cfffff Private Memory rw True False False -
private_0x0000000006ce0000 0x06ce0000 0x06d1ffff Private Memory rw True False False -
private_0x0000000006d20000 0x06d20000 0x06d20fff Private Memory rwx True False False -
private_0x0000000006d30000 0x06d30000 0x06d30fff Private Memory rwx True False False -
private_0x0000000006d40000 0x06d40000 0x06d40fff Private Memory rwx True False False -
private_0x0000000006d50000 0x06d50000 0x06d50fff Private Memory rwx True False False -
private_0x0000000006d60000 0x06d60000 0x06d9ffff Private Memory rw True False False -
private_0x0000000006d60000 0x06d60000 0x06d60fff Private Memory rwx True False False -
private_0x0000000006d70000 0x06d70000 0x06d70fff Private Memory rwx True False False -
private_0x0000000006da0000 0x06da0000 0x06ddffff Private Memory rw True False False -
private_0x00000000104f0000 0x104f0000 0x1055ffff Private Memory rwx True False False -
wow64cpu.dll 0x51cd0000 0x51cd7fff Memory Mapped File rwx False False False -
wow64.dll 0x51ce0000 0x51d2efff Memory Mapped File rwx False False False -
wow64win.dll 0x51d30000 0x51da2fff Memory Mapped File rwx False False False -
gdiplus.dll 0x73780000 0x738eafff Memory Mapped File rwx False False False -
dxgi.dll 0x738f0000 0x7396dfff Memory Mapped File rwx False False False -
dcomp.dll 0x73970000 0x73a0bfff Memory Mapped File rwx False False False -
sppc.dll 0x73a10000 0x73a2cfff Memory Mapped File rwx False False False -
slc.dll 0x73a30000 0x73a50fff Memory Mapped File rwx False False False -
twinapi.dll 0x73a60000 0x73af8fff Memory Mapped File rwx False False False -
userenv.dll 0x73b00000 0x73b18fff Memory Mapped File rwx False False False -
d3d11.dll 0x73b20000 0x73d32fff Memory Mapped File rwx False False False -
uxtheme.dll 0x73d40000 0x73db4fff Memory Mapped File rwx False False False -
propsys.dll 0x73dc0000 0x73f01fff Memory Mapped File rwx False False False -
dwmapi.dll 0x73fc0000 0x73fdcfff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74010000 0x74068fff Memory Mapped File rwx False False False -
cryptbase.dll 0x74070000 0x74079fff Memory Mapped File rwx False False False -
sspicli.dll 0x74080000 0x7409dfff Memory Mapped File rwx False False False -
msctf.dll 0x740a0000 0x741bffff Memory Mapped File rwx False False False -
crypt32.dll 0x741c0000 0x74334fff Memory Mapped File rwx False False False -
user32.dll 0x743a0000 0x744dffff Memory Mapped File rwx False False False -
windows.storage.dll 0x74580000 0x74a5cfff Memory Mapped File rwx False False False -
rpcrt4.dll 0x74af0000 0x74b9bfff Memory Mapped File rwx False False False -
oleaut32.dll 0x74ba0000 0x74c31fff Memory Mapped File rwx False False False -
shcore.dll 0x74c40000 0x74cccfff Memory Mapped File rwx False False False -
shell32.dll 0x74cd0000 0x7608efff Memory Mapped File rwx False False False -
advapi32.dll 0x76160000 0x761dafff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x761e0000 0x761ebfff Memory Mapped File rwx False False False -
msasn1.dll 0x76520000 0x7652dfff Memory Mapped File rwx False False False -
msvcrt.dll 0x76640000 0x766fdfff Memory Mapped File rwx False False False -
shlwapi.dll 0x76700000 0x76743fff Memory Mapped File rwx False False False -
kernel32.dll 0x76750000 0x7683ffff Memory Mapped File rwx False False False -
profapi.dll 0x76840000 0x7684efff Memory Mapped File rwx False False False -
gdi32.dll 0x76850000 0x7699cfff Memory Mapped File rwx False False False -
kernelbase.dll 0x769a0000 0x76b15fff Memory Mapped File rwx False False False -
powrprof.dll 0x76b90000 0x76bd3fff Memory Mapped File rwx False False False -
sechost.dll 0x76d30000 0x76d72fff Memory Mapped File rwx False False False -
imm32.dll 0x76d80000 0x76daafff Memory Mapped File rwx False False False -
combase.dll 0x76db0000 0x76f69fff Memory Mapped File rwx False False False -
ntdll.dll 0x76f70000 0x770e8fff Memory Mapped File rwx False False False -
pagefile_0x000000007e6d0000 0x7e6d0000 0x7e7cffff Pagefile Backed Memory r True False False -
private_0x000000007e7d1000 0x7e7d1000 0x7e7d3fff Private Memory rw True False False -
private_0x000000007e7d4000 0x7e7d4000 0x7e7d6fff Private Memory rw True False False -
private_0x000000007e7d7000 0x7e7d7000 0x7e7d9fff Private Memory rw True False False -
private_0x000000007e7da000 0x7e7da000 0x7e7dcfff Private Memory rw True False False -
private_0x000000007e7dd000 0x7e7dd000 0x7e7dffff Private Memory rw True False False -
pagefile_0x000000007e7e0000 0x7e7e0000 0x7e802fff Pagefile Backed Memory r True False False -
private_0x000000007e804000 0x7e804000 0x7e806fff Private Memory rw True False False -
private_0x000000007e807000 0x7e807000 0x7e809fff Private Memory rw True False False -
private_0x000000007e80a000 0x7e80a000 0x7e80afff Private Memory rw True False False -
private_0x000000007e80d000 0x7e80d000 0x7e80dfff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7dff083affff Private Memory r True False False -
pagefile_0x00007dff083b0000 0x7dff083b0000 0x7fff083affff Pagefile Backed Memory - True False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
private_0x00007fff08572000 0x7fff08572000 0x7ffffffeffff Private Memory r True False False -
For performance reasons, the remaining 199 entries are omitted.
The remaining entries can be found in flog.txt.
Injection Information
Source Process (all rows): #37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe, Source OS Thread ID 0x7d0
Injection Type Information Success Count
Modify Memory address = 0x7c0000, size = 13 True 1
Modify Memory address = 0x7d0000, size = 12 True 1
Modify Memory address = 0x7e0000, size = 210 True 1
Create Remote Thread address = 0x7e0000 True 1
Modify Memory address = 0x870000, size = 13 True 1
Modify Memory address = 0x880000, size = 13 True 1
Modify Memory address = 0x890000, size = 20 True 1
Modify Memory address = 0x8a0000, size = 142 True 1
Create Remote Thread address = 0x8a0000 True 1
Modify Memory address = 0x8b0000, size = 15 True 1
Modify Memory address = 0x8c0000, size = 13 True 1
Modify Memory address = 0x8d0000, size = 20 True 1
Modify Memory address = 0x8e0000, size = 142 True 1
Create Remote Thread address = 0x8e0000 True 1
Modify Memory address = 0x8f0000, size = 15 True 1
Modify Memory address = 0x900000, size = 13 True 1
Modify Memory address = 0x910000, size = 20 True 1
Modify Memory address = 0x920000, size = 142 True 1
Create Remote Thread address = 0x920000 True 1
Modify Memory address = 0xbb0000, size = 13 True 1
Modify Memory address = 0xbc0000, size = 13 True 1
Modify Memory address = 0xbd0000, size = 20 True 1
Modify Memory address = 0xbe0000, size = 142 True 1
Create Remote Thread address = 0xbe0000 True 1
Modify Memory address = 0xbf0000, size = 12 True 1
Modify Memory address = 0xc10000, size = 13 True 1
Modify Memory address = 0xc20000, size = 20 True 1
Modify Memory address = 0xc30000, size = 142 True 1
Create Remote Thread address = 0xc30000 True 1
Modify Memory address = 0xc40000, size = 13 True 1
Modify Memory address = 0xc50000, size = 12 True 1
Modify Memory address = 0xc60000, size = 210 True 1
Create Remote Thread address = 0xc60000 True 1
Modify Memory address = 0xcb0000, size = 12 True 1
Modify Memory address = 0xcc0000, size = 13 True 1
Modify Memory address = 0xcd0000, size = 20 True 1
Modify Memory address = 0xd30000, size = 142 True 1
Create Remote Thread address = 0xd30000 True 1
Modify Memory address = 0xd40000, size = 10 True 1
Modify Memory address = 0xd50000, size = 12 True 1
Modify Memory address = 0xd60000, size = 210 True 1
Create Remote Thread address = 0xd60000 True 1
Modify Memory address = 0xdf0000, size = 7 True 1
Modify Memory address = 0xe00000, size = 10 True 1
Modify Memory address = 0xe10000, size = 20 True 1
Modify Memory address = 0xe20000, size = 142 True 1
Create Remote Thread address = 0xe20000 True 1
Modify Memory address = 0xe30000, size = 12 True 1
Modify Memory address = 0x6c80000, size = 12 True 1
Modify Memory address = 0x6c90000, size = 210 True 1
Create Remote Thread address = 0x6c90000 True 1
Modify Memory address = 0x6d20000, size = 9 True 1
Modify Memory address = 0x6d30000, size = 12 True 1
Modify Memory address = 0x6d40000, size = 20 True 1
Modify Memory address = 0x6d50000, size = 142 True 1
Create Remote Thread address = 0x6d50000 True 1
Modify Memory address = 0x6d60000, size = 8 True 1
Modify Memory address = 0x6d70000, size = 12 True 1
Modify Memory address = 0x6d80000, size = 210 True 1
Create Remote Thread address = 0x6d80000 True 1
Modify Memory address = 0x6e10000, size = 14 True 1
Modify Memory address = 0x6e20000, size = 8 True 1
Modify Memory address = 0x6e30000, size = 20 True 1
Modify Memory address = 0x6e40000, size = 142 True 1
Create Remote Thread address = 0x6e40000 True 1
Modify Memory address = 0x6e50000, size = 12 True 1
Modify Memory address = 0x6e60000, size = 12 True 1
Modify Memory address = 0x6e70000, size = 210 True 1
Create Remote Thread address = 0x6e70000 True 1
Modify Memory address = 0x6f00000, size = 14 True 1
Modify Memory address = 0x6f10000, size = 12 True 1
Modify Memory address = 0x6f20000, size = 20 True 1
Modify Memory address = 0x6f30000, size = 142 True 1
Create Remote Thread address = 0x6f30000 True 1
Modify Memory address = 0x6f40000, size = 10 True 1
Modify Memory address = 0x6f50000, size = 12 True 1
Modify Memory address = 0x6f60000, size = 210 True 1
Create Remote Thread address = 0x6f60000 True 1
Modify Memory address = 0x6ff0000, size = 24 True 1
Modify Memory address = 0x7000000, size = 10 True 1
Modify Memory address = 0x7010000, size = 20 True 1
Modify Memory address = 0x7020000, size = 142 True 1
Create Remote Thread address = 0x7020000 True 1
Modify Memory address = 0x7030000, size = 10 True 1
Modify Memory address = 0x7040000, size = 12 True 1
Modify Memory address = 0x7050000, size = 210 True 1
Create Remote Thread address = 0x7050000 True 1
Modify Memory address = 0x70e0000, size = 14 True 1
Modify Memory address = 0x70f0000, size = 10 True 1
Modify Memory address = 0x7100000, size = 20 True 1
Modify Memory address = 0x7110000, size = 142 True 1
Create Remote Thread address = 0x7110000 True 1
Modify Memory address = 0x7120000, size = 13 True 1
Modify Memory address = 0x7130000, size = 12 True 1
Modify Memory address = 0x7140000, size = 210 True 1
Create Remote Thread address = 0x7140000 True 1
Modify Memory address = 0x71d0000, size = 14 True 1
Modify Memory address = 0x71e0000, size = 13 True 1
Modify Memory address = 0x71f0000, size = 20 True 1
Modify Memory address = 0x7200000, size = 142 True 1
Create Remote Thread address = 0x7200000 True 1
Modify Memory address = 0x7210000, size = 13 True 1
Modify Memory address = 0x7220000, size = 12 True 1
Modify Memory address = 0x7230000, size = 210 True 1
Create Remote Thread address = 0x7230000 True 1
Modify Memory address = 0x72c0000, size = 16 True 1
Modify Memory address = 0x72d0000, size = 13 True 1
Modify Memory address = 0x72e0000, size = 20 True 1
Modify Memory address = 0x72f0000, size = 142 True 1
Create Remote Thread address = 0x72f0000 True 1
Modify Memory address = 0x7300000, size = 12 True 1
Modify Memory address = 0x7310000, size = 12 True 1
Modify Memory address = 0x7320000, size = 210 True 1
Create Remote Thread address = 0x7320000 True 1
Modify Memory address = 0x73b0000, size = 15 True 1
Modify Memory address = 0x73c0000, size = 12 True 1
Modify Memory address = 0x73d0000, size = 20 True 1
Modify Memory address = 0x73e0000, size = 142 True 1
Create Remote Thread address = 0x73e0000 True 1
Modify Memory address = 0x73f0000, size = 11 True 1
Modify Memory address = 0x7400000, size = 12 True 1
Modify Memory address = 0x7410000, size = 210 True 1
Create Remote Thread address = 0x7410000 True 1
Modify Memory address = 0x74a0000, size = 6 True 1
Modify Memory address = 0x74b0000, size = 11 True 1
Modify Memory address = 0x74c0000, size = 20 True 1
Modify Memory address = 0x74d0000, size = 142 True 1
Create Remote Thread address = 0x74d0000 True 1
Modify Memory address = 0x74e0000, size = 12 True 1
Modify Memory address = 0x74f0000, size = 12 True 1
Modify Memory address = 0x7500000, size = 210 True 1
Create Remote Thread address = 0x7500000 True 1
Modify Memory address = 0x7590000, size = 15 True 1
Modify Memory address = 0x75a0000, size = 12 True 1
Modify Memory address = 0x75b0000, size = 20 True 1
Modify Memory address = 0x75c0000, size = 142 True 1
Create Remote Thread address = 0x75c0000 True 1
Modify Memory address = 0x75d0000, size = 12 True 1
Modify Memory address = 0x75e0000, size = 12 True 1
Modify Memory address = 0x75f0000, size = 210 True 1
Create Remote Thread address = 0x75f0000 True 1
Modify Memory address = 0x7680000, size = 13 True 1
Modify Memory address = 0x7690000, size = 12 True 1
Modify Memory address = 0x76a0000, size = 20 True 1
Modify Memory address = 0x76b0000, size = 142 True 1
Create Remote Thread address = 0x76b0000 True 1
Modify Memory address = 0x76c0000, size = 10 True 1
Modify Memory address = 0x76d0000, size = 12 True 1
Modify Memory address = 0x76e0000, size = 210 True 1
Create Remote Thread address = 0x76e0000 True 1
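The injection rows above are a textbook write-then-thread pattern: utorrent.exe (process #37, thread 0x7d0) writes a few small chunks and one larger chunk into explorer.exe, then starts a remote thread at the address of the larger chunk. The following is an added example by the editor, not VMRay code and not code from the sample: it parses the row format used in this report, pairs each Create Remote Thread with the Modify Memory writes staged before it, and checks the thread start address against the Region table. The embedded rows are a constructed subset copied from the two tables (the first three remote threads); the "smallest containing region" rule used to resolve the report's overlapping region rows is an assumption.

```python
"""Pair each Create Remote Thread with the Modify Memory writes that staged it.

Added example by the editor, not VMRay code and not code from the sample. The
embedded rows are a constructed subset copied from this report's Injection
Information and Region tables; the region-matching rule is an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SRC = r"#37: c:\users\ciihmnxmn6ps\appdata\local\utorrent.exe 0x7d0"
# Constructed subset: the first three remote threads of the table above.
INJECTION_LOG = "\n".join([
    f"Modify Memory {SRC} address = 0x7c0000, size = 13 True 1",
    f"Modify Memory {SRC} address = 0x7d0000, size = 12 True 1",
    f"Modify Memory {SRC} address = 0x7e0000, size = 210 True 1",
    f"Create Remote Thread {SRC} address = 0x7e0000 True 1",
    f"Modify Memory {SRC} address = 0x870000, size = 13 True 1",
    f"Modify Memory {SRC} address = 0x880000, size = 13 True 1",
    f"Modify Memory {SRC} address = 0x890000, size = 20 True 1",
    f"Modify Memory {SRC} address = 0x8a0000, size = 142 True 1",
    f"Create Remote Thread {SRC} address = 0x8a0000 True 1",
    f"Modify Memory {SRC} address = 0x8b0000, size = 15 True 1",
    f"Modify Memory {SRC} address = 0x8c0000, size = 13 True 1",
    f"Modify Memory {SRC} address = 0x8d0000, size = 20 True 1",
    f"Modify Memory {SRC} address = 0x8e0000, size = 142 True 1",
    f"Create Remote Thread {SRC} address = 0x8e0000 True 1",
])
# Constructed subset of the Region table (note the two overlapping 0x8b0000 rows).
REGION_LOG = """
private_0x00000000007e0000 0x007e0000 0x007e0fff Private Memory rwx True False False -
private_0x00000000008a0000 0x008a0000 0x008a0fff Private Memory rwx True False False -
private_0x00000000008b0000 0x008b0000 0x008effff Private Memory rw True False False -
private_0x00000000008b0000 0x008b0000 0x008b0fff Private Memory rwx True False False -
private_0x00000000008e0000 0x008e0000 0x008e0fff Private Memory rwx True False False -
explorer.exe 0x00e40000 0x01216fff Memory Mapped File rwx False False False -
"""

INJ_RE = re.compile(r"^(?P<kind>Modify Memory|Create Remote Thread)\s+#\d+:\s+\S+\s+0x[0-9a-f]+\s+"
                    r"address = (?P<addr>0x[0-9a-f]+)(?:, size = (?P<size>\d+))?\s+(?:True|False)\s+\d+$")
REGION_RE = re.compile(r"^(?P<name>\S+)\s+(?P<start>0x[0-9a-f]+)\s+(?P<end>0x[0-9a-f]+)\s+"
                       r"(?P<kind>Private Memory|Pagefile Backed Memory|Memory Mapped File)\s+(?P<perms>[rwx-]+)\s")


@dataclass(frozen=True)
class Event:
    kind: str
    addr: int
    size: Optional[int]  # None for Create Remote Thread rows


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int
    kind: str
    perms: str


def parse_injections(text: str) -> List[Event]:
    """Parse Injection Information rows; lines that are not rows are ignored."""
    events = []
    for m in filter(None, (INJ_RE.match(line.strip()) for line in text.splitlines())):
        events.append(Event(m["kind"], int(m["addr"], 16), int(m["size"]) if m["size"] else None))
    return events


def parse_regions(text: str) -> List[Region]:
    """Parse Region rows (the header and the 'entries omitted' notes do not match)."""
    return [Region(m["name"], int(m["start"], 16), int(m["end"], 16), m["kind"], m["perms"])
            for m in filter(None, (REGION_RE.match(line.strip()) for line in text.splitlines()))]


def region_for(addr: int, regions: List[Region]) -> Optional[Region]:
    """Smallest region containing addr (assumption: when the report lists overlapping
    rows, the tighter 0x1000-byte row is the one the thread actually runs in)."""
    hits = [r for r in regions if r.start <= addr <= r.end]
    return min(hits, key=lambda r: r.end - r.start) if hits else None


def correlate(events: List[Event]) -> List[dict]:
    """Attribute every remote thread to the writes made since the previous one."""
    staged: List[Event] = []
    threads: List[dict] = []
    for ev in events:
        if ev.kind == "Modify Memory":
            staged.append(ev)
            continue
        at_start = [w.size for w in staged if w.addr == ev.addr]
        threads.append({
            "start": ev.addr,
            "stub_size": sum(at_start) if at_start else None,  # None: start never written by this source
            "staged": [(w.addr, w.size) for w in staged],
        })
        staged = []
    return threads


def flag_private_exec_threads(threads: List[dict], regions: List[Region]) -> List[dict]:
    """True when the thread starts in private executable memory rather than in an
    image; None when the (truncated) Region table has no row for the address."""
    out = []
    for t in threads:
        r = region_for(t["start"], regions)
        verdict = None if r is None else (r.kind == "Private Memory" and "x" in r.perms)
        out.append(dict(t, region=r.name if r else None, private_exec=verdict))
    return out
```

Run over the full table, the same two staging shapes alternate before every one of the 33 remote threads: three writes whose last chunk is 210 bytes, or four writes whose third chunk is always 20 bytes and whose last is 142 bytes. Treat the region verdict as corroboration rather than proof: the Region table is a snapshot, so a later start such as 0x6d80000 falls inside a plain rw row and 0x6e40000 has no row at all, which is why the check returns None instead of False in that case.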
Host Behavior
File (64784)
Operation Filename Additional Information Success Count
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps2.txt desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\install\svchost.exe desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\install\ desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\D2CA4DEF\ desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ True 1
Create - desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\D2CA4DEF\ak.tmp desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_WRITE True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps7 desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_WRITE True 403
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps8 desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_WRITE True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps8 desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_WRITE True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps8 desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_WRITE True 1
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps7 desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_WRITE True 15769
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps8 desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_WRITE True 6
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps8 desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_WRITE True 8
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps8 desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_WRITE True 4
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\D2CA4DEF\ - False 1
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps2.txt type = size True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\install\svchost.exe type = file_attributes True 1
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps7 type = file_attributes True 16172
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps8 type = file_attributes True 21
Read C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps2.txt size = 394358, size_out = 394358 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\D2CA4DEF\ak.tmp size = 50 True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps7 size = 8 True 403
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps8 size = 8 True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps8 size = 8 True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps8 size = 8 True 1
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps7 size = 8 True 15769
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps8 size = 8 True 6
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps8 size = 8 True 8
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps8 size = 8 True 4
Delete C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps2.txt - True 1
Delete C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps7 - True 16172
Delete C:\Users\CIIHMN~1\AppData\Local\Temp\CIiHmnxMn6Ps8 - True 21
Registry (25)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\SOFTWARE\remote - True 1 Fn
Open Key HKEY_CURRENT_USER\Software\Borland\Locales - False 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Borland\Locales - False 1 Fn
Open Key HKEY_CURRENT_USER\Software\Borland\Delphi\Locales - False 1 Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\ - True 1 Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1 Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\remote - True 1 Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\remote - True 3 Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1 Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = 0, type = REG_SZ True 1 Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = REG_SZ True 1 Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\remote value_name = FirstExecution, data = 0, type = REG_EXPAND_SZ True 1 Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\remote value_name = FirstExecution, data = 21/11/2018 -- 03:24, type = REG_EXPAND_SZ True 1 Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\remote value_name = FirstExecution, data = 0, type = REG_EXPAND_SZ True 1 Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\remote value_name = FirstExecution, data = 21/11/2018 -- 03:24, type = REG_EXPAND_SZ True 1 Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = 0, type = REG_SZ True 1 Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = REG_SZ True 1 Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\remote value_name = NewIdentification, data = 0, type = REG_EXPAND_SZ True 1 Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\remote value_name = NewIdentification, data = remote, type = REG_EXPAND_SZ True 1 Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\remote value_name = NewGroup, data = 0, type = REG_EXPAND_SZ True 1 Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\remote value_name = NewGroup, type = REG_EXPAND_SZ True 1 Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\remote value_name = NewGroup, size = 0, type = REG_EXPAND_SZ True 1 Fn
Delete Key HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\\{3HG21N73-YORJ-B011-YIQ6-T2M8WYWY35PU} - False 1 Fn
Process (1)
Operation Process Additional Information Success Count Logfile
Get Info c:\windows\syswow64\explorer.exe type = PROCESS_PRIORITY_BOOST True 1 Fn
Module (373)
Operation Module Additional Information Success Count Logfile
Load KERNEL32.DLL base_address = 0x76750000 True 4 Fn
Load advapi32.dll base_address = 0x76160000 True 4 Fn
Load gdi32.dll base_address = 0x76850000 True 2 Fn
Load gdiplus.dll base_address = 0x73780000 True 2 Fn
Load mpr.dll base_address = 0x73760000 True 2 Fn
Load msacm32.dll base_address = 0x73740000 True 2 Fn
Load ntdll.dll base_address = 0x76f70000 True 2 Fn
Load ole32.dll base_address = 0x76c40000 True 3 Fn
Load oleaut32.dll base_address = 0x74ba0000 True 2 Fn
Load powrprof.dll base_address = 0x76b90000 True 2 Fn
Load shell32.dll base_address = 0x74cd0000 True 5 Fn
Load user32.dll base_address = 0x743a0000 True 3 Fn
Load version.dll base_address = 0x73fb0000 True 2 Fn
Load wininet.dll base_address = 0x734b0000 True 2 Fn
Load winmm.dll base_address = 0x73480000 True 2 Fn
Load wsock32.dll base_address = 0x73470000 True 2 Fn
Load iphlpapi.dll base_address = 0x73440000 True 1 Fn
Load kernel32.dll base_address = 0x76750000 True 7 Fn
Load Crypt32.dll base_address = 0x741c0000 True 1 Fn
Load Advapi32.dll base_address = 0x76160000 True 7 Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76750000 True 5 Fn
Get Handle c:\windows\syswow64\advapi32.dll base_address = 0x76160000 True 1 Fn
Get Handle c:\windows\syswow64\gdi32.dll base_address = 0x76850000 True 1 Fn
Get Handle c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll base_address = 0x73780000 True 1 Fn
Get Handle mpr.dll base_address = 0x73760000 True 1 Fn
Get Handle msacm32.dll base_address = 0x73740000 True 1 Fn
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x76f70000 True 1 Fn
Get Handle ole32.dll base_address = 0x76c40000 True 1 Fn
Get Handle c:\windows\syswow64\oleaut32.dll base_address = 0x74ba0000 True 1 Fn
Get Handle c:\windows\syswow64\powrprof.dll base_address = 0x76b90000 True 1 Fn
Get Handle c:\windows\syswow64\shell32.dll base_address = 0x74cd0000 True 1 Fn
Get Handle c:\windows\syswow64\user32.dll base_address = 0x743a0000 True 1 Fn
Get Handle version.dll base_address = 0x73fb0000 True 1 Fn
Get Handle wininet.dll base_address = 0x734b0000 True 1 Fn
Get Handle winmm.dll base_address = 0x73480000 True 1 Fn
Get Handle wsock32.dll base_address = 0x73470000 True 1 Fn
Get Filename - process_name = c:\windows\syswow64\explorer.exe, file_name_orig = “nüv, size = 261 False 1 Fn
Get Filename - process_name = c:\windows\syswow64\explorer.exe, file_name_orig = C:\Windows\SysWOW64\explorer.exe, size = 261 True 3 Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x7676d8d0 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76767940 True 3 Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76768c50 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76768b70 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76768c70 True 2 Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyA, address_out = 0x761831a0 True 2 Fn
Get Address c:\windows\syswow64\gdi32.dll function = BitBlt, address_out = 0x768d2170 True 2 Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipFree, address_out = 0x737c3810 True 2 Fn
Get Address Unknown module name function = WNetOpenEnumA, address_out = 0x7376d6c0 True 2 Fn
Get Address Unknown module name function = acmStreamSize, address_out = 0x7374ace0 True 2 Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwSetInformationProcess, address_out = 0x76fd8da0 True 2 Fn
Get Address Unknown module name function = CoTaskMemFree, address_out = 0x76e3cf40 True 2 Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SysFreeString, address_out = 0x74bb9230 True 2 Fn
Get Address c:\windows\syswow64\powrprof.dll function = SetSuspendState, address_out = 0x76b99ab0 True 2 Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetFileInfoA, address_out = 0x74e6f7f0 True 2 Fn
Get Address c:\windows\syswow64\user32.dll function = GetDC, address_out = 0x743d4dd0 True 1 Fn
Get Address Unknown module name function = VerQueryValueA, address_out = 0x73fb14c0 True 1 Fn
Get Address Unknown module name function = FtpOpenFileA, address_out = 0x735f9a80 True 1 Fn
Get Address Unknown module name function = waveInOpen, address_out = 0x7348cc80 True 1 Fn
Get Address Unknown module name function = send, address_out = 0x7659ce20 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76761b90 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedDecrement, address_out = 0x76767560 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedIncrement, address_out = 0x76767520 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x767675a0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76762d60 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x76773a30 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpynA, address_out = 0x7676f7b0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExA, address_out = 0x76769f60 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetThreadLocale, address_out = 0x7676a4e0 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoA, address_out = 0x76769730 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoA, address_out = 0x7676e240 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76762db0 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileA, address_out = 0x76776210 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x767761d0 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x767774f0 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x76769700 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76776590 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x767928e0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x76776530 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEndOfFile, address_out = 0x767764f0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76769a80 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x767764a0 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76769ec0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x7676a060 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x76776360 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTime, address_out = 0x76774a60 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76776390 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76776170 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76775f20 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x7676a3c0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76761da0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76761ba0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76769930 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76769a70 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x767687c0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalAlloc, address_out = 0x76768840 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x76769640 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x7676a040 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x767698f0 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x767625e0 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x76fabae0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x76fada90 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76767910 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpA, address_out = 0x7676c1f0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteProcessMemory, address_out = 0x76792ae0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = WinExec, address_out = 0x76790170 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x76776110 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAllocEx, address_out = 0x767929a0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateThread, address_out = 0x7676fcb0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x7676fbc0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x767677b0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadPriority, address_out = 0x76769490 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadLocale, address_out = 0x7676a310 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetNamedPipeHandleState, address_out = 0x76792600 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileTime, address_out = 0x76776550 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileAttributesA, address_out = 0x76776500 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76768bf0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = RemoveDirectoryA, address_out = 0x767764d0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x767692b0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileA, address_out = 0x7676c240 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsBadReadPtr, address_out = 0x76761ce0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalUnlock, address_out = 0x76762a10 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalSize, address_out = 0x767677c0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalReAlloc, address_out = 0x76762ba0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalMemoryStatus, address_out = 0x767692d0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalHandle, address_out = 0x7676e030 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalLock, address_out = 0x76761bc0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalFree, address_out = 0x76773a70 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalAlloc, address_out = 0x76769600 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVolumeInformationA, address_out = 0x76776430 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76769fe0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x767757f0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemInfo, address_out = 0x7676a1f0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetPrivateProfileStringA, address_out = 0x76770280 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetPrivateProfileIntA, address_out = 0x76770200 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalDriveStringsA, address_out = 0x7678e9a0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocalTime, address_out = 0x76769a60 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileAttributesA, address_out = 0x76776310 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeProcess, address_out = 0x7676f6f0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x7676a390 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeA, address_out = 0x767762f0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76761d90 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76762da0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameA, address_out = 0x7676f4b0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileA, address_out = 0x76776270 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FileTimeToLocalFileTime, address_out = 0x767761c0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FileTimeToDosDateTime, address_out = 0x76772360 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x767761a0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateRemoteThread, address_out = 0x76790a00 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x76790960 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreatePipe, address_out = 0x76760570 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexA, address_out = 0x76775fb0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventA, address_out = 0x76775f70 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryA, address_out = 0x76776140 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileA, address_out = 0x7676c510 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExW, address_out = 0x7676a2a0 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExA, address_out = 0x76180750 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExA, address_out = 0x7617ee40 True 2 Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExA, address_out = 0x7617f000 True 2 Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumValueA, address_out = 0x76182540 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumKeyExA, address_out = 0x76182520 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegDeleteValueA, address_out = 0x76180fb0 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegDeleteKeyA, address_out = 0x7617fc50 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyA, address_out = 0x76183150 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x7617efa0 True 2 Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenProcessToken, address_out = 0x7617ee90 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = LookupPrivilegeValueA, address_out = 0x76193e70 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameA, address_out = 0x761836d0 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = AdjustTokenPrivileges, address_out = 0x76180680 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = StartServiceA, address_out = 0x76196a40 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = QueryServiceStatus, address_out = 0x761839f0 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenServiceA, address_out = 0x76196590 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenSCManagerA, address_out = 0x76180f30 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = EnumServicesStatusA, address_out = 0x761aad50 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = DeleteService, address_out = 0x76195e30 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = CreateServiceA, address_out = 0x76195670 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = ControlService, address_out = 0x761955f0 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = CloseServiceHandle, address_out = 0x761806a0 True 1 Fn
Get Address c:\windows\syswow64\gdi32.dll function = SetTextColor, address_out = 0x768d1c80 True 1 Fn
Get Address c:\windows\syswow64\gdi32.dll function = SetBkColor, address_out = 0x768d1da0 True 1 Fn
Get Address c:\windows\syswow64\gdi32.dll function = SelectObject, address_out = 0x768cfc80 True 1 Fn
Get Address c:\windows\syswow64\gdi32.dll function = GetObjectA, address_out = 0x768e0530 True 1 Fn
Get Address c:\windows\syswow64\gdi32.dll function = GetDeviceCaps, address_out = 0x768d0820 True 1 Fn
Get Address c:\windows\syswow64\gdi32.dll function = GetDIBits, address_out = 0x768d0dc0 True 1 Fn
Get Address c:\windows\syswow64\gdi32.dll function = DeleteObject, address_out = 0x768d0050 True 1 Fn
Get Address c:\windows\syswow64\gdi32.dll function = DeleteDC, address_out = 0x768d0550 True 1 Fn
Get Address c:\windows\syswow64\gdi32.dll function = CreateSolidBrush, address_out = 0x768d23d0 True 1 Fn
Get Address c:\windows\syswow64\gdi32.dll function = CreateFontA, address_out = 0x76901180 True 1 Fn
Get Address c:\windows\syswow64\gdi32.dll function = CreateCompatibleDC, address_out = 0x768d1f90 True 1 Fn
Get Address c:\windows\syswow64\gdi32.dll function = CreateCompatibleBitmap, address_out = 0x768d22d0 True 1 Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipGetImageEncoders, address_out = 0x737df380 True 1 Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipGetImageEncodersSize, address_out = 0x737df520 True 1 Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipDrawImageRectI, address_out = 0x737c7180 True 1 Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipSetInterpolationMode, address_out = 0x737c5ad0 True 1 Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipDeleteGraphics, address_out = 0x737a92d0 True 1 Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipCreateBitmapFromScan0, address_out = 0x737c31c0 True 1 Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipCreateBitmapFromFileICM, address_out = 0x73814560 True 1 Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipCreateBitmapFromStreamICM, address_out = 0x738146f0 True 1 Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipCreateBitmapFromFile, address_out = 0x737e32f0 True 1 Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipCreateBitmapFromStream, address_out = 0x737e9f10 True 1 Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipGetImagePixelFormat, address_out = 0x737ed9f0 True 1 Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipGetImageGraphicsContext, address_out = 0x737c3300 True 1 Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipSaveImageToStream, address_out = 0x737e4bd0 True 1 Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipDisposeImage, address_out = 0x737e91c0 True 1 Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdiplusShutdown, address_out = 0x737ea7c0 True 1 Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdiplusStartup, address_out = 0x737eab50 True 1 Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll function = GdipAlloc, address_out = 0x737c3840 True 1 Fn
Get Address Unknown module name function = WNetEnumResourceA, address_out = 0x7376cc80 True 1 Fn
Get Address Unknown module name function = WNetCloseEnum, address_out = 0x73763710 True 1 Fn
Get Address Unknown module name function = acmStreamUnprepareHeader, address_out = 0x7374ade0 True 1 Fn
Get Address Unknown module name function = acmStreamPrepareHeader, address_out = 0x7374ab20 True 1 Fn
Get Address Unknown module name function = acmStreamConvert, address_out = 0x7374a440 True 1 Fn
Get Address Unknown module name function = acmStreamReset, address_out = 0x7374ac70 True 1 Fn
Get Address Unknown module name function = acmStreamClose, address_out = 0x7374a2f0 True 1 Fn
Get Address Unknown module name function = acmStreamOpen, address_out = 0x7374a630 True 1 Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueryInformationProcess, address_out = 0x76fd8d50 True 1 Fn
Get Address Unknown module name function = CLSIDFromString, address_out = 0x76e61390 True 1 Fn
Get Address Unknown module name function = StringFromCLSID, address_out = 0x76e21020 True 1 Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SysReAllocStringLen, address_out = 0x74bc3ee0 True 1 Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SysAllocStringLen, address_out = 0x74bb91a0 True 1 Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExA, address_out = 0x74f32190 True 1 Fn
Get Address c:\windows\syswow64\shell32.dll function = DragQueryFileA, address_out = 0x74f1f900 True 1 Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderPathA, address_out = 0x74f74f00 True 3 Fn
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExA, address_out = 0x743d4720 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = wvsprintfA, address_out = 0x743cea20 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = mouse_event, address_out = 0x7441fd40 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = keybd_event, address_out = 0x7441fcf0 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x743c7020 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = UnregisterClassA, address_out = 0x743d0b00 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x743bb9d0 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = ToUnicodeEx, address_out = 0x7441f4c0 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = SystemParametersInfoA, address_out = 0x743d0860 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x743d52a0 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = SetWindowTextA, address_out = 0x743c45e0 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = SetWindowPos, address_out = 0x743d4f70 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = SetWindowLongA, address_out = 0x743d0c20 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = SetTimer, address_out = 0x743bcd50 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = SetPropA, address_out = 0x743d0e50 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = SetForegroundWindow, address_out = 0x743bdf70 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = SetCursor, address_out = 0x743d4ed0 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = SetClipboardData, address_out = 0x743d13e0 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageTimeoutA, address_out = 0x743cdc40 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageA, address_out = 0x743c1460 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = ScreenToClient, address_out = 0x743b56d0 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = RemovePropA, address_out = 0x743d1000 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = ReleaseDC, address_out = 0x743b89f0 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterClassA, address_out = 0x743d3e50 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = PostQuitMessage, address_out = 0x743d2430 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = PostMessageA, address_out = 0x743cce20 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = PeekMessageA, address_out = 0x743baa70 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = OpenClipboard, address_out = 0x743d1770 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = MsgWaitForMultipleObjects, address_out = 0x743ba2f0 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxA, address_out = 0x7441cf50 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = MapVirtualKeyExA, address_out = 0x74427440 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = MapVirtualKeyA, address_out = 0x743d1fb0 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = LoadIconA, address_out = 0x743d1ec0 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = LoadCursorA, address_out = 0x743d1e90 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = IsWindowVisible, address_out = 0x743c6e80 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = IsWindow, address_out = 0x743b7130 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = InvalidateRect, address_out = 0x743d4d70 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = GetWindowThreadProcessId, address_out = 0x743bba70 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = GetWindowTextLengthA, address_out = 0x743c1670 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = GetWindowTextA, address_out = 0x743c4690 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = GetWindowRect, address_out = 0x743b5930 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = GetWindowLongA, address_out = 0x743ccc90 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = GetSystemMetrics, address_out = 0x743b55d0 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = GetSystemMenu, address_out = 0x743d5330 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = GetSysColor, address_out = 0x743bc900 True 1 Fn
Get Address c:\windows\syswow64\user32.dll function = GetPropA, address_out = 0x743ce230 True 1 Fn
Get Address Unknown module name function = AllocateAndGetTcpExTableFromStack, address_out = 0x0 False 1 Fn
Get Address Unknown module name function = AllocateAndGetUdpExTableFromStack, address_out = 0x0 False 1 Fn
Get Address Unknown module name function = SetTcpEntry, address_out = 0x73462050 True 1 Fn
Get Address Unknown module name function = GetExtendedTcpTable, address_out = 0x7344b880 True 1 Fn
Get Address Unknown module name function = GetExtendedUdpTable, address_out = 0x7344c0d0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathA, address_out = 0x76776410 True 5 Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptUnprotectData, address_out = 0x7420af50 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = CredEnumerateA, address_out = 0x76195710 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextA, address_out = 0x76180c00 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptCreateHash, address_out = 0x7617f930 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptHashData, address_out = 0x7617f950 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetHashParam, address_out = 0x7617f530 True 1 Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyHash, address_out = 0x7617fbf0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x76180ad0 True 1
Fn
Get Address Unknown module name function = OleInitialize, address_out = 0x76c69c50 True 1
Fn
Get Address Unknown module name function = CoCreateInstance, address_out = 0x76e58200 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetWindowsDirectoryA, address_out = 0x7676f8e0 True 2
Fn
User (1)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Keyboard (3237)
Operation Additional Information Success Count
Read virtual_key_code = VK_BACK, result_out = 0 True 26
Read virtual_key_code = VK_TAB, result_out = 0 True 26
Read virtual_key_code = Undefined, result_out = 0 True 624
Read virtual_key_code = VK_CLEAR, result_out = 0 True 26
Read virtual_key_code = VK_RETURN, result_out = 0 True 26
Read virtual_key_code = VK_SHIFT, result_out = 0 True 26
Read virtual_key_code = VK_CONTROL, result_out = 0 True 26
Read virtual_key_code = VK_MENU, result_out = 0 True 26
Read virtual_key_code = VK_PAUSE, result_out = 0 True 26
Read virtual_key_code = VK_CAPITAL, result_out = 0 True 26
Read virtual_key_code = VK_HANGUL, result_out = 0 True 26
Read virtual_key_code = VK_JUNJA, result_out = 0 True 26
Read virtual_key_code = VK_FINAL, result_out = 0 True 26
Read virtual_key_code = VK_HANJA, result_out = 0 True 26
Read virtual_key_code = VK_ESCAPE, result_out = 0 True 26
Read virtual_key_code = VK_CONVERT, result_out = 0 True 26
Read virtual_key_code = VK_NONCONVERT, result_out = 0 True 26
Read virtual_key_code = VK_ACCEPT, result_out = 0 True 26
Read virtual_key_code = VK_MODECHANGE, result_out = 0 True 26
Read virtual_key_code = VK_SPACE, result_out = 0 True 26
Read virtual_key_code = VK_PRIOR, result_out = 0 True 26
Read virtual_key_code = VK_NEXT, result_out = 0 True 26
Read virtual_key_code = VK_END, result_out = 0 True 26
Read virtual_key_code = VK_HOME, result_out = 0 True 26
Read virtual_key_code = VK_LEFT, result_out = 0 True 26
Read virtual_key_code = VK_UP, result_out = 0 True 26
Read virtual_key_code = VK_RIGHT, result_out = 0 True 26
Read virtual_key_code = VK_DOWN, result_out = 0 True 26
Read virtual_key_code = VK_SELECT, result_out = 0 True 26
Read virtual_key_code = VK_PRINT, result_out = 0 True 13
Read virtual_key_code = VK_EXECUTE, result_out = 0 True 13
Read virtual_key_code = VK_SNAPSHOT, result_out = 0 True 13
Read virtual_key_code = VK_INSERT, result_out = 0 True 13
Read virtual_key_code = VK_DELETE, result_out = 0 True 13
Read virtual_key_code = VK_HELP, result_out = 0 True 13
Read virtual_key_code = 0 key, result_out = 0 True 13
Read virtual_key_code = 1 key, result_out = 0 True 13
Read virtual_key_code = 2 key, result_out = 0 True 13
Read virtual_key_code = 3 key, result_out = 0 True 13
Read virtual_key_code = 4 key, result_out = 0 True 13
Read virtual_key_code = 5 key, result_out = 0 True 13
Read virtual_key_code = 6 key, result_out = 0 True 13
Read virtual_key_code = 7 key, result_out = 0 True 13
Read virtual_key_code = 8 key, result_out = 0 True 13
Read virtual_key_code = 9 key, result_out = 0 True 13
Read virtual_key_code = A key, result_out = 0 True 13
Read virtual_key_code = B key, result_out = 0 True 13
Read virtual_key_code = C key, result_out = 0 True 13
Read virtual_key_code = D key, result_out = 0 True 13
Read virtual_key_code = E key, result_out = 0 True 13
Read virtual_key_code = F key, result_out = 0 True 13
Read virtual_key_code = G key, result_out = 0 True 13
Read virtual_key_code = H key, result_out = 0 True 13
Read virtual_key_code = I key, result_out = 0 True 13
Read virtual_key_code = J key, result_out = 0 True 13
Read virtual_key_code = K key, result_out = 0 True 13
Read virtual_key_code = L key, result_out = 0 True 13
Read virtual_key_code = M key, result_out = 0 True 13
Read virtual_key_code = N key, result_out = 0 True 13
Read virtual_key_code = O key, result_out = 0 True 13
Read virtual_key_code = P key, result_out = 0 True 13
Read virtual_key_code = Q key, result_out = 0 True 13
Read virtual_key_code = R key, result_out = 0 True 13
Read virtual_key_code = S key, result_out = 0 True 13
Read virtual_key_code = T key, result_out = 0 True 13
Read virtual_key_code = U key, result_out = 0 True 13
Read virtual_key_code = V key, result_out = 0 True 13
Read virtual_key_code = W key, result_out = 0 True 13
Read virtual_key_code = X key, result_out = 0 True 13
Read virtual_key_code = Y key, result_out = 0 True 13
Read virtual_key_code = Z key, result_out = 0 True 13
Read virtual_key_code = VK_LWIN, result_out = 0 True 13
Read virtual_key_code = VK_RWIN, result_out = 0 True 13
Read virtual_key_code = VK_APPS, result_out = 0 True 13
Read virtual_key_code = VK_SLEEP, result_out = 0 True 13
Read virtual_key_code = VK_NUMPAD0, result_out = 0 True 13
Read virtual_key_code = VK_NUMPAD1, result_out = 0 True 13
Read virtual_key_code = VK_NUMPAD2, result_out = 0 True 13
Read virtual_key_code = VK_NUMPAD3, result_out = 0 True 13
Read virtual_key_code = VK_NUMPAD4, result_out = 0 True 13
Read virtual_key_code = VK_NUMPAD5, result_out = 0 True 13
Read virtual_key_code = VK_NUMPAD6, result_out = 0 True 13
Read virtual_key_code = VK_NUMPAD7, result_out = 0 True 13
Read virtual_key_code = VK_NUMPAD8, result_out = 0 True 13
Read virtual_key_code = VK_NUMPAD9, result_out = 0 True 13
Read virtual_key_code = VK_MULTIPLY, result_out = 0 True 13
Read virtual_key_code = VK_ADD, result_out = 0 True 13
Read virtual_key_code = VK_SEPARATOR, result_out = 0 True 13
Read virtual_key_code = VK_SUBTRACT, result_out = 0 True 13
Read virtual_key_code = VK_DECIMAL, result_out = 0 True 13
Read virtual_key_code = VK_DIVIDE, result_out = 0 True 13
Read virtual_key_code = VK_F1, result_out = 0 True 13
Read virtual_key_code = VK_F2, result_out = 0 True 13
Read virtual_key_code = VK_F3, result_out = 0 True 13
Read virtual_key_code = VK_F4, result_out = 0 True 13
Read virtual_key_code = VK_F5, result_out = 0 True 13
Read virtual_key_code = VK_F6, result_out = 0 True 13
Read virtual_key_code = VK_F7, result_out = 0 True 13
Read virtual_key_code = VK_F8, result_out = 0 True 13
Read virtual_key_code = VK_F9, result_out = 0 True 13
Read virtual_key_code = VK_F10, result_out = 0 True 13
Read virtual_key_code = VK_F11, result_out = 0 True 13
Read virtual_key_code = VK_F12, result_out = 0 True 13
Read virtual_key_code = VK_F13, result_out = 0 True 13
Read virtual_key_code = VK_F14, result_out = 0 True 13
Read virtual_key_code = VK_F15, result_out = 0 True 13
Read virtual_key_code = VK_F16, result_out = 0 True 13
Read result_out = 0 True 13
Read virtual_key_code = VK_F18, result_out = 0 True 13
Read virtual_key_code = VK_F19, result_out = 0 True 13
Read virtual_key_code = VK_F20, result_out = 0 True 13
Read virtual_key_code = VK_F21, result_out = 0 True 13
Read virtual_key_code = VK_F22, result_out = 0 True 13
Read virtual_key_code = VK_F23, result_out = 0 True 13
Read virtual_key_code = VK_F24, result_out = 0 True 13
Read virtual_key_code = Unassigned, result_out = 0 True 221
Read virtual_key_code = VK_NUMLOCK, result_out = 0 True 13
Read virtual_key_code = VK_SCROLL, result_out = 0 True 13
Read virtual_key_code = OEM specific, result_out = 0 True 65
Read virtual_key_code = VK_LSHIFT, result_out = 0 True 13
Read virtual_key_code = VK_RSHIFT, result_out = 0 True 13
Read virtual_key_code = VK_LCONTROL, result_out = 0 True 13
Read virtual_key_code = VK_RCONTROL, result_out = 0 True 13
Read virtual_key_code = VK_LMENU, result_out = 0 True 13
Read virtual_key_code = VK_RMENU, result_out = 0 True 13
Read virtual_key_code = VK_BROWSER_BACK, result_out = 0 True 13
Read virtual_key_code = VK_BROWSER_FORWARD, result_out = 0 True 13
Read virtual_key_code = VK_BROWSER_REFRESH, result_out = 0 True 13
Read virtual_key_code = VK_BROWSER_STOP, result_out = 0 True 13
Read virtual_key_code = VK_BROWSER_SEARCH, result_out = 0 True 13
Read virtual_key_code = VK_BROWSER_FAVORITES, result_out = 0 True 13
Read virtual_key_code = VK_BROWSER_HOME, result_out = 0 True 13
Read virtual_key_code = VK_VOLUME_MUTE, result_out = 0 True 13
Read virtual_key_code = VK_VOLUME_DOWN, result_out = 0 True 13
Read virtual_key_code = VK_VOLUME_UP, result_out = 0 True 13
Read virtual_key_code = VK_MEDIA_NEXT_TRACK, result_out = 0 True 13
Read virtual_key_code = VK_MEDIA_PREV_TRACK, result_out = 0 True 13
Read virtual_key_code = VK_MEDIA_STOP, result_out = 0 True 13
Read virtual_key_code = VK_MEDIA_PLAY_PAUSE, result_out = 0 True 13
Read virtual_key_code = VK_LAUNCH_MAIL, result_out = 0 True 13
Read virtual_key_code = VK_LAUNCH_MEDIA_SELECT, result_out = 0 True 13
Read virtual_key_code = VK_LAUNCH_APP1, result_out = 0 True 13
Read virtual_key_code = VK_LAUNCH_APP2, result_out = 0 True 13
Read virtual_key_code = VK_OEM_1, result_out = 0 True 13
Read virtual_key_code = VK_OEM_PLUS, result_out = 0 True 13
Read virtual_key_code = VK_OEM_COMMA, result_out = 0 True 13
Read virtual_key_code = VK_OEM_MINUS, result_out = 0 True 13
Read virtual_key_code = VK_OEM_PERIOD, result_out = 0 True 13
Read virtual_key_code = VK_OEM_2, result_out = 0 True 13
Read virtual_key_code = VK_OEM_3, result_out = 0 True 13
Read virtual_key_code = VK_OEM_4, result_out = 0 True 13
Read virtual_key_code = VK_OEM_5, result_out = 0 True 13
Read virtual_key_code = VK_OEM_6, result_out = 0 True 13
Read virtual_key_code = VK_OEM_7, result_out = 0 True 13
System (29345)
Operation Additional Information Success Count
Sleep duration = -1 (infinite) True 16
Sleep duration = 1 milliseconds (0.001 seconds) True 1
Sleep duration = 20 milliseconds (0.020 seconds) True 8991
Sleep duration = 5 milliseconds (0.005 seconds) True 16171
Sleep duration = 5000 milliseconds (5.000 seconds) True 21
Sleep duration = 100 milliseconds (0.100 seconds) False 1
Sleep duration = 10000 milliseconds (10.000 seconds) True 1
Sleep duration = 50 milliseconds (0.050 seconds) True 180
Sleep duration = 100 milliseconds (0.100 seconds) True 19
Sleep duration = 5 milliseconds (0.005 seconds) False 1
Sleep duration = 20 milliseconds (0.020 seconds) False 1
Get Time type = System Time, time = 2018-11-20 05:27:41 (UTC) True 1
Get Time type = Local Time, time = 2018-11-20 16:27:41 (Local Time) True 173
Get Time type = Ticks, time = 187890 True 2
Get Time type = Ticks, time = 187906 True 2
Get Time type = Ticks, time = 187921 True 1
Get Time type = Ticks, time = 187937 True 2
Get Time type = Ticks, time = 187953 True 1
Get Time type = Ticks, time = 187968 True 1
Get Time type = Ticks, time = 187984 True 1
Get Time type = Ticks, time = 188000 True 2
Get Time type = Ticks, time = 188015 True 1
Get Time type = Ticks, time = 188031 True 2
Get Time type = Ticks, time = 188046 True 1
Get Time type = Ticks, time = 188062 True 2
Get Time type = Ticks, time = 188078 True 1
Get Time type = Ticks, time = 188093 True 2
Get Time type = Ticks, time = 188109 True 1
Get Time type = Ticks, time = 188125 True 2
Get Time type = Ticks, time = 188140 True 1
Get Time type = Ticks, time = 188156 True 2
Get Time type = Ticks, time = 188171 True 1
Get Time type = Ticks, time = 188187 True 2
Get Time type = Ticks, time = 188203 True 1
Get Time type = Ticks, time = 188218 True 2
Get Time type = Ticks, time = 188250 True 2
Get Time type = Ticks, time = 188265 True 1
Get Time type = Ticks, time = 188281 True 2
Get Time type = Ticks, time = 188296 True 1
Get Time type = Ticks, time = 188312 True 2
Get Time type = Ticks, time = 188328 True 1
Get Time type = Ticks, time = 188343 True 2
Get Time type = Ticks, time = 188406 True 2
Get Time type = Ticks, time = 188421 True 1
Get Time type = Ticks, time = 188437 True 2
Get Time type = Ticks, time = 188453 True 1
Get Time type = Ticks, time = 188468 True 2
Get Time type = Ticks, time = 188484 True 1
Get Time type = Ticks, time = 188500 True 2
Get Time type = Ticks, time = 188515 True 1
Get Time type = Ticks, time = 188531 True 2
Get Time type = Ticks, time = 188562 True 2
Get Time type = Ticks, time = 188578 True 2
Get Time type = Ticks, time = 188593 True 1
Get Time type = Ticks, time = 188609 True 2
Get Time type = Ticks, time = 188625 True 1
Get Time type = Ticks, time = 188640 True 2
Get Time type = Ticks, time = 188656 True 1
Get Time type = Ticks, time = 188671 True 2
Get Time type = Ticks, time = 188687 True 1
Get Time type = Ticks, time = 188703 True 1
Get Time type = Ticks, time = 188718 True 1
Get Time type = Ticks, time = 188734 True 2
Get Time type = Ticks, time = 188750 True 1
Get Time type = Ticks, time = 188765 True 2
Get Time type = Ticks, time = 188781 True 1
Get Time type = Ticks, time = 188796 True 2
Get Time type = Ticks, time = 188812 True 1
Get Time type = Ticks, time = 188828 True 2
Get Time type = Local Time, time = 2018-11-20 16:27:42 (Local Time) True 165
Get Time type = Ticks, time = 188843 True 1
Get Time type = Ticks, time = 188859 True 2
Get Time type = Ticks, time = 188875 True 1
Get Time type = Ticks, time = 188890 True 2
Get Time type = Ticks, time = 188906 True 1
Get Time type = Ticks, time = 188921 True 2
Get Time type = Ticks, time = 188937 True 1
Get Time type = Ticks, time = 188953 True 2
Get Time type = Ticks, time = 188968 True 1
Get Time type = Ticks, time = 188984 True 2
Get Time type = Ticks, time = 189000 True 1
Get Time type = Ticks, time = 189015 True 2
Get Time type = Ticks, time = 189046 True 1
Get Time type = Ticks, time = 189062 True 1
Get Time type = Ticks, time = 189078 True 2
Get Time type = Ticks, time = 189093 True 1
Get Time type = Ticks, time = 189109 True 2
Get Time type = Ticks, time = 189125 True 1
Get Time type = Ticks, time = 189140 True 2
Get Time type = Ticks, time = 189156 True 1
Get Time type = Ticks, time = 189171 True 2
Get Time type = Ticks, time = 189187 True 1
Get Time type = Ticks, time = 189203 True 2
Get Time type = Ticks, time = 189218 True 1
Get Time type = Ticks, time = 189234 True 2
Get Time type = Ticks, time = 189250 True 1
Get Time type = Ticks, time = 189265 True 2
Get Time type = Ticks, time = 189281 True 1
Get Time type = Ticks, time = 189296 True 2
Get Time type = Ticks, time = 189312 True 1
Get Time type = Ticks, time = 189328 True 2
Get Time type = Ticks, time = 189343 True 1
Get Time type = Ticks, time = 189359 True 2
Get Time type = Ticks, time = 189375 True 1
Get Time type = Ticks, time = 189421 True 1
Get Time type = Ticks, time = 189437 True 1
Get Time type = Ticks, time = 189453 True 2
Get Time type = Ticks, time = 189468 True 1
Get Time type = Ticks, time = 189484 True 2
Get Time type = Ticks, time = 189500 True 1
Get Time type = Ticks, time = 189515 True 2
Get Time type = Ticks, time = 189531 True 1
Get Time type = Ticks, time = 189546 True 1
Get Time type = Ticks, time = 189562 True 1
Get Time type = Ticks, time = 189578 True 2
Get Time type = Ticks, time = 189593 True 1
Get Time type = Ticks, time = 189609 True 2
Get Time type = Ticks, time = 189625 True 1
Get Time type = Ticks, time = 189640 True 2
Get Time type = Ticks, time = 189656 True 1
Get Time type = Ticks, time = 189671 True 1
Get Time type = Ticks, time = 189703 True 2
Get Time type = Ticks, time = 189718 True 1
Get Time type = Ticks, time = 189734 True 2
Get Time type = Ticks, time = 189765 True 2
Get Time type = Ticks, time = 189781 True 1
Get Time type = Ticks, time = 189796 True 2
Get Time type = Ticks, time = 189812 True 1
Get Time type = Ticks, time = 189828 True 2
Get Time type = Local Time, time = 2018-11-20 16:27:43 (Local Time) True 150
Get Time type = Ticks, time = 189843 True 1
Get Time type = Ticks, time = 189859 True 2
Get Time type = Ticks, time = 189875 True 1
Get Time type = Ticks, time = 189890 True 2
Get Time type = Ticks, time = 189921 True 2
Get Time type = Ticks, time = 189937 True 1
Get Time type = Ticks, time = 189953 True 2
Get Time type = Ticks, time = 189968 True 1
Get Time type = Ticks, time = 189984 True 2
Get Time type = Ticks, time = 190000 True 1
Get Time type = Ticks, time = 190015 True 2
Get Time type = Ticks, time = 190031 True 1
Get Time type = Ticks, time = 190046 True 2
Get Time type = Ticks, time = 190062 True 1
Get Time type = Ticks, time = 190078 True 2
Get Time type = Ticks, time = 190093 True 1
Get Time type = Ticks, time = 190109 True 1
Get Time type = Ticks, time = 190125 True 1
Get Time type = Ticks, time = 190140 True 2
Get Time type = Ticks, time = 190156 True 1
Get Time type = Ticks, time = 190171 True 2
Get Time type = Ticks, time = 190187 True 1
Get Time type = Ticks, time = 190203 True 2
Get Time type = Ticks, time = 190234 True 2
Get Time type = Ticks, time = 190250 True 1
Get Time type = Ticks, time = 190265 True 1
Get Time type = Ticks, time = 190281 True 1
Get Time type = Ticks, time = 190296 True 2
Get Time type = Ticks, time = 190312 True 1
Get Time type = Ticks, time = 190343 True 2
Get Time type = Ticks, time = 190375 True 2
Get Time type = Ticks, time = 190421 True 2
Get Time type = Ticks, time = 190437 True 1
Get Time type = Ticks, time = 190453 True 2
Get Time type = Ticks, time = 190484 True 2
Get Time type = Ticks, time = 190500 True 1
Get Time type = Ticks, time = 190515 True 2
Get Time type = Ticks, time = 190531 True 1
Get Time type = Ticks, time = 190562 True 2
Get Time type = Ticks, time = 190578 True 1
Get Time type = Ticks, time = 190593 True 2
Get Time type = Ticks, time = 190609 True 1
Get Time type = Ticks, time = 190640 True 2
Get Time type = Ticks, time = 190656 True 1
Get Time type = Ticks, time = 190671 True 2
Get Time type = Ticks, time = 190687 True 1
Get Time type = Ticks, time = 190750 True 2
Get Time type = Ticks, time = 190765 True 1
Get Time type = Ticks, time = 190781 True 2
Get Time type = Ticks, time = 190796 True 1
Get Time type = Ticks, time = 190812 True 2
Get Time type = Local Time, time = 2018-11-20 16:27:44 (Local Time) True 117
Get Time type = Ticks, time = 190828 True 1
Get Time type = Ticks, time = 190843 True 2
Get Time type = Ticks, time = 190859 True 1
Get Time type = Ticks, time = 190875 True 2
Get Time type = Ticks, time = 190890 True 1
Get Time type = Ticks, time = 190906 True 2
Get Time type = Ticks, time = 190921 True 1
Get Time type = Ticks, time = 190937 True 2
Get Time type = Ticks, time = 190953 True 1
Get Time type = Ticks, time = 190968 True 2
Get Time type = Ticks, time = 190984 True 1
Get Time type = Ticks, time = 191000 True 2
Get Time type = Ticks, time = 191015 True 1
Get Time type = Ticks, time = 191031 True 2
Get Time type = Ticks, time = 191046 True 1
Get Time type = Ticks, time = 191062 True 2
Get Time type = Ticks, time = 191078 True 1
Get Time type = Ticks, time = 191093 True 2
Get Time type = Ticks, time = 191109 True 1
Get Time type = Ticks, time = 191125 True 2
Get Time type = Ticks, time = 191140 True 1
Get Time type = Ticks, time = 191156 True 2
Get Time type = Ticks, time = 191171 True 1
Get Time type = Ticks, time = 191187 True 2
Get Time type = Ticks, time = 191203 True 1
Get Time type = Ticks, time = 191218 True 2
Get Time type = Ticks, time = 191234 True 1
Get Time type = Ticks, time = 191250 True 2
Get Time type = Ticks, time = 191281 True 1
Get Time type = Ticks, time = 191312 True 2
Get Time type = Ticks, time = 191328 True 1
Get Time type = Ticks, time = 191343 True 2
Get Time type = Ticks, time = 191359 True 1
Get Time type = Ticks, time = 191375 True 2
Get Time type = Ticks, time = 191500 True 2
Get Time type = Ticks, time = 191546 True 1
Get Time type = Ticks, time = 191562 True 1
Get Time type = Ticks, time = 191593 True 1
Get Time type = Ticks, time = 191656 True 1
Get Time type = Ticks, time = 191671 True 1
Get Time type = Ticks, time = 191734 True 1
Get Time type = Ticks, time = 191796 True 2
Get Time type = Local Time, time = 2018-11-20 16:27:45 (Local Time) True 81
Get Time type = Ticks, time = 191843 True 1
Get Time type = Ticks, time = 191875 True 1
Get Time type = Ticks, time = 191890 True 1
Get Time type = Ticks, time = 191921 True 2
Get Time type = Ticks, time = 191937 True 1
Get Time type = Ticks, time = 191953 True 2
Get Time type = Ticks, time = 191968 True 1
Get Time type = Ticks, time = 192093 True 2
Get Time type = Ticks, time = 192109 True 1
Get Time type = Ticks, time = 192125 True 2
Get Time type = Ticks, time = 192140 True 1
Get Time type = Ticks, time = 192156 True 2
Get Time type = Ticks, time = 192171 True 1
Get Time type = Ticks, time = 192203 True 2
Get Time type = Ticks, time = 192218 True 1
Get Time type = Ticks, time = 192234 True 2
Get Time type = Ticks, time = 192250 True 1
Get Time type = Ticks, time = 192265 True 2
Get Time type = Ticks, time = 192296 True 1
Get Time type = Ticks, time = 192328 True 1
Get Time type = Ticks, time = 192359 True 1
Get Time type = Ticks, time = 192453 True 2
Get Time type = Ticks, time = 192468 True 1
Get Time type = Ticks, time = 192484 True 2
Get Time type = Ticks, time = 192500 True 1
Get Time type = Ticks, time = 192593 True 2
Get Time type = Ticks, time = 192609 True 1
Get Time type = Ticks, time = 192625 True 2
Get Time type = Ticks, time = 192640 True 1
Get Time type = Ticks, time = 192656 True 1
Get Time type = Ticks, time = 192703 True 1
Get Time type = Ticks, time = 192765 True 1
Get Time type = Ticks, time = 192828 True 1
Get Time type = Ticks, time = 192859 True 1
Get Time type = Local Time, time = 2018-11-20 16:27:46 (Local Time) True 12
Get Time type = Ticks, time = 192875 True 1
Get Time type = Ticks, time = 192921 True 1
Get Time type = Ticks, time = 193000 True 3
Get Time type = Ticks, time = 193125 True 1
Get Time type = Ticks, time = 193187 True 1
Get Time type = Ticks, time = 193250 True 1
Get Time type = Ticks, time = 193281 True 1
Get Time type = Ticks, time = 193312 True 1
Get Time type = Ticks, time = 193359 True 1
Get Time type = Ticks, time = 193468 True 1
Get Time type = Ticks, time = 193500 True 1
Get Time type = Ticks, time = 193531 True 1
Get Time type = Ticks, time = 193562 True 1
Get Time type = Ticks, time = 193593 True 1
Get Time type = Ticks, time = 193625 True 1
Get Time type = Ticks, time = 193656 True 1
Get Time type = Ticks, time = 193687 True 1
Get Time type = Ticks, time = 193718 True 1
Get Time type = Ticks, time = 193750 True 1
Get Time type = Ticks, time = 193781 True 1
Get Time type = Ticks, time = 193812 True 1
Get Time type = Ticks, time = 193843 True 1
Get Time type = Ticks, time = 193875 True 1
Get Time type = Ticks, time = 193921 True 1
Get Time type = Ticks, time = 193953 True 1
Get Time type = Ticks, time = 194000 True 1
Get Time type = Ticks, time = 194031 True 1
Get Time type = Ticks, time = 194062 True 1
Get Time type = Ticks, time = 194718 True 1
Get Time type = Ticks, time = 194796 True 1
Get Time type = Ticks, time = 194859 True 1
Get Time type = Ticks, time = 194890 True 1
Get Time type = Ticks, time = 194921 True 1
Get Time type = Ticks, time = 194953 True 1
Get Time type = Ticks, time = 195000 True 1
Get Time type = Ticks, time = 195031 True 1
Get Time type = Ticks, time = 195062 True 1
Get Time type = Ticks, time = 195093 True 1
Get Time type = Ticks, time = 195125 True 1
Get Time type = Ticks, time = 195156 True 1
Get Time type = Ticks, time = 195187 True 1
Get Time type = Ticks, time = 195218 True 1
Get Time type = Ticks, time = 195265 True 1
Get Time type = Ticks, time = 195296 True 1
Get Time type = Ticks, time = 195328 True 1
Get Time type = Ticks, time = 195359 True 1
Get Time type = Ticks, time = 195390 True 1
Get Time type = Ticks, time = 195421 True 1
Get Time type = Ticks, time = 195453 True 1
Get Time type = Ticks, time = 195484 True 1
Get Time type = Ticks, time = 195515 True 1
Get Time type = Ticks, time = 195546 True 1
Get Time type = Ticks, time = 195578 True 1
Get Time type = Ticks, time = 195609 True 1
Get Time type = Ticks, time = 195640 True 1
Get Time type = Ticks, time = 195671 True 1
Get Time type = Ticks, time = 195703 True 1
Get Time type = Ticks, time = 195734 True 1
Get Time type = Ticks, time = 195765 True 1
Get Time type = Ticks, time = 195796 True 1
Get Time type = Ticks, time = 195843 True 1
Get Time type = Ticks, time = 195875 True 1
Get Time type = Ticks, time = 195906 True 1
Get Time type = Ticks, time = 195953 True 1
Get Time type = Ticks, time = 196015 True 1
Get Time type = Ticks, time = 196046 True 1
Get Time type = Ticks, time = 196093 True 1
Get Time type = Ticks, time = 196125 True 1
Get Time type = Ticks, time = 196171 True 1
Get Time type = Ticks, time = 196203 True 1
Get Time type = Ticks, time = 196281 True 1
Get Time type = Ticks, time = 196343 True 1
Get Time type = Ticks, time = 196500 True 1
Get Time type = Ticks, time = 196531 True 1
Get Time type = Ticks, time = 196562 True 1
Get Time type = Ticks, time = 196609 True 1
Get Time type = Ticks, time = 196640 True 1
Get Time type = Ticks, time = 196671 True 1
Get Time type = Ticks, time = 196703 True 1
Get Time type = Ticks, time = 196734 True 1
Get Time type = Ticks, time = 196765 True 1
Get Time type = Ticks, time = 196796 True 1
Get Time type = Ticks, time = 196828 True 1
Get Time type = Ticks, time = 196859 True 1
Get Time type = Ticks, time = 196890 True 1
Get Time type = Ticks, time = 196921 True 1
Get Time type = Ticks, time = 196953 True 1
Get Time type = Ticks, time = 197015 True 1
Get Time type = Ticks, time = 197046 True 1
Get Time type = Ticks, time = 197078 True 1
Get Time type = Ticks, time = 197109 True 1
Get Time type = Ticks, time = 197140 True 1
Get Time type = Ticks, time = 197171 True 1
Get Time type = Ticks, time = 197203 True 1
Get Time type = Ticks, time = 197234 True 1
Get Time type = Ticks, time = 197265 True 1
Get Time type = Ticks, time = 197296 True 1
Get Time type = Ticks, time = 197328 True 1
Get Time type = Ticks, time = 197359 True 1
Get Time type = Ticks, time = 197390 True 1
Get Time type = Ticks, time = 197421 True 1
Get Time type = Ticks, time = 197453 True 1
Get Time type = Ticks, time = 197484 True 1
Get Time type = Ticks, time = 197515 True 1
Get Time type = Ticks, time = 197546 True 1
Get Time type = Ticks, time = 197562 True 1
Get Time type = Ticks, time = 197593 True 1
Get Time type = Ticks, time = 197625 True 1
Get Time type = Ticks, time = 197656 True 1
Get Time type = Ticks, time = 197687 True 1
Get Time type = Ticks, time = 197718 True 1
Get Time type = Ticks, time = 197750 True 1
Get Time type = Ticks, time = 197781 True 1
Get Time type = Ticks, time = 197812 True 1
Get Time type = Ticks, time = 197843 True 1
Get Time type = Ticks, time = 197875 True 1
Get Time type = Ticks, time = 197906 True 1
Get Time type = Ticks, time = 197953 True 1
Get Time type = Ticks, time = 198015 True 1
Get Time type = Ticks, time = 198046 True 1
Get Time type = Ticks, time = 198062 True 1
Get Time type = Ticks, time = 198078 True 1
Get Time type = Ticks, time = 198109 True 1
Get Time type = Ticks, time = 198125 True 1
Get Time type = Ticks, time = 198140 True 1
Get Time type = Ticks, time = 198171 True 1
Get Time type = Ticks, time = 198187 True 1
Get Time type = Ticks, time = 198203 True 1
Get Time type = Ticks, time = 198234 True 1
Get Time type = Ticks, time = 198250 True 1
Get Time type = Ticks, time = 198265 True 1
Get Time type = Ticks, time = 198296 True 1
Get Time type = Ticks, time = 198312 True 1
Get Time type = Ticks, time = 198328 True 1
Get Time type = Ticks, time = 198359 True 1
Get Time type = Ticks, time = 198375 True 1
Get Time type = Ticks, time = 198390 True 1
Get Time type = Ticks, time = 198437 True 2
Get Time type = Ticks, time = 198468 True 1
Get Time type = Ticks, time = 198515 True 2
Get Time type = Ticks, time = 198562 True 1
Get Time type = Ticks, time = 198578 True 1
Get Time type = Ticks, time = 198609 True 1
Get Time type = Ticks, time = 198640 True 2
Get Time type = Ticks, time = 198671 True 1
Get Time type = Ticks, time = 198750 True 2
Get Time type = Ticks, time = 198781 True 1
Get Time type = Ticks, time = 198812 True 2
Get Time type = Ticks, time = 198843 True 1
Get Time type = Ticks, time = 198875 True 2
Get Time type = Ticks, time = 198906 True 1
Get Time type = Ticks, time = 198937 True 2
Get Time type = Ticks, time = 198953 True 1
Get Time type = Ticks, time = 198984 True 1
Get Time type = Ticks, time = 199031 True 2
Get Time type = Ticks, time = 199062 True 1
Get Time type = Ticks, time = 199093 True 2
Get Time type = Ticks, time = 199109 True 1
Get Time type = Ticks, time = 199140 True 2
Get Time type = Ticks, time = 199171 True 1
Get Time type = Ticks, time = 199203 True 2
Get Time type = Ticks, time = 199234 True 1
Get Time type = Ticks, time = 199265 True 2
Get Time type = Ticks, time = 199296 True 1
Get Time type = Ticks, time = 199328 True 1
Get Time type = Ticks, time = 199359 True 1
Get Time type = Ticks, time = 199375 True 1
Get Time type = Ticks, time = 199656 True 1
Get Time type = Ticks, time = 199687 True 1
Get Time type = Ticks, time = 199718 True 1
Get Time type = Ticks, time = 199781 True 1
Get Time type = Ticks, time = 199812 True 1
Get Time type = Ticks, time = 199843 True 1
Get Time type = Ticks, time = 199875 True 1
Get Time type = Ticks, time = 199906 True 1
Get Time type = Ticks, time = 199937 True 1
Get Time type = Ticks, time = 199968 True 1
Get Time type = Ticks, time = 200000 True 1
Get Time type = Ticks, time = 200031 True 1
Get Time type = Ticks, time = 200062 True 1
Get Time type = Ticks, time = 200093 True 1
Get Time type = Ticks, time = 200125 True 1
Get Time type = Ticks, time = 200156 True 1
Get Time type = Ticks, time = 200187 True 1
Get Time type = Ticks, time = 200265 True 1
Get Time type = Ticks, time = 200296 True 1
Get Time type = Ticks, time = 200328 True 1
Get Time type = Ticks, time = 200359 True 1
Get Time type = Ticks, time = 200390 True 1
Get Time type = Ticks, time = 200421 True 1
Get Time type = Ticks, time = 200453 True 1
Get Time type = Ticks, time = 200484 True 1
Get Time type = Ticks, time = 200515 True 1
Get Time type = Ticks, time = 200546 True 1
Get Time type = Ticks, time = 200578 True 1
Get Time type = Ticks, time = 200609 True 1
Get Time type = Ticks, time = 200640 True 1
Get Time type = Ticks, time = 200671 True 1
Get Time type = Ticks, time = 200703 True 1
Get Time type = Ticks, time = 200734 True 1
Fn
Get Time type = Local Time, time = 2018-11-20 16:27:53 (Local Time) True 3
Fn
Get Time type = Ticks, time = 200750 True 1
Fn
Get Time type = Ticks, time = 200781 True 1
Fn
Get Time type = Ticks, time = 200812 True 1
Fn
Get Time type = Ticks, time = 200843 True 1
Fn
Get Time type = Ticks, time = 200875 True 1
Fn
Get Time type = Ticks, time = 200906 True 1
Fn
Get Time type = Ticks, time = 200937 True 1
Fn
Get Time type = Ticks, time = 200984 True 1
Fn
Get Time type = Ticks, time = 201015 True 1
Fn
Get Time type = Ticks, time = 201046 True 1
Fn
Get Time type = Ticks, time = 201078 True 1
Fn
Get Time type = Ticks, time = 201109 True 1
Fn
Get Time type = Ticks, time = 201140 True 1
Fn
Get Time type = Ticks, time = 201171 True 1
Fn
Get Time type = Ticks, time = 201203 True 1
Fn
Get Time type = Ticks, time = 201234 True 1
Fn
Get Time type = Ticks, time = 201281 True 1
Fn
Get Time type = Ticks, time = 201312 True 1
Fn
Get Time type = Ticks, time = 201343 True 1
Fn
Get Time type = Ticks, time = 201375 True 1
Fn
Get Time type = Ticks, time = 201406 True 1
Fn
Get Time type = Ticks, time = 201437 True 1
Fn
Get Time type = Ticks, time = 201468 True 1
Fn
Get Time type = Ticks, time = 201500 True 1
Fn
Get Time type = Ticks, time = 201531 True 1
Fn
Get Time type = Ticks, time = 201562 True 1
Fn
Get Time type = Ticks, time = 201593 True 1
Fn
Get Time type = Ticks, time = 201640 True 1
Fn
Get Time type = Ticks, time = 201671 True 1
Fn
Get Time type = Ticks, time = 201703 True 1
Fn
Get Time type = Ticks, time = 201781 True 1
Fn
Get Time type = Ticks, time = 201812 True 1
Fn
Get Time type = Ticks, time = 201843 True 1
Fn
Get Time type = Ticks, time = 201875 True 1
Fn
Get Time type = Ticks, time = 201906 True 1
Fn
Get Time type = Ticks, time = 201937 True 1
Fn
Get Time type = Ticks, time = 201968 True 1
Fn
Get Time type = Ticks, time = 202000 True 1
Fn
Get Time type = Ticks, time = 202031 True 1
Fn
Get Time type = Ticks, time = 202062 True 1
Fn
Get Time type = Ticks, time = 202093 True 1
Fn
Get Time type = Ticks, time = 202125 True 1
Fn
Get Time type = Ticks, time = 202156 True 1
Fn
Get Time type = Ticks, time = 202187 True 1
Fn
Get Time type = Ticks, time = 202218 True 1
Fn
Get Time type = Ticks, time = 202265 True 1
Fn
Get Time type = Ticks, time = 202296 True 1
Fn
Get Time type = Ticks, time = 202328 True 1
Fn
Get Time type = Ticks, time = 202359 True 1
Fn
Get Time type = Ticks, time = 202390 True 1
Fn
Get Time type = Ticks, time = 202421 True 1
Fn
Get Time type = Ticks, time = 202453 True 1
Fn
Get Time type = Ticks, time = 202484 True 1
Fn
Get Time type = Ticks, time = 202515 True 1
Fn
Get Time type = Ticks, time = 202546 True 1
Fn
Get Time type = Ticks, time = 202578 True 1
Fn
Get Time type = Ticks, time = 202609 True 1
Fn
Get Time type = Ticks, time = 202640 True 1
Fn
Get Time type = Ticks, time = 202671 True 1
Fn
Get Time type = Ticks, time = 202703 True 1
Fn
Get Time type = Ticks, time = 202734 True 1
Fn
Get Time type = Ticks, time = 202765 True 1
Fn
Get Time type = Ticks, time = 202796 True 1
Fn
Get Time type = Ticks, time = 202828 True 1
Fn
Get Time type = Ticks, time = 202859 True 1
Fn
Get Time type = Ticks, time = 202890 True 1
Fn
Get Time type = Ticks, time = 202921 True 1
Fn
Get Time type = Ticks, time = 202953 True 1
Fn
Get Time type = Ticks, time = 202984 True 1
Fn
Get Time type = Ticks, time = 203000 True 1
Fn
Get Time type = Local Time, time = 2018-11-20 16:27:56 (Local Time) True 144
Fn
Get Time type = Ticks, time = 203015 True 3
Fn
Get Time type = Ticks, time = 203031 True 2
Fn
Get Time type = Ticks, time = 203046 True 3
Fn
Get Time type = Ticks, time = 203062 True 2
Fn
Get Time type = Ticks, time = 203078 True 3
Fn
Get Time type = Ticks, time = 203093 True 2
Fn
Get Time type = Ticks, time = 203109 True 3
Fn
Get Time type = Ticks, time = 203125 True 2
Fn
Get Time type = Ticks, time = 203140 True 3
Fn
Get Time type = Ticks, time = 203156 True 2
Fn
Get Time type = Ticks, time = 203171 True 3
Fn
Get Time type = Ticks, time = 203187 True 2
Fn
Get Time type = Ticks, time = 203203 True 3
Fn
Get Time type = Ticks, time = 203218 True 2
Fn
Get Time type = Ticks, time = 203234 True 3
Fn
Get Time type = Ticks, time = 203281 True 3
Fn
Get Time type = Ticks, time = 203312 True 3
Fn
Get Time type = Ticks, time = 203328 True 2
Fn
Get Time type = Ticks, time = 203343 True 3
Fn
Get Time type = Ticks, time = 203359 True 2
Fn
Get Time type = Ticks, time = 203375 True 3
Fn
Get Time type = Ticks, time = 203390 True 2
Fn
Get Time type = Ticks, time = 203406 True 3
Fn
Get Time type = Ticks, time = 203453 True 5
Fn
Get Time type = Ticks, time = 203468 True 2
Fn
Get Time type = Ticks, time = 203484 True 3
Fn
Get Time type = Ticks, time = 203500 True 2
Fn
Get Time type = Ticks, time = 203515 True 3
Fn
Get Time type = Ticks, time = 203531 True 2
Fn
Get Time type = Ticks, time = 203546 True 3
Fn
Get Time type = Ticks, time = 203578 True 5
Fn
Get Time type = Ticks, time = 203593 True 2
Fn
Get Time type = Ticks, time = 203609 True 3
Fn
Get Time type = Ticks, time = 203625 True 2
Fn
Get Time type = Ticks, time = 203640 True 3
Fn
Get Time type = Ticks, time = 203656 True 2
Fn
Get Time type = Ticks, time = 203671 True 3
Fn
Get Time type = Ticks, time = 203687 True 2
Fn
Get Time type = Ticks, time = 203703 True 3
Fn
Get Time type = Ticks, time = 203718 True 2
Fn
Get Time type = Ticks, time = 203734 True 2
Fn
Get Time type = Ticks, time = 203750 True 3
Fn
Get Time type = Ticks, time = 203765 True 2
Fn
Get Time type = Ticks, time = 203781 True 3
Fn
Get Time type = Ticks, time = 203796 True 2
Fn
Get Time type = Ticks, time = 203812 True 3
Fn
Get Time type = Local Time, time = 2018-11-20 16:27:57 (Local Time) True 186
Fn
Get Time type = Ticks, time = 203828 True 2
Fn
Get Time type = Ticks, time = 203843 True 3
Fn
Get Time type = Ticks, time = 203859 True 2
Fn
Get Time type = Ticks, time = 203875 True 3
Fn
Get Time type = Ticks, time = 203890 True 2
Fn
Get Time type = Ticks, time = 203906 True 3
Fn
Get Time type = Ticks, time = 203921 True 2
Fn
Get Time type = Ticks, time = 203937 True 3
Fn
Get Time type = Ticks, time = 203953 True 2
Fn
Get Time type = Ticks, time = 203968 True 3
Fn
Get Time type = Ticks, time = 203984 True 2
Fn
Get Time type = Ticks, time = 204000 True 3
Fn
Get Time type = Ticks, time = 204015 True 2
Fn
Get Time type = Ticks, time = 204031 True 3
Fn
Get Time type = Ticks, time = 204046 True 2
Fn
Get Time type = Ticks, time = 204062 True 3
Fn
Get Time type = Ticks, time = 204078 True 2
Fn
Get Time type = Ticks, time = 204093 True 3
Fn
Get Time type = Ticks, time = 204109 True 2
Fn
Get Time type = Ticks, time = 204125 True 3
Fn
Get Time type = Ticks, time = 204140 True 2
Fn
Get Time type = Ticks, time = 204156 True 3
Fn
Get Time type = Ticks, time = 204171 True 2
Fn
Get Time type = Ticks, time = 204187 True 3
Fn
Get Time type = Ticks, time = 204203 True 2
Fn
Get Time type = Ticks, time = 204218 True 3
Fn
Get Time type = Ticks, time = 204234 True 2
Fn
Get Time type = Ticks, time = 204250 True 3
Fn
Get Time type = Ticks, time = 204265 True 2
Fn
Get Time type = Ticks, time = 204312 True 3
Fn
Get Time type = Ticks, time = 204328 True 2
Fn
Get Time type = Ticks, time = 204343 True 3
Fn
Get Time type = Ticks, time = 204359 True 2
Fn
Get Time type = Ticks, time = 204375 True 3
Fn
Get Time type = Ticks, time = 204390 True 2
Fn
Get Time type = Ticks, time = 204406 True 3
Fn
Get Time type = Ticks, time = 204421 True 2
Fn
Get Time type = Ticks, time = 204437 True 3
Fn
Get Time type = Ticks, time = 204468 True 5
Fn
Get Time type = Ticks, time = 204484 True 2
Fn
Get Time type = Ticks, time = 204500 True 3
Fn
Get Time type = Ticks, time = 204515 True 2
Fn
Get Time type = Ticks, time = 204531 True 3
Fn
Get Time type = Ticks, time = 204546 True 2
Fn
Get Time type = Ticks, time = 204562 True 3
Fn
Get Time type = Ticks, time = 204578 True 2
Fn
Get Time type = Ticks, time = 204593 True 3
Fn
Get Time type = Ticks, time = 204609 True 2
Fn
Get Time type = Ticks, time = 204625 True 3
Fn
Get Time type = Ticks, time = 204640 True 2
Fn
Get Time type = Ticks, time = 204656 True 3
Fn
Get Time type = Ticks, time = 204671 True 2
Fn
Get Time type = Ticks, time = 204687 True 3
Fn
Get Time type = Ticks, time = 204703 True 2
Fn
Get Time type = Ticks, time = 204734 True 5
Fn
Get Time type = Ticks, time = 204750 True 3
Fn
Get Time type = Ticks, time = 204765 True 2
Fn
Get Time type = Ticks, time = 204781 True 3
Fn
Get Time type = Ticks, time = 204796 True 2
Fn
Get Time type = Ticks, time = 204812 True 3
Fn
Get Time type = Local Time, time = 2018-11-20 16:27:58 (Local Time) True 186
Fn
Get Time type = Ticks, time = 204828 True 2
Fn
Get Time type = Ticks, time = 204843 True 3
Fn
Get Time type = Ticks, time = 204859 True 2
Fn
Get Time type = Ticks, time = 204875 True 3
Fn
Get Time type = Ticks, time = 204890 True 2
Fn
Get Time type = Ticks, time = 204906 True 3
Fn
Get Time type = Ticks, time = 204921 True 2
Fn
Get Time type = Ticks, time = 204953 True 5
Fn
Get Time type = Ticks, time = 204968 True 3
Fn
Get Time type = Ticks, time = 204984 True 2
Fn
Get Time type = Ticks, time = 205000 True 3
Fn
Get Time type = Ticks, time = 205015 True 2
Fn
Get Time type = Ticks, time = 205031 True 3
Fn
Get Time type = Ticks, time = 205046 True 2
Fn
Get Time type = Ticks, time = 205062 True 3
Fn
Get Time type = Ticks, time = 205078 True 2
Fn
Get Time type = Ticks, time = 205093 True 3
Fn
Get Time type = Ticks, time = 205109 True 2
Fn
Get Time type = Ticks, time = 205125 True 3
Fn
Get Time type = Ticks, time = 205140 True 2
Fn
Get Time type = Ticks, time = 205156 True 3
Fn
Get Time type = Ticks, time = 205171 True 2
Fn
Get Time type = Ticks, time = 205187 True 3
Fn
Get Time type = Ticks, time = 205203 True 2
Fn
Get Time type = Ticks, time = 205218 True 3
Fn
Get Time type = Ticks, time = 205234 True 2
Fn
Get Time type = Ticks, time = 205250 True 3
Fn
Get Time type = Ticks, time = 205265 True 2
Fn
Get Time type = Ticks, time = 205281 True 3
Fn
Get Time type = Ticks, time = 205296 True 2
Fn
Get Time type = Ticks, time = 205312 True 3
Fn
Get Time type = Ticks, time = 205359 True 3
Fn
Get Time type = Ticks, time = 205375 True 2
Fn
Get Time type = Ticks, time = 205390 True 3
Fn
Get Time type = Ticks, time = 205406 True 2
Fn
Get Time type = Ticks, time = 205421 True 3
Fn
Get Time type = Ticks, time = 205437 True 2
Fn
Get Time type = Ticks, time = 205453 True 3
Fn
Get Time type = Ticks, time = 205468 True 2
Fn
Get Time type = Ticks, time = 205484 True 3
Fn
Get Time type = Ticks, time = 205500 True 2
Fn
Get Time type = Ticks, time = 205515 True 3
Fn
Get Time type = Ticks, time = 205531 True 2
Fn
Get Time type = Ticks, time = 205546 True 3
Fn
Get Time type = Ticks, time = 205562 True 2
Fn
Get Time type = Ticks, time = 205578 True 3
Fn
Get Time type = Ticks, time = 205593 True 2
Fn
Get Time type = Ticks, time = 205609 True 3
Fn
Get Time type = Ticks, time = 205625 True 2
Fn
Get Time type = Ticks, time = 205640 True 3
Fn
Get Time type = Ticks, time = 205656 True 2
Fn
Get Time type = Ticks, time = 205671 True 3
Fn
Get Time type = Ticks, time = 205687 True 2
Fn
Get Time type = Ticks, time = 205703 True 3
Fn
Get Time type = Ticks, time = 205734 True 6
Fn
Get Time type = Ticks, time = 205750 True 2
Fn
Get Time type = Ticks, time = 205765 True 3
Fn
Get Time type = Ticks, time = 205781 True 2
Fn
Get Time type = Ticks, time = 205796 True 3
Fn
Get Time type = Ticks, time = 205812 True 2
Fn
Get Time type = Ticks, time = 205828 True 3
Fn
Get Time type = Local Time, time = 2018-11-20 16:27:59 (Local Time) True 45
Fn
Get Time type = Ticks, time = 205843 True 3
Fn
Get Time type = Ticks, time = 205937 True 5
Fn
Get Time type = Ticks, time = 206046 True 3
Fn
Get Time type = Ticks, time = 206156 True 1
Fn
Get Time type = Ticks, time = 206187 True 1
Fn
Get Time type = Ticks, time = 206406 True 3
Fn
Get Time type = Ticks, time = 206421 True 2
Fn
Get Time type = Ticks, time = 206437 True 3
Fn
Get Time type = Ticks, time = 206515 True 5
Fn
Get Time type = Ticks, time = 206531 True 2
Fn
Get Time type = Ticks, time = 206718 True 3
Fn
Get Time type = Ticks, time = 206734 True 2
Fn
Get Time type = Ticks, time = 206750 True 3
Fn
Get Time type = Ticks, time = 206765 True 2
Fn
Get Time type = Local Time, time = 2018-11-20 16:28:00 (Local Time) True 183
Fn
Get Time type = Ticks, time = 206828 True 5
Fn
Get Time type = Ticks, time = 206843 True 3
Fn
Get Time type = Ticks, time = 206859 True 2
Fn
Get Time type = Ticks, time = 206875 True 3
Fn
Get Time type = Ticks, time = 206906 True 5
Fn
Get Time type = Ticks, time = 206921 True 2
Fn
Get Time type = Ticks, time = 206937 True 3
Fn
Get Time type = Ticks, time = 206953 True 2
Fn
Get Time type = Ticks, time = 206968 True 3
Fn
Get Time type = Ticks, time = 206984 True 2
Fn
Get Time type = Ticks, time = 207000 True 3
Fn
Get Time type = Ticks, time = 207015 True 2
Fn
Get Time type = Ticks, time = 207031 True 3
Fn
Get Time type = Ticks, time = 207078 True 3
Fn
Get Time type = Ticks, time = 207093 True 2
Fn
Get Time type = Ticks, time = 207109 True 3
Fn
Get Time type = Ticks, time = 207125 True 2
Fn
Get Time type = Ticks, time = 207140 True 3
Fn
Get Time type = Ticks, time = 207156 True 2
Fn
Get Time type = Ticks, time = 207171 True 3
Fn
Get Time type = Ticks, time = 207187 True 2
Fn
Get Time type = Ticks, time = 207203 True 3
Fn
Get Time type = Ticks, time = 207218 True 2
Fn
Get Time type = Ticks, time = 207234 True 3
Fn
Get Time type = Ticks, time = 207250 True 2
Fn
Get Time type = Ticks, time = 207265 True 3
Fn
Get Time type = Ticks, time = 207281 True 2
Fn
Get Time type = Ticks, time = 207296 True 3
Fn
Get Time type = Ticks, time = 207312 True 2
Fn
Get Time type = Ticks, time = 207328 True 3
Fn
Get Time type = Ticks, time = 207343 True 2
Fn
Get Time type = Ticks, time = 207359 True 3
Fn
Get Time type = Ticks, time = 207375 True 2
Fn
Get Time type = Ticks, time = 207390 True 3
Fn
Get Time type = Ticks, time = 207406 True 2
Fn
Get Time type = Ticks, time = 207421 True 3
Fn
Get Time type = Ticks, time = 207437 True 2
Fn
Get Time type = Ticks, time = 207453 True 3
Fn
Get Time type = Ticks, time = 207468 True 2
Fn
Get Time type = Ticks, time = 207484 True 3
Fn
Get Time type = Ticks, time = 207500 True 2
Fn
Get Time type = Ticks, time = 207515 True 3
Fn
Get Time type = Ticks, time = 207531 True 2
Fn
Get Time type = Ticks, time = 207546 True 3
Fn
Get Time type = Ticks, time = 207562 True 2
Fn
Get Time type = Ticks, time = 207578 True 3
Fn
Get Time type = Ticks, time = 207593 True 2
Fn
Get Time type = Ticks, time = 207609 True 3
Fn
Get Time type = Ticks, time = 207656 True 3
Fn
Get Time type = Ticks, time = 207687 True 3
Fn
Get Time type = Ticks, time = 207703 True 2
Fn
Get Time type = Ticks, time = 207718 True 3
Fn
Get Time type = Ticks, time = 207734 True 2
Fn
Get Time type = Ticks, time = 207750 True 3
Fn
Get Time type = Ticks, time = 207765 True 2
Fn
Get Time type = Ticks, time = 207781 True 3
Fn
Get Time type = Ticks, time = 207796 True 2
Fn
Get Time type = Ticks, time = 207812 True 3
Fn
Get Time type = Ticks, time = 207828 True 2
Fn
Get Time type = Local Time, time = 2018-11-20 16:28:01 (Local Time) True 177
Fn
Get Time type = Ticks, time = 207843 True 3
Fn
Get Time type = Ticks, time = 207859 True 2
Fn
Get Time type = Ticks, time = 207875 True 3
Fn
Get Time type = Ticks, time = 207890 True 2
Fn
Get Time type = Ticks, time = 207906 True 3
Fn
Get Time type = Ticks, time = 207921 True 2
Fn
Get Time type = Ticks, time = 207937 True 3
Fn
Get Time type = Ticks, time = 207953 True 2
Fn
Get Time type = Ticks, time = 207968 True 3
Fn
Get Time type = Ticks, time = 207984 True 2
Fn
Get Time type = Ticks, time = 208000 True 3
Fn
Get Time type = Ticks, time = 208015 True 2
Fn
Get Time type = Ticks, time = 208031 True 3
Fn
Get Time type = Ticks, time = 208078 True 3
Fn
Get Time type = Ticks, time = 208093 True 2
Fn
Get Time type = Ticks, time = 208109 True 3
Fn
Get Time type = Ticks, time = 208125 True 2
Fn
Get Time type = Ticks, time = 208140 True 3
Fn
Get Time type = Ticks, time = 208156 True 2
Fn
Get Time type = Ticks, time = 208171 True 3
Fn
Get Time type = Ticks, time = 208187 True 2
Fn
Get Time type = Ticks, time = 208203 True 3
Fn
Get Time type = Ticks, time = 208218 True 2
Fn
Get Time type = Ticks, time = 208234 True 3
Fn
Get Time type = Ticks, time = 208250 True 2
Fn
Get Time type = Ticks, time = 208265 True 3
Fn
Get Time type = Ticks, time = 208281 True 2
Fn
Get Time type = Ticks, time = 208296 True 3
Fn
Get Time type = Ticks, time = 208312 True 2
Fn
Get Time type = Ticks, time = 208328 True 3
Fn
Get Time type = Ticks, time = 208343 True 2
Fn
Get Time type = Ticks, time = 208359 True 3
Fn
Get Time type = Ticks, time = 208375 True 2
Fn
Get Time type = Ticks, time = 208390 True 3
Fn
Get Time type = Ticks, time = 208406 True 2
Fn
Get Time type = Ticks, time = 208421 True 3
Fn
Get Time type = Ticks, time = 208437 True 2
Fn
Get Time type = Ticks, time = 208453 True 3
Fn
Get Time type = Ticks, time = 208468 True 2
Fn
Get Time type = Ticks, time = 208484 True 3
Fn
Get Time type = Ticks, time = 208500 True 3
Fn
Get Time type = Ticks, time = 208515 True 2
Fn
Get Time type = Ticks, time = 208531 True 2
Fn
Get Time type = Ticks, time = 208546 True 3
Fn
Get Time type = Ticks, time = 208562 True 2
Fn
Get Time type = Ticks, time = 208578 True 3
Fn
Get Time type = Ticks, time = 208609 True 3
Fn
Get Time type = Ticks, time = 208625 True 2
Fn
Get Time type = Ticks, time = 208640 True 3
Fn
Get Time type = Ticks, time = 208671 True 3
Fn
Get Time type = Ticks, time = 208687 True 2
Fn
Get Time type = Ticks, time = 208703 True 3
Fn
Get Time type = Ticks, time = 208718 True 2
Fn
Get Time type = Ticks, time = 208734 True 3
Fn
Get Time type = Ticks, time = 208750 True 2
Fn
Get Time type = Ticks, time = 208765 True 3
Fn
Get Time type = Ticks, time = 208781 True 2
Fn
Get Time type = Ticks, time = 208796 True 3
Fn
Get Time type = Ticks, time = 208812 True 2
Fn
Get Time type = Local Time, time = 2018-11-20 16:28:02 (Local Time) True 135
Fn
Get Time type = Ticks, time = 208828 True 3
Fn
Get Time type = Ticks, time = 208843 True 2
Fn
Get Time type = Ticks, time = 208859 True 3
Fn
Get Time type = Ticks, time = 208875 True 2
Fn
Get Time type = Ticks, time = 208890 True 3
Fn
Get Time type = Ticks, time = 208906 True 2
Fn
Get Time type = Ticks, time = 208921 True 3
Fn
Get Time type = Ticks, time = 208937 True 2
Fn
Get Time type = Ticks, time = 208953 True 3
Fn
Get Time type = Ticks, time = 208984 True 3
Fn
Get Time type = Ticks, time = 209000 True 2
Fn
Get Time type = Ticks, time = 209015 True 3
Fn
Get Time type = Ticks, time = 209031 True 2
Fn
Get Time type = Ticks, time = 209078 True 3
Fn
Get Time type = Ticks, time = 209093 True 2
Fn
Get Time type = Ticks, time = 209109 True 3
Fn
Get Time type = Ticks, time = 209125 True 2
Fn
Get Time type = Ticks, time = 209140 True 3
Fn
Get Time type = Ticks, time = 209156 True 2
Fn
Get Time type = Ticks, time = 209171 True 3
Fn
Get Time type = Ticks, time = 209187 True 2
Fn
Get Time type = Ticks, time = 209203 True 3
Fn
Get Time type = Ticks, time = 209218 True 2
Fn
Get Time type = Ticks, time = 209281 True 3
Fn
Get Time type = Ticks, time = 209296 True 2
Fn
Get Time type = Ticks, time = 209312 True 3
Fn
Get Time type = Ticks, time = 209328 True 2
Fn
Get Time type = Ticks, time = 209359 True 1
Fn
Get Time type = Ticks, time = 209390 True 1
Fn
Get Time type = Ticks, time = 209421 True 1
Fn
Get Time type = Ticks, time = 209453 True 1
Fn
Get Time type = Ticks, time = 209484 True 1
Fn
Get Time type = Ticks, time = 209515 True 1
Fn
Get Time type = Ticks, time = 209531 True 2
Fn
Get Time type = Ticks, time = 209546 True 3
Fn
Get Time type = Ticks, time = 209562 True 2
Fn
Get Time type = Ticks, time = 209578 True 3
Fn
Get Time type = Ticks, time = 209593 True 2
Fn
Get Time type = Ticks, time = 209609 True 3
Fn
Get Time type = Ticks, time = 209625 True 2
Fn
Get Time type = Ticks, time = 209640 True 3
Fn
Get Time type = Ticks, time = 209656 True 2
Fn
Get Time type = Ticks, time = 209671 True 3
Fn
Get Time type = Ticks, time = 209687 True 2
Fn
Get Time type = Ticks, time = 209703 True 3
Fn
Get Time type = Ticks, time = 209718 True 2
Fn
Get Time type = Ticks, time = 209750 True 3
Fn
Get Time type = Ticks, time = 209765 True 2
Fn
Get Time type = Ticks, time = 209781 True 3
Fn
Get Time type = Ticks, time = 209796 True 2
Fn
Get Time type = Ticks, time = 209812 True 3
Fn
Get Time type = Local Time, time = 2018-11-20 16:28:03 (Local Time) True 171
Fn
Get Time type = Ticks, time = 209828 True 2
Fn
Get Time type = Ticks, time = 209843 True 3
Fn
Get Time type = Ticks, time = 209859 True 2
Fn
Get Time type = Ticks, time = 209875 True 3
Fn
Get Time type = Ticks, time = 209890 True 2
Fn
Get Time type = Ticks, time = 209906 True 3
Fn
Get Time type = Ticks, time = 209921 True 2
Fn
Get Time type = Ticks, time = 209937 True 3
Fn
Get Time type = Ticks, time = 209953 True 2
Fn
Get Time type = Ticks, time = 209968 True 3
Fn
Get Time type = Ticks, time = 209984 True 2
Fn
Get Time type = Ticks, time = 210000 True 3
Fn
Get Time type = Ticks, time = 210015 True 2
Fn
Get Time type = Ticks, time = 210031 True 3
Fn
Get Time type = Ticks, time = 210046 True 2
Fn
Get Time type = Ticks, time = 210093 True 3
Fn
Get Time type = Ticks, time = 210109 True 2
Fn
Get Time type = Ticks, time = 210125 True 3
Fn
Get Time type = Ticks, time = 210140 True 2
Fn
Get Time type = Ticks, time = 210156 True 3
Fn
Get Time type = Ticks, time = 210171 True 2
Fn
Get Time type = Ticks, time = 210187 True 3
Fn
Get Time type = Ticks, time = 210203 True 2
Fn
Get Time type = Ticks, time = 210218 True 3
Fn
Get Time type = Ticks, time = 210234 True 2
Fn
Get Time type = Ticks, time = 210250 True 3
Fn
Get Time type = Ticks, time = 210265 True 2
Fn
Get Time type = Ticks, time = 210281 True 3
Fn
Get Time type = Ticks, time = 210296 True 2
Fn
Get Time type = Ticks, time = 210312 True 3
Fn
Get Time type = Ticks, time = 210328 True 2
Fn
Get Time type = Ticks, time = 210343 True 3
Fn
Get Time type = Ticks, time = 210359 True 2
Fn
Get Time type = Ticks, time = 210375 True 3
Fn
Get Time type = Ticks, time = 210390 True 2
Fn
Get Time type = Ticks, time = 210406 True 3
Fn
Get Time type = Ticks, time = 210453 True 3
Fn
Get Time type = Ticks, time = 210468 True 2
Fn
Get Time type = Ticks, time = 210484 True 3
Fn
Get Time type = Ticks, time = 210500 True 2
Fn
Get Time type = Ticks, time = 210515 True 1
Fn
Get Time type = Ticks, time = 210546 True 3
Fn
Get Time type = Ticks, time = 210562 True 2
Fn
Get Time type = Ticks, time = 210578 True 3
Fn
Get Time type = Ticks, time = 210593 True 2
Fn
Get Time type = Ticks, time = 210609 True 3
Fn
Get Time type = Ticks, time = 210625 True 2
Fn
Get Time type = Ticks, time = 210640 True 3
Fn
Get Time type = Ticks, time = 210656 True 2
Fn
Get Time type = Ticks, time = 210671 True 3
Fn
Get Time type = Ticks, time = 210687 True 2
Fn
Get Time type = Ticks, time = 210703 True 3
Fn
Get Time type = Ticks, time = 210718 True 2
Fn
Get Time type = Ticks, time = 210734 True 3
Fn
Get Time type = Ticks, time = 210750 True 2
Fn
Get Time type = Ticks, time = 210765 True 3
Fn
Get Time type = Ticks, time = 210781 True 2
Fn
Get Time type = Ticks, time = 210796 True 3
Fn
Get Time type = Ticks, time = 210859 True 3
Fn
Get Time type = Local Time, time = 2018-11-20 16:28:04 (Local Time) True 168
Fn
Get Time type = Ticks, time = 210875 True 2
Fn
Get Time type = Ticks, time = 210890 True 3
Fn
Get Time type = Ticks, time = 210906 True 2
Fn
Get Time type = Ticks, time = 210921 True 3
Fn
Get Time type = Ticks, time = 210937 True 2
Fn
Get Time type = Ticks, time = 210953 True 3
Fn
Get Time type = Ticks, time = 210968 True 2
Fn
Get Time type = Ticks, time = 210984 True 3
Fn
Get Time type = Ticks, time = 211000 True 2
Fn
Get Time type = Ticks, time = 211015 True 3
Fn
Get Time type = Ticks, time = 211031 True 2
Fn
Get Time type = Ticks, time = 211046 True 3
Fn
Get Time type = Ticks, time = 211093 True 3
Fn
Get Time type = Ticks, time = 211109 True 2
Fn
Get Time type = Ticks, time = 211125 True 3
Fn
Get Time type = Ticks, time = 211140 True 2
Fn
Get Time type = Ticks, time = 211156 True 3
Fn
Get Time type = Ticks, time = 211171 True 2
Fn
Get Time type = Ticks, time = 211187 True 3
Fn
Get Time type = Ticks, time = 211203 True 2
Fn
Get Time type = Ticks, time = 211218 True 3
Fn
Get Time type = Ticks, time = 211250 True 3
Fn
Get Time type = Ticks, time = 211265 True 2
Fn
Get Time type = Ticks, time = 211281 True 3
Fn
Get Time type = Ticks, time = 211296 True 2
Fn
Get Time type = Ticks, time = 211312 True 3
Fn
Get Time type = Ticks, time = 211328 True 2
Fn
Get Time type = Ticks, time = 211343 True 3
Fn
Get Time type = Ticks, time = 211359 True 2
Fn
Get Time type = Ticks, time = 211375 True 3
Fn
Get Time type = Ticks, time = 211390 True 2
Fn
Get Time type = Ticks, time = 211406 True 3
Fn
Get Time type = Ticks, time = 211421 True 2
Fn
Get Time type = Ticks, time = 211437 True 3
Fn
Get Time type = Ticks, time = 211453 True 2
Fn
Get Time type = Ticks, time = 211468 True 3
Fn
Get Time type = Ticks, time = 211484 True 2
Fn
Get Time type = Ticks, time = 211500 True 3
Fn
Get Time type = Ticks, time = 211515 True 2
Fn
Get Time type = Ticks, time = 211531 True 3
Fn
Get Time type = Ticks, time = 211546 True 2
Fn
Get Time type = Ticks, time = 211562 True 3
Fn
Get Time type = Ticks, time = 211578 True 2
Fn
Get Time type = Ticks, time = 211593 True 3
Fn
Get Time type = Ticks, time = 211609 True 2
Fn
Get Time type = Ticks, time = 211625 True 3
Fn
Get Time type = Ticks, time = 211640 True 2
Fn
Get Time type = Ticks, time = 211656 True 1
Fn
Get Time type = Ticks, time = 211687 True 1
Fn
Get Time type = Ticks, time = 211703 True 2
Fn
Get Time type = Ticks, time = 211718 True 3
Fn
For performance reasons, the remaining 13 entries are omitted.
The remaining entries can be found in glog.xml.
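The grouped Get Time rows above show the process reading the tick count roughly every 15 to 30 ms, interleaved with Local Time reads that the report groups at up to 186 calls in a single second. The script below is an added example and is not part of the VMRay report or of the sample itself: it parses rows in exactly this flattened column format (Operation, Additional Information, Success, Count; the trailing "Fn" link label is ignored), computes the interval between consecutive tick reads and the per-second Local Time call counts, and flags a tight polling loop. The 50 ms "tight poll" threshold and the 16 ms system-timer constant are my assumptions. A loop that reads the clock this often is consistent with a keystroke polling loop or a sleep/timing check, so it is a reason to look at what the same thread does between reads rather than a verdict on its own.

```python
import re
import statistics
from typing import Dict, List, Tuple

# Constructed sample: rows copied from the grouped "Get Time" log above, in the
# report's flattened column order (Operation | Additional Information | Success | Count).
# "Fn" is the report's link to the per-call function log and carries no data.
SAMPLE_LOG = """\
Get Time type = Ticks, time = 203000 True 1
Fn
Get Time type = Local Time, time = 2018-11-20 16:27:56 (Local Time) True 144
Fn
Get Time type = Ticks, time = 203015 True 3
Get Time type = Ticks, time = 203031 True 2
Get Time type = Ticks, time = 203046 True 3
Get Time type = Ticks, time = 203062 True 2
Get Time type = Ticks, time = 203078 True 3
Get Time type = Ticks, time = 203093 True 2
Get Time type = Ticks, time = 203109 True 3
Get Time type = Ticks, time = 203125 True 2
Get Time type = Ticks, time = 203140 True 3
Get Time type = Local Time, time = 2018-11-20 16:27:57 (Local Time) True 186
"""

TICKS_RE = re.compile(r"^Get Time type = Ticks, time = (\d+) (True|False) (\d+)$")
LOCAL_RE = re.compile(
    r"^Get Time type = Local Time, time = (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\(Local Time\) (True|False) (\d+)$"
)

# Assumption: the default Windows system timer tick is about 15.6 ms, so tick-count
# reads 15-16 ms apart mean the caller wakes and reads the clock on every timer tick.
TIMER_TICK_MS = 16


def parse_get_time(text: str) -> Tuple[List[Tuple[int, int]], List[Tuple[str, int]]]:
    """Split grouped log rows into (tick_ms, count) and (local_time, count) tuples."""
    ticks: List[Tuple[int, int]] = []
    local: List[Tuple[str, int]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = TICKS_RE.match(line)
        if m:
            ticks.append((int(m.group(1)), int(m.group(3))))
            continue
        m = LOCAL_RE.match(line)
        if m:
            local.append((m.group(1), int(m.group(3))))
        # anything else ("Fn", headers, omitted-entries notices) is ignored
    return ticks, local


def tick_intervals(ticks: List[Tuple[int, int]]) -> List[int]:
    """Milliseconds between consecutive tick-count reads, in log order."""
    values = [t for t, _ in ticks]
    return [b - a for a, b in zip(values, values[1:])]


def summarize(text: str, tight_poll_ms: int = 50) -> Dict[str, object]:
    """Characterise the clock-polling pattern in a grouped Get Time log."""
    ticks, local = parse_get_time(text)
    intervals = tick_intervals(ticks)
    median = statistics.median(intervals) if intervals else None
    per_second: Dict[str, int] = {}
    for stamp, n in local:                       # Count = grouped identical calls
        per_second[stamp] = per_second.get(stamp, 0) + n
    return {
        "tick_reads": sum(n for _, n in ticks),  # grouped calls, not rows
        "median_interval_ms": median,
        "on_every_timer_tick": median is not None and median <= TIMER_TICK_MS,
        "max_local_time_reads_per_second": max(per_second.values(), default=0),
        "tight_poll": median is not None and median <= tight_poll_ms,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the full section (or the glog.xml export the report points to) instead of the embedded sample to get the numbers for the whole run; the median rather than the mean is used so the occasional 200 ms gap visible in the log does not hide the 15 ms steady state.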
Mutex (41)
Operation Additional Information Success Count
Create mutex_name = SWE2F15657A4JJCIiHmnxMn6Ps15 True 1
Create mutex_name = SWE2F15657A4JJ True 1
Create mutex_name = xXx_key_xXx True 1
Create mutex_name = SWE2F15657A4JJ_SAIR True 1
Create mutex_name = SWE2F15657A4JJ_RESTART True 1
Create mutex_name = SWE2F15657A4JJ_SAIR True 5
Create mutex_name = SWE2F15657A4JJ_RESTART True 5
Create mutex_name = SWE2F15657A4JJ_SAIR True 8
Create mutex_name = SWE2F15657A4JJ_RESTART True 8
Create mutex_name = SWE2F15657A4JJ_SAIR True 1
Create mutex_name = SWE2F15657A4JJ_RESTART True 1
Create mutex_name = SWE2F15657A4JJ_SAIR True 4
Create mutex_name = SWE2F15657A4JJ_RESTART True 4
Network Behavior
DNS (9)
Operation Additional Information Success Count
Resolve Name host = koko35.ddns.net, address_out = 109.60.97.243 True 9
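The mutex and DNS rows above are the host- and network-level indicators most worth carrying out of this report. The script below is an added example, not part of the VMRay report or of the sample: it parses rows in the report's flattened column format into an IOC list, sums the grouped counts per mutex name, derives the prefix shared by most of the names (SWE2F15657A4JJ, off which the _SAIR and _RESTART variants and the longer first name hang), and flags the dynamic DNS host. The first mutex name appends a suffix that will probably differ between infections, so an exact-match list alone would miss it elsewhere; a prefix match covers it, while xXx_key_xXx shares no prefix and stays an exact-match indicator. The dynamic-DNS suffix list is an assumption (only ddns.net appears in the report).

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample: rows copied from the Mutex and DNS tables above, in the
# report's flattened column order (Operation | Additional Information | Success | Count).
SAMPLE_LOG = """\
Create mutex_name = SWE2F15657A4JJCIiHmnxMn6Ps15 True 1
Fn
Create mutex_name = SWE2F15657A4JJ True 1
Create mutex_name = xXx_key_xXx True 1
Create mutex_name = SWE2F15657A4JJ_SAIR True 1
Create mutex_name = SWE2F15657A4JJ_RESTART True 1
Create mutex_name = SWE2F15657A4JJ_SAIR True 5
Create mutex_name = SWE2F15657A4JJ_RESTART True 5
Resolve Name host = koko35.ddns.net, address_out = 109.60.97.243 True 9
"""

MUTEX_RE = re.compile(r"^Create mutex_name = (\S+) (True|False) (\d+)$")
DNS_RE = re.compile(
    r"^Resolve Name host = (\S+), address_out = (\d{1,3}(?:\.\d{1,3}){3}) (True|False) (\d+)$"
)

# Assumption: a short list of well-known dynamic DNS providers. Only ddns.net
# occurs in the report; the others are added here for the general check.
DYNAMIC_DNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.com", ".duckdns.org", ".hopto.org")


def extract_iocs(text: str) -> Dict[str, object]:
    """Collect successful mutex creations (summed grouped counts) and DNS resolutions."""
    mutexes: Counter = Counter()
    dns: List[Tuple[str, str, int]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = MUTEX_RE.match(line)
        if m and m.group(2) == "True":
            mutexes[m.group(1)] += int(m.group(3))
            continue
        m = DNS_RE.match(line)
        if m and m.group(3) == "True":
            dns.append((m.group(1), m.group(2), int(m.group(4))))
    return {"mutexes": mutexes, "dns": dns}


def mutex_family_prefix(names: Iterable[str], min_len: int = 8) -> str:
    """Longest prefix shared by the most mutex names (the sample's fixed marker)."""
    names = list(names)
    candidates = set()
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            n = 0
            while n < min(len(a), len(b)) and a[n] == b[n]:
                n += 1
            if n >= min_len:
                candidates.add(a[:n])
    best, best_key = "", (0, 0)
    for prefix in candidates:
        # prefer the prefix covering the most names, then the longer one
        key = (sum(1 for x in names if x.startswith(prefix)), len(prefix))
        if key > best_key:
            best, best_key = prefix, key
    return best


def is_dynamic_dns(host: str) -> bool:
    return host.lower().endswith(DYNAMIC_DNS_SUFFIXES)


def matches_known_mutex(name: str, known: Counter, prefix: str) -> bool:
    """Exact IOC hit, or a sibling of the family (e.g. <prefix>_<other suffix>)."""
    return name in known or (bool(prefix) and name.startswith(prefix))


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_LOG)
    prefix = mutex_family_prefix(iocs["mutexes"])
    print("mutex family prefix:", prefix)
    for name, count in iocs["mutexes"].most_common():
        print(f"  {name} x{count}")
    for host, ip, count in iocs["dns"]:
        print(f"dns {host} -> {ip} x{count} dynamic={is_dynamic_dns(host)}")
```

On a live Windows host the resulting names would be tried with OpenMutex (or read from a process's handle table) rather than matched against text, and the resolved address is a weaker indicator than the hostname: a dynamic DNS name is there precisely so the operator can repoint it.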
Process #40: svchost.exe
Information Value
ID #40
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\System32\svchost.exe -k NetworkService
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:05:32, Reason: Autostart
Unmonitor End Time: 00:05:43, Reason: Self Terminated
Monitor Duration 00:00:11
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7f0
Parent PID 0x1e4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Network Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x7E4, 0x500, 0x87C, 0x894, 0x8C0, 0x910, 0x670
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000005238500000 0x5238500000 0x523851ffff Private Memory rw True False False -
pagefile_0x0000005238500000 0x5238500000 0x523850ffff Pagefile Backed Memory rw True False False -
svchost.exe.mui 0x5238510000 0x5238510fff Memory Mapped File r False False False -
pagefile_0x0000005238520000 0x5238520000 0x5238533fff Pagefile Backed Memory r True False False -
private_0x0000005238540000 0x5238540000 0x52385bffff Private Memory rw True False False -
pagefile_0x00000052385c0000 0x52385c0000 0x52385c3fff Pagefile Backed Memory r True False False -
pagefile_0x00000052385d0000 0x52385d0000 0x52385d0fff Pagefile Backed Memory r True False False -
private_0x00000052385e0000 0x52385e0000 0x52385e1fff Private Memory rw True False False -
private_0x00000052385f0000 0x52385f0000 0x523866ffff Private Memory rw True False False -
private_0x0000005238670000 0x5238670000 0x5238670fff Private Memory rw True False False -
private_0x0000005238680000 0x5238680000 0x5238680fff Private Memory rw True False False -
private_0x0000005238690000 0x5238690000 0x5238696fff Private Memory rw True False False -
pagefile_0x00000052386a0000 0x52386a0000 0x52386a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000052386b0000 0x52386b0000 0x52386b0fff Pagefile Backed Memory rw True False False -
private_0x0000005238700000 0x5238700000 0x52387fffff Private Memory rw True False False -
locale.nls 0x5238800000 0x52388bdfff Memory Mapped File r False False False -
pagefile_0x00000052388c0000 0x52388c0000 0x523897ffff Pagefile Backed Memory r True False False -
private_0x0000005238980000 0x5238980000 0x52389fffff Private Memory rw True False False -
private_0x0000005238a20000 0x5238a20000 0x5238a26fff Private Memory rw True False False -
private_0x0000005238b00000 0x5238b00000 0x5238bfffff Private Memory rw True False False -
pagefile_0x0000005238c00000 0x5238c00000 0x5238d87fff Pagefile Backed Memory r True False False -
pagefile_0x0000005238d90000 0x5238d90000 0x5238f10fff Pagefile Backed Memory r True False False -
private_0x0000005238f20000 0x5238f20000 0x523901ffff Private Memory rw True False False -
sortdefault.nls 0x5239020000 0x5239356fff Memory Mapped File r False False False -
private_0x0000005239360000 0x5239360000 0x523945ffff Private Memory rw True False False -
private_0x0000005239460000 0x5239460000 0x523955ffff Private Memory rw True False False -
private_0x0000005239560000 0x5239560000 0x523965ffff Private Memory rw True False False -
pagefile_0x00007df5ff2f0000 0x7df5ff2f0000 0x7ff5ff2effff Pagefile Backed Memory - True False False -
private_0x00007ff6bac2c000 0x7ff6bac2c000 0x7ff6bac2dfff Private Memory rw True False False -
private_0x00007ff6bac2e000 0x7ff6bac2e000 0x7ff6bac2ffff Private Memory rw True False False -
pagefile_0x00007ff6bac30000 0x7ff6bac30000 0x7ff6bad2ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6bad30000 0x7ff6bad30000 0x7ff6bad52fff Pagefile Backed Memory r True False False -
private_0x00007ff6bad54000 0x7ff6bad54000 0x7ff6bad55fff Private Memory rw True False False -
private_0x00007ff6bad56000 0x7ff6bad56000 0x7ff6bad57fff Private Memory rw True False False -
private_0x00007ff6bad58000 0x7ff6bad58000 0x7ff6bad59fff Private Memory rw True False False -
private_0x00007ff6bad5a000 0x7ff6bad5a000 0x7ff6bad5bfff Private Memory rw True False False -
private_0x00007ff6bad5c000 0x7ff6bad5c000 0x7ff6bad5cfff Private Memory rw True False False -
private_0x00007ff6bad5e000 0x7ff6bad5e000 0x7ff6bad5ffff Private Memory rw True False False -
svchost.exe 0x7ff6bbac0000 0x7ff6bbaccfff Memory Mapped File rwx False False False -
mapsbtsvc.dll 0x7ffef0cf0000 0x7ffef0d0ffff Memory Mapped File rwx False False False -
moshost.dll 0x7ffef0d10000 0x7ffef0d23fff Memory Mapped File rwx False False False -
ztrace_maps.dll 0x7ffef12a0000 0x7ffef12adfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fff042a0000 0x7fff042d2fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fff046b0000 0x7fff046c6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fff04820000 0x7fff0482afff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
profapi.dll 0x7fff04e00000 0x7fff04e12fff Memory Mapped File rwx False False False -
powrprof.dll 0x7fff04e20000 0x7fff04e69fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
shcore.dll 0x7fff04e80000 0x7fff04f32fff Memory Mapped File rwx False False False -
windows.storage.dll 0x7fff05270000 0x7fff05897fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7fff05d00000 0x7fff05d50fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
advapi32.dll 0x7fff05f30000 0x7fff05fd5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
Process #41: svchost.exe
Information Value
ID #41
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:05:37, Reason: Autostart
Unmonitor End Time: 00:11:22, Reason: Terminated by Timeout
Monitor Duration 00:05:45
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x57c
Parent PID 0x1e4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x4CC
0x580
0x4B4
0x914
0x704
0x844
0x1A4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000059d47d0000 0x59d47d0000 0x59d47effff Private Memory rw True False False -
pagefile_0x00000059d47d0000 0x59d47d0000 0x59d47dffff Pagefile Backed Memory rw True False False -
svchost.exe.mui 0x59d47e0000 0x59d47e0fff Memory Mapped File r False False False -
pagefile_0x00000059d47f0000 0x59d47f0000 0x59d4803fff Pagefile Backed Memory r True False False -
private_0x00000059d4810000 0x59d4810000 0x59d488ffff Private Memory rw True False False -
pagefile_0x00000059d4890000 0x59d4890000 0x59d4893fff Pagefile Backed Memory r True False False -
pagefile_0x00000059d48a0000 0x59d48a0000 0x59d48a0fff Pagefile Backed Memory r True False False -
private_0x00000059d48b0000 0x59d48b0000 0x59d48b1fff Private Memory rw True False False -
private_0x00000059d48c0000 0x59d48c0000 0x59d48c0fff Private Memory rw True False False -
private_0x00000059d48d0000 0x59d48d0000 0x59d48d6fff Private Memory rw True False False -
private_0x00000059d48e0000 0x59d48e0000 0x59d48e0fff Private Memory rw True False False -
phoneutilres.dll 0x59d48f0000 0x59d48f0fff Memory Mapped File r False False False -
private_0x00000059d4900000 0x59d4900000 0x59d49fffff Private Memory rw True False False -
locale.nls 0x59d4a00000 0x59d4abdfff Memory Mapped File r False False False -
private_0x00000059d4ac0000 0x59d4ac0000 0x59d4b3ffff Private Memory rw True False False -
private_0x00000059d4b40000 0x59d4b40000 0x59d4c3ffff Private Memory rw True False False -
private_0x00000059d4c40000 0x59d4c40000 0x59d4c40fff Private Memory rw True False False -
pagefile_0x00000059d4c50000 0x59d4c50000 0x59d4c50fff Pagefile Backed Memory r True False False -
pagefile_0x00000059d4c60000 0x59d4c60000 0x59d4c60fff Pagefile Backed Memory r True False False -
private_0x00000059d4c70000 0x59d4c70000 0x59d4c76fff Private Memory rw True False False -
private_0x00000059d4c80000 0x59d4c80000 0x59d4cfffff Private Memory rw True False False -
private_0x00000059d4d00000 0x59d4d00000 0x59d4dfffff Private Memory rw True False False -
pagefile_0x00000059d4e00000 0x59d4e00000 0x59d4f87fff Pagefile Backed Memory r True False False -
pagefile_0x00000059d4f90000 0x59d4f90000 0x59d5110fff Pagefile Backed Memory r True False False -
pagefile_0x00000059d5120000 0x59d5120000 0x59d651ffff Pagefile Backed Memory r True False False -
private_0x00000059d6520000 0x59d6520000 0x59d661ffff Private Memory rw True False False -
pagefile_0x00007df5ff6e0000 0x7df5ff6e0000 0x7ff5ff6dffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff6bb7a0000 0x7ff6bb7a0000 0x7ff6bb89ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6bb8a0000 0x7ff6bb8a0000 0x7ff6bb8c2fff Pagefile Backed Memory r True False False -
private_0x00007ff6bb8c7000 0x7ff6bb8c7000 0x7ff6bb8c8fff Private Memory rw True False False -
private_0x00007ff6bb8c9000 0x7ff6bb8c9000 0x7ff6bb8c9fff Private Memory rw True False False -
private_0x00007ff6bb8ca000 0x7ff6bb8ca000 0x7ff6bb8cbfff Private Memory rw True False False -
private_0x00007ff6bb8cc000 0x7ff6bb8cc000 0x7ff6bb8cdfff Private Memory rw True False False -
private_0x00007ff6bb8ce000 0x7ff6bb8ce000 0x7ff6bb8cffff Private Memory rw True False False -
svchost.exe 0x7ff6bbac0000 0x7ff6bbaccfff Memory Mapped File rwx False False False -
phoneutil.dll 0x7ffef0740000 0x7ffef0780fff Memory Mapped File rwx False False False -
pimstore.dll 0x7ffef0790000 0x7ffef0900fff Memory Mapped File rwx False False False -
syncutil.dll 0x7ffef0ad0000 0x7ffef0b16fff Memory Mapped File rwx False False False -
userdataplatformhelperutil.dll 0x7ffef0b20000 0x7ffef0b35fff Memory Mapped File rwx False False False -
networkhelper.dll 0x7ffef0b40000 0x7ffef0b56fff Memory Mapped File rwx False False False -
aphostservice.dll 0x7ffef0b60000 0x7ffef0badfff Memory Mapped File rwx False False False -
inproclogger.dll 0x7ffef1240000 0x7ffef124cfff Memory Mapped File rwx False False False -
mccspal.dll 0x7ffef12b0000 0x7ffef12bafff Memory Mapped File rwx False False False -
userdatatimeutil.dll 0x7ffef5f10000 0x7ffef5f30fff Memory Mapped File rwx False False False -
accountaccessor.dll 0x7ffef5f40000 0x7ffef5f75fff Memory Mapped File rwx False False False -
userdatalanguageutil.dll 0x7ffef5f80000 0x7ffef5f90fff Memory Mapped File rwx False False False -
cemapi.dll 0x7ffef5fa0000 0x7ffef5fdffff Memory Mapped File rwx False False False -
aphostclient.dll 0x7ffef5fe0000 0x7ffef5feffff Memory Mapped File rwx False False False -
synccontroller.dll 0x7ffef5ff0000 0x7ffef605bfff Memory Mapped File rwx False False False -
vaultcli.dll 0x7ffef66e0000 0x7ffef6727fff Memory Mapped File rwx False False False -
userdatatypehelperutil.dll 0x7ffef9b00000 0x7ffef9b10fff Memory Mapped File rwx False False False -
dsclient.dll 0x7ffefb090000 0x7ffefb09bfff Memory Mapped File rwx False False False -
esent.dll 0x7ffefd800000 0x7ffefdae1fff Memory Mapped File rwx False False False -
winhttp.dll 0x7ffefdf10000 0x7ffefdfe5fff Memory Mapped File rwx False False False -
nlaapi.dll 0x7fff00470000 0x7fff00487fff Memory Mapped File rwx False False False -
wintypes.dll 0x7fff00cf0000 0x7fff00e20fff Memory Mapped File rwx False False False -
iertutil.dll 0x7fff00e30000 0x7fff011a5fff Memory Mapped File rwx False False False -
ntmarta.dll 0x7fff04120000 0x7fff04151fff Memory Mapped File rwx False False False -
ntlmshared.dll 0x7fff045e0000 0x7fff045eafff Memory Mapped File rwx False False False -
msv1_0.dll 0x7fff045f0000 0x7fff0464efff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fff046b0000 0x7fff046c6fff Memory Mapped File rwx False False False -
cryptdll.dll 0x7fff04800000 0x7fff04813fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fff04820000 0x7fff0482afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fff04a00000 0x7fff04a2bfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
profapi.dll 0x7fff04e00000 0x7fff04e12fff Memory Mapped File rwx False False False -
powrprof.dll 0x7fff04e20000 0x7fff04e69fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
shcore.dll 0x7fff04e80000 0x7fff04f32fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
advapi32.dll 0x7fff05f30000 0x7fff05fd5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
imm32.dll 0x7fff06170000 0x7fff061a5fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
msctf.dll 0x7fff07eb0000 0x7fff0800bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
Process #42: mpcmdrun.exe
Information Value
ID #42
File Name c:\program files\windows defender\mpcmdrun.exe
Command Line "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:06:38, Reason: Child Process
Unmonitor End Time: 00:06:40, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x950
Parent PID 0x360 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Local Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x95C
0x794
0x8A4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000064410f0000 0x64410f0000 0x644110ffff Private Memory rw True False False -
pagefile_0x00000064410f0000 0x64410f0000 0x64410fffff Pagefile Backed Memory rw True False False -
private_0x0000006441100000 0x6441100000 0x6441106fff Private Memory rw True False False -
pagefile_0x0000006441110000 0x6441110000 0x6441123fff Pagefile Backed Memory r True False False -
private_0x0000006441130000 0x6441130000 0x64411affff Private Memory rw True False False -
pagefile_0x00000064411b0000 0x64411b0000 0x64411b3fff Pagefile Backed Memory r True False False -
pagefile_0x00000064411c0000 0x64411c0000 0x64411c0fff Pagefile Backed Memory r True False False -
private_0x00000064411d0000 0x64411d0000 0x64411d1fff Private Memory rw True False False -
locale.nls 0x64411e0000 0x644129dfff Memory Mapped File r False False False -
private_0x00000064412a0000 0x64412a0000 0x644131ffff Private Memory rw True False False -
private_0x0000006441320000 0x6441320000 0x6441326fff Private Memory rw True False False -
private_0x0000006441330000 0x6441330000 0x644142ffff Private Memory rw True False False -
pagefile_0x0000006441430000 0x6441430000 0x64415b7fff Pagefile Backed Memory r True False False -
private_0x00000064415c0000 0x64415c0000 0x64415c0fff Private Memory rw True False False -
private_0x00000064415d0000 0x64415d0000 0x64415d0fff Private Memory rw True False False -
private_0x00000064415f0000 0x64415f0000 0x64415fffff Private Memory rw True False False -
pagefile_0x0000006441600000 0x6441600000 0x6441780fff Pagefile Backed Memory r True False False -
pagefile_0x0000006441790000 0x6441790000 0x644184ffff Pagefile Backed Memory r True False False -
pagefile_0x00007df5ffed0000 0x7df5ffed0000 0x7ff5ffecffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7e5530000 0x7ff7e5530000 0x7ff7e562ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7e5630000 0x7ff7e5630000 0x7ff7e5652fff Pagefile Backed Memory r True False False -
private_0x00007ff7e565a000 0x7ff7e565a000 0x7ff7e565bfff Private Memory rw True False False -
private_0x00007ff7e565c000 0x7ff7e565c000 0x7ff7e565cfff Private Memory rw True False False -
private_0x00007ff7e565e000 0x7ff7e565e000 0x7ff7e565ffff Private Memory rw True False False -
mpcmdrun.exe 0x7ff7e5ad0000 0x7ff7e5b26fff Memory Mapped File rwx False False False -
version.dll 0x7ffefc300000 0x7ffefc309fff Memory Mapped File rwx False False False -
secur32.dll 0x7ffefd250000 0x7ffefd25bfff Memory Mapped File rwx False False False -
cabinet.dll 0x7ffefe6b0000 0x7ffefe6d6fff Memory Mapped File rwx False False False -
mpclient.dll 0x7ffefec10000 0x7ffefece9fff Memory Mapped File rwx False False False -
userenv.dll 0x7fff04390000 0x7fff043aefff Memory Mapped File rwx False False False -
sspicli.dll 0x7fff04a00000 0x7fff04a2bfff Memory Mapped File rwx False False False -
msasn1.dll 0x7fff04de0000 0x7fff04df0fff Memory Mapped File rwx False False False -
profapi.dll 0x7fff04e00000 0x7fff04e12fff Memory Mapped File rwx False False False -
crypt32.dll 0x7fff04f40000 0x7fff05100fff Memory Mapped File rwx False False False -
wintrust.dll 0x7fff05210000 0x7fff05263fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
advapi32.dll 0x7fff05f30000 0x7fff05fd5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
ole32.dll 0x7fff06430000 0x7fff06570fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
Process #44: backgroundtaskhost.exe
Information Value
ID #44
File Name c:\windows\system32\backgroundtaskhost.exe
Command Line "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
Initial Working Directory C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\
Monitor Start Time: 00:06:45, Reason: Child Process
Unmonitor End Time: 00:06:46, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb14
Parent PID 0x244 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Low
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB00
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000067dcb80000 0x67dcb80000 0x67dcb9ffff Private Memory rw True False False -
pagefile_0x00000067dcba0000 0x67dcba0000 0x67dcbb3fff Pagefile Backed Memory r True False False -
private_0x00000067dcbc0000 0x67dcbc0000 0x67dcc3ffff Private Memory rw True False False -
pagefile_0x00000067dcc40000 0x67dcc40000 0x67dcc43fff Pagefile Backed Memory r True False False -
private_0x00000067dcc50000 0x67dcc50000 0x67dcc51fff Private Memory rw True False False -
s-1-5-21-1462094071-1423818996-289466292-1000.pckgdep 0x67dcc60000 0x67dcc60fff Memory Mapped File r True False False -
pagefile_0x00007df5ff820000 0x7df5ff820000 0x7ff5ff81ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7a64b0000 0x7ff7a64b0000 0x7ff7a64d2fff Pagefile Backed Memory r True False False -
private_0x00007ff7a64d4000 0x7ff7a64d4000 0x7ff7a64d4fff Private Memory rw True False False -
private_0x00007ff7a64de000 0x7ff7a64de000 0x7ff7a64dffff Private Memory rw True False False -
backgroundtaskhost.exe 0x7ff7a6ba0000 0x7ff7a6ba6fff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
Process #45: backgroundtaskhost.exe
Information Value
ID #45
File Name c:\windows\system32\backgroundtaskhost.exe
Command Line "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
Initial Working Directory C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\
Monitor Start Time: 00:06:45, Reason: Child Process
Unmonitor End Time: 00:06:46, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8a0
Parent PID 0x244 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Low
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xBA4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000006d2ef30000 0x6d2ef30000 0x6d2ef4ffff Private Memory rw True False False -
pagefile_0x0000006d2ef50000 0x6d2ef50000 0x6d2ef63fff Pagefile Backed Memory r True False False -
private_0x0000006d2ef70000 0x6d2ef70000 0x6d2efeffff Private Memory rw True False False -
pagefile_0x0000006d2eff0000 0x6d2eff0000 0x6d2eff3fff Pagefile Backed Memory r True False False -
private_0x0000006d2f000000 0x6d2f000000 0x6d2f001fff Private Memory rw True False False -
s-1-5-21-1462094071-1423818996-289466292-1000.pckgdep 0x6d2f010000 0x6d2f010fff Memory Mapped File r True False False -
pagefile_0x00007df5ff010000 0x7df5ff010000 0x7ff5ff00ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7a65b0000 0x7ff7a65b0000 0x7ff7a65d2fff Pagefile Backed Memory r True False False -
private_0x00007ff7a65dc000 0x7ff7a65dc000 0x7ff7a65dcfff Private Memory rw True False False -
private_0x00007ff7a65de000 0x7ff7a65de000 0x7ff7a65dffff Private Memory rw True False False -
backgroundtaskhost.exe 0x7ff7a6ba0000 0x7ff7a6ba6fff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
Process #46: wmiadap.exe
Information Value
ID #46
File Name c:\windows\system32\wbem\wmiadap.exe
Command Line wmiadap.exe /F /T /R
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:07:15, Reason: Child Process
Unmonitor End Time: 00:11:22, Reason: Terminated by Timeout
Monitor Duration 00:04:07
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb70
Parent PID 0x354 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0xB60
0xB6C
0xB7C
0x33C
0x740
0x89C
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000066b8f0000 0x66b8f0000 0x66b90ffff Private Memory rw True False False -
pagefile_0x000000066b8f0000 0x66b8f0000 0x66b8fffff Pagefile Backed Memory rw True False False -
private_0x000000066b900000 0x66b900000 0x66b906fff Private Memory rw True False False -
pagefile_0x000000066b910000 0x66b910000 0x66b923fff Pagefile Backed Memory r True False False -
private_0x000000066b930000 0x66b930000 0x66b9affff Private Memory rw True False False -
pagefile_0x000000066b9b0000 0x66b9b0000 0x66b9b3fff Pagefile Backed Memory r True False False -
pagefile_0x000000066b9c0000 0x66b9c0000 0x66b9c0fff Pagefile Backed Memory r True False False -
private_0x000000066b9d0000 0x66b9d0000 0x66b9d1fff Private Memory rw True False False -
private_0x000000066b9e0000 0x66b9e0000 0x66badffff Private Memory rw True False False -
locale.nls 0x66bae0000 0x66bb9dfff Memory Mapped File r False False False -
private_0x000000066bba0000 0x66bba0000 0x66bc1ffff Private Memory rw True False False -
private_0x000000066bc20000 0x66bc20000 0x66bc26fff Private Memory rw True False False -
private_0x000000066bc30000 0x66bc30000 0x66bcaffff Private Memory rw True False False -
private_0x000000066bcb0000 0x66bcb0000 0x66bcb0fff Private Memory rw True False False -
private_0x000000066bcc0000 0x66bcc0000 0x66bcc0fff Private Memory rw True False False -
private_0x000000066bcd0000 0x66bcd0000 0x66bcdffff Private Memory rw True False False -
pagefile_0x000000066bce0000 0x66bce0000 0x66be67fff Pagefile Backed Memory r True False False -
pagefile_0x000000066be70000 0x66be70000 0x66bff0fff Pagefile Backed Memory r True False False -
pagefile_0x000000066c000000 0x66c000000 0x66c0bffff Pagefile Backed Memory r True False False -
pagefile_0x000000066c0c0000 0x66c0c0000 0x66c0c0fff Pagefile Backed Memory r True False False -
pagefile_0x000000066c0d0000 0x66c0d0000 0x66c0d0fff Pagefile Backed Memory r True False False -
sortdefault.nls 0x66c0e0000 0x66c416fff Memory Mapped File r False False False -
private_0x000000066c420000 0x66c420000 0x66c49ffff Private Memory rw True False False -
private_0x000000066c4a0000 0x66c4a0000 0x66c51ffff Private Memory rw True False False -
private_0x000000066c520000 0x66c520000 0x66c59ffff Private Memory rw True False False -
pagefile_0x00007df5ff2a0000 0x7df5ff2a0000 0x7ff5ff29ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff782730000 0x7ff782730000 0x7ff78282ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff782830000 0x7ff782830000 0x7ff782852fff Pagefile Backed Memory r True False False -
private_0x00007ff782853000 0x7ff782853000 0x7ff782854fff Private Memory rw True False False -
private_0x00007ff782855000 0x7ff782855000 0x7ff782856fff Private Memory rw True False False -
private_0x00007ff782857000 0x7ff782857000 0x7ff782858fff Private Memory rw True False False -
private_0x00007ff782859000 0x7ff782859000 0x7ff782859fff Private Memory rw True False False -
private_0x00007ff78285a000 0x7ff78285a000 0x7ff78285bfff Private Memory rw True False False -
private_0x00007ff78285c000 0x7ff78285c000 0x7ff78285dfff Private Memory rw True False False -
private_0x00007ff78285e000 0x7ff78285e000 0x7ff78285ffff Private Memory rw True False False -
wmiadap.exe 0x7ff783050000 0x7ff78307efff Memory Mapped File rwx False False False -
wbemsvc.dll 0x7ffefb740000 0x7ffefb753fff Memory Mapped File rwx False False False -
fastprox.dll 0x7ffefb800000 0x7ffefb8f7fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7ffefbb60000 0x7ffefbb70fff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7ffefde40000 0x7ffefdebefff Memory Mapped File rwx False False False -
loadperf.dll 0x7ffefe630000 0x7ffefe654fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fff042a0000 0x7fff042d2fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fff046b0000 0x7fff046c6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fff04820000 0x7fff0482afff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fff04c00000 0x7fff04c27fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
nsi.dll 0x7fff05a80000 0x7fff05a87fff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
psapi.dll 0x7fff08020000 0x7fff08027fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
ws2_32.dll 0x7fff080d0000 0x7fff08138fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
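The per-process "OS Process Information" and "Region" tables above are the raw material an analyst triages by hand: which processes run with SeDebugPrivilege or SeTcbPrivilege, and which memory regions are executable without being backed by an image file (the footprint of the injection seen against explorer.exe earlier in this report). The script below is an added example, not part of the VMRay report or VMRay's tooling. It parses an excerpt of the wmiadap.exe block above, copied here as a constructed sample, plus one synthetic "Private Memory rwx" row that does not appear in the report and exists only so the injection check has something to flag. It relies on one convention visible in the tables: every loaded module is listed as "Memory Mapped File rwx", so image mappings are excluded and only private or pagefile-backed executable regions are reported.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: excerpt of the wmiadap.exe block from the report above.
SAMPLE_REPORT = """\
Process #46: wmiadap.exe
PID 0xb70
Parent PID 0x354 (c:\\windows\\system32\\svchost.exe)
Integrity Level System (Elevated)
Username NT AUTHORITY\\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeDebugPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000066b9e0000 0x66b9e0000 0x66badffff Private Memory rw True False False -
pagefile_0x000000066bce0000 0x66bce0000 0x66be67fff Pagefile Backed Memory r True False False -
wmiadap.exe 0x7ff783050000 0x7ff78307efff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
"""
# Synthetic row, NOT in the report: executable private memory that was dumped and hit YARA.
SYNTHETIC_ROW = "private_0x0000000001230000 0x1230000 0x123ffff Private Memory rwx True True True -"


@dataclass
class Region:
    name: str
    start: int
    end: int
    kind: str
    perms: str
    monitored: bool
    dumped: bool
    yara: bool

    @property
    def size(self) -> int:
        return self.end - self.start + 1


# One row of the "Region" table; the header line and key/value lines do not match.
REGION_RE = re.compile(
    r"^(?P<name>\S+)\s+0x(?P<start>[0-9a-f]+)\s+0x(?P<end>[0-9a-f]+)\s+"
    r"(?P<kind>Private Memory|Pagefile Backed Memory|Memory Mapped File)\s+"
    r"(?P<perms>[rwx]+|-)\s+(?P<mon>True|False)\s+(?P<dump>True|False)\s+"
    r"(?P<yara>True|False)\s+\S+$"
)

# Privileges that let a process read other processes, impersonate, or act as the TCB.
HIGH_VALUE_PRIVS = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeImpersonatePrivilege",
    "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege",
}


def parse_regions(text: str) -> List[Region]:
    """Return every Region row found in the text, in table order."""
    regions = []
    for line in text.splitlines():
        m = REGION_RE.match(line.strip())
        if m:
            regions.append(Region(
                name=m["name"], start=int(m["start"], 16), end=int(m["end"], 16),
                kind=m["kind"], perms=m["perms"], monitored=m["mon"] == "True",
                dumped=m["dump"] == "True", yara=m["yara"] == "True"))
    return regions


def parse_process_info(text: str) -> Dict[str, object]:
    """Extract PID, parent PID/image, integrity level and enabled privileges."""
    info: Dict[str, object] = {"privileges": set()}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Parent PID "):  # checked before the plain "PID " prefix
            m = re.match(r"Parent PID 0x([0-9a-f]+)(?: \((.*)\))?", line)
            info["parent_pid"] = int(m.group(1), 16)
            info["parent_image"] = m.group(2)
        elif line.startswith("PID "):
            info["pid"] = int(line.split()[1], 16)
        elif line.startswith("Integrity Level "):
            info["integrity"] = line[len("Integrity Level "):]
        elif line.startswith("Enabled Privileges "):
            privs = line[len("Enabled Privileges "):]
            info["privileges"] = {p.strip() for p in privs.split(",") if p.strip()}
    return info


def executable_non_image(regions: List[Region]) -> List[Region]:
    """Executable regions not backed by an image file: the usual injection footprint."""
    return [r for r in regions if "x" in r.perms and r.kind != "Memory Mapped File"]


def noteworthy_privileges(info: Dict[str, object]) -> set:
    """Enabled privileges that deserve a second look during triage."""
    return set(info["privileges"]) & HIGH_VALUE_PRIVS


if __name__ == "__main__":
    sample = SAMPLE_REPORT + SYNTHETIC_ROW + "\n"
    info = parse_process_info(sample)
    print(f"pid=0x{info['pid']:x} parent=0x{info['parent_pid']:x} "
          f"({info['parent_image']}) integrity={info['integrity']}")
    print("privileges worth a look:", sorted(noteworthy_privileges(info)))
    for r in executable_non_image(parse_regions(sample)):
        print(f"FLAG {r.name}: {r.kind} {r.perms} size=0x{r.size:x} "
              f"dumped={r.dumped} yara={r.yara}")
```

Run against the real wmiadap.exe block, the flag list is empty, which matches the report's remark of no high-level activity for that process; the privilege check still surfaces SeDebugPrivilege and SeTcbPrivilege because the process runs as SYSTEM, so integrity level and parent image should be read alongside it before treating that as suspicious.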
Process #47: wmiprvse.exe
Information Value
ID #47
File Name c:\windows\system32\wbem\wmiprvse.exe
Command Line C:\Windows\system32\wbem\wmiprvse.exe -Embedding
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:07:16, Reason: Child Process
Unmonitor End Time: 00:11:22, Reason: Terminated by Timeout
Monitor Duration 00:04:06
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x5d0
Parent PID 0x244 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x5EC
0x5E8
0x5C0
0x598
0x5BC
0x5A4
0x5B8
0x8B8
0x87C
0x82C
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000cc156f0000 0xcc156f0000 0xcc1570ffff Private Memory rw True False False -
pagefile_0x000000cc156f0000 0xcc156f0000 0xcc156fffff Pagefile Backed Memory rw True False False -
private_0x000000cc15700000 0xcc15700000 0xcc15706fff Private Memory rw True False False -
pagefile_0x000000cc15710000 0xcc15710000 0xcc15723fff Pagefile Backed Memory r True False False -
private_0x000000cc15730000 0xcc15730000 0xcc157affff Private Memory rw True False False -
pagefile_0x000000cc157b0000 0xcc157b0000 0xcc157b3fff Pagefile Backed Memory r True False False -
pagefile_0x000000cc157c0000 0xcc157c0000 0xcc157c0fff Pagefile Backed Memory r True False False -
private_0x000000cc157d0000 0xcc157d0000 0xcc157d1fff Private Memory rw True False False -
locale.nls 0xcc157e0000 0xcc1589dfff Memory Mapped File r False False False -
private_0x000000cc158a0000 0xcc158a0000 0xcc1599ffff Private Memory rw True False False -
private_0x000000cc159a0000 0xcc159a0000 0xcc15a1ffff Private Memory rw True False False -
Process #48: taskeng.exe
Information Value
ID #48
File Name c:\windows\system32\taskeng.exe
Command Line taskeng.exe {ED7B4F34-E0D4-424B-A7F2-947F125DE242} S-1-5-18:NT AUTHORITY\System:Service:
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:08:54, Reason: Child Process
Unmonitor End Time: 00:11:22, Reason: Terminated by Timeout
Monitor Duration 00:02:28
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb5c
Parent PID 0x354 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x868, 0x578, 0x500, 0x7F0, 0x330, 0x430, 0x750, 0xF4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
Process #49: taskhostw.exe
Information Value
ID #49
File Name c:\windows\system32\taskhostw.exe
Command Line taskhostw.exe Logon
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:08:55, Reason: Child Process
Unmonitor End Time: 00:08:56, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x30c
Parent PID 0x354 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xBC0, 0x79C, 0x2BC, 0x464, 0xB88, 0x6AC, 0x670, 0x894, 0x7E4, 0x8C0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
Process #50: officec2rclient.exe
Information Value
ID #50
File Name c:\program files\common files\microsoft shared\clicktorun\officec2rclient.exe
Command Line "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:09:52, Reason: Child Process
Unmonitor End Time: 00:11:22, Reason: Terminated by Timeout
Monitor Duration 00:01:30
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x6dc
Parent PID 0xb5c (c:\windows\system32\mobsync.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x5E0, 0x5FC, 0x600, 0x524, 0x720, 0x754, 0x744, 0xBFC, 0x92C, 0x8F8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
Process #51: schtasks.exe
Information Value
ID #51
File Name c:\windows\system32\schtasks.exe
Command Line schtasks.exe /change /tn "Microsoft\Office\Office ClickToRun Service Monitor" /enable
Initial Working Directory C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
Monitor Start Time: 00:10:34, Reason: Child Process
Unmonitor End Time: 00:10:36, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xbc8
Parent PID 0x548 (c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x870, 0x84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
Host Behavior
COM (3)
Operation Class Interface Additional Information Success Count Logfile
Create TaskScheduler ITaskService cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Execute TaskScheduler ITaskService method_name = Connect True 1
Fn
Execute TaskScheduler ITaskService method_name = GetFolder, new_interface = ITaskFolder True 1
Fn
File (12)
Operation Filename Additional Information Success Count Logfile
Get Info STD_OUTPUT_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 6
Fn
Write STD_OUTPUT_HANDLE size = 100 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 114 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\schtasks.exe base_address = 0x7ff7f2f60000 True 1
Fn
Get Filename - process_name = c:\windows\system32\schtasks.exe, file_name_orig = C:\Windows\system32\schtasks.exe, size = 260 True 2
Fn
Process #53: schtasks.exe
10 0
Information Value
ID #53
File Name c:\windows\system32\schtasks.exe
Command Line schtasks.exe /change /tn "Microsoft\Office\Office Automatic Updates" /enable
Initial Working Directory C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
Monitor Start Time: 00:10:35, Reason: Child Process
Unmonitor End Time: 00:10:36, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0x9c0
Parent PID 0x548 (c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0xB48
0x8AC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000043221b0000 0x43221b0000 0x43221cffff Private Memory rw True False False -
pagefile_0x00000043221b0000 0x43221b0000 0x43221bffff Pagefile Backed Memory rw True False False -
private_0x00000043221c0000 0x43221c0000 0x43221c6fff Private Memory rw True False False -
pagefile_0x00000043221d0000 0x43221d0000 0x43221e3fff Pagefile Backed Memory r True False False -
private_0x00000043221f0000 0x43221f0000 0x432226ffff Private Memory rw True False False -
pagefile_0x0000004322270000 0x4322270000 0x4322273fff Pagefile Backed Memory r True False False -
pagefile_0x0000004322280000 0x4322280000 0x4322280fff Pagefile Backed Memory r True False False -
private_0x0000004322290000 0x4322290000 0x4322291fff Private Memory rw True False False -
locale.nls 0x43222a0000 0x432235dfff Memory Mapped File r False False False -
private_0x0000004322360000 0x4322360000 0x4322366fff Private Memory rw True False False -
schtasks.exe.mui 0x4322370000 0x4322382fff Memory Mapped File r False False False -
private_0x0000004322390000 0x4322390000 0x432248ffff Private Memory rw True False False -
private_0x0000004322490000 0x4322490000 0x432250ffff Private Memory rw True False False -
rpcss.dll 0x4322510000 0x43225e5fff Memory Mapped File r False False False -
pagefile_0x0000004322510000 0x4322510000 0x43225cffff Pagefile Backed Memory r True False False -
private_0x00000043225d0000 0x43225d0000 0x43225d0fff Private Memory rw True False False -
private_0x00000043225e0000 0x43225e0000 0x43225e0fff Private Memory rw True False False -
pagefile_0x00000043225f0000 0x43225f0000 0x43225f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000004322600000 0x4322600000 0x4322600fff Pagefile Backed Memory r True False False -
private_0x0000004322680000 0x4322680000 0x432268ffff Private Memory rw True False False -
sortdefault.nls 0x4322690000 0x43229c6fff Memory Mapped File r False False False -
pagefile_0x00000043229d0000 0x43229d0000 0x4322b57fff Pagefile Backed Memory r True False False -
pagefile_0x0000004322b60000 0x4322b60000 0x4322ce0fff Pagefile Backed Memory r True False False -
pagefile_0x00007df5ff210000 0x7df5ff210000 0x7ff5ff20ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7f2500000 0x7ff7f2500000 0x7ff7f25fffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7f2600000 0x7ff7f2600000 0x7ff7f2622fff Pagefile Backed Memory r True False False -
private_0x00007ff7f2623000 0x7ff7f2623000 0x7ff7f2623fff Private Memory rw True False False -
private_0x00007ff7f262c000 0x7ff7f262c000 0x7ff7f262dfff Private Memory rw True False False -
private_0x00007ff7f262e000 0x7ff7f262e000 0x7ff7f262ffff Private Memory rw True False False -
schtasks.exe 0x7ff7f2f60000 0x7ff7f2f9cfff Memory Mapped File rwx True False False -
taskschd.dll 0x7fff00300000 0x7fff003bffff Memory Mapped File rwx False False False -
sspicli.dll 0x7fff04a00000 0x7fff04a2bfff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
Host Behavior
COM (3)
Operation Class Interface Additional Information Success Count Logfile
Create TaskScheduler ITaskService cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Execute TaskScheduler ITaskService method_name = Connect True 1
Fn
Execute TaskScheduler ITaskService method_name = GetFolder, new_interface = ITaskFolder True 1
Fn
File (6)
Operation Filename Additional Information Success Count Logfile
Get Info STD_ERROR_HANDLE type = file_type True 2
Fn
Open STD_ERROR_HANDLE - True 3
Fn
Write STD_ERROR_HANDLE size = 105 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\schtasks.exe base_address = 0x7ff7f2f60000 True 1
Fn
Get Filename - process_name = c:\windows\system32\schtasks.exe, file_name_orig = C:\Windows\system32\schtasks.exe, size = 260 True 2
Fn
Process #55: schtasks.exe
16 0
Information Value
ID #55
File Name c:\windows\system32\schtasks.exe
Command Line schtasks.exe /change /tn "Microsoft\Office\Office Automatic Updates 2.0" /enable
Initial Working Directory C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
Monitor Start Time: 00:10:35, Reason: Child Process
Unmonitor End Time: 00:10:37, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0x8a4
Parent PID 0x548 (c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0xA8C
0xB30
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000dd0b960000 0xdd0b960000 0xdd0b97ffff Private Memory rw True False False -
pagefile_0x000000dd0b960000 0xdd0b960000 0xdd0b96ffff Pagefile Backed Memory rw True False False -
private_0x000000dd0b970000 0xdd0b970000 0xdd0b976fff Private Memory rw True False False -
pagefile_0x000000dd0b980000 0xdd0b980000 0xdd0b993fff Pagefile Backed Memory r True False False -
private_0x000000dd0b9a0000 0xdd0b9a0000 0xdd0ba1ffff Private Memory rw True False False -
pagefile_0x000000dd0ba20000 0xdd0ba20000 0xdd0ba23fff Pagefile Backed Memory r True False False -
pagefile_0x000000dd0ba30000 0xdd0ba30000 0xdd0ba30fff Pagefile Backed Memory r True False False -
private_0x000000dd0ba40000 0xdd0ba40000 0xdd0ba41fff Private Memory rw True False False -
locale.nls 0xdd0ba50000 0xdd0bb0dfff Memory Mapped File r False False False -
private_0x000000dd0bb10000 0xdd0bb10000 0xdd0bb8ffff Private Memory rw True False False -
private_0x000000dd0bb90000 0xdd0bb90000 0xdd0bb96fff Private Memory rw True False False -
schtasks.exe.mui 0xdd0bba0000 0xdd0bbb2fff Memory Mapped File r False False False -
private_0x000000dd0bbc0000 0xdd0bbc0000 0xdd0bbc0fff Private Memory rw True False False -
private_0x000000dd0bbd0000 0xdd0bbd0000 0xdd0bbd0fff Private Memory rw True False False -
pagefile_0x000000dd0bbe0000 0xdd0bbe0000 0xdd0bbe0fff Pagefile Backed Memory r True False False -
pagefile_0x000000dd0bbf0000 0xdd0bbf0000 0xdd0bbf0fff Pagefile Backed Memory r True False False -
private_0x000000dd0bc20000 0xdd0bc20000 0xdd0bd1ffff Private Memory rw True False False -
rpcss.dll 0xdd0bd20000 0xdd0bdf5fff Memory Mapped File r False False False -
pagefile_0x000000dd0bd20000 0xdd0bd20000 0xdd0bea7fff Pagefile Backed Memory r True False False -
private_0x000000dd0bf00000 0xdd0bf00000 0xdd0bf0ffff Private Memory rw True False False -
sortdefault.nls 0xdd0bf10000 0xdd0c246fff Memory Mapped File r False False False -
pagefile_0x000000dd0c250000 0xdd0c250000 0xdd0c3d0fff Pagefile Backed Memory r True False False -
pagefile_0x000000dd0c3e0000 0xdd0c3e0000 0xdd0c49ffff Pagefile Backed Memory r True False False -
pagefile_0x00007df5ff1d0000 0x7df5ff1d0000 0x7ff5ff1cffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7f21a0000 0x7ff7f21a0000 0x7ff7f229ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7f22a0000 0x7ff7f22a0000 0x7ff7f22c2fff Pagefile Backed Memory r True False False -
private_0x00007ff7f22cb000 0x7ff7f22cb000 0x7ff7f22cbfff Private Memory rw True False False -
private_0x00007ff7f22cc000 0x7ff7f22cc000 0x7ff7f22cdfff Private Memory rw True False False -
private_0x00007ff7f22ce000 0x7ff7f22ce000 0x7ff7f22cffff Private Memory rw True False False -
schtasks.exe 0x7ff7f2f60000 0x7ff7f2f9cfff Memory Mapped File rwx True False False -
taskschd.dll 0x7fff00300000 0x7fff003bffff Memory Mapped File rwx False False False -
sspicli.dll 0x7fff04a00000 0x7fff04a2bfff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fff04c30000 0x7fff04c9afff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7fff04e70000 0x7fff04e7efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fff058a0000 0x7fff05a7cfff Memory Mapped File rwx False False False -
sechost.dll 0x7fff05a90000 0x7fff05aeafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7fff05bd0000 0x7fff05cf5fff Memory Mapped File rwx False False False -
kernel32.dll 0x7fff05d60000 0x7fff05e0cfff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fff05e10000 0x7fff05ecdfff Memory Mapped File rwx False False False -
gdi32.dll 0x7fff05fe0000 0x7fff06164fff Memory Mapped File rwx False False False -
combase.dll 0x7fff061b0000 0x7fff0642bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7fff08030000 0x7fff080ccfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7fff081b0000 0x7fff08254fff Memory Mapped File rwx False False False -
user32.dll 0x7fff08260000 0x7fff083adfff Memory Mapped File rwx False False False -
ntdll.dll 0x7fff083b0000 0x7fff08571fff Memory Mapped File rwx False False False -
Host Behavior
COM (3)
Operation Class Interface Additional Information Success Count Logfile
Create TaskScheduler ITaskService cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Execute TaskScheduler ITaskService method_name = Connect True 1
Fn
Execute TaskScheduler ITaskService method_name = GetFolder, new_interface = ITaskFolder True 1
Fn
File (12)
Operation Filename Additional Information Success Count Logfile
Get Info STD_OUTPUT_HANDLE type = file_type True 4
Fn
Open STD_OUTPUT_HANDLE - True 6
Fn
Write STD_OUTPUT_HANDLE size = 95 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 109 True 1
Fn
Data
Module (3)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\schtasks.exe base_address = 0x7ff7f2f60000 True 1
Fn
Get Filename - process_name = c:\windows\system32\schtasks.exe, file_name_orig = C:\Windows\system32\schtasks.exe, size = 260 True 2
Fn