Obfuscated AutoIt Malware Injects Executables to Steal Passwords and Browser Data

Involved Hosts

Hostname	IP Addresses	Country	City	Protocols	Has Blacklisted URL
jluxi.dynu.com	185.62.188.68	NL		DNS, TCP

Monitored Processes

Behavior Information - Grouped by Category

Process #1: 9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe

(Host: 4170, Network: 0)

Information	Value
ID	#1
File Name	c:\users\eebsym5\desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe
Command Line	"C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe"
Initial Working Directory	C:\Users\EEBsYm5\Desktop\
Monitor	Start Time: 00:00:10, Reason: Analysis Target
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:02:01

OS Process Information

Information	Value
PID	0xa00
Parent PID	0x658 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A04 0x A0C 0x A14 0x A18

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x0012ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000130000	0x00130000	0x00133fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x00142fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000160000	0x00160000	0x00166fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000170000	0x00170000	0x00171fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000180000	0x00180000	0x00181fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x001affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001b0000	0x001b0000	0x002affff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x002b0000	0x00316fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000320000	0x00320000	0x003e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003f0000	0x003f0000	0x003f0fff	Pagefile Backed Memory	Readable	Region Actions
9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	0x00400000	0x00432fff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
pagefile_0x0000000000440000	0x00440000	0x00540fff	Pagefile Backed Memory	Readable	Region Actions
rpcss.dll	0x00550000	0x005abfff	Memory Mapped File	Readable	Region Actions
rpcss.dll	0x00550000	0x005abfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000550000	0x00550000	0x005fffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000550000	0x00550000	0x00550fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000560000	0x00560000	0x00561fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000570000	0x00570000	0x00571fff	Pagefile Backed Memory	Readable	Region Actions
msctf.dll.mui	0x00570000	0x00570fff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x0000000000580000	0x00580000	0x00581fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000580000	0x00580000	0x00580fff	Pagefile Backed Memory	Readable, Writable	Region Actions
cversions.1.db	0x00590000	0x00593fff	Memory Mapped File	Readable	Region Actions
cversions.2.db	0x00590000	0x00593fff	Memory Mapped File	Readable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000013.db	0x005a0000	0x005b4fff	Memory Mapped File	Readable	Region Actions
private_0x00000000005c0000	0x005c0000	0x005fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000600000	0x00600000	0x0060ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000610000	0x00610000	0x0120ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001210000	0x01210000	0x012eefff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x012f0000	0x015befff	Memory Mapped File	Readable	Region Actions
private_0x00000000015c0000	0x015c0000	0x0163ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000015c0000	0x015c0000	0x015c0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db	0x015d0000	0x015fffff	Memory Mapped File	Readable	Region Actions
private_0x0000000001600000	0x01600000	0x0163ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000001640000	0x01640000	0x01a32fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001a40000	0x01a40000	0x01abffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001ac0000	0x01ac0000	0x01bc0fff	Private Memory	Readable, Writable	Region Actions Download Dump
staticcache.dat	0x01ac0000	0x023effff	Memory Mapped File	Readable	Region Actions
private_0x00000000023f0000	0x023f0000	0x024f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000023f0000	0x023f0000	0x027f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000023f0000	0x023f0000	0x027f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
cversions.2.db	0x023f0000	0x023f3fff	Memory Mapped File	Readable	Region Actions
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x02400000	0x02465fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002470000	0x02470000	0x0256ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002570000	0x02570000	0x0266ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000002670000	0x02670000	0x02670fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000002680000	0x02680000	0x0277ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002800000	0x02800000	0x02900fff	Private Memory	Readable, Writable	Region Actions Download Dump
riched20.dll	0x6d740000	0x6d7b5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
tiptsf.dll	0x6e5a0000	0x6e5f7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shdocvw.dll	0x6ec20000	0x6ec4dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x70f80000	0x70fcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
riched32.dll	0x72980000	0x72985fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x73a70000	0x73a82fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x73dc0000	0x73dfffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x73e40000	0x73e60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x73ed0000	0x73fc4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x740c0000	0x7425dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75070000	0x7508afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75090000	0x7509bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x75110000	0x7511afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75180000	0x7518bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x75190000	0x751b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x751c0000	0x752dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x752e0000	0x75329fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x75360000	0x75371fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75410000	0x75545fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75550000	0x7559dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x755a0000	0x75668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x756b0000	0x75706fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75710000	0x7572efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75730000	0x757fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75810000	0x7589efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x758a0000	0x75922fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x75930000	0x75974fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75980000	0x765c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x765e0000	0x7667cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76680000	0x767dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x76840000	0x76934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76940000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x769e0000	0x76ab3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76ac0000	0x76b60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x76b70000	0x76d0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76d10000	0x76dbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x76dc0000	0x76fbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76fc0000	0x770fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77110000	0x77128fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77160000	0x77169fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77170000	0x771eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77200000	0x77200fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Created Files

Filename	File Size	Hash Values	Actions
c:\users\eebsym5\appdata\local\temp\60484525\__tmp_rar_sfx_access_check_18052931	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\eebsym5\appdata\local\temp\60484525\hin.ppt	753.11 KB (771181 bytes)	MD5: b4069d0c0e00f8266018f1263d28314a SHA1: da9e1711e225aa694f28ac81677f0a8840acbd56 SHA256: 017a11f2c47b3329116d74da098437fef15a0283fd7df5b5cf16e167a74bf4bf	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\cvn-nhc	2.88 MB (3022508 bytes)	MD5: de1a6fbf02c16cacd54d414ed4e6f73e SHA1: 645a49fb10d04c18348e6614c3640cb2d732d7e2 SHA256: f0b7de110217d22b745eb45ad6c808974c667bb77dabdf824c7a439bb254d49d	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	732.73 KB (750320 bytes)	MD5: 71d8f6d5dc35517275bc38ebcc815f9f SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\jdl.jpg	0.58 KB (593 bytes)	MD5: 4cf50661adbe97e9144a1ae14e0cc2d4 SHA1: 6cfecd4625e5cac62f73cd766c0695545615a80e SHA256: 01da59d2d9a62cc31d8a28f02e58762f775783d072dc92cd4882472991c6c489	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\vqm.xl	0.51 KB (525 bytes)	MD5: 39f5c28a7805e6993c878e2445b6de4f SHA1: b1a4702db810d76ca9dab4a40b464161447a8485 SHA256: 2fb689a6de68f133a7baab6c6f6458fae38c6dae4d90f62da2b90641a048fc2a	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\bcu.mp4	0.51 KB (521 bytes)	MD5: e800b240b278b15f7e04a9aa5aad5a94 SHA1: 5c57cfd08c138ecb8aaf08638ff708ed0fc11e9c SHA256: d4c33eed67247dbddc3dcd7400bd24fd7209a597f468978f014568c2ee0a7fd1	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\rnr.mp3	0.54 KB (556 bytes)	MD5: a1c50816b65f30e2260479114d0bcab6 SHA1: 74c73a920cbd9ef1057d4d8d7589363d14e4a55b SHA256: c18f5a54575e9b56f95bbeb353318cba41fefbadc7f101589d5fc0df3fd56141	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\cvg.mp4	0.49 KB (505 bytes)	MD5: da230cfbc8a80e350c87d894eebb76b9 SHA1: ea6d7ae1dc826a9344c00a01d47e92ee60bd6d61 SHA256: bdfc89fb5460d262442882b76f31f9853370abd79e86be034afb53e2be694118	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\chm.docx	0.60 KB (614 bytes)	MD5: 84d55a12fc2416df5c1553ee17ad0992 SHA1: b402fc11ff5ef3552be26235e9fd016c7fe912b2 SHA256: 918778adbeba224f4b9dd8910b717cf706563c35e06fbe0d04dfb00ced8678ee	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\vua.jpg	0.50 KB (509 bytes)	MD5: 6dd73a9654139bb6529a72207ddfde0f SHA1: bd67f636d12ed1c4cff28f6a9a84e28b97d7f1a5 SHA256: 42220eec08a393cd359ec79cb610d2a845926b8d8119eb505276564aa25698c9	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\oxl.ico	0.51 KB (520 bytes)	MD5: 22c528e901375639d3a014f6fe12ed43 SHA1: 74f6a3c188759980c3e7dc9de94642f86a18fb59 SHA256: 1af85ae13aa9aa6114ec4c03cfd840fb8222eeceb611aac530411979bd9bede9	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\fun.mp4	0.62 KB (633 bytes)	MD5: 41db425bddeb6edff3829ede53e4b059 SHA1: 8355713e8ff5b27cc72f2a784d597be7d02e3c26 SHA256: 668dff85c71ac5142e3105426be365b7834e1dd8e3e0043674a272af26138f35	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\fqv.xl	0.55 KB (567 bytes)	MD5: 2a8d81d0726edc11e6e4f75207fee58c SHA1: 041b9554b7a23b86240e82c0c18e0c34cfdd4ae1 SHA256: bc2d0c9ff398b2883465e9c5963d0a8933b034ae43f6002481f674b5ade6c839	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\hgu.ico	0.56 KB (569 bytes)	MD5: e9a2566e0a5296cf122c7089e0558baf SHA1: e7d3001b6b6ebf6928e942f4c8343f4f551e0284 SHA256: 418946d3f5ab5a04d537045108c4e8db6dcb48bb465e2d0a01f91723b7948e49	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\brh.ppt	0.58 KB (597 bytes)	MD5: fda5e079dbe06cc05c59ba4e27fa48c2 SHA1: 88181205ec8323e457d5bcd4e7a03cea28ad47c7 SHA256: 75cfe292e1d9d6bd3bdadfe1ce6bef7a57bfc2a6bb7ce6fecd497bf4ec583c37	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\xqa.mp4	0.54 KB (551 bytes)	MD5: d46dd879f8205faa467df9c9a0019a9d SHA1: 25631b0a07e69d1dc8e93e5e51946a27f98d2b17 SHA256: aa93b72e74034ed72878672e776fbe7fa55e93f78e485a337cbeae4bd18f4917	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\jub.bmp	0.56 KB (574 bytes)	MD5: 81932b74d719d9feaee98fd12634ac5b SHA1: a7283637bc88dacb689b39cebfc28a91e32f1e03 SHA256: 1c9ccc3a409e293eadbb70410de3c3405da55ceb47d36a639054b6f5c10a3c91	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\jgu.bmp	0.52 KB (532 bytes)	MD5: 2a84b8aefabec88301c0f50f7cfb46f6 SHA1: e4b2c15448b6dace8cfa8227784b3f9396a2f498 SHA256: ef754e4a3efc638823684023ef2ddbbcdaf1354c290e4c33ef394df4c2a8d2ca	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\tik.icm	0.54 KB (550 bytes)	MD5: 74efb6a98e74a829daafef9945004dca SHA1: c5102cd3b0d7602f51099a27657b37a3bf787561 SHA256: bf1ab35f7bd5d5fc365d2c176bb5c5374e578b8424ed0fde82f55d1eae1d350d	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\wjv.pdf	0.53 KB (539 bytes)	MD5: 1474405a725bc37f9fea9479c11a78bf SHA1: b57f9f373b5323f3b701bf350fd98cf8a827b3ff SHA256: d83ec42f0ff63cf14851f789e85f2dc33d76cb4c2409e1488f7474df2086033f	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\nvl.xl	0.51 KB (526 bytes)	MD5: 90ca387ad342c41ae796173d560ccf84 SHA1: eb03b500bbf683a889c4758d228b55cedddd4c30 SHA256: 0ecf3eb5d0f794e7e32a941580da8641bff3bf248a68df43a35ae16d77eda192	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\xfg.dat	0.51 KB (520 bytes)	MD5: c82da2a4e862c90a2d961098b1d64956 SHA1: 7edf516e6c807d8fa5aa912e23d9460721769207 SHA256: db7f2a223fef17affd13a518ac21c7675942bd475bc416dd78c7c6c186548b64	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\aqa.bmp	0.54 KB (557 bytes)	MD5: f8b9deca33aba33d64623f47e7c88855 SHA1: a70b7a6327133486d04d4d3c57bd8930a3e3a698 SHA256: 449952af1c2bd2a2e1878b3a81044793305185a7d27f0066521645906a5040c7	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\rnj.mp3	0.53 KB (547 bytes)	MD5: 6effc77853a885dd155870e04545880b SHA1: 98ebfdb5b3ef2c2db538a290a0a26bc6cf885916 SHA256: 89b82044c02980606c7d6b39aa2cf08b66ca0db7e1b5ad23a7c0d64e056340d2	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\eff.icm	0.51 KB (522 bytes)	MD5: c2f588f89c85d3c2c97e128f27234f2c SHA1: b2b64e8b77e831f3a16fdd1da61f8f64f514b19e SHA256: 1e8e0cc104f8c880f3a6d312f6bdc99c5f3f4fd3ee081eee7e2534ed511209fd	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\isi.xl	0.50 KB (507 bytes)	MD5: 469067bf5a94e9002cf154a81f397c6a SHA1: 737b86b50e3998052920f02bde3ad487743f1a6a SHA256: 6b418ce9673895fb76b32b67faf05073e577444d82bf42ff21733e1f057c3d60	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\upe.mp3	0.56 KB (578 bytes)	MD5: 62bd082578b0e38bc2b6b731b4a5ec49 SHA1: 3f6c8024888bf3caa19e6ad7db4a8f29859bdaa9 SHA256: 00a79f22f8ed82f6ea362254d04578bfa498dfed0d2ab8f733e6fbace1c2c078	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\fpo.xl	0.57 KB (581 bytes)	MD5: ff594e995d9f6268a047cc2e269eb2b9 SHA1: a0a8692e4560d122d0dd359157544b32fdc57cd0 SHA256: 6cc6a2d2a8196b938e5e332df30d025374d6c98a18c5e707021141966203d7e1	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\wlk.pdf	0.52 KB (536 bytes)	MD5: 747d40f9300dbb3ba36d7310b5ee40da SHA1: 90d715455eb32004107a92bf810df71371ed4047 SHA256: cef051d14bcbc14e12f9d130f71e8b285b37117cd20c23678419b9ab8659300d	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\nlb.pdf	0.53 KB (541 bytes)	MD5: a49efa6c9f872faad2232a4b6a2394a7 SHA1: c8dff7972de40ab025314a8c74b5bb8e1552170e SHA256: 97b1b6f6884f0f92342576a9667c5cb3c1b61fabc8a0b1b23d1f57582b0624d3	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\emv.bmp	0.50 KB (511 bytes)	MD5: 04f1e686525064abfdb4bfd7ff29a0b5 SHA1: 47748ea5978245b49c8136d9e147059afeb06ffe SHA256: 8e3de8ce80c00091cb1aaa93f590226c7ac53a509926cdd815301237dd8e9e1b	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\raq.jpg	0.50 KB (514 bytes)	MD5: e5d188010c3203e2d37d4225d6cae53b SHA1: 430d4c308efdb225a74e10d3facefa8e44252be1 SHA256: 93846c06cef1c5515a1f78e95c040be5c75d3b6c78bf6438cf12fd7345d3c1c8	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\nep.mp4	0.58 KB (589 bytes)	MD5: 498138dfbfbe52214e73e9c1141aa981 SHA1: bc7166b6abe72bb216d77d48185330668186bb88 SHA256: b1b69fb21d93d6bae3fbcf8338aa66ee2791362ec5f918bd9dc45c1c14d4749c	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\neo.ico	0.54 KB (551 bytes)	MD5: a128399da3f11bda3f2164a97cb2b531 SHA1: 0d00f9e17e6445805ef34c8fdb68fe8e38ab4868 SHA256: dcf09d4181263a2a3b0787085f7b8dc8913245c0d6ac535e16f8a77ba17ecc91	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\wxv.mp4	0.51 KB (526 bytes)	MD5: 924bdfca849290fd510d72a39da75d43 SHA1: b5c18c00e3596b8a87d068f67e59f46aba6509da SHA256: b32f0a65698effe8c62e482bf9b6aec6f5fd496d52da525dca2078988956d3d9	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\beb.ppt	0.52 KB (530 bytes)	MD5: afcc6587b4839826588ae54512851ef8 SHA1: e55525356075eba71766e12d7db9d67ef4cdd8cc SHA256: 5fdfa5c8afbda02553bbf95969ca4434c57456b4e51a56330fddd770d9f84277	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\als.txt	0.50 KB (512 bytes)	MD5: a81eeaae706a9e8ab123d3ed140d837e SHA1: 3f0feac929dd6f1f5776298da84a14298f12cb10 SHA256: 169b9a0889e98c8e239c472e3041fccb2433c668f269782b28c74648c5135ba7	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\jkg.txt	0.57 KB (588 bytes)	MD5: 0f7278aeb0c194405013a9963334e38c SHA1: 2b7dab89793af056f56e84b9a1040c2c3e01f5a9 SHA256: 0c9293277fd0325971a2cf297d88460ad8df83d40f09f947fb36a50c59ad9c31	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\idv.xl	0.54 KB (550 bytes)	MD5: 307fe5bd3f52c0aefb503401e2b08505 SHA1: 67ef51104877c6e6ca67e868b2a5d589e415a255 SHA256: 79bb5d0d7e6e403335b863935f832da481a550f7174e77f56a112d5a1f7bff8f	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\erk.ico	0.56 KB (576 bytes)	MD5: 0a5b38cbc77ff6bfd9ca434eb372e88e SHA1: a093894e555294518d98937f61e1eac26298539b SHA256: a3cc42516891627a6ff9dcc5dcca3a4deaefbbf2f9a5411a644a34242b57f6f7	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\jfo.dat	0.54 KB (556 bytes)	MD5: faf4d8efca05d9b305d0970a8417274c SHA1: 847aff73ea3889518231b2a8e5aa2befd843f48b SHA256: 4f081e6dfab65d9c1910303f41fafac0e3652e2af3713140d8cc30d79aed912e	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\pac.ppt	0.55 KB (564 bytes)	MD5: bc062df0b1cf65138efbd74028d417ee SHA1: 4e3254580fc0eea7fcd2daa270b5e94e7fca7560 SHA256: b007b3703bec0526df06de06a88e97f706f09554ac2eb930cad38a80a3c663f7	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\okk.pdf	0.53 KB (538 bytes)	MD5: 7c65637227835e997638cdbbdda237db SHA1: ddd80c708a202210df0c6bab2d53fad31510c77a SHA256: 26f1259b8d53d6b4a43da7ebf431f4aff6617bbad13a188e9b4f534e21fd94b5	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\dxj.docx	0.64 KB (651 bytes)	MD5: 1690024ca4904bc8664deb3b5c046a09 SHA1: d78d488168c4a91dfb4883107bb0b344e47f6103 SHA256: dc2a1291b72a6b56d6acf1a4d52278ff82a9ac18d20f650d7bf1c1527a0675d1	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\tob.ico	0.56 KB (575 bytes)	MD5: 5d4a58ea600887506e113f87226108a7 SHA1: 6fd6c6d7b08df98858f8cd8bab2a8ddbaef39b78 SHA256: f6b0188a75c7fa2bcc06eb7d5de15a84facab9b2e2cc8d54aa7708833888d49b	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\guv.xl	0.54 KB (550 bytes)	MD5: df21088736f29414e1aeacbea6dd4adb SHA1: 2444bd270127ae12148eaf048fe82021f5580952 SHA256: 0bb6caa082e474fd47bdb620aa88536820e95f84cef92dcbda4fb686f29b3c3a	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\hjd.mp4	0.53 KB (543 bytes)	MD5: ce4596068d05d9436fa2512cfe90a81a SHA1: 4e209aede4adcee82bb4a8008291069a3a558f5c SHA256: 54f750492edac60c64348bf5131e7ec5c2e60aa796d80194b673b9e632c9c9cd	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\ain.icm	0.52 KB (532 bytes)	MD5: d997ac87e2adca0fe86fb0ba4a628299 SHA1: 14cae556c130ac9c5fa65168e9680893a4c73899 SHA256: c4a221aabd4c8dbc1ba62bd28e79af98b2e7a2c5d624c5f5c889352499bb47af	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\ugv.icm	0.54 KB (549 bytes)	MD5: a8ca3dd1e20cbeba4c51df819b7bb68e SHA1: 36d2b3b494d42d9958553cad17fa04819dfa2883 SHA256: d7820ee70bff4ff3f6922ab56d97c88aa79eb8591311d3a6c58b33c1c289d14a	File Actions Show Properties Download

Host Behavior

File (2166)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	__tmp_rar_sfx_access_check_18052931	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	hin.ppt	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	cvn-nhc	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	cih.exe	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	jdl.jpg	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	vqm.xl	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	bcu.mp4	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	rnr.mp3	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	cvg.mp4	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	chm.docx	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	vua.jpg	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	oxl.ico	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	fun.mp4	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	fqv.xl	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	hgu.ico	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	brh.ppt	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	xqa.mp4	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	jub.bmp	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	jgu.bmp	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	tik.icm	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	wjv.pdf	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	nvl.xl	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	xfg.dat	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	aqa.bmp	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	rnj.mp3	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	eff.icm	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	isi.xl	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	upe.mp3	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	fpo.xl	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	wlk.pdf	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	nlb.pdf	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	emv.bmp	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	raq.jpg	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	nep.mp4	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	neo.ico	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	wxv.mp4	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	beb.ppt	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	als.txt	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	jkg.txt	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	idv.xl	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	erk.ico	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	jfo.dat	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	pac.ppt	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	okk.pdf	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	dxj.docx	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	tob.ico	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	guv.xl	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	hjd.mp4	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	ain.icm	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	ugv.icm	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create Directory	C:		1	Fn
Create Directory	C:\Users		1	Fn
Create Directory	C:\Users\EEBsYm5		1	Fn
Create Directory	C:\Users\EEBsYm5\AppData		1	Fn
Create Directory	C:\Users\EEBsYm5\AppData\Local		1	Fn
Create Directory	C:\Users\EEBsYm5\AppData\Local\Temp		1	Fn
Create Directory	C:\Users\EEBsYm5\AppData\Local\Temp\60484525		1	Fn
Add Search Path			1	Fn
Get Info	hin.ppt	type = file_attributes	1	Fn
Get Info	hin.ppt	type = file_type	1	Fn
Get Info	cvn-nhc	type = file_attributes	1	Fn
Get Info	cvn-nhc	type = file_type	1	Fn
Get Info	cih.exe	type = file_attributes	1	Fn
Get Info	cih.exe	type = file_type	1	Fn
Get Info	jdl.jpg	type = file_attributes	1	Fn
Get Info	jdl.jpg	type = file_type	1	Fn
Get Info	vqm.xl	type = file_attributes	1	Fn
Get Info	vqm.xl	type = file_type	1	Fn
Get Info	bcu.mp4	type = file_attributes	1	Fn
Get Info	bcu.mp4	type = file_type	1	Fn
Get Info	rnr.mp3	type = file_attributes	1	Fn
Get Info	rnr.mp3	type = file_type	1	Fn
Get Info	cvg.mp4	type = file_attributes	1	Fn
Get Info	cvg.mp4	type = file_type	1	Fn
Get Info	chm.docx	type = file_attributes	1	Fn
Get Info	chm.docx	type = file_type	1	Fn
Get Info	vua.jpg	type = file_attributes	1	Fn
Get Info	vua.jpg	type = file_type	1	Fn
Get Info	oxl.ico	type = file_attributes	1	Fn
Get Info	oxl.ico	type = file_type	1	Fn
Get Info	fun.mp4	type = file_attributes	1	Fn
Get Info	fun.mp4	type = file_type	1	Fn
Get Info	fqv.xl	type = file_attributes	1	Fn
Get Info	fqv.xl	type = file_type	1	Fn
Get Info	hgu.ico	type = file_attributes	1	Fn
Get Info	hgu.ico	type = file_type	1	Fn
Get Info	brh.ppt	type = file_attributes	1	Fn
Get Info	brh.ppt	type = file_type	1	Fn
Get Info	xqa.mp4	type = file_attributes	1	Fn
Get Info	xqa.mp4	type = file_type	1	Fn
Get Info	jub.bmp	type = file_attributes	1	Fn
Get Info	jub.bmp	type = file_type	1	Fn
Get Info	jgu.bmp	type = file_attributes	1	Fn
Get Info	jgu.bmp	type = file_type	1	Fn
Get Info	tik.icm	type = file_attributes	1	Fn
Get Info	tik.icm	type = file_type	1	Fn
Get Info	wjv.pdf	type = file_attributes	1	Fn
Get Info	wjv.pdf	type = file_type	1	Fn
Get Info	nvl.xl	type = file_attributes	1	Fn
Get Info	nvl.xl	type = file_type	1	Fn
Get Info	xfg.dat	type = file_attributes	1	Fn
Get Info	xfg.dat	type = file_type	1	Fn
Get Info	aqa.bmp	type = file_attributes	1	Fn
Get Info	aqa.bmp	type = file_type	1	Fn
Get Info	rnj.mp3	type = file_attributes	1	Fn
Get Info	rnj.mp3	type = file_type	1	Fn
Get Info	eff.icm	type = file_attributes	1	Fn
Get Info	eff.icm	type = file_type	1	Fn
Get Info	isi.xl	type = file_attributes	1	Fn
Get Info	isi.xl	type = file_type	1	Fn
Get Info	upe.mp3	type = file_attributes	1	Fn
Get Info	upe.mp3	type = file_type	1	Fn
Get Info	fpo.xl	type = file_attributes	1	Fn
Get Info	fpo.xl	type = file_type	1	Fn
Get Info	wlk.pdf	type = file_attributes	1	Fn
Get Info	wlk.pdf	type = file_type	1	Fn
Get Info	nlb.pdf	type = file_attributes	1	Fn
Get Info	nlb.pdf	type = file_type	1	Fn
Get Info	emv.bmp	type = file_attributes	1	Fn
Get Info	emv.bmp	type = file_type	1	Fn
Get Info	raq.jpg	type = file_attributes	1	Fn
Get Info	raq.jpg	type = file_type	1	Fn
Get Info	nep.mp4	type = file_attributes	1	Fn
Get Info	nep.mp4	type = file_type	1	Fn
Get Info	neo.ico	type = file_attributes	1	Fn
Get Info	neo.ico	type = file_type	1	Fn
Get Info	wxv.mp4	type = file_attributes	1	Fn
Get Info	wxv.mp4	type = file_type	1	Fn
Get Info	beb.ppt	type = file_attributes	1	Fn
Get Info	beb.ppt	type = file_type	1	Fn
Get Info	als.txt	type = file_attributes	1	Fn
Get Info	als.txt	type = file_type	1	Fn
Get Info	jkg.txt	type = file_attributes	1	Fn
Get Info	jkg.txt	type = file_type	1	Fn
Get Info	idv.xl	type = file_attributes	1	Fn
Get Info	idv.xl	type = file_type	1	Fn
Get Info	erk.ico	type = file_attributes	1	Fn
Get Info	erk.ico	type = file_type	1	Fn
Get Info	jfo.dat	type = file_attributes	1	Fn
Get Info	jfo.dat	type = file_type	1	Fn
Get Info	pac.ppt	type = file_attributes	1	Fn
Get Info	pac.ppt	type = file_type	1	Fn
Get Info	okk.pdf	type = file_attributes	1	Fn
Get Info	okk.pdf	type = file_type	1	Fn
Get Info	dxj.docx	type = file_attributes	1	Fn
Get Info	dxj.docx	type = file_type	1	Fn
Get Info	tob.ico	type = file_attributes	1	Fn
Get Info	tob.ico	type = file_type	1	Fn
Get Info	guv.xl	type = file_attributes	1	Fn
Get Info	guv.xl	type = file_type	1	Fn
Get Info	hjd.mp4	type = file_attributes	1	Fn
Get Info	hjd.mp4	type = file_type	1	Fn
Get Info	ain.icm	type = file_attributes	1	Fn
Get Info	ain.icm	type = file_type	1	Fn
Get Info	ugv.icm	type = file_attributes	1	Fn
Get Info	ugv.icm	type = file_type	1	Fn
Get Info	cih.exe	type = file_attributes	1	Fn
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 8192, size_out = 8192	12	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 7, size_out = 7	6	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 1048560, size_out = 934137	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 6, size_out = 6	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 28, size_out = 28	2	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 37, size_out = 37	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 2708, size_out = 2708	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 0, size_out = 0	17	Fn
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 7, size_out = 7	56	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 1048560, size_out = 934137	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 6, size_out = 6	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 28, size_out = 28	2	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 37, size_out = 37	40	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 32768, size_out = 32768	2	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 32736, size_out = 32736	22	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 10894, size_out = 10894	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 0, size_out = 0	1706	Fn
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 9115, size_out = 9115	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 32, size_out = 32	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 5087, size_out = 5087	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 476, size_out = 476	3	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 36, size_out = 36	7	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 427, size_out = 427	2	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 425, size_out = 425	2	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 452, size_out = 452	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 411, size_out = 411	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 38, size_out = 38	2	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 499, size_out = 499	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 416, size_out = 416	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 506, size_out = 506	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 459, size_out = 459	2	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 486, size_out = 486	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 446, size_out = 446	2	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 469, size_out = 469	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 432, size_out = 432	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 449, size_out = 449	2	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 437, size_out = 437	3	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 428, size_out = 428	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 424, size_out = 424	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 445, size_out = 445	2	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 426, size_out = 426	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 412, size_out = 412	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 470, size_out = 470	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 468, size_out = 468	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 435, size_out = 435	2	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 419, size_out = 419	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 444, size_out = 444	2	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 429, size_out = 429	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 421, size_out = 421	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 467, size_out = 467	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 448, size_out = 448	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 456, size_out = 456	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 439, size_out = 439	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 526, size_out = 526	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 462, size_out = 462	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 447, size_out = 447	1	Fn Data
Write	hin.ppt	size = 771181	1	Fn Data
Write	cvn-nhc	size = 3022508	1	Fn
Write	cih.exe	size = 65536	8	Fn Data
Write	cih.exe	size = 2560	2	Fn Data
Write	cih.exe	size = 1792	1	Fn Data
Write	cih.exe	size = 5888	1	Fn Data
Write	cih.exe	size = 768	1	Fn Data
Write	cih.exe	size = 37632	1	Fn Data
Write	cih.exe	size = 8960	1	Fn Data
Write	cih.exe	size = 1536	1	Fn Data
Write	cih.exe	size = 256	1	Fn Data
Write	cih.exe	size = 1024	3	Fn Data
Write	cih.exe	size = 28672	1	Fn Data
Write	cih.exe	size = 95232	1	Fn Data
Write	cih.exe	size = 512	1	Fn Data
Write	cih.exe	size = 7168	1	Fn Data
Write	cih.exe	size = 16896	1	Fn Data
Write	cih.exe	size = 4864	1	Fn Data
Write	cih.exe	size = 7664	1	Fn Data
Write	jdl.jpg	size = 593	1	Fn Data
Write	vqm.xl	size = 525	1	Fn Data
Write	bcu.mp4	size = 521	1	Fn Data
Write	rnr.mp3	size = 556	1	Fn Data
Write	cvg.mp4	size = 505	1	Fn Data
Write	chm.docx	size = 614	1	Fn Data
Write	vua.jpg	size = 509	1	Fn Data
Write	oxl.ico	size = 520	1	Fn Data
Write	fun.mp4	size = 633	1	Fn Data
Write	fqv.xl	size = 567	1	Fn Data
Write	hgu.ico	size = 569	1	Fn Data
Write	brh.ppt	size = 597	1	Fn Data
Write	xqa.mp4	size = 551	1	Fn Data
Write	jub.bmp	size = 574	1	Fn Data
Write	jgu.bmp	size = 532	1	Fn Data
Write	tik.icm	size = 550	1	Fn Data
Write	wjv.pdf	size = 539	1	Fn Data
Write	nvl.xl	size = 526	1	Fn Data
Write	xfg.dat	size = 520	1	Fn Data
Write	aqa.bmp	size = 557	1	Fn Data
Write	rnj.mp3	size = 547	1	Fn Data
Write	eff.icm	size = 522	1	Fn Data
Write	isi.xl	size = 507	1	Fn Data
Write	upe.mp3	size = 578	1	Fn Data
Write	fpo.xl	size = 581	1	Fn Data
Write	wlk.pdf	size = 536	1	Fn Data
Write	nlb.pdf	size = 541	1	Fn Data
Write	emv.bmp	size = 511	1	Fn Data
Write	raq.jpg	size = 514	1	Fn Data
Write	nep.mp4	size = 589	1	Fn Data
Write	neo.ico	size = 551	1	Fn Data
Write	wxv.mp4	size = 526	1	Fn Data
Write	beb.ppt	size = 530	1	Fn Data
Write	als.txt	size = 512	1	Fn Data
Write	jkg.txt	size = 588	1	Fn Data
Write	idv.xl	size = 550	1	Fn Data
Write	erk.ico	size = 576	1	Fn Data
Write	jfo.dat	size = 556	1	Fn Data
Write	pac.ppt	size = 564	1	Fn Data
Write	okk.pdf	size = 538	1	Fn Data
Write	dxj.docx	size = 651	1	Fn Data
Write	tob.ico	size = 575	1	Fn Data
Write	guv.xl	size = 550	1	Fn Data
Write	hjd.mp4	size = 543	1	Fn Data
Write	ain.icm	size = 532	1	Fn Data
Write	ugv.icm	size = 549	1	Fn Data
Delete	__tmp_rar_sfx_access_check_18052931		1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe	show_window = SW_SHOWNORMAL		1	Fn

Module (7)

Operation	Module	Additional Information	Count	Logfile
Load	riched32.dll	base_address = 0x72980000	1	Fn
Load	riched20.dll	base_address = 0x6d740000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x769e0000	1	Fn
Get Handle	c:\users\eebsym5\desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	base_address = 0x400000	2	Fn
Get Filename		process_name = c:\users\eebsym5\desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 1024	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetDllDirectoryW, address_out = 0x76a6c7cf	1	Fn

Window (2)

Operation	Window Name	Additional Information	Success	Count	Logfile
Set Attribute		index = 18446744073709551600, new_long = 1342341248		1	Fn

System (1877)

Operation	Additional Information	Count	Logfile
Get Time	type = Ticks, time = 52868	20	Fn
Get Time	type = Ticks, time = 52931	1	Fn
Get Time	type = System Time, time = 2017-10-04 02:23:35 (UTC)	1	Fn
Get Time	type = Ticks, time = 53024	4	Fn
Get Time	type = Ticks, time = 53040	30	Fn
Get Time	type = Ticks, time = 53055	1	Fn
Get Time	type = Ticks, time = 53071	63	Fn
Get Time	type = Ticks, time = 53087	109	Fn
Get Time	type = Ticks, time = 53149	1	Fn
Get Time	type = Ticks, time = 53196	4	Fn
Get Time	type = Ticks, time = 53211	37	Fn
Get Time	type = Ticks, time = 53227	19	Fn
Get Time	type = Ticks, time = 53243	37	Fn
Get Time	type = Ticks, time = 53258	72	Fn
Get Time	type = Ticks, time = 53274	61	Fn
Get Time	type = Ticks, time = 53289	32	Fn
Get Time	type = Ticks, time = 53305	68	Fn
Get Time	type = Ticks, time = 53321	76	Fn
Get Time	type = Ticks, time = 53336	66	Fn
Get Time	type = Ticks, time = 53352	70	Fn
Get Time	type = Ticks, time = 53367	60	Fn
Get Time	type = Ticks, time = 53383	79	Fn
Get Time	type = Ticks, time = 53399	71	Fn
Get Time	type = Ticks, time = 53414	33	Fn
Get Time	type = Ticks, time = 53430	71	Fn
Get Time	type = Ticks, time = 53445	66	Fn
Get Time	type = Ticks, time = 53461	69	Fn
Get Time	type = Ticks, time = 53477	70	Fn
Get Time	type = Ticks, time = 53492	69	Fn
Get Time	type = Ticks, time = 53508	34	Fn
Get Time	type = Ticks, time = 53523	61	Fn
Get Time	type = Ticks, time = 53539	47	Fn
Get Time	type = Ticks, time = 53555	67	Fn
Get Time	type = Ticks, time = 53570	19	Fn
Get Time	type = Ticks, time = 53586	73	Fn
Get Time	type = Ticks, time = 53601	83	Fn
Get Time	type = Ticks, time = 53617	68	Fn
Get Time	type = Ticks, time = 53633	64	Fn
Get Info	type = Operating System	1	Fn

Environment (2)

Operation	Additional Information	Success	Count	Logfile
Set Environment String	name = sfxcmd, value = "C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe"		1	Fn
Set Environment String	name = sfxname, value = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe		1	Fn

Process #2: cih.exe

(Host: 256, Network: 0)

Information	Value
ID	#2
File Name	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe
Command Line	"C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe" cvn-nhc
Initial Working Directory	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\
Monitor	Start Time: 00:00:16, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:55

OS Process Information

Information	Value
PID	0xa20
Parent PID	0xa00 (c:\users\eebsym5\desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A24 0x A28 0x A2C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000080000	0x00080000	0x00081fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000090000	0x00090000	0x0048ffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x00490000	0x004f6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000500000	0x00500000	0x005c7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005d0000	0x005d0000	0x006aefff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006b0000	0x006b0000	0x006b0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000006c0000	0x006c0000	0x006c6fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000006d0000	0x006d0000	0x006dffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000006e0000	0x006e0000	0x007e0fff	Pagefile Backed Memory	Readable	Region Actions
rpcss.dll	0x007f0000	0x0084bfff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000007f0000	0x007f0000	0x007f1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000800000	0x00800000	0x00800fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000810000	0x00810000	0x0088ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000890000	0x00890000	0x0089ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000890000	0x00890000	0x00896fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000008a0000	0x008a0000	0x008a6fff	Pagefile Backed Memory	Readable, Writable	Region Actions
cih.exe	0x008b0000	0x0097bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000980000	0x00980000	0x00a7ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000aa0000	0x00aa0000	0x00e9ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000ea0000	0x00ea0000	0x01a9ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001c00000	0x01c00000	0x01c0ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001c10000	0x01c10000	0x01deffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x01df0000	0x020befff	Memory Mapped File	Readable	Region Actions
private_0x00000000020e0000	0x020e0000	0x024dffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000024e0000	0x024e0000	0x028d2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000029e0000	0x029e0000	0x02ddffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002de0000	0x02de0000	0x02ffffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002de0000	0x02de0000	0x02f9cfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002fc0000	0x02fc0000	0x02ffffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000003000000	0x03000000	0x031fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000003310000	0x03310000	0x0341ffff	Private Memory	Readable, Writable	Region Actions Download Dump
winmm.dll	0x6e3b0000	0x6e3e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x718d0000	0x718e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsock32.dll	0x72980000	0x72986fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x73a70000	0x73a82fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x73dc0000	0x73dfffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x740c0000	0x7425dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74660000	0x74668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x747c0000	0x747d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75090000	0x7509bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x75110000	0x7511afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75180000	0x7518bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x75190000	0x751b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x751c0000	0x752dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x752e0000	0x75329fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x75360000	0x75371fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75410000	0x75545fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75550000	0x7559dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x755a0000	0x75668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75670000	0x756a4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x756b0000	0x75706fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75710000	0x7572efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75730000	0x757fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75810000	0x7589efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75980000	0x765c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x765d0000	0x765d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x765e0000	0x7667cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76680000	0x767dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x76840000	0x76934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76940000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x769e0000	0x76ab3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76ac0000	0x76b60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x76b70000	0x76d0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76d10000	0x76dbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x76dc0000	0x76fbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76fc0000	0x770fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77100000	0x77104fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77110000	0x77128fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77160000	0x77169fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77170000	0x771eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77200000	0x77200fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\eebsym5\appdata\local\temp\60484525\iwlwk	271.35 KB (277864 bytes)	MD5: 1ddc15ba0f5ad90873d42c41f4a2abc3 SHA1: 4cc438d56cd0317c3cd75f6630f2ce4ce4b31ca0 SHA256: c1492aca20af26af0c906dc391b808f2b227904a8948aa7b34caeddb70fc83cb		File Actions Show Properties Download

Host Behavior

File (171)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	type = file_type	1	Fn
Get Info	.	type = file_attributes	1	Fn
Get Info	ain.icm	type = file_attributes	1	Fn
Get Info	als.txt	type = file_attributes	1	Fn
Get Info	aqa.bmp	type = file_attributes	1	Fn
Get Info	bcu.mp4	type = file_attributes	1	Fn
Get Info	beb.ppt	type = file_attributes	1	Fn
Get Info	brh.ppt	type = file_attributes	1	Fn
Get Info	chm.docx	type = file_attributes	1	Fn
Get Info	cih.exe	type = file_attributes	1	Fn
Get Info	cvg.mp4	type = file_attributes	1	Fn
Get Info	cvn-nhc	type = file_attributes	1	Fn
Get Info	dxj.docx	type = file_attributes	1	Fn
Get Info	eff.icm	type = file_attributes	1	Fn
Get Info	emv.bmp	type = file_attributes	1	Fn
Get Info	erk.ico	type = file_attributes	1	Fn
Get Info	fpo.xl	type = file_attributes	1	Fn
Get Info	fqv.xl	type = file_attributes	1	Fn
Get Info	fun.mp4	type = file_attributes	1	Fn
Get Info	guv.xl	type = file_attributes	1	Fn
Get Info	hgu.ico	type = file_attributes	1	Fn
Get Info	hin.ppt	type = file_attributes	1	Fn
Get Info	hjd.mp4	type = file_attributes	1	Fn
Get Info	idv.xl	type = file_attributes	1	Fn
Get Info	isi.xl	type = file_attributes	1	Fn
Get Info	jdl.jpg	type = file_attributes	1	Fn
Get Info	jfo.dat	type = file_attributes	1	Fn
Get Info	jgu.bmp	type = file_attributes	1	Fn
Get Info	jkg.txt	type = file_attributes	1	Fn
Get Info	jub.bmp	type = file_attributes	1	Fn
Get Info	neo.ico	type = file_attributes	1	Fn
Get Info	nep.mp4	type = file_attributes	1	Fn
Get Info	nlb.pdf	type = file_attributes	1	Fn
Get Info	nvl.xl	type = file_attributes	1	Fn
Get Info	okk.pdf	type = file_attributes	1	Fn
Get Info	oxl.ico	type = file_attributes	1	Fn
Get Info	pac.ppt	type = file_attributes	1	Fn
Get Info	raq.jpg	type = file_attributes	1	Fn
Get Info	rnj.mp3	type = file_attributes	1	Fn
Get Info	rnr.mp3	type = file_attributes	1	Fn
Get Info	tik.icm	type = file_attributes	1	Fn
Get Info	tob.ico	type = file_attributes	1	Fn
Get Info	ugv.icm	type = file_attributes	1	Fn
Get Info	upe.mp3	type = file_attributes	1	Fn
Get Info	vqm.xl	type = file_attributes	1	Fn
Get Info	vua.jpg	type = file_attributes	1	Fn
Get Info	wjv.pdf	type = file_attributes	1	Fn
Get Info	wlk.pdf	type = file_attributes	1	Fn
Get Info	wxv.mp4	type = file_attributes	1	Fn
Get Info	xfg.dat	type = file_attributes	1	Fn
Get Info	xqa.mp4	type = file_attributes	1	Fn
Open	STD_INPUT_HANDLE		2	Fn
Open	STD_OUTPUT_HANDLE		1	Fn
Open	STD_ERROR_HANDLE		1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	size = 65536, size_out = 65536	92	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	size = 65536, size_out = 8772	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	size = 53248, size_out = 0	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	size = 65536, size_out = 20	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	size = 61440, size_out = 0	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	size = 65536, size_out = 7852	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	size = 65536, size_out = 0	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	size = 65536, size_out = 65536	12	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	size = 65536, size_out = 50285	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	size = 65536, size_out = 0	1	Fn

Registry (3)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Control Panel\Mouse		1	Fn
Open Key	HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt		1	Fn
Read Value	HKEY_CURRENT_USER\Control Panel\Mouse	value_name = SwapMouseButtons, data = 48	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	os_pid = 0xa30, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL		1	Fn

Module (17)

Operation	Module	Additional Information	Count	Logfile
Load	kernel32.dll	base_address = 0x769e0000	1	Fn
Load	uxtheme.dll	base_address = 0x73dc0000	1	Fn
Load	user32.dll	base_address = 0x755a0000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x769e0000	2	Fn
Get Handle	mscoree.dll	base_address = 0x0	1	Fn
Get Filename		process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe, size = 260	3	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsAlloc, address_out = 0x76a3418d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsGetValue, address_out = 0x76a31e16	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsSetValue, address_out = 0x76a376e6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsFree, address_out = 0x76a31f61	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsWow64Process, address_out = 0x76a24785	1	Fn
Get Address	c:\windows\system32\uxtheme.dll	function = IsThemeActive, address_out = 0x73dcf785	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CallWindowProc, address_out = 0x0	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CallWindowProcA, address_out = 0x755d2bd3	1	Fn

Window (2)

Operation	Window Name	Additional Information	Success	Count	Logfile
Create	AutoIt v3	class_name = AutoIt v3, wndproc_parameter = 0		1	Fn

System (6)

Operation	Additional Information	Count	Logfile
Sleep	duration = 750 milliseconds (0.750 seconds)	1	Fn
Get Time	type = System Time, time = 2017-10-04 02:23:36 (UTC)	1	Fn
Get Time	type = Ticks, time = 54132	1	Fn
Get Time	type = System Time, time = 2017-10-04 02:23:37 (UTC)	1	Fn
Get Info	type = Operating System	1	Fn
Get Info	type = Hardware Information	1	Fn

Environment (1)

Operation	Additional Information	Success	Count	Logfile
Get Environment String			1	Fn Data

Ini (3)

Operation	Filename	Additional Information	Count	Logfile
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = Dir, data_out = 60484525	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = sK, data_out = 228	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = sN, data_out = rpi.qcn	1	Fn

Debug (1)

Operation	Process	Additional Information	Success	Count	Logfile
Check for Presence	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe			1	Fn

Process #3: cih.exe

(Host: 371, Network: 0)

Information	Value
ID	#3
File Name	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe
Command Line	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK
Initial Working Directory	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\
Monitor	Start Time: 00:00:16, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:55

OS Process Information

Information	Value
PID	0xa30
Parent PID	0xa20 (c:\users\eebsym5\appdata\local\temp\60484525\cih.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A34 0x A38 0x A3C 0x A40

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x004effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004f0000	0x004f0000	0x005b7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005c0000	0x005c0000	0x006c0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006d0000	0x006d0000	0x006d1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000006e0000	0x006e0000	0x0077ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000006e0000	0x006e0000	0x006e1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006f0000	0x006f0000	0x006f0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000700000	0x00700000	0x00706fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000710000	0x00710000	0x00711fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000720000	0x00720000	0x00720fff	Private Memory	Readable, Writable	Region Actions
tzres.dll	0x00730000	0x00730fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000730000	0x00730000	0x00730fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000740000	0x00740000	0x0077ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000780000	0x00780000	0x00780fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000790000	0x00790000	0x00790fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000007a0000	0x007a0000	0x007a0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000007b0000	0x007b0000	0x007bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000007c0000	0x007c0000	0x0089efff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000008a0000	0x008a0000	0x008a0fff	Private Memory	Readable, Writable, Executable	Region Actions
cih.exe	0x008b0000	0x0097bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcss.dll	0x00980000	0x009dbfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000980000	0x00980000	0x009fffff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x00a00000	0x00a3bfff	Memory Mapped File	Readable	Region Actions
rsaenh.dll	0x00a00000	0x00a3bfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000a00000	0x00a00000	0x00a00fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000a40000	0x00a40000	0x00e3ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000e40000	0x00e40000	0x01a3ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01a40000	0x01d0efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001d10000	0x01d10000	0x01e0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e30000	0x01e30000	0x0222ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002230000	0x02230000	0x02622fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002630000	0x02630000	0x0273ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002740000	0x02740000	0x0293ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002940000	0x02940000	0x02afcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000029e0000	0x029e0000	0x02ddffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002de0000	0x02de0000	0x02f9cfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002ea0000	0x02ea0000	0x0329ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000032a0000	0x032a0000	0x0345cfff	Private Memory	Readable, Writable	Region Actions Download Dump
winmm.dll	0x6e3b0000	0x6e3e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x718d0000	0x718e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsock32.dll	0x72980000	0x72986fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x73a70000	0x73a82fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x73dc0000	0x73dfffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x740c0000	0x7425dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74660000	0x74668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x747c0000	0x747d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x749b0000	0x749eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74c10000	0x74c25fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75090000	0x7509bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x75110000	0x7511afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75180000	0x7518bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x75190000	0x751b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x751c0000	0x752dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x752e0000	0x75329fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x75360000	0x75371fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75410000	0x75545fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75550000	0x7559dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x755a0000	0x75668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75670000	0x756a4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x756b0000	0x75706fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75710000	0x7572efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75730000	0x757fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75810000	0x7589efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75980000	0x765c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x765d0000	0x765d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x765e0000	0x7667cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76680000	0x767dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x76840000	0x76934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76940000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x769e0000	0x76ab3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76ac0000	0x76b60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x76b70000	0x76d0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76d10000	0x76dbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x76dc0000	0x76fbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76fc0000	0x770fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77100000	0x77104fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77110000	0x77128fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77160000	0x77169fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77170000	0x771eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77200000	0x77200fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

File (41)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	type = file_type	1	Fn
Get Info	60484525	type = file_attributes	2	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\spd	type = file_attributes	1	Fn
Get Info	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	type = file_attributes	1	Fn
Open	STD_INPUT_HANDLE		2	Fn
Open	STD_OUTPUT_HANDLE		1	Fn
Open	STD_ERROR_HANDLE		1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	size = 65536, size_out = 65536	8	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	size = 65536, size_out = 15800	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	size = 49152, size_out = 0	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	size = 65536, size_out = 20	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	size = 61440, size_out = 0	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	size = 65536, size_out = 15720	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	size = 65536, size_out = 0	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	size = 65536, size_out = 65536	12	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	size = 65536, size_out = 50285	1	Fn Data
Delete	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK		1	Fn

Registry (5)

Operation	Key	Additional Information	Count	Logfile
Create Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run		1	Fn
Open Key	HKEY_CURRENT_USER\Control Panel\Mouse		1	Fn
Open Key	HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt		1	Fn
Read Value	HKEY_CURRENT_USER\Control Panel\Mouse	value_name = SwapMouseButtons, data = 48	1	Fn
Write Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	value_name = WindowsUpdate, data = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 212, type = REG_SZ	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	os_pid = 0xa4c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE		1	Fn

Thread (3)

Operation	Process	Additional Information	Count	Logfile
Get Context	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	os_tid = 0xa34	1	Fn
Set Context	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	os_tid = 0xa34	1	Fn
Resume	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	os_tid = 0xa34	1	Fn

Memory (7)

Operation	Process	Additional Information	Count	Logfile
Allocate	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 106496	1	Fn
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	address = 0x400000, size = 4096	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	address = 0x401000, size = 69632	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	address = 0x412000, size = 24576	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	address = 0x418000, size = 4096	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	address = 0x419000, size = 4096	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	address = 0x7ffd3008, size = 4	1	Fn Data

Module (48)

Operation	Module	Additional Information	Count	Logfile
Load	kernel32.dll	base_address = 0x769e0000	1	Fn
Load	uxtheme.dll	base_address = 0x73dc0000	1	Fn
Load	Advapi32.dll	base_address = 0x76940000	1	Fn
Load	user32.dll	base_address = 0x755a0000	1	Fn
Load	kernel32	base_address = 0x769e0000	17	Fn
Load	ntdll	base_address = 0x76fc0000	8	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x769e0000	2	Fn
Get Handle	mscoree.dll	base_address = 0x0	1	Fn
Get Filename		process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe, size = 260	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsAlloc, address_out = 0x76a3418d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsGetValue, address_out = 0x76a31e16	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsSetValue, address_out = 0x76a376e6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsFree, address_out = 0x76a31f61	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsWow64Process, address_out = 0x76a24785	1	Fn
Get Address	c:\windows\system32\uxtheme.dll	function = IsThemeActive, address_out = 0x73dcf785	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptAcquireContext, address_out = 0x0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptAcquireContextA, address_out = 0x769491dd	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptCreateHash, address_out = 0x7694df4e	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptHashData, address_out = 0x7694df36	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDeriveKey, address_out = 0x76983188	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDestroyHash, address_out = 0x7694df66	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDecrypt, address_out = 0x76983178	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CallWindowProcW, address_out = 0x755b1b3c	1	Fn

Service (1)

Operation	Additional Information	Success	Count	Logfile
Open Manager	database_name = SERVICES_ACTIVE_DATABASE		1	Fn

Window (2)

Operation	Window Name	Additional Information	Success	Count	Logfile
Create	AutoIt v3	class_name = AutoIt v3, wndproc_parameter = 0		1	Fn

System (235)

Operation	Additional Information	Count	Logfile
Sleep	duration = 750 milliseconds (0.750 seconds)	7	Fn
Sleep	duration = 10 milliseconds (0.010 seconds)	219	Fn
Get Time	type = System Time, time = 2017-10-04 02:23:37 (UTC)	3	Fn
Get Time	type = Ticks, time = 54881	1	Fn
Get Info	type = Operating System	1	Fn
Get Info	type = Hardware Information	1	Fn
Get Info	type = Windows Directory, result_out = C:\Windows	3	Fn

Environment (1)

Operation	Additional Information	Success	Count	Logfile
Get Environment String			1	Fn Data

Ini (22)

Operation	Filename	Additional Information	Count	Logfile
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = Dir, data_out = 60484525	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = msg	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = _S0x20057179D673181B71D4593BFB2A0450	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = VM	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = SandBox	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = duac	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = drpt	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = btklr	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = taskmnrg	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = hSUps	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = StartUps, data_out = lju-0W23JhA138k76msH67J30	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = Key, data_out = WindowsUpdate	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = AuEx, data_out = cvn-nhc	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = ExEc, data_out = cih.exe	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = Down	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = Net	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = eof	2	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = RP, data_out = qkr.xul	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = Keys, data_out = jom	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = fb	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = btkl	1	Fn

Debug (1)

Operation	Process	Additional Information	Success	Count	Logfile
Check for Presence	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe			1	Fn

Process #4: regsvcs.exe

(Host: 274, Network: 39)

Information	Value
ID	#4
File Name	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Initial Working Directory	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\
Monitor	Start Time: 00:00:19, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:52

OS Process Information

Information	Value
PID	0xa4c
Parent PID	0xa30 (c:\users\eebsym5\appdata\local\temp\60484525\cih.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A50 0x A54 0x A58 0x A5C 0x A60 0x A64 0x A68 0x A74 0x A80 0x A84 0x A88 0x A8C 0x AC8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x001effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001f0000	0x001f0000	0x002b7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000002c0000	0x002c0000	0x003c0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000003d0000	0x003d0000	0x003d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003e0000	0x003e0000	0x003e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x003f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x00419fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000460000	0x00460000	0x0055ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000580000	0x00580000	0x0067ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000680000	0x00680000	0x0077ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007e0000	0x007e0000	0x008dffff	Private Memory	Readable, Writable	Region Actions
regsvcs.exe	0x008e0000	0x008edfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000008f0000	0x008f0000	0x014effff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001580000	0x01580000	0x0167ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016b0000	0x016b0000	0x017affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000017b0000	0x017b0000	0x018affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001960000	0x01960000	0x01a5ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01a60000	0x01d2efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001d30000	0x01d30000	0x01efffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001d30000	0x01d30000	0x01e9ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001d30000	0x01d30000	0x01e1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e90000	0x01e90000	0x01e9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ec0000	0x01ec0000	0x01efffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f00000	0x01f00000	0x020fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001f00000	0x01f00000	0x01feffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ff0000	0x01ff0000	0x020effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000020f0000	0x020f0000	0x020fffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000021c0000	0x021c0000	0x022bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002320000	0x02320000	0x0241ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002420000	0x02420000	0x0261ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002460000	0x02460000	0x0255ffff	Private Memory	Readable, Writable	Region Actions Download Dump
msvcp60.dll	0x6d750000	0x6d7b5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winrnr.dll	0x6de10000	0x6de17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pnrpnsp.dll	0x6de20000	0x6de31fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
napinsp.dll	0x6de50000	0x6de5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x6e3b0000	0x6e3e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasadhlp.dll	0x714a0000	0x714a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fwpuclnt.dll	0x73310000	0x73347fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x73670000	0x73676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x73690000	0x736abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x73890000	0x7389ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdiplus.dll	0x73c30000	0x73dbffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x746f0000	0x746f4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x74a90000	0x74ad3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x74bd0000	0x74c0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75070000	0x7508afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75180000	0x7518bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x751c0000	0x752dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x752e0000	0x75329fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75410000	0x75545fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75550000	0x7559dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x755a0000	0x75668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75670000	0x756a4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x756b0000	0x75706fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75710000	0x7572efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75730000	0x757fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75810000	0x7589efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75980000	0x765c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x765d0000	0x765d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x765e0000	0x7667cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76680000	0x767dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x76840000	0x76934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76940000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x769e0000	0x76ab3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76ac0000	0x76b60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76d10000	0x76dbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x76dc0000	0x76fbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76fc0000	0x770fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77100000	0x77104fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77110000	0x77128fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77160000	0x77169fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77200000	0x77200fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd3000	0x7ffd3000	0x7ffd3fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffd5000	0x7ffd5000	0x7ffd5fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffd6000	0x7ffd6000	0x7ffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffd7000	0x7ffd7000	0x7ffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffd8000	0x7ffd8000	0x7ffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffd9000	0x7ffd9000	0x7ffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#3: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0xa34	address = 0x400000, size = 4096	1	Fn Data
Modify Memory	#3: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0xa34	address = 0x401000, size = 69632	1	Fn Data
Modify Memory	#3: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0xa34	address = 0x412000, size = 24576	1	Fn Data
Modify Memory	#3: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0xa34	address = 0x418000, size = 4096	1	Fn Data
Modify Memory	#3: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0xa34	address = 0x419000, size = 4096	1	Fn Data
Modify Memory	#3: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0xa34	address = 0x7ffd3008, size = 4	1	Fn Data
Modify Control Flow	#3: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0xa34	os_tid = 0xa50, address = 0x77007098	1	Fn

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\eebsym5\appdata\roaming\chrome\logs.dat	0.02 KB (19 bytes)	MD5: 38182931074f70c4af328e12641acd51 SHA1: 96a8d3ad86aa0991ed7e8a0b89b1e3ea007d4327 SHA256: f05dd4eb5990bd9ca1497af17ab66595f92853535c1619748d316e09a4a1a126		File Actions Show Properties Download
c:\users\eebsym5\appdata\roaming\chrome\logs.dat	0.01 KB (13 bytes)	MD5: 4241be51b5abe777809dc6f32247a4a9 SHA1: 24df3e03dd8d4a0467a7887c9ce865f630f03725 SHA256: 6bf4b2ce4815a57a74e5314f7087bad520eeb4fadc849c3088b62e24ca7dea8c		File Actions Show Properties Download

Host Behavior

File (69)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	9	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\widfu	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	9	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	10	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\widfu	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create Directory	C:\Users\EEBsYm5\AppData\Roaming\chrome		1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Temp\widfu	type = size	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh	type = size	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat	type = file_attributes	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\widfu	size = 0, size_out = 0	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh	size = 2, size_out = 2	1	Fn Data
Write	C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat	size = 19	1	Fn Data
Delete	C:\Users\EEBsYm5\AppData\Local\Temp\widfu		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@ad13.adfarm1.adition[1].txt		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adfarm1.adition[1].txt		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adform[1].txt		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adnxs[1].txt		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adtech[2].txt		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@advertising[1].txt		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@api.bing[2].txt		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@at.atwola[2].txt		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@bing[1].txt		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@bs.serving-sys[1].txt		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@bs.serving-sys[2].txt		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@c.bing[2].txt		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@c.msn[2].txt		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@google[1].txt		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@linkedin[2].txt		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@msn[1].txt		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@scorecardresearch[2].txt		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@serving-sys[1].txt		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@track.adform[1].txt		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@www.bing[1].txt		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@www.linkedin[1].txt		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@www.msn[2].txt		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\index.dat		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\logins.json		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\key3.db		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Cookies		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data		1	Fn

Registry (28)

Operation	Key	Additional Information	Count	Logfile
Create Key	HKEY_CURRENT_USER\Software\34419-GRNPWA\		1	Fn
Create Key	HKEY_CURRENT_USER\Software\34419-GRNPWA\		1	Fn
Create Key	HKEY_CURRENT_USER\Software\34419-GRNPWA\		2	Fn
Create Key	HKEY_CURRENT_USER\Software\34419-GRNPWA\		1	Fn
Create Key	HKEY_CURRENT_USER\Software\34419-GRNPWA\		4	Fn
Open Key	HKEY_CURRENT_USER\Software\34419-GRNPWA\		2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion		1	Fn
Open Key	HKEY_CURRENT_USER\Software\34419-GRNPWA\		1	Fn
Open Key	HKEY_CURRENT_USER\Software\34419-GRNPWA\		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders		1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	value_name = ProductName, data = 87	1	Fn
Read Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = FR	1	Fn
Read Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = name, data = 180	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders	value_name = Cookies, data = 37	1	Fn
Write Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
Write Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = WD, data = 2636, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Write Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = EXEpath, size = 116, type = REG_BINARY	2	Fn Data
Write Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
Write Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = FR, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Write Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = EXEpath, size = 116, type = REG_BINARY	3	Fn Data

Process (5)

Operation	Process	Additional Information	Count	Logfile
Create	C:\Windows\system32\svchost.exe	os_pid = 0xa6c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh"	os_pid = 0xa90, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu"	os_pid = 0xa98, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl"	os_pid = 0xaa0, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = SYNCHRONIZE	1	Fn

Thread (12)

Operation	Process	Additional Information	Count	Logfile
Get Context	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	os_tid = 0xa64	1	Fn
Get Context	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	os_tid = 0xa88	1	Fn
Get Context	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	os_tid = 0xa88	1	Fn
Get Context	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	os_tid = 0xa88	1	Fn
Set Context	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	os_tid = 0xa64	1	Fn
Set Context	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	os_tid = 0xa88	1	Fn
Set Context	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	os_tid = 0xa88	1	Fn
Set Context	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	os_tid = 0xa88	1	Fn
Resume	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	os_tid = 0xa64	1	Fn
Resume	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	os_tid = 0xa88	1	Fn
Resume	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	os_tid = 0xa88	1	Fn
Resume	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	os_tid = 0xa88	1	Fn

Memory (29)

Operation	Process	Additional Information	Count	Logfile
Allocate	C:\Windows\system32\svchost.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 106496	1	Fn
Allocate	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh"	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 356352	1	Fn
Allocate	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu"	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 147456	1	Fn
Allocate	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl"	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 122880	1	Fn
Read	C:\Windows\system32\svchost.exe	address = 0x7ffd7008, size = 4	1	Fn Data
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh"	address = 0x7ffdb008, size = 4	1	Fn Data
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu"	address = 0x7ffdb008, size = 4	1	Fn Data
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl"	address = 0x7ffdb008, size = 4	1	Fn Data
Write	C:\Windows\system32\svchost.exe	address = 0x400000, size = 4096	1	Fn Data
Write	C:\Windows\system32\svchost.exe	address = 0x401000, size = 69632	1	Fn Data
Write	C:\Windows\system32\svchost.exe	address = 0x412000, size = 24576	1	Fn Data
Write	C:\Windows\system32\svchost.exe	address = 0x418000, size = 4096	1	Fn Data
Write	C:\Windows\system32\svchost.exe	address = 0x419000, size = 4096	1	Fn Data
Write	C:\Windows\system32\svchost.exe	address = 0x7ffd7008, size = 4	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh"	address = 0x400000, size = 512	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh"	address = 0x401000, size = 172032	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh"	address = 0x455000, size = 3584	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh"	address = 0x456000, size = 2048	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh"	address = 0x7ffdb008, size = 4	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu"	address = 0x400000, size = 512	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu"	address = 0x401000, size = 54784	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu"	address = 0x422000, size = 3584	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu"	address = 0x423000, size = 4096	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu"	address = 0x7ffdb008, size = 4	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl"	address = 0x400000, size = 512	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl"	address = 0x401000, size = 44032	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl"	address = 0x41c000, size = 3584	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl"	address = 0x41d000, size = 4096	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl"	address = 0x7ffdb008, size = 4	1	Fn Data

Module (33)

Operation	Module	Additional Information	Count	Logfile
Load	User32.dll	base_address = 0x755a0000	1	Fn
Load	kernel32.dll	base_address = 0x769e0000	2	Fn
Load	Psapi.dll	base_address = 0x77100000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x755a0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	3	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x769e0000	3	Fn
Get Handle	c:\windows\system32\shell32.dll	base_address = 0x75980000	1	Fn
Get Handle	c:\windows\system32\ntdll.dll	base_address = 0x76fc0000	4	Fn
Get Filename		process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetCursorInfo, address_out = 0x75604b31	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetLastInputInfo, address_out = 0x755b3834	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetConsoleWindow, address_out = 0x76a42787	1	Fn
Get Address	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address_out = 0x771015bc	1	Fn
Get Address	c:\windows\system32\psapi.dll	function = GetModuleFileNameExW, address_out = 0x771013f0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalMemoryStatusEx, address_out = 0x76a18a2b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsWow64Process, address_out = 0x76a24785	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetComputerNameExW, address_out = 0x76a20f04	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = IsUserAnAdmin, address_out = 0x759d44f5	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetProcessDEPPolicy, address_out = 0x76a1602f	1	Fn
Get Address	c:\windows\system32\ntdll.dll	function = NtUnmapViewOfSection, address_out = 0x770069b8	4	Fn

Keyboard (6)

Operation	Additional Information	Success	Count	Logfile
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721		1	Fn
Read	virtual_key_code = VK_CAPITAL, result_out = 0		5	Fn

System (85)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = cRh2YWu7, type = ComputerNameDnsHostname	1	Fn
Get Clipboard	format = 1	1	Fn
Sleep	duration = 10000 milliseconds (10.000 seconds)	2	Fn
Sleep	duration = 500 milliseconds (0.500 seconds)	11	Fn
Sleep	duration = 1200000 milliseconds (1200.000 seconds)	1	Fn
Sleep	duration = 3000 milliseconds (3.000 seconds)	7	Fn
Sleep	duration = 2000 milliseconds (2.000 seconds)	1	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	36	Fn
Get Time	type = Ticks, time = 58281	2	Fn
Get Time	type = Ticks, time = 58359	2	Fn
Get Time	type = Ticks, time = 58515	2	Fn
Get Time	type = Ticks, time = 59607	1	Fn
Get Time	type = Ticks, time = 60621	1	Fn
Get Time	type = Ticks, time = 61635	1	Fn
Get Time	type = Ticks, time = 62650	1	Fn
Get Time	type = Ticks, time = 63664	1	Fn
Get Time	type = Ticks, time = 64678	1	Fn
Get Time	type = Ticks, time = 65692	1	Fn
Get Time	type = Ticks, time = 66706	1	Fn
Get Time	type = Ticks, time = 67720	1	Fn
Get Time	type = Ticks, time = 68156	2	Fn
Get Time	type = Ticks, time = 68734	1	Fn
Get Time	type = Ticks, time = 69748	1	Fn
Get Time	type = Ticks, time = 70762	1	Fn
Get Time	type = Ticks, time = 71776	1	Fn
Get Time	type = Ticks, time = 72790	1	Fn
Get Time	type = Ticks, time = 73804	1	Fn
Get Time	type = Ticks, time = 74818	1	Fn
Get Time	type = Ticks, time = 75988	1	Fn

Mutex (3)

Operation	Additional Information	Count	Logfile
Create	mutex_name = 34419-GRNPWA	1	Fn
Open	mutex_name = Remcos_Mutex_Inj, desired_access = SYNCHRONIZE	1	Fn
Open	mutex_name = Mutex_RemWatchdog, desired_access = SYNCHRONIZE	1	Fn

Network Behavior

DNS (2)

Operation	Additional Information	Success	Count	Logfile
Resolve Name	host = jlux123.no-ip.biz		1	Fn
Resolve Name	host = jluxi.dynu.com, address_out = 185.62.188.68		1	Fn

TCP Sessions (3)

Information	Value
Total Data Sent	0.77 KB (788 bytes)
Total Data Received	286.71 KB (293588 bytes)
Contacted Host Count	1
Contacted Hosts	185.62.188.68:1991

TCP Session #1

Information	Value
Handle	0x18c
Address Family	AF_UNSPEC
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	185.62.188.68
Remote Port	1991
Local Address	0.0.0.0
Local Port	1728
Data Sent	0.63 KB (641 bytes)
Data Received	0.15 KB (156 bytes)

Operations

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_UNSPEC, type = SOCK_STREAM	1	Fn
Connect	remote_address = 185.62.188.68, remote_port = 1991	1	Fn
Send	flags = NO_FLAG_SET, size = 485, size_out = 485	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 1000, size_out = 32	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 1000, size_out = 45	1	Fn Data
Send	flags = NO_FLAG_SET, size = 78, size_out = 78	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 1000, size_out = 47	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 1000, size_out = 32	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 1000	1	Fn
Send	flags = NO_FLAG_SET, size = 78, size_out = 78	1	Fn Data

TCP Session #2

Information	Value
Handle	0x1b4
Address Family	AF_UNSPEC
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	185.62.188.68
Remote Port	1991
Local Address	0.0.0.0
Local Port	1984
Data Sent	0.10 KB (99 bytes)
Data Received	286.55 KB (293432 bytes)

Operations

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_UNSPEC, type = SOCK_STREAM	1	Fn
Connect	remote_address = 185.62.188.68, remote_port = 1991	1	Fn
Send	flags = NO_FLAG_SET, size = 42, size_out = 42	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 1000, size_out = 1000	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 4808	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 65000	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 3244	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 65000	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 340	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 65000	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 9052	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 3752	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 3508	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 2904	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 1452	2	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 65000	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 1920	1	Fn Data
Send	flags = NO_FLAG_SET, size = 57, size_out = 57	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

TCP Session #3

Information	Value
Handle	0x1c8
Address Family	AF_UNSPEC
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	185.62.188.68
Remote Port	1991
Local Address	0.0.0.0
Local Port	2240
Data Sent	0.05 KB (48 bytes)
Data Received	0.00 KB (0 bytes)

Operations

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_UNSPEC, type = SOCK_STREAM	1	Fn
Connect	remote_address = 185.62.188.68, remote_port = 1991	1	Fn
Send	flags = NO_FLAG_SET, size = 48, size_out = 48	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

Process #5: svchost.exe

(Host: 19, Network: 0)

Information	Value
ID	#5
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe
Initial Working Directory	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\
Monitor	Start Time: 00:00:20, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:51

OS Process Information

Information	Value
PID	0xa6c
Parent PID	0xa4c (c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A70

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000070000	0x00070000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x001affff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x001b0000	0x00216fff	Memory Mapped File	Readable	Region Actions
svchost.exe	0x002b0000	0x002b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000002c0000	0x002c0000	0x00387fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000003b0000	0x003b0000	0x003bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x00419fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000420000	0x00420000	0x00520fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000530000	0x00530000	0x0112ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001130000	0x01130000	0x0122ffff	Private Memory	Readable, Writable	Region Actions
msvcp60.dll	0x6d750000	0x6d7b5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x6e3b0000	0x6e3e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdiplus.dll	0x73c30000	0x73dbffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75180000	0x7518bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x751c0000	0x752dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x752e0000	0x75329fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75410000	0x75545fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75550000	0x7559dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x755a0000	0x75668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75670000	0x756a4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x756b0000	0x75706fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75710000	0x7572efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75730000	0x757fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75810000	0x7589efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75980000	0x765c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x765d0000	0x765d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x765e0000	0x7667cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76680000	0x767dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x76840000	0x76934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76940000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x769e0000	0x76ab3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76ac0000	0x76b60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76d10000	0x76dbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x76dc0000	0x76fbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76fc0000	0x770fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77110000	0x77128fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77160000	0x77169fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77200000	0x77200fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd7000	0x7ffd7000	0x7ffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa64	address = 0x400000, size = 4096	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa64	address = 0x401000, size = 69632	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa64	address = 0x412000, size = 24576	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa64	address = 0x418000, size = 4096	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa64	address = 0x419000, size = 4096	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa64	address = 0x7ffd7008, size = 4	1	Fn Data
Modify Control Flow	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa64	os_tid = 0xa70, address = 0x77007098	1	Fn

Host Behavior

File (3)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Get Info	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	type = size	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	size = 45216, size_out = 45216	1	Fn Data

Registry (6)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\34419-GRNPWA\		2	Fn
Open Key	HKEY_CURRENT_USER\Software\34419-GRNPWA\		1	Fn
Read Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = WD, data = 2636, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = EXEpath, data = 169	1	Fn
Delete Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = WD	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Open	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	desired_access = SYNCHRONIZE		1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Load	User32.dll	base_address = 0x755a0000	1	Fn
Load	kernel32.dll	base_address = 0x769e0000	1	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x755a0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Filename		process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetCursorInfo, address_out = 0x75604b31	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetLastInputInfo, address_out = 0x755b3834	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetConsoleWindow, address_out = 0x76a42787	1	Fn

Mutex (1)

Operation	Additional Information	Success	Count	Logfile
Create	mutex_name = Mutex_RemWatchdog		1	Fn

Process #6: regsvcs.exe

(Host: 1260, Network: 0)

Information	Value
ID	#6
File Name	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh"
Initial Working Directory	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\
Monitor	Start Time: 00:00:20, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:51

OS Process Information

Information	Value
PID	0xa90
Parent PID	0xa4c (c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A94 0x AB0

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x0012ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000130000	0x00130000	0x00133fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x00140fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00150000	0x001b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000001c0000	0x001c0000	0x00287fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000290000	0x00290000	0x00290fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002a0000	0x002a0000	0x002affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002b0000	0x002b0000	0x003affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003b0000	0x003b0000	0x003b0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
rsaenh.dll	0x003c0000	0x003fbfff	Memory Mapped File	Readable	Region Actions
tzres.dll	0x003c0000	0x003c0fff	Memory Mapped File	Readable	Region Actions
private_0x00000000003c0000	0x003c0000	0x003cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003c0000	0x003c0000	0x003c6fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000003d0000	0x003d0000	0x003d6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003e0000	0x003e0000	0x003e1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000003f0000	0x003f0000	0x003f6fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x00456fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000460000	0x00460000	0x00560fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000570000	0x00570000	0x005effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000640000	0x00640000	0x0064ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000650000	0x00650000	0x0074ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000750000	0x00750000	0x00850fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000750000	0x00750000	0x0081ffff	Private Memory	Readable, Writable	Region Actions
regsvcs.exe	0x008e0000	0x008edfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000008f0000	0x008f0000	0x014effff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x014f0000	0x017befff	Memory Mapped File	Readable	Region Actions
private_0x0000000001820000	0x01820000	0x0191ffff	Private Memory	Readable, Writable	Region Actions
nss3.dll	0x01920000	0x01ad1fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001920000	0x01920000	0x01a1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a20000	0x01a20000	0x01b1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b00000	0x01b00000	0x01bfffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001c00000	0x01c00000	0x01ff2fff	Pagefile Backed Memory	Readable	Region Actions
nss3.dll	0x6ce40000	0x6cff4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
freebl3.dll	0x6d0a0000	0x6d0eefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
freebl3.dll	0x6d0b0000	0x6d0fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
softokn3.dll	0x6d0f0000	0x6d116fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nssdbm3.dll	0x6d100000	0x6d116fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
softokn3.dll	0x6d120000	0x6d146fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nssdbm3.dll	0x6d130000	0x6d146fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcp100.dll	0x6d150000	0x6d1b8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mozglue.dll	0x6d590000	0x6d5b1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr100.dll	0x6d5c0000	0x6d67dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x6d6c0000	0x6d743fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsock32.dll	0x6de40000	0x6de46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x6e3b0000	0x6e3e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vaultcli.dll	0x6e640000	0x6e64bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pstorec.dll	0x72970000	0x7297cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x73840000	0x73853fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74660000	0x74668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x749b0000	0x749eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74c10000	0x74c25fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75090000	0x7509bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75180000	0x7518bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x751c0000	0x752dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x752e0000	0x75329fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75410000	0x75545fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75550000	0x7559dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x755a0000	0x75668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75670000	0x756a4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x756b0000	0x75706fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75710000	0x7572efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75730000	0x757fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75810000	0x7589efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75980000	0x765c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x765d0000	0x765d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x765e0000	0x7667cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76680000	0x767dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x76840000	0x76934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76940000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x769e0000	0x76ab3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76ac0000	0x76b60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76d10000	0x76dbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x76dc0000	0x76fbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76fc0000	0x770fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77100000	0x77104fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77110000	0x77128fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77160000	0x77169fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77170000	0x771eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77200000	0x77200fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x400000, size = 512	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x401000, size = 172032	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x455000, size = 3584	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x456000, size = 2048	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x7ffdb008, size = 4	1	Fn Data
Modify Control Flow	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	os_tid = 0xa94, address = 0x77007098	1	Fn

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\eebsym5\appdata\local\temp\moqutzmqrxoadnrfihvxswbpaqgibrkh	0.00 KB (2 bytes)	MD5: f3b25701fe362ec84616a93a45ce9998 SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209		File Actions Show Properties Download

Host Behavior

File (778)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data	desired_access = GENERIC_READ	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data	desired_access = GENERIC_READ	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Get Info	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs_lng.ini	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	type = size	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat	type = size	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	type = size	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat	type = size	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\WebCache\WebCacheV24.dat	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\history.dat	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite	type = time	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini	type = file_attributes	1	Fn
Get Info	C:\Program Files\Mozilla Firefox\nss3.dll	type = file_attributes	3	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\logins.json	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite	type = file_attributes	1	Fn
Get Info	C:\Program Files\Mozilla Firefox\sqlite3.dll	type = file_attributes	1	Fn
Get Info	C:\Program Files\Mozilla Firefox\mozsqlite3.dll	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini	type = file_attributes	1	Fn
Get Info	C:\Program Files\Sea Monkey\nss3.dll	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal	type = file_attributes	2	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data	type = size, size_out = 0	5	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal	type = file_attributes	2	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal	type = file_attributes	2	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data	type = size, size_out = 0	5	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal	type = file_attributes	2	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\pnacl\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\pnacl\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SwiftShader\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SwiftShader\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Apple Computer\Preferences\keychain.plist	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Opera\Opera\wand.dat	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Opera\Opera7\profile\wand.dat	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Opera Software\Opera Stable\Login Data	type = file_attributes	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	size = 32, size_out = 32	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	size = 8, size_out = 8	136	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	size = 256, size_out = 256	109	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	size = 384, size_out = 384	3	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat	size = 32, size_out = 32	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat	size = 8, size_out = 8	124	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat	size = 256, size_out = 256	123	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat	size = 384, size_out = 384	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	size = 32, size_out = 32	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	size = 8, size_out = 8	90	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	size = 256, size_out = 256	2	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	size = 384, size_out = 384	2	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat	size = 32, size_out = 32	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat	size = 8, size_out = 8	94	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat	size = 256, size_out = 256	2	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data	size = 100, size_out = 100	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data	size = 2048, size_out = 2048	4	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data	size = 16, size_out = 16	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data	size = 100, size_out = 100	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data	size = 2048, size_out = 2048	2	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data	size = 16, size_out = 16	1	Fn Data
Write	C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh	size = 2	1	Fn Data

Registry (29)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin		3	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe		1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin	value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin	value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin	value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		1	Fn

Process (48)

Operation	Process	Additional Information	Count	Logfile
Open	System	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\smss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\wininit.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\services.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\lsass.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\lsm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\winlogon.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\audiodg.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\spoolsv.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskeng.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\adobe\reader 10.0\reader\reader_sl.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskeng.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\microsoft analysis services\ind-licenses-manual-nickel.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\conhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows photo viewer\pokemon_limousines_alternate.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\microsoft visual studio 8\salvation_sure_perspective_ranges.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\microsoft sync framework\possessionschooldeterminedgamma.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\common files\surfing.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\uninstall information\fred_delays.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows portable devices\voice-moore-yemen.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\google\north comp.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows journal\remote_costa_security.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows sidebar\demonstrate-brandon-pa.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows mail\dsc_meaning.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\mozilla maintenance service\medieval-ranges-san-delhi.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows journal\genderwriters.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\mozilla firefox\mileage-act.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows media player\variables except besides.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\microsoft sync framework\blind-ratio.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\mobsync.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn

Module (374)

Operation	Module	Additional Information	Count	Logfile
Load	comctl32.dll	base_address = 0x6d6c0000	1	Fn
Load	shell32.dll	base_address = 0x75980000	1	Fn
Load	advapi32.dll	base_address = 0x76940000	2	Fn
Load	pstorec.dll	base_address = 0x72970000	1	Fn
Load	vaultcli.dll	base_address = 0x6e640000	1	Fn
Load	C:\Program Files\Mozilla Firefox\nss3.dll	base_address = 0x6ce40000	1	Fn
Load	psapi.dll	base_address = 0x77100000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x769e0000	3	Fn
Get Handle	c:\windows\system32\msvcrt.dll	base_address = 0x76d10000	1	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d6c0000	1	Fn
Get Handle	c:\windows\system32\version.dll	base_address = 0x74660000	1	Fn
Get Handle	c:\windows\system32\wininet.dll	base_address = 0x76840000	1	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x755a0000	1	Fn
Get Handle	c:\windows\system32\gdi32.dll	base_address = 0x75550000	1	Fn
Get Handle	c:\windows\system32\comdlg32.dll	base_address = 0x77170000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76940000	1	Fn
Get Handle	c:\windows\system32\shell32.dll	base_address = 0x75980000	1	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76680000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	22	Fn
Get Handle	C:\Program Files\Mozilla Firefox\nss3.dll	base_address = 0x0	1	Fn
Get Handle	c:\program files\mozilla firefox\nss3.dll	base_address = 0x6ce40000	2	Fn
Get Filename		process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	2	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\windows\system32\taskhost.exe, file_name_orig = C:\Windows\system32\taskhost.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\windows\system32\dwm.exe, file_name_orig = C:\Windows\system32\Dwm.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\adobe\reader 10.0\reader\reader_sl.exe, file_name_orig = C:\Program Files\Adobe\Reader 10.0\Reader\reader_sl.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\windows\system32\taskeng.exe, file_name_orig = C:\Windows\system32\taskeng.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\microsoft analysis services\ind-licenses-manual-nickel.exe, file_name_orig = C:\Program Files\Microsoft Analysis Services\ind-licenses-manual-nickel.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\windows\system32\conhost.exe, file_name_orig = C:\Program Files\Windows Mail\handed.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\windows photo viewer\pokemon_limousines_alternate.exe, file_name_orig = C:\Program Files\Windows Photo Viewer\pokemon_limousines_alternate.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\microsoft visual studio 8\salvation_sure_perspective_ranges.exe, file_name_orig = C:\Program Files\Microsoft Visual Studio 8\salvation_sure_perspective_ranges.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\microsoft sync framework\possessionschooldeterminedgamma.exe, file_name_orig = C:\Program Files\Microsoft Sync Framework\possessionschooldeterminedgamma.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\common files\surfing.exe, file_name_orig = C:\Program Files\Common Files\surfing.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\uninstall information\fred_delays.exe, file_name_orig = C:\Program Files\Uninstall Information\fred_delays.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\windows portable devices\voice-moore-yemen.exe, file_name_orig = C:\Program Files\Windows Portable Devices\voice-moore-yemen.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\google\north comp.exe, file_name_orig = C:\Program Files\Google\north comp.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\windows journal\remote_costa_security.exe, file_name_orig = C:\Program Files\Windows Journal\remote_costa_security.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\windows sidebar\demonstrate-brandon-pa.exe, file_name_orig = C:\Program Files\Windows Sidebar\demonstrate-brandon-pa.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\windows mail\dsc_meaning.exe, file_name_orig = C:\Program Files\Windows Mail\dsc_meaning.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\mozilla maintenance service\medieval-ranges-san-delhi.exe, file_name_orig = C:\Program Files\Mozilla Maintenance Service\medieval-ranges-san-delhi.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\windows journal\genderwriters.exe, file_name_orig = C:\Program Files\Windows Journal\genderwriters.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\mozilla firefox\mileage-act.exe, file_name_orig = C:\Program Files\Mozilla Firefox\mileage-act.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\windows media player\variables except besides.exe, file_name_orig = C:\Program Files\Windows Media Player\variables except besides.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\microsoft sync framework\blind-ratio.exe, file_name_orig = C:\Program Files\Microsoft Sync Framework\blind-ratio.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\windows\system32\mobsync.exe, file_name_orig = C:\Windows\System32\mobsync.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualProtect, address_out = 0x76a22341	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __setusermatherr, address_out = 0x76da77ad	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _adjust_fdiv, address_out = 0x76db32ec	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __p__commode, address_out = 0x76d227c3	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __p__fmode, address_out = 0x76d227ce	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcscat, address_out = 0x76d90ea6	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __set_app_type, address_out = 0x76d22804	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _controlfp, address_out = 0x76d1e1e1	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = realloc, address_out = 0x76d1b10d	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = qsort, address_out = 0x76d1d3e6	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _itow, address_out = 0x76d2019c	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _wcsupr, address_out = 0x76d1dac1	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _wcslwr, address_out = 0x76d1fb25	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strchr, address_out = 0x76d1dbeb	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _initterm, address_out = 0x76d1c151	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcsncmp, address_out = 0x76d1b05e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = memmove, address_out = 0x76d19e5a	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = free, address_out = 0x76d19894	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = modf, address_out = 0x76d27551	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _memicmp, address_out = 0x76d206c8	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcstoul, address_out = 0x76d1b319	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = malloc, address_out = 0x76d19cee	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _XcptFilter, address_out = 0x76d3dc75	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strcpy, address_out = 0x76d28d6e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _wtoi64, address_out = 0x76d2062e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strcmp, address_out = 0x76d28b11	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcsrchr, address_out = 0x76d1a73f	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __wgetmainargs, address_out = 0x76d24e7c	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _wcmdln, address_out = 0x76db04dc	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = exit, address_out = 0x76d236aa	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _strlwr, address_out = 0x76d2ca0b	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _cexit, address_out = 0x76d237d4	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _wcsnicmp, address_out = 0x76d1aae3	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = ??3@YAXPAX@Z, address_out = 0x76d1b0b9	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = ??2@YAPAXI@Z, address_out = 0x76d1b0c9	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = memcmp, address_out = 0x76d27975	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcscmp, address_out = 0x76d2d3b7	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = abs, address_out = 0x76d3eb1e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = log, address_out = 0x76d3de50	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _purecall, address_out = 0x76d76ea9	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcslen, address_out = 0x76d2d335	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _wtoi, address_out = 0x76d1c823	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _wcsicmp, address_out = 0x76d1a9e9	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcschr, address_out = 0x76d1aa61	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = memcpy, address_out = 0x76d19910	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcscpy, address_out = 0x76d2d4f8	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = memset, address_out = 0x76d19790	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strlen, address_out = 0x76d243d3	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcsncat, address_out = 0x76d90ed9	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _snwprintf, address_out = 0x76d395d1	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _except_handler3, address_out = 0x76d3d770	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _exit, address_out = 0x76d7b2c0	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _c_exit, address_out = 0x76d7b2db	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _onexit, address_out = 0x76d2112d	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __dllonexit, address_out = 0x76d1f509	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = memchr, address_out = 0x76d2e134	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _gmtime64, address_out = 0x76d92936	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strftime, address_out = 0x76d91fd5	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = 17, address_out = 0x6d6c1739	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = ImageList_AddMasked, address_out = 0x6d6c8b75	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = ImageList_SetImageCount, address_out = 0x6d726e17	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = ImageList_Create, address_out = 0x6d6c908c	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = ImageList_ReplaceIcon, address_out = 0x6d726ea3	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = CreateToolbarEx, address_out = 0x6d6ea4d5	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = CreateStatusWindowW, address_out = 0x6d6ea10f	1	Fn
Get Address	c:\windows\system32\version.dll	function = GetFileVersionInfoSizeW, address_out = 0x746619d9	1	Fn
Get Address	c:\windows\system32\version.dll	function = GetFileVersionInfoW, address_out = 0x746619f4	1	Fn
Get Address	c:\windows\system32\version.dll	function = VerQueryValueW, address_out = 0x74661b51	1	Fn
Get Address	c:\windows\system32\wininet.dll	function = FindCloseUrlCache, address_out = 0x76888409	1	Fn
Get Address	c:\windows\system32\wininet.dll	function = FindNextUrlCacheEntryW, address_out = 0x7687989c	1	Fn
Get Address	c:\windows\system32\wininet.dll	function = FindFirstUrlCacheEntryW, address_out = 0x7687978a	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFullPathNameA, address_out = 0x76a33735	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = DeleteFileA, address_out = 0x76a247cb	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceW, address_out = 0x76a13530	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFullPathNameW, address_out = 0x76a34543	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = AreFileApisANSI, address_out = 0x76a6f311	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address_out = 0x770077a0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetSystemTime, address_out = 0x76a2ced8	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LockFileEx, address_out = 0x76a4692f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FormatMessageA, address_out = 0x76a48868	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address_out = 0x76a32fde	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = UnlockFileEx, address_out = 0x76a46947	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTickCount, address_out = 0x76a2ba60	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LockFile, address_out = 0x76a4642f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address_out = 0x76a17f81	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address_out = 0x7701a149	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileA, address_out = 0x76a2cee8	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceA, address_out = 0x76a3d7d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = Sleep, address_out = 0x76a2ba46	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address_out = 0x76a2cf41	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetStartupInfoW, address_out = 0x76a33891	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTempPathA, address_out = 0x76a46a65	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = UnlockFile, address_out = 0x76a46417	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = InterlockedCompareExchange, address_out = 0x76a2bb92	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = DeleteCriticalSection, address_out = 0x77019ac5	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileAttributesExW, address_out = 0x76a2273d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = QueryPerformanceCounter, address_out = 0x76a2bb9f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileAttributesA, address_out = 0x76a31de6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address_out = 0x77007760	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address_out = 0x76a22319	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address_out = 0x76a33728	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = EnumResourceTypesW, address_out = 0x76a42b37	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x76a2ca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileSize, address_out = 0x76a20273	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address_out = 0x76a2cecb	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x76a2ca7c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FileTimeToLocalFileTime, address_out = 0x76a32004	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = DeleteFileW, address_out = 0x76a20f62	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CopyFileW, address_out = 0x76a167c3	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileW, address_out = 0x76a2cc56	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CompareFileTime, address_out = 0x76a313f3	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FreeLibrary, address_out = 0x76a2d9d0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryW, address_out = 0x76a33c01	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetProcAddress, address_out = 0x76a333d3	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x76a2bf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FileTimeToSystemTime, address_out = 0x76a31dfe	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFilePointerEx, address_out = 0x76a1f5b2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentDirectoryW, address_out = 0x76a3c13a	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ExpandEnvironmentStringsW, address_out = 0x76a24680	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WideCharToMultiByte, address_out = 0x76a3450e	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = MultiByteToWideChar, address_out = 0x76a3452b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalLock, address_out = 0x76a29e05	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDateFormatW, address_out = 0x76a2afab	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileTime, address_out = 0x76a20f6f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FormatMessageW, address_out = 0x76a254a3	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTempFileNameW, address_out = 0x76a16d1d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExW, address_out = 0x76a23b1a	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindClose, address_out = 0x76a30e62	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindFirstFileW, address_out = 0x76a353b2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleHandleW, address_out = 0x76a3374d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTimeFormatW, address_out = 0x76a2ac29	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFilePointer, address_out = 0x76a2db36	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileAttributesW, address_out = 0x76a364ff	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryW, address_out = 0x76a204b6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ReadFile, address_out = 0x76a296fb	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleFileNameW, address_out = 0x76a33c26	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WriteFile, address_out = 0x76a31400	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindResourceW, address_out = 0x76a23e61	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LockResource, address_out = 0x76a1fd29	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = lstrcpyW, address_out = 0x76a18bfa	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = lstrlenW, address_out = 0x76a2d9e8	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadResource, address_out = 0x76a2984d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SystemTimeToTzSpecificLocalTime, address_out = 0x76a1b149	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryExW, address_out = 0x76a24775	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x76a29ce1	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalUnlock, address_out = 0x76a29d50	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTempPathW, address_out = 0x76a18b33	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindNextFileW, address_out = 0x76a2963a	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SizeofResource, address_out = 0x76a23e7f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileMappingW, address_out = 0x76a20a7f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address_out = 0x76a2899b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address_out = 0x76a2db13	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x76a2cdcf	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = DuplicateHandle, address_out = 0x76a2cdd9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcessId, address_out = 0x76a2cac4	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = OpenProcess, address_out = 0x76a259d7	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringW, address_out = 0x76a17d32	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringW, address_out = 0x76a180eb	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntW, address_out = 0x76a1775f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = EnumResourceNamesW, address_out = 0x76a47e29	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetStdHandle, address_out = 0x76a31e46	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetErrorMode, address_out = 0x76a34a51	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ExitProcess, address_out = 0x76a3214f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ReadProcessMemory, address_out = 0x76a1c1ce	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetCurrentDirectoryW, address_out = 0x76a37663	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = Process32FirstW, address_out = 0x76a1fa35	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = Process32NextW, address_out = 0x76a1faca	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateToolhelp32Snapshot, address_out = 0x76a1f731	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DispatchMessageW, address_out = 0x755bcc61	1	Fn
Get Address	c:\windows\system32\user32.dll	function = BeginDeferWindowPos, address_out = 0x755aa6a6	1	Fn
Get Address	c:\windows\system32\user32.dll	function = TranslateMessage, address_out = 0x755b64c7	1	Fn
Get Address	c:\windows\system32\user32.dll	function = IsDialogMessageW, address_out = 0x755b4104	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DrawTextExW, address_out = 0x755b5894	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMessageW, address_out = 0x755bcde8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = PostQuitMessage, address_out = 0x755ab308	1	Fn
Get Address	c:\windows\system32\user32.dll	function = TrackPopupMenu, address_out = 0x755c2228	1	Fn
Get Address	c:\windows\system32\user32.dll	function = RegisterWindowMessageW, address_out = 0x755adf8d	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetKeyState, address_out = 0x755b2b4d	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EndDeferWindowPos, address_out = 0x755aa67a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DialogBoxParamW, address_out = 0x755c3b9b	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ChildWindowFromPoint, address_out = 0x755eb6aa	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadCursorW, address_out = 0x755aed90	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetCursor, address_out = 0x755b3075	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSysColorBrush, address_out = 0x755af1ed	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ShowWindow, address_out = 0x755af2a9	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowTextW, address_out = 0x755b612b	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetDlgItemInt, address_out = 0x755cec2e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = UpdateWindow, address_out = 0x755affa8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetDlgItemTextW, address_out = 0x755cebd4	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDlgItemTextW, address_out = 0x755cecbc	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetClientRect, address_out = 0x755b54dd	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x755b67cf	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DeferWindowPos, address_out = 0x755aa6c8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CreateWindowExW, address_out = 0x755aec7c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindowRect, address_out = 0x755b558c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SendDlgItemMessageW, address_out = 0x755c70d8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDlgItemInt, address_out = 0x755ced56	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EndDialog, address_out = 0x755d3ba3	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowLongW, address_out = 0x755b4449	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDlgItem, address_out = 0x755d42bb	1	Fn
Get Address	c:\windows\system32\user32.dll	function = InvalidateRect, address_out = 0x755b566d	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindowPlacement, address_out = 0x755d69de	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadAcceleratorsW, address_out = 0x755a976d	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DefWindowProcW, address_out = 0x755b507d	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SendMessageW, address_out = 0x755b5539	1	Fn
Get Address	c:\windows\system32\user32.dll	function = PostMessageW, address_out = 0x755b447b	1	Fn
Get Address	c:\windows\system32\user32.dll	function = RegisterClassW, address_out = 0x755aed4a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MessageBoxW, address_out = 0x755fea5f	1	Fn
Get Address	c:\windows\system32\user32.dll	function = TranslateAcceleratorW, address_out = 0x755b667e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetMenu, address_out = 0x755d6b0e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowPlacement, address_out = 0x755a7f78	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadImageW, address_out = 0x755b12eb	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadIconW, address_out = 0x755af142	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindowLongW, address_out = 0x755b61b8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetFocus, address_out = 0x755aabad	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMenuStringW, address_out = 0x755d6528	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CheckMenuItem, address_out = 0x755cee7c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMenuItemCount, address_out = 0x755aae39	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CheckMenuRadioItem, address_out = 0x755c25df	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CloseClipboard, address_out = 0x755d446c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetCursorPos, address_out = 0x755aa4b3	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetClipboardData, address_out = 0x755c2962	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnableWindow, address_out = 0x755a8d02	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSysColor, address_out = 0x755bdb7a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetParent, address_out = 0x755b6029	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MapWindowPoints, address_out = 0x755b5caa	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMenu, address_out = 0x755d6b68	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDC, address_out = 0x755b544c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSubMenu, address_out = 0x755a9c19	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EmptyClipboard, address_out = 0x755c290c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnableMenuItem, address_out = 0x755d43bc	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ReleaseDC, address_out = 0x755b5421	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetClassNameW, address_out = 0x755b2a29	1	Fn
Get Address	c:\windows\system32\user32.dll	function = OpenClipboard, address_out = 0x755d447e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MoveWindow, address_out = 0x755a8d29	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CreateDialogParamW, address_out = 0x755d5630	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumChildWindows, address_out = 0x755b2948	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadStringW, address_out = 0x755adfba	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DestroyWindow, address_out = 0x755ab2f4	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowPos, address_out = 0x755b1bc4	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindowTextW, address_out = 0x755ab8c5	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadMenuW, address_out = 0x755af214	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ModifyMenuW, address_out = 0x755d46c7	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMenuItemInfoW, address_out = 0x755aaefa	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDlgCtrlID, address_out = 0x755ab4e8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DestroyMenu, address_out = 0x755a87f7	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetBkColor, address_out = 0x75556a3c	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SelectObject, address_out = 0x75556640	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetDeviceCaps, address_out = 0x75556f7f	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitCommonControlsEx, address_out = 0x6d6c6be6	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = SHGetSpecialFolderPathW, address_out = 0x759a0468	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptAcquireContextA, address_out = 0x769491dd	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptReleaseContext, address_out = 0x7694e124	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptCreateHash, address_out = 0x7694df4e	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptGetHashParam, address_out = 0x7694df7e	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptHashData, address_out = 0x7694df36	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDestroyHash, address_out = 0x7694df66	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredReadA, address_out = 0x769871c1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredFree, address_out = 0x7694b2ec	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredDeleteA, address_out = 0x76987941	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredEnumerateA, address_out = 0x76987381	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredEnumerateW, address_out = 0x76987481	1	Fn
Get Address	c:\windows\system32\pstorec.dll	function = PStoreCreateInstance, address_out = 0x7297526c	1	Fn
Get Address	c:\windows\system32\vaultcli.dll	function = VaultOpenVault, address_out = 0x6e6426a9	1	Fn
Get Address	c:\windows\system32\vaultcli.dll	function = VaultCloseVault, address_out = 0x6e642718	1	Fn
Get Address	c:\windows\system32\vaultcli.dll	function = VaultEnumerateItems, address_out = 0x6e643099	1	Fn
Get Address	c:\windows\system32\vaultcli.dll	function = VaultFree, address_out = 0x6e644321	1	Fn
Get Address	c:\windows\system32\vaultcli.dll	function = VaultGetInformation, address_out = 0x6e6424c0	1	Fn
Get Address	c:\windows\system32\vaultcli.dll	function = VaultGetItem, address_out = 0x6e643242	2	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = NSS_Init, address_out = 0x6cefd70b	2	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = NSS_Shutdown, address_out = 0x6cefd13c	2	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = PK11_GetInternalKeySlot, address_out = 0x6ce93c51	2	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = PK11_FreeSlot, address_out = 0x6ce93333	2	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = PK11_CheckUserPassword, address_out = 0x6ce7cbc4	2	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = PK11_Authenticate, address_out = 0x6ce7d3ca	2	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = PK11SDR_Decrypt, address_out = 0x6ce900a7	2	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = sqlite3_open, address_out = 0x6cfa1ca0	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = sqlite3_prepare, address_out = 0x6cf2ce70	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = sqlite3_step, address_out = 0x6cf95200	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = sqlite3_column_text, address_out = 0x6cf4d400	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = sqlite3_column_int, address_out = 0x6cf4d3a0	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = sqlite3_column_int64, address_out = 0x6cf4d3d0	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = sqlite3_finalize, address_out = 0x6cf79f60	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = sqlite3_close, address_out = 0x6cf7bde0	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = sqlite3_exec, address_out = 0x6cf7a270	1	Fn
Get Address	c:\windows\system32\psapi.dll	function = GetModuleBaseNameW, address_out = 0x7710152c	1	Fn
Get Address	c:\windows\system32\psapi.dll	function = EnumProcessModules, address_out = 0x77101408	1	Fn
Get Address	c:\windows\system32\psapi.dll	function = GetModuleFileNameExW, address_out = 0x771013f0	1	Fn
Get Address	c:\windows\system32\psapi.dll	function = EnumProcesses, address_out = 0x77101544	1	Fn
Get Address	c:\windows\system32\psapi.dll	function = GetModuleInformation, address_out = 0x77101420	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetProcessTimes, address_out = 0x76a1f626	1	Fn

System (3)

Operation	Additional Information	Success	Count	Logfile
Get Info	type = Operating System		2	Fn
Get Info	type = Hardware Information		1	Fn

Ini (28)

Operation	Filename	Additional Information	Count	Logfile
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = ShowGridLines, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = SaveFilterIndex, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = ShowInfoTip, default_value = 1	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = MarkOddEvenRows, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = ShowTimeInGMT, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = LoadPasswordsIE, default_value = 1	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = LoadPasswordsFirefox, default_value = 1	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = LoadPasswordsChrome, default_value = 1	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = LoadPasswordsOpera, default_value = 1	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = LoadPasswordsSafari, default_value = 1	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = LoadPasswordsSeaMonkey, default_value = 1	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = LoadPasswordsYandex, default_value = 1	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = UseFirefoxProfileFolder, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = UseFirefoxInstallFolder, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = UseChromeProfileFolder, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = UseOperaPasswordFile, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = FirefoxProfileFolder	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = FirefoxInstallFolder	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = ChromeProfileFolder	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = OperaPasswordFile	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = SaveFileEncoeding, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = WinPos	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Columns	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Sort, default_value = 0	1	Fn
Read	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini	section_name = Profile0, key_name = Path, data_out = Profiles/h231daer.default	1	Fn
Read	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini	section_name = Profile0, key_name = IsRelative, default_value = 0	1	Fn
Read	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini	section_name = Profile1, key_name = Path	1	Fn
Read	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini	section_name = Profile1, key_name = IsRelative, default_value = 0	1	Fn

Process #7: regsvcs.exe

(Host: 340, Network: 0)

Information	Value
ID	#7
File Name	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu"
Initial Working Directory	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\
Monitor	Start Time: 00:00:20, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:51

OS Process Information

Information	Value
PID	0xa98
Parent PID	0xa4c (c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A9C 0x AA8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x001cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001d0000	0x001d0000	0x002cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000002d0000	0x002d0000	0x00397fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003a0000	0x003a0000	0x003a0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000003b0000	0x003b0000	0x003cffff	Private Memory	Readable, Writable	Region Actions
tzres.dll	0x003b0000	0x003b0fff	Memory Mapped File	Readable	Region Actions
private_0x00000000003c0000	0x003c0000	0x003cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003d0000	0x003d0000	0x003d6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003e0000	0x003e0000	0x003e1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x00423fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000430000	0x00430000	0x00530fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000570000	0x00570000	0x0057ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000580000	0x00580000	0x0067ffff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x00680000	0x006bbfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000730000	0x00730000	0x0073ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000740000	0x00740000	0x0083ffff	Private Memory	Readable, Writable	Region Actions
regsvcs.exe	0x008e0000	0x008edfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000008f0000	0x008f0000	0x014effff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001500000	0x01500000	0x015fffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01600000	0x018cefff	Memory Mapped File	Readable	Region Actions
private_0x00000000018d0000	0x018d0000	0x01aeffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000018d0000	0x018d0000	0x019cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001900000	0x01900000	0x019fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ab0000	0x01ab0000	0x01aeffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001af0000	0x01af0000	0x01ee2fff	Pagefile Backed Memory	Readable	Region Actions
msvcp100.dll	0x6ced0000	0x6cf38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr100.dll	0x6cf40000	0x6cffdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nss3.dll	0x6d000000	0x6d1b4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
freebl3.dll	0x6d5b0000	0x6d5fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nssdbm3.dll	0x6d600000	0x6d616fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
softokn3.dll	0x6d620000	0x6d646fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mozglue.dll	0x6d650000	0x6d671fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x6d6c0000	0x6d743fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x6e3b0000	0x6e3e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsock32.dll	0x72980000	0x72986fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x749b0000	0x749eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74c10000	0x74c25fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75070000	0x7508afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75090000	0x7509bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75180000	0x7518bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x751c0000	0x752dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x752e0000	0x75329fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75550000	0x7559dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x755a0000	0x75668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75670000	0x756a4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x756b0000	0x75706fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75710000	0x7572efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75730000	0x757fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75980000	0x765c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x765d0000	0x765d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x765e0000	0x7667cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76680000	0x767dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76940000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x769e0000	0x76ab3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76ac0000	0x76b60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76d10000	0x76dbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76fc0000	0x770fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77110000	0x77128fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77160000	0x77169fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77170000	0x771eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77200000	0x77200fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x400000, size = 512	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x401000, size = 54784	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x422000, size = 3584	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x423000, size = 4096	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x7ffdb008, size = 4	1	Fn Data
Modify Control Flow	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	os_tid = 0xa9c, address = 0x77007098	1	Fn

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\eebsym5\appdata\local\temp\widfu	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855		File Actions Show Properties

Host Behavior

File (19)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\widfu	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Get Info	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs_lng.ini	type = file_attributes	1	Fn
Get Info	trillian	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Trillian\users\global	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Profiles	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\.gaim	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\.purple	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Miranda	type = file_attributes	1	Fn
Get Info		type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\MySpace\IM\users.txt	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Digsby\digsby.dat	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\history.dat	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite	type = time	1	Fn
Get Info	C:\Program Files\Mozilla Firefox\nss3.dll	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.txt	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons2.txt	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons3.txt	type = file_attributes	1	Fn

Registry (28)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Miranda		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\MessengerService		3	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL		1	Fn
Open Key	HKEY_CURRENT_USER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users		1	Fn
Open Key	HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords		1	Fn
Open Key	HKEY_CURRENT_USER\Software\AIM\AIMPRO		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Yahoo\Pager		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mirabilis\ICQ\NewOwners		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Mirabilis\ICQ\NewOwners		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Paltalk		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2		1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	value_name = ProgramFilesDir, data = C:\Program Files, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin	value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		1	Fn

Module (272)

Operation	Module	Additional Information	Count	Logfile
Load	comctl32.dll	base_address = 0x6d6c0000	1	Fn
Load	shell32.dll	base_address = 0x75980000	1	Fn
Load	advapi32.dll	base_address = 0x76940000	4	Fn
Load	crypt32.dll	base_address = 0x751c0000	1	Fn
Load	C:\Program Files\Mozilla Firefox\nss3.dll	base_address = 0x6d000000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x769e0000	3	Fn
Get Handle	c:\windows\system32\msvcrt.dll	base_address = 0x76d10000	1	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d6c0000	1	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x755a0000	1	Fn
Get Handle	c:\windows\system32\gdi32.dll	base_address = 0x75550000	1	Fn
Get Handle	c:\windows\system32\comdlg32.dll	base_address = 0x77170000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76940000	1	Fn
Get Handle	c:\windows\system32\shell32.dll	base_address = 0x75980000	1	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76680000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	2	Fn
Get Filename		process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualProtect, address_out = 0x76a22341	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = free, address_out = 0x76d19894	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _strlwr, address_out = 0x76d2ca0b	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _strupr, address_out = 0x76d2d49e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _wcslwr, address_out = 0x76d1fb25	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = qsort, address_out = 0x76d1d3e6	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _wcsnicmp, address_out = 0x76d1aae3	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strncmp, address_out = 0x76d1b443	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __dllonexit, address_out = 0x76d1f509	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _onexit, address_out = 0x76d2112d	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _c_exit, address_out = 0x76d7b2db	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _exit, address_out = 0x76d7b2c0	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _XcptFilter, address_out = 0x76d3dc75	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _cexit, address_out = 0x76d237d4	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = exit, address_out = 0x76d236aa	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _acmdln, address_out = 0x76db04d8	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strrchr, address_out = 0x76d1dbae	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _initterm, address_out = 0x76d1c151	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __setusermatherr, address_out = 0x76da77ad	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strchr, address_out = 0x76d1dbeb	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _ultoa, address_out = 0x76d61822	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = malloc, address_out = 0x76d19cee	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _memicmp, address_out = 0x76d206c8	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strcmp, address_out = 0x76d28b11	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _mbsnbicmp, address_out = 0x76d73480	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _mbsrchr, address_out = 0x76d28e5b	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _snprintf, address_out = 0x76d3fa7c	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = memset, address_out = 0x76d19790	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _strnicmp, address_out = 0x76d20578	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcschr, address_out = 0x76d1aa61	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcsncmp, address_out = 0x76d1b05e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcslen, address_out = 0x76d2d335	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = abs, address_out = 0x76d3eb1e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = sprintf, address_out = 0x76d2d354	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = atoi, address_out = 0x76d1dbe0	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = memcmp, address_out = 0x76d27975	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __getmainargs, address_out = 0x76d22bc0	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _strcmpi, address_out = 0x76d1db38	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _mbsicmp, address_out = 0x76d29238	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _purecall, address_out = 0x76d76ea9	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = log, address_out = 0x76d3de50	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _mbscmp, address_out = 0x76d383c0	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = ??2@YAPAXI@Z, address_out = 0x76d1b0c9	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = ??3@YAXPAX@Z, address_out = 0x76d1b0b9	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strlen, address_out = 0x76d243d3	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _itoa, address_out = 0x76d34218	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strcpy, address_out = 0x76d28d6e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strtoul, address_out = 0x76d2012e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = memcpy, address_out = 0x76d19910	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcscpy, address_out = 0x76d2d4f8	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strcat, address_out = 0x76d28d75	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strncat, address_out = 0x76d40909	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _adjust_fdiv, address_out = 0x76db32ec	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __p__commode, address_out = 0x76d227c3	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __p__fmode, address_out = 0x76d227ce	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __set_app_type, address_out = 0x76d22804	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _controlfp, address_out = 0x76d1e1e1	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _except_handler3, address_out = 0x76d3d770	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = 6, address_out = 0x6d6ea14c	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = ImageList_Create, address_out = 0x6d6c908c	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = ImageList_ReplaceIcon, address_out = 0x6d726ea3	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = 17, address_out = 0x6d6c1739	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = ImageList_AddMasked, address_out = 0x6d6c8b75	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = ImageList_SetImageCount, address_out = 0x6d726e17	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = CreateToolbarEx, address_out = 0x6d6ea4d5	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetCurrentDirectoryA, address_out = 0x76a2903d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ExitProcess, address_out = 0x76a3214f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcessId, address_out = 0x76a2cac4	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x76a2cdcf	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CompareFileTime, address_out = 0x76a313f3	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVolumeInformationA, address_out = 0x76a441aa	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetStdHandle, address_out = 0x76a31e46	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address_out = 0x76a1d8d7	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address_out = 0x76a1dc43	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = EnumResourceNamesA, address_out = 0x76a45a34	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address_out = 0x76a3d763	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetComputerNameA, address_out = 0x76a16ba9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTempPathA, address_out = 0x76a46a65	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetSystemDirectoryA, address_out = 0x76a28fc5	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address_out = 0x76a45d02	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateRemoteThread, address_out = 0x76a6f33b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindResourceA, address_out = 0x76a2a05b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = EnumResourceTypesA, address_out = 0x76a6cb42	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LockResource, address_out = 0x76a1fd29	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetStartupInfoA, address_out = 0x769e1e10	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = DeleteFileA, address_out = 0x76a247cb	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadResource, address_out = 0x76a2984d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SizeofResource, address_out = 0x76a23e7f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WideCharToMultiByte, address_out = 0x76a3450e	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetProcAddress, address_out = 0x76a333d3	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address_out = 0x76a2cf41	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FreeLibrary, address_out = 0x76a2d9d0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = MultiByteToWideChar, address_out = 0x76a3452b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WriteFile, address_out = 0x76a31400	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address_out = 0x76a3395c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ReadProcessMemory, address_out = 0x76a1c1ce	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address_out = 0x76a2ba90	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x76a2ca7c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x76a2ca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address_out = 0x76a1c1de	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ResumeThread, address_out = 0x76a20f1c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address_out = 0x76a1c1b6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = OpenProcess, address_out = 0x76a259d7	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileSize, address_out = 0x76a20273	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualFreeEx, address_out = 0x76a1c1ee	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentDirectoryA, address_out = 0x76a1733c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ExpandEnvironmentStringsA, address_out = 0x76a18a5b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x76a29ce1	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address_out = 0x76a333f6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalLock, address_out = 0x76a29e05	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalUnlock, address_out = 0x76a29d50	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindNextFileA, address_out = 0x76a2a187	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryExA, address_out = 0x76a247fa	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindFirstFileA, address_out = 0x76a32d89	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileA, address_out = 0x76a2cee8	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x76a2bf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileTime, address_out = 0x76a20f6f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFilePointer, address_out = 0x76a2db36	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileAttributesA, address_out = 0x76a31de6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTempFileNameA, address_out = 0x76a4695f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindClose, address_out = 0x76a30e62	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x76a33861	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FormatMessageA, address_out = 0x76a48868	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ReadFile, address_out = 0x76a296fb	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CopyRect, address_out = 0x755b4ad9	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DrawTextExA, address_out = 0x755cae60	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DispatchMessageA, address_out = 0x755b2e32	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMessageA, address_out = 0x755b1899	1	Fn
Get Address	c:\windows\system32\user32.dll	function = IsDialogMessageA, address_out = 0x755c2019	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DeferWindowPos, address_out = 0x755aa6c8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = TranslateMessage, address_out = 0x755b64c7	1	Fn
Get Address	c:\windows\system32\user32.dll	function = BeginDeferWindowPos, address_out = 0x755aa6a6	1	Fn
Get Address	c:\windows\system32\user32.dll	function = PostQuitMessage, address_out = 0x755ab308	1	Fn
Get Address	c:\windows\system32\user32.dll	function = TrackPopupMenu, address_out = 0x755c2228	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EndDeferWindowPos, address_out = 0x755aa67a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetFocus, address_out = 0x755b3a34	1	Fn
Get Address	c:\windows\system32\user32.dll	function = RegisterWindowMessageA, address_out = 0x755ac091	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindowTextA, address_out = 0x755a6eed	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMenuItemInfoA, address_out = 0x755a856a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetCursor, address_out = 0x755b3075	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ChildWindowFromPoint, address_out = 0x755eb6aa	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSysColorBrush, address_out = 0x755af1ed	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SendMessageA, address_out = 0x755aad60	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadCursorA, address_out = 0x755a8328	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MessageBoxA, address_out = 0x755fea11	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetDlgItemTextA, address_out = 0x755c707a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDlgItemTextA, address_out = 0x75603d14	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowTextA, address_out = 0x755d0c5b	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EndDialog, address_out = 0x755d3ba3	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDlgItem, address_out = 0x755d42bb	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CreateWindowExA, address_out = 0x755abf40	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindowRect, address_out = 0x755b558c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = RegisterClassA, address_out = 0x755abc6a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = UpdateWindow, address_out = 0x755affa8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x755b67cf	1	Fn
Get Address	c:\windows\system32\user32.dll	function = PostMessageA, address_out = 0x755ab446	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetMenu, address_out = 0x755d6b0e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ShowWindow, address_out = 0x755af2a9	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadAcceleratorsA, address_out = 0x755cae02	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowPos, address_out = 0x755b1bc4	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DefWindowProcA, address_out = 0x755abb1c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = TranslateAcceleratorA, address_out = 0x755d133f	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindowPlacement, address_out = 0x755d69de	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadIconA, address_out = 0x755a64ad	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindowLongA, address_out = 0x755aa95e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowLongA, address_out = 0x755a8ba3	1	Fn
Get Address	c:\windows\system32\user32.dll	function = InvalidateRect, address_out = 0x755b566d	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetFocus, address_out = 0x755aabad	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MapDialogRect, address_out = 0x755d347a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetRect, address_out = 0x755b498b	1	Fn
Get Address	c:\windows\system32\user32.dll	function = OpenClipboard, address_out = 0x755d447e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDC, address_out = 0x755b544c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EmptyClipboard, address_out = 0x755c290c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnableMenuItem, address_out = 0x755d43bc	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ReleaseDC, address_out = 0x755b5421	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MoveWindow, address_out = 0x755a8d29	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMenuItemCount, address_out = 0x755aae39	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CheckMenuItem, address_out = 0x755cee7c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetClientRect, address_out = 0x755b54dd	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMenuStringA, address_out = 0x75603a16	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetClipboardData, address_out = 0x755c2962	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetCursorPos, address_out = 0x755aa4b3	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetClassNameA, address_out = 0x755d2445	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CloseClipboard, address_out = 0x755d446c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MapWindowPoints, address_out = 0x755b5caa	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadImageA, address_out = 0x755c7779	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSysColor, address_out = 0x755bdb7a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMenu, address_out = 0x755d6b68	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSubMenu, address_out = 0x755a9c19	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadMenuA, address_out = 0x755bf92c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetParent, address_out = 0x755b6029	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadStringA, address_out = 0x755a66a7	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CreateDialogParamA, address_out = 0x755c1f42	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ModifyMenuA, address_out = 0x75603ae0	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DestroyWindow, address_out = 0x755ab2f4	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DialogBoxParamA, address_out = 0x755ecf42	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDlgCtrlID, address_out = 0x755ab4e8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DestroyMenu, address_out = 0x755a87f7	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumChildWindows, address_out = 0x755b2948	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SelectObject, address_out = 0x75556640	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetTextColor, address_out = 0x75556906	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreateFontIndirectA, address_out = 0x7555d22d	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetBkMode, address_out = 0x755569b1	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = DeleteObject, address_out = 0x75555f14	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetTextExtentPoint32A, address_out = 0x755607b0	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetBkColor, address_out = 0x75556a3c	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetDeviceCaps, address_out = 0x75556f7f	1	Fn
Get Address	c:\windows\system32\comdlg32.dll	function = GetSaveFileNameA, address_out = 0x771aa353	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegOpenKeyExA, address_out = 0x76954907	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegEnumKeyExA, address_out = 0x76951481	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegQueryValueExA, address_out = 0x769548ef	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegEnumKeyA, address_out = 0x7696a299	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegOpenKeyExW, address_out = 0x7695468d	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegDeleteKeyA, address_out = 0x7696a8b7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegEnumValueA, address_out = 0x7694cf49	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetUserNameA, address_out = 0x7696a4b4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegEnumValueW, address_out = 0x769548cc	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegCloseKey, address_out = 0x7695469d	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = SHGetPathFromIDListA, address_out = 0x75aa1c24	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = SHGetMalloc, address_out = 0x759a0602	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = SHBrowseForFolderA, address_out = 0x75bcdc6a	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = ShellExecuteA, address_out = 0x75bc7078	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitialize, address_out = 0x7669b636	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoUninitialize, address_out = 0x766c86d3	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitCommonControlsEx, address_out = 0x6d6c6be6	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = SHGetSpecialFolderPathA, address_out = 0x75bcfb26	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76954304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address_out = 0x7695404a	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address_out = 0x7695418e	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredReadW, address_out = 0x769872a1	2	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredFree, address_out = 0x7694b2ec	2	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredEnumerateW, address_out = 0x76987481	2	Fn
Get Address	c:\windows\system32\crypt32.dll	function = CryptUnprotectData, address_out = 0x751f5a7f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsDebuggerPresent, address_out = 0x76a23ea8	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = NSS_Init, address_out = 0x6d0bd70b	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = NSS_Shutdown, address_out = 0x6d0bd13c	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = PK11_GetInternalKeySlot, address_out = 0x6d053c51	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = PK11_FreeSlot, address_out = 0x6d053333	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = PK11_Authenticate, address_out = 0x6d03d3ca	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = PK11SDR_Decrypt, address_out = 0x6d0500a7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptAcquireContextA, address_out = 0x769491dd	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptReleaseContext, address_out = 0x7694e124	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptCreateHash, address_out = 0x7694df4e	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptGetHashParam, address_out = 0x7694df7e	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptHashData, address_out = 0x7694df36	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDestroyHash, address_out = 0x7694df66	1	Fn

System (3)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	1	Fn
Get Info	type = Windows Directory, result_out = C:\Windows	1	Fn

Ini (14)

Operation	Filename	Additional Information	Count	Logfile
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = ShowGridLines, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = SaveFilterIndex, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = AddExportHeaderLine, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = MarkOddEvenRows, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Folder0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Folder1	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Folder2	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Folder3	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Folder4	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Folder5	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Folder6	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = WinPos	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Columns	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Sort, default_value = 0	1	Fn

Debug (1)

Operation	Process	Additional Information	Success	Count	Logfile
Check for Presence	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe			1	Fn

Process #8: regsvcs.exe

(Host: 430, Network: 0)

Information	Value
ID	#8
File Name	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl"
Initial Working Directory	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\
Monitor	Start Time: 00:00:20, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:51

OS Process Information

Information	Value
PID	0xaa0
Parent PID	0xa4c (c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x AA4 0x AC4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000130000	0x00130000	0x0013ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000270000	0x00270000	0x00337fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000400000	0x00400000	0x0041dfff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000500000	0x00500000	0x005fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000600000	0x00600000	0x00700fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000007f0000	0x007f0000	0x007fffff	Private Memory	Readable, Writable	Region Actions
regsvcs.exe	0x008e0000	0x008edfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000008f0000	0x008f0000	0x014effff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000014f0000	0x014f0000	0x015effff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x015f0000	0x018befff	Memory Mapped File	Readable	Region Actions
private_0x0000000001a40000	0x01a40000	0x01b3ffff	Private Memory	Readable, Writable	Region Actions
comctl32.dll	0x6d6c0000	0x6d743fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pstorec.dll	0x72970000	0x7297cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x73840000	0x73853fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75070000	0x7508afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75180000	0x7518bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x751c0000	0x752dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x752e0000	0x75329fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75550000	0x7559dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x755a0000	0x75668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x756b0000	0x75706fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75710000	0x7572efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75730000	0x757fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75980000	0x765c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x765e0000	0x7667cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76680000	0x767dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76940000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x769e0000	0x76ab3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76ac0000	0x76b60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76d10000	0x76dbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76fc0000	0x770fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77110000	0x77128fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77160000	0x77169fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77170000	0x771eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77200000	0x77200fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x400000, size = 512	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x401000, size = 44032	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x41c000, size = 3584	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x41d000, size = 4096	1	Fn Data
Modify Memory	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	address = 0x7ffdb008, size = 4	1	Fn Data
Modify Control Flow	#4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0xa88	os_tid = 0xaa4, address = 0x77007098	1	Fn

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\eebsym5\appdata\local\temp\zljxukhl	0.46 KB (469 bytes)	MD5: b2912991f1be1bdf15ea7028328cc3bf SHA1: a18027ccd9e804696cac7dc581c58ce59b77e3c5 SHA256: 1035b4c326e3ee76f23a9532c2de82ba28071fb55ebfa27f99f48bb08f7c8114		File Actions Show Properties Download

Host Behavior

File (32)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{553187ED-CFB2-4763-8DAE-48D3609A76AC}.oeaccount	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{91E541D8-6C9E-48C0-AB69-0A7168AA62DE}.oeaccount	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{DD8DA3D5-48F0-4F18-846C-50E4200467F0}.oeaccount	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Get Info	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs_lng.ini	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Profiles	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Thunderbird\Profiles	type = file_attributes	1	Fn
Get Info	C:\Program Files\Mozilla Thunderbird	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{553187ED-CFB2-4763-8DAE-48D3609A76AC}.oeaccount	type = size	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{91E541D8-6C9E-48C0-AB69-0A7168AA62DE}.oeaccount	type = size	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{DD8DA3D5-48F0-4F18-846C-50E4200467F0}.oeaccount	type = size	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{553187ED-CFB2-4763-8DAE-48D3609A76AC}.oeaccount	size = 1734, size_out = 1734	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{91E541D8-6C9E-48C0-AB69-0A7168AA62DE}.oeaccount	size = 1506, size_out = 1506	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{DD8DA3D5-48F0-4F18-846C-50E4200467F0}.oeaccount	size = 670, size_out = 670	1	Fn Data
Write	C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl	size = 50	2	Fn Data
Write	C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl	size = 2	3	Fn Data
Write	C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl	size = 30	1	Fn Data
Write	C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl	size = 52	1	Fn Data
Write	C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl	size = 35	1	Fn Data
Write	C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl	size = 27	2	Fn Data
Write	C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl	size = 22	4	Fn Data
Write	C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl	size = 24	1	Fn Data
Write	C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl	size = 26	1	Fn Data
Write	C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl	size = 29	1	Fn Data
Write	C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl	size = 25	1	Fn Data

Registry (124)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts		1	Fn
Open Key	HKEY_CURRENT_USER\Identities		1	Fn
Open Key	HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}		1	Fn
Open Key	HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}\Software\Microsoft\Internet Account Manager\Accounts		1	Fn
Open Key	HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\24f93cf8ea9a9546b93f8dc78abb6a97		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3c51f4951df2d34baef1a05b725728d2		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\42405d6c3502e64caa2aeda354771336		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5e8673e5f416694397a90d6dc37f5694		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\600082486368c34683de3c06ff753b3b		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6c393c97bf8f52408197f7e63b61e548		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9fd587aab699e24cb035dd8129bd6b5b		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\d9417b97bf6b594d89a41cdbed740112		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e3233d298149174193c9c78f955de155		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e50f0eb5db19ee44ba2717941e28e885		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles		1	Fn
Open Key	HKEY_CURRENT_USER\Software\IncrediMail\Identities		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Group Mail		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\MessengerService		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Yahoo\Pager		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail		1	Fn
Read Value	HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}	value_name = Username, data = Main Identity, type = REG_SZ	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	value_name = POP3 User, data = 48, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	value_name = IMAP User, data = 48, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	value_name = HTTP User, data = 48, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	value_name = SMTP User, data = 48, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = POP3 User, data = 48, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = IMAP User, data = 48, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = HTTP User, data = 48, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = SMTP User, data = 48, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = POP3 User, type = REG_BINARY	1	Fn Data
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = POP3 Server, type = REG_BINARY	1	Fn Data
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = Display Name, type = REG_BINARY	1	Fn Data
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = Email, type = REG_BINARY	1	Fn Data
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = SMTP Server, type = REG_BINARY	1	Fn Data
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = POP3 Use SPA, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = POP3 Password, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = IMAP User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = HTTP User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = SMTP User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	value_name = POP3 User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	value_name = IMAP User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	value_name = HTTP User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	value_name = SMTP User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary	value_name = POP3 User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary	value_name = IMAP User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary	value_name = HTTP User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary	value_name = SMTP User, data = 100, type = REG_NONE	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Identities		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Identities		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\24f93cf8ea9a9546b93f8dc78abb6a97		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3c51f4951df2d34baef1a05b725728d2		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\42405d6c3502e64caa2aeda354771336		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5e8673e5f416694397a90d6dc37f5694		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\600082486368c34683de3c06ff753b3b		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6c393c97bf8f52408197f7e63b61e548		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9fd587aab699e24cb035dd8129bd6b5b		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\d9417b97bf6b594d89a41cdbed740112		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e3233d298149174193c9c78f955de155		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e50f0eb5db19ee44ba2717941e28e885		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles		1	Fn

Module (264)

Operation	Module	Additional Information	Count	Logfile
Load	comctl32.dll	base_address = 0x6d6c0000	1	Fn
Load	shell32.dll	base_address = 0x75980000	1	Fn
Load	pstorec.dll	base_address = 0x72970000	1	Fn
Load	crypt32.dll	base_address = 0x751c0000	2	Fn
Load	advapi32.dll	base_address = 0x76940000	3	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x769e0000	2	Fn
Get Handle	c:\windows\system32\msvcrt.dll	base_address = 0x76d10000	1	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x6d6c0000	1	Fn
Get Handle	c:\windows\system32\rpcrt4.dll	base_address = 0x76ac0000	1	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x755a0000	1	Fn
Get Handle	c:\windows\system32\gdi32.dll	base_address = 0x75550000	1	Fn
Get Handle	c:\windows\system32\comdlg32.dll	base_address = 0x77170000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76940000	1	Fn
Get Handle	c:\windows\system32\shell32.dll	base_address = 0x75980000	1	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76680000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	2	Fn
Get Filename		process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualProtect, address_out = 0x76a22341	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = memmove, address_out = 0x76d19e5a	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcschr, address_out = 0x76d1aa61	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcslen, address_out = 0x76d2d335	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcsncmp, address_out = 0x76d1b05e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _itoa, address_out = 0x76d34218	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _strlwr, address_out = 0x76d2ca0b	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = qsort, address_out = 0x76d1d3e6	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strncmp, address_out = 0x76d1b443	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _snprintf, address_out = 0x76d3fa7c	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _mbsrchr, address_out = 0x76d28e5b	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _mbsnbicmp, address_out = 0x76d73480	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __dllonexit, address_out = 0x76d1f509	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _onexit, address_out = 0x76d2112d	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _c_exit, address_out = 0x76d7b2db	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _exit, address_out = 0x76d7b2c0	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _XcptFilter, address_out = 0x76d3dc75	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _cexit, address_out = 0x76d237d4	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _strnicmp, address_out = 0x76d20578	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _acmdln, address_out = 0x76db04d8	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __getmainargs, address_out = 0x76d22bc0	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _initterm, address_out = 0x76d1c151	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _memicmp, address_out = 0x76d206c8	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = malloc, address_out = 0x76d19cee	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strrchr, address_out = 0x76d1dbae	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _stricmp, address_out = 0x76d1db38	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = free, address_out = 0x76d19894	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = modf, address_out = 0x76d27551	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = memcmp, address_out = 0x76d27975	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strtoul, address_out = 0x76d2012e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = ??3@YAXPAX@Z, address_out = 0x76d1b0b9	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = ??2@YAPAXI@Z, address_out = 0x76d1b0c9	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = memcpy, address_out = 0x76d19910	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = sprintf, address_out = 0x76d2d354	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _mbsicmp, address_out = 0x76d29238	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = atoi, address_out = 0x76d1dbe0	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _strcmpi, address_out = 0x76d1db38	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strlen, address_out = 0x76d243d3	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strcmp, address_out = 0x76d28b11	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = exit, address_out = 0x76d236aa	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _adjust_fdiv, address_out = 0x76db32ec	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcsstr, address_out = 0x76d1bf71	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = log, address_out = 0x76d3de50	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _mbscmp, address_out = 0x76d383c0	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strchr, address_out = 0x76d1dbeb	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _purecall, address_out = 0x76d76ea9	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strncat, address_out = 0x76d40909	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = abs, address_out = 0x76d3eb1e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strcat, address_out = 0x76d28d75	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _ultoa, address_out = 0x76d61822	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strcpy, address_out = 0x76d28d6e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = memset, address_out = 0x76d19790	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __p__commode, address_out = 0x76d227c3	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __p__fmode, address_out = 0x76d227ce	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __set_app_type, address_out = 0x76d22804	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _controlfp, address_out = 0x76d1e1e1	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _except_handler3, address_out = 0x76d3d770	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __setusermatherr, address_out = 0x76da77ad	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = CreateToolbarEx, address_out = 0x6d6ea4d5	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = ImageList_Create, address_out = 0x6d6c908c	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = ImageList_AddMasked, address_out = 0x6d6c8b75	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = ImageList_SetImageCount, address_out = 0x6d726e17	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = 17, address_out = 0x6d6c1739	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = ImageList_ReplaceIcon, address_out = 0x6d726ea3	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = 6, address_out = 0x6d6ea14c	1	Fn
Get Address	c:\windows\system32\rpcrt4.dll	function = UuidFromStringA, address_out = 0x76ac7348	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentDirectoryA, address_out = 0x76a1733c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address_out = 0x76a2cf41	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetCurrentDirectoryA, address_out = 0x76a2903d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x76a2cdcf	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ExitProcess, address_out = 0x76a3214f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcessId, address_out = 0x76a2cac4	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ReadProcessMemory, address_out = 0x76a1c1ce	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = OpenProcess, address_out = 0x76a259d7	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetStdHandle, address_out = 0x76a31e46	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address_out = 0x76a1dc43	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = EnumResourceNamesA, address_out = 0x76a45a34	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address_out = 0x76a3d763	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetComputerNameA, address_out = 0x76a16ba9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileSize, address_out = 0x76a20273	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileA, address_out = 0x76a2cee8	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalUnlock, address_out = 0x76a29d50	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalLock, address_out = 0x76a29e05	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTempPathA, address_out = 0x76a46a65	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x76a29ce1	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x76a2ca7c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindResourceA, address_out = 0x76a2a05b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadResource, address_out = 0x76a2984d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = EnumResourceTypesA, address_out = 0x76a6cb42	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SizeofResource, address_out = 0x76a23e7f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LockResource, address_out = 0x76a1fd29	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = DeleteFileA, address_out = 0x76a247cb	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetStartupInfoA, address_out = 0x769e1e10	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address_out = 0x76a1d8d7	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = MultiByteToWideChar, address_out = 0x76a3452b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WideCharToMultiByte, address_out = 0x76a3450e	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ExpandEnvironmentStringsA, address_out = 0x76a18a5b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x76a2ca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WriteFile, address_out = 0x76a31400	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address_out = 0x76a678ad	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FreeLibrary, address_out = 0x76a2d9d0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetProcAddress, address_out = 0x76a333d3	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address_out = 0x76a3395c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address_out = 0x76a333f6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindFirstFileA, address_out = 0x76a32d89	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindNextFileA, address_out = 0x76a2a187	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFilePointer, address_out = 0x76a2db36	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x76a2bf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryExA, address_out = 0x76a247fa	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileAttributesA, address_out = 0x76a31de6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTempFileNameA, address_out = 0x76a4695f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindClose, address_out = 0x76a30e62	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FormatMessageA, address_out = 0x76a48868	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address_out = 0x76a45d02	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ReadFile, address_out = 0x76a296fb	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x76a33861	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetClassNameA, address_out = 0x755d2445	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMessageA, address_out = 0x755b1899	1	Fn
Get Address	c:\windows\system32\user32.dll	function = TranslateMessage, address_out = 0x755b64c7	1	Fn
Get Address	c:\windows\system32\user32.dll	function = RegisterWindowMessageA, address_out = 0x755ac091	1	Fn
Get Address	c:\windows\system32\user32.dll	function = PostQuitMessage, address_out = 0x755ab308	1	Fn
Get Address	c:\windows\system32\user32.dll	function = TrackPopupMenu, address_out = 0x755c2228	1	Fn
Get Address	c:\windows\system32\user32.dll	function = PostMessageA, address_out = 0x755ab446	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetFocus, address_out = 0x755b3a34	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DispatchMessageA, address_out = 0x755b2e32	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DrawTextExA, address_out = 0x755cae60	1	Fn
Get Address	c:\windows\system32\user32.dll	function = IsDialogMessageA, address_out = 0x755c2019	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindowTextA, address_out = 0x755a6eed	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMenuItemInfoA, address_out = 0x755a856a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumChildWindows, address_out = 0x755b2948	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DestroyMenu, address_out = 0x755a87f7	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDlgCtrlID, address_out = 0x755ab4e8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DialogBoxParamA, address_out = 0x755ecf42	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ShowWindow, address_out = 0x755af2a9	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetCursor, address_out = 0x755b3075	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadCursorA, address_out = 0x755a8328	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ChildWindowFromPoint, address_out = 0x755eb6aa	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSysColorBrush, address_out = 0x755af1ed	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EndDialog, address_out = 0x755d3ba3	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDlgItem, address_out = 0x755d42bb	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CreateWindowExA, address_out = 0x755abf40	1	Fn
Get Address	c:\windows\system32\user32.dll	function = InvalidateRect, address_out = 0x755b566d	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetDlgItemInt, address_out = 0x755cec2e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = BeginPaint, address_out = 0x755b5d14	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetClientRect, address_out = 0x755b54dd	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindow, address_out = 0x755b2780	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetDlgItemTextA, address_out = 0x755c707a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DrawFrameControl, address_out = 0x755cb4f9	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDlgItemTextA, address_out = 0x75603d14	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SendDlgItemMessageA, address_out = 0x755c7241	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowTextA, address_out = 0x755d0c5b	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindowRect, address_out = 0x755b558c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x755b67cf	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDlgItemInt, address_out = 0x755ced56	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DeferWindowPos, address_out = 0x755aa6c8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EndPaint, address_out = 0x755b5d42	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DefWindowProcA, address_out = 0x755abb1c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = TranslateAcceleratorA, address_out = 0x755d133f	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MessageBoxA, address_out = 0x755fea11	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindowPlacement, address_out = 0x755d69de	1	Fn
Get Address	c:\windows\system32\user32.dll	function = RegisterClassA, address_out = 0x755abc6a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = UpdateWindow, address_out = 0x755affa8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetMenu, address_out = 0x755d6b0e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadAcceleratorsA, address_out = 0x755cae02	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowPos, address_out = 0x755b1bc4	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SendMessageA, address_out = 0x755aad60	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadIconA, address_out = 0x755a64ad	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindowLongA, address_out = 0x755aa95e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowLongA, address_out = 0x755a8ba3	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetFocus, address_out = 0x755aabad	1	Fn
Get Address	c:\windows\system32\user32.dll	function = BeginDeferWindowPos, address_out = 0x755aa6a6	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EndDeferWindowPos, address_out = 0x755aa67a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CheckMenuItem, address_out = 0x755cee7c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMenuItemCount, address_out = 0x755aae39	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetClipboardData, address_out = 0x755c2962	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMenuStringA, address_out = 0x75603a16	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnableWindow, address_out = 0x755a8d02	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DestroyWindow, address_out = 0x755ab2f4	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetCursorPos, address_out = 0x755aa4b3	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadImageA, address_out = 0x755c7779	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSysColor, address_out = 0x755bdb7a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MapWindowPoints, address_out = 0x755b5caa	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMenu, address_out = 0x755d6b68	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CloseClipboard, address_out = 0x755d446c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetParent, address_out = 0x755b6029	1	Fn
Get Address	c:\windows\system32\user32.dll	function = OpenClipboard, address_out = 0x755d447e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDC, address_out = 0x755b544c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EmptyClipboard, address_out = 0x755c290c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MoveWindow, address_out = 0x755a8d29	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSubMenu, address_out = 0x755a9c19	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnableMenuItem, address_out = 0x755d43bc	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ReleaseDC, address_out = 0x755b5421	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadMenuA, address_out = 0x755bf92c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadStringA, address_out = 0x755a66a7	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CreateDialogParamA, address_out = 0x755c1f42	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ModifyMenuA, address_out = 0x75603ae0	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetDeviceCaps, address_out = 0x75556f7f	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetTextColor, address_out = 0x75556906	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreateFontIndirectA, address_out = 0x7555d22d	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetBkMode, address_out = 0x755569b1	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = DeleteObject, address_out = 0x75555f14	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetTextExtentPoint32A, address_out = 0x755607b0	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetBkColor, address_out = 0x75556a3c	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SelectObject, address_out = 0x75556640	1	Fn
Get Address	c:\windows\system32\comdlg32.dll	function = GetOpenFileNameA, address_out = 0x771aa2a9	1	Fn
Get Address	c:\windows\system32\comdlg32.dll	function = GetSaveFileNameA, address_out = 0x771aa353	1	Fn
Get Address	c:\windows\system32\comdlg32.dll	function = FindTextA, address_out = 0x771aacd6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegEnumKeyA, address_out = 0x7696a299	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegEnumKeyExA, address_out = 0x76951481	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegQueryValueExA, address_out = 0x769548ef	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegOpenKeyExA, address_out = 0x76954907	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegDeleteKeyA, address_out = 0x7696a8b7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetUserNameA, address_out = 0x7696a4b4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegCloseKey, address_out = 0x7695469d	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = SHBrowseForFolderA, address_out = 0x75bcdc6a	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = SHGetPathFromIDListA, address_out = 0x75aa1c24	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = SHGetMalloc, address_out = 0x759a0602	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = ShellExecuteA, address_out = 0x75bc7078	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitialize, address_out = 0x7669b636	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoTaskMemFree, address_out = 0x766d6f41	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoUninitialize, address_out = 0x766c86d3	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitCommonControlsEx, address_out = 0x6d6c6be6	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = SHGetSpecialFolderPathA, address_out = 0x75bcfb26	1	Fn
Get Address	c:\windows\system32\pstorec.dll	function = PStoreCreateInstance, address_out = 0x7297526c	1	Fn
Get Address	c:\windows\system32\crypt32.dll	function = CryptUnprotectData, address_out = 0x751f5a7f	2	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredReadA, address_out = 0x769871c1	3	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredFree, address_out = 0x7694b2ec	3	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredDeleteA, address_out = 0x76987941	3	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredEnumerateA, address_out = 0x76987381	3	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredEnumerateW, address_out = 0x76987481	3	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Computer Name	result_out = CRH2YWU7		1	Fn
Get Info	type = Operating System		1	Fn

Ini (7)

Operation	Filename	Additional Information	Count	Logfile
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = ShowGridLines, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = SaveFilterIndex, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = AddExportHeaderLine, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = MarkOddEvenRows, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = WinPos	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Columns	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Sort, default_value = 0	1	Fn

Process #9: cih.exe

(Host: 162, Network: 0)

Information	Value
ID	#9
File Name	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe
Command Line	"C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe" C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:55, Reason: Autostart
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:16

OS Process Information

Information	Value
PID	0x750
Parent PID	0x608 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ee71 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 754 0x 7EC 0x 158

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x00187fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000190000	0x00190000	0x0058ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000590000	0x00590000	0x00690fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000006a0000	0x006a0000	0x006a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000006b0000	0x006b0000	0x006b0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000006c0000	0x006c0000	0x006c0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000006d0000	0x006d0000	0x006d1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006e0000	0x006e0000	0x006e1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006f0000	0x006f0000	0x006f0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000700000	0x00700000	0x00706fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000710000	0x00710000	0x00711fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000720000	0x00720000	0x00720fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000730000	0x00730000	0x0073ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000730000	0x00730000	0x00734fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000740000	0x00740000	0x00744fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000760000	0x00760000	0x00b5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000b60000	0x00b60000	0x00c9ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000b60000	0x00b60000	0x00c3efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000c60000	0x00c60000	0x00c9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ca0000	0x00ca0000	0x00caffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x00cb0000	0x00f7efff	Memory Mapped File	Readable	Region Actions
cih.exe	0x00fa0000	0x0106bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000001070000	0x01070000	0x01c6ffff	Pagefile Backed Memory	Readable	Region Actions
rpcss.dll	0x01c70000	0x01ccbfff	Memory Mapped File	Readable	Region Actions
rpcss.dll	0x01c70000	0x01ccbfff	Memory Mapped File	Readable	Region Actions
private_0x0000000001c70000	0x01c70000	0x01ceffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d50000	0x01d50000	0x0214ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002150000	0x02150000	0x02542fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002550000	0x02550000	0x025effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002610000	0x02610000	0x02a0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a10000	0x02a10000	0x02b0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b10000	0x02b10000	0x02cccfff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b10000	0x02b10000	0x02d0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003280000	0x03280000	0x0338ffff	Private Memory	Readable, Writable	Region Actions
winmm.dll	0x6ec80000	0x6ecb1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsock32.dll	0x6ed20000	0x6ed26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x71e70000	0x71e81fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x74370000	0x74382fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x746a0000	0x746dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x74820000	0x749bdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74d90000	0x74d98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x74ef0000	0x74f06fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75790000	0x7579bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x75840000	0x7584afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x758b0000	0x758bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x758c0000	0x758e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x758f0000	0x75901fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x75910000	0x75a2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75a30000	0x75a79fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75b40000	0x75c13fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75c20000	0x75d14fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75d20000	0x75dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75e00000	0x75ffafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76000000	0x7609ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x760a0000	0x7616bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76170000	0x762cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x762d0000	0x7635efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76360000	0x76400fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76460000	0x764adfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x764b0000	0x76578fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76580000	0x76589fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76590000	0x765e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x76650000	0x76655fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76660000	0x7667efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76720000	0x767bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x767c0000	0x77409fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x77410000	0x775acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x775b0000	0x776e5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776f0000	0x7782bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77830000	0x77834fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77840000	0x77858fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77860000	0x778dafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x778e0000	0x77914fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77930000	0x77930fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd5000	0x7ffd5000	0x7ffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\eebsym5\appdata\local\temp\60484525\kqmao	271.35 KB (277864 bytes)	MD5: 1ddc15ba0f5ad90873d42c41f4a2abc3 SHA1: 4cc438d56cd0317c3cd75f6630f2ce4ce4b31ca0 SHA256: c1492aca20af26af0c906dc391b808f2b227904a8948aa7b34caeddb70fc83cb		File Actions Show Properties Download

Host Behavior

File (124)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	type = file_type	1	Fn
Get Info	.	type = file_attributes	1	Fn
Get Info	0409	type = file_attributes	1	Fn
Open	STD_INPUT_HANDLE		2	Fn
Open	STD_OUTPUT_HANDLE		1	Fn
Open	STD_ERROR_HANDLE		1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	size = 65536, size_out = 65536	92	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	size = 65536, size_out = 8772	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	size = 53248, size_out = 0	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	size = 65536, size_out = 20	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	size = 61440, size_out = 0	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	size = 65536, size_out = 7852	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	size = 65536, size_out = 0	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	size = 65536, size_out = 65536	12	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	size = 65536, size_out = 50285	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO	size = 65536, size_out = 0	1	Fn
Write	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO	size = 277864	1	Fn Data

Registry (3)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Control Panel\Mouse		1	Fn
Open Key	HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt		1	Fn
Read Value	HKEY_CURRENT_USER\Control Panel\Mouse	value_name = SwapMouseButtons, data = 48	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO	os_pid = 0x480, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL		1	Fn

Module (17)

Operation	Module	Additional Information	Count	Logfile
Load	kernel32.dll	base_address = 0x75b40000	1	Fn
Load	uxtheme.dll	base_address = 0x746a0000	1	Fn
Load	user32.dll	base_address = 0x764b0000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75b40000	2	Fn
Get Handle	mscoree.dll	base_address = 0x0	1	Fn
Get Filename		process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe, size = 260	3	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsAlloc, address_out = 0x75b9418d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsGetValue, address_out = 0x75b91e16	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsSetValue, address_out = 0x75b976e6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsFree, address_out = 0x75b91f61	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsWow64Process, address_out = 0x75b84785	1	Fn
Get Address	c:\windows\system32\uxtheme.dll	function = IsThemeActive, address_out = 0x746af785	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CallWindowProc, address_out = 0x0	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CallWindowProcA, address_out = 0x764e2bd3	1	Fn

Window (2)

Operation	Window Name	Additional Information	Success	Count	Logfile
Create	AutoIt v3	class_name = AutoIt v3, wndproc_parameter = 0		1	Fn

System (7)

Operation	Additional Information	Count	Logfile
Sleep	duration = 750 milliseconds (0.750 seconds)	2	Fn
Get Time	type = System Time, time = 2017-10-04 02:24:17 (UTC)	1	Fn
Get Time	type = Ticks, time = 11965	1	Fn
Get Time	type = System Time, time = 2017-10-04 02:24:20 (UTC)	1	Fn
Get Info	type = Operating System	1	Fn
Get Info	type = Hardware Information	1	Fn

Environment (1)

Operation	Additional Information	Success	Count	Logfile
Get Environment String			1	Fn Data

Ini (3)

Operation	Filename	Additional Information	Count	Logfile
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = Dir, data_out = 60484525	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = sK, data_out = 228	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = sN, data_out = rpi.qcn	1	Fn

Debug (1)

Operation	Process	Additional Information	Success	Count	Logfile
Check for Presence	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe			1	Fn

Process #10: cih.exe

(Host: 353, Network: 0)

Information	Value
ID	#10
File Name	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe
Command Line	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:08

OS Process Information

Information	Value
PID	0x480
Parent PID	0x750 (c:\users\eebsym5\appdata\local\temp\60484525\cih.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ee71 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 488 0x 61C 0x 6BC 0x 758

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00100fff	Pagefile Backed Memory	Readable, Writable	Region Actions
rpcss.dll	0x00110000	0x0016bfff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000110000	0x00110000	0x00116fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000120000	0x00120000	0x00121fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000130000	0x00130000	0x00130fff	Private Memory	Readable, Writable	Region Actions
tzres.dll	0x00140000	0x00140fff	Memory Mapped File	Readable	Region Actions
rsaenh.dll	0x00140000	0x0017bfff	Memory Mapped File	Readable	Region Actions
rsaenh.dll	0x00140000	0x0017bfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000140000	0x00140000	0x00140fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000160000	0x00160000	0x00160fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000170000	0x00170000	0x00170fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000180000	0x00180000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x00190fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000001a0000	0x001a0000	0x001a0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000001f0000	0x001f0000	0x005effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005f0000	0x005f0000	0x006b7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000006c0000	0x006c0000	0x00abffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000ac0000	0x00ac0000	0x00bc0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000bd0000	0x00bd0000	0x00caefff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000cb0000	0x00cb0000	0x00cbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000cc0000	0x00cc0000	0x00dbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000cc0000	0x00cc0000	0x00d3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d80000	0x00d80000	0x00dbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000dc0000	0x00dc0000	0x00ebffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ec0000	0x00ec0000	0x00f3ffff	Private Memory	Readable, Writable	Region Actions
cih.exe	0x00fa0000	0x0106bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000001070000	0x01070000	0x01c6ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01c70000	0x01f3efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001f40000	0x01f40000	0x0233ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002340000	0x02340000	0x02732fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002780000	0x02780000	0x02b7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b80000	0x02b80000	0x02d7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002d80000	0x02d80000	0x02f3cfff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002e60000	0x02e60000	0x0325ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003260000	0x03260000	0x0341cfff	Private Memory	Readable, Writable	Region Actions
winmm.dll	0x6ec80000	0x6ecb1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsock32.dll	0x6ed20000	0x6ed26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x71e70000	0x71e81fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x74370000	0x74382fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x746a0000	0x746dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x74820000	0x749bdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74d90000	0x74d98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x74ef0000	0x74f06fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x750b0000	0x750eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x75310000	0x75325fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75790000	0x7579bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x75840000	0x7584afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x758b0000	0x758bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x758c0000	0x758e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x758f0000	0x75901fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x75910000	0x75a2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75a30000	0x75a79fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75b40000	0x75c13fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75c20000	0x75d14fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75d20000	0x75dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75e00000	0x75ffafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76000000	0x7609ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x760a0000	0x7616bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76170000	0x762cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x762d0000	0x7635efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76360000	0x76400fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76460000	0x764adfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x764b0000	0x76578fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76580000	0x76589fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76590000	0x765e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x76650000	0x76655fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76660000	0x7667efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76720000	0x767bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x767c0000	0x77409fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x77410000	0x775acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x775b0000	0x776e5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776f0000	0x7782bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77830000	0x77834fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77840000	0x77858fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77860000	0x778dafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x778e0000	0x77914fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77930000	0x77930fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

File (41)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO	type = file_type	1	Fn
Get Info	60484525	type = file_attributes	2	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\spd	type = file_attributes	1	Fn
Get Info	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO	type = file_attributes	1	Fn
Open	STD_INPUT_HANDLE		2	Fn
Open	STD_OUTPUT_HANDLE		1	Fn
Open	STD_ERROR_HANDLE		1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO	size = 65536, size_out = 65536	8	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO	size = 65536, size_out = 15800	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO	size = 49152, size_out = 0	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO	size = 65536, size_out = 20	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO	size = 61440, size_out = 0	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO	size = 65536, size_out = 15720	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO	size = 65536, size_out = 0	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	size = 65536, size_out = 65536	12	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	size = 65536, size_out = 50285	1	Fn Data
Delete	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO		1	Fn

Registry (7)

Operation	Key	Additional Information	Count	Logfile
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run		1	Fn
Create Key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run		1	Fn
Open Key	HKEY_CURRENT_USER\Control Panel\Mouse		1	Fn
Open Key	HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt		1	Fn
Read Value	HKEY_CURRENT_USER\Control Panel\Mouse	value_name = SwapMouseButtons, data = 48	1	Fn
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	value_name = WindowsUpdate, data = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 212, type = REG_SZ	1	Fn
Write Value	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run	value_name = WindowsUpdate, data = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 212, type = REG_SZ	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	os_pid = 0x328, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE		1	Fn

Thread (3)

Operation	Process	Additional Information	Count	Logfile
Get Context	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	os_tid = 0x488	1	Fn
Set Context	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	os_tid = 0x488	1	Fn
Resume	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	os_tid = 0x488	1	Fn

Memory (7)

Operation	Process	Additional Information	Count	Logfile
Allocate	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 106496	1	Fn
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	address = 0x400000, size = 4096	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	address = 0x401000, size = 69632	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	address = 0x412000, size = 24576	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	address = 0x418000, size = 4096	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	address = 0x419000, size = 4096	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	address = 0x7ffdb008, size = 4	1	Fn Data

Module (48)

Operation	Module	Additional Information	Count	Logfile
Load	kernel32.dll	base_address = 0x75b40000	1	Fn
Load	uxtheme.dll	base_address = 0x746a0000	1	Fn
Load	Advapi32.dll	base_address = 0x76000000	1	Fn
Load	user32.dll	base_address = 0x764b0000	1	Fn
Load	kernel32	base_address = 0x75b40000	17	Fn
Load	ntdll	base_address = 0x776f0000	8	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75b40000	2	Fn
Get Handle	mscoree.dll	base_address = 0x0	1	Fn
Get Filename		process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe, size = 260	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsAlloc, address_out = 0x75b9418d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsGetValue, address_out = 0x75b91e16	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsSetValue, address_out = 0x75b976e6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsFree, address_out = 0x75b91f61	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsWow64Process, address_out = 0x75b84785	1	Fn
Get Address	c:\windows\system32\uxtheme.dll	function = IsThemeActive, address_out = 0x746af785	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptAcquireContext, address_out = 0x0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptAcquireContextA, address_out = 0x760091dd	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptCreateHash, address_out = 0x7600df4e	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptHashData, address_out = 0x7600df36	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDeriveKey, address_out = 0x76043188	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDestroyHash, address_out = 0x7600df66	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDecrypt, address_out = 0x76043178	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CallWindowProcW, address_out = 0x764c1b3c	1	Fn

Service (1)

Operation	Additional Information	Success	Count	Logfile
Open Manager	database_name = SERVICES_ACTIVE_DATABASE		1	Fn

Window (2)

Operation	Window Name	Additional Information	Success	Count	Logfile
Create	AutoIt v3	class_name = AutoIt v3, wndproc_parameter = 0		1	Fn

System (215)

Operation	Additional Information	Count	Logfile
Sleep	duration = 750 milliseconds (0.750 seconds)	7	Fn
Sleep	duration = 10 milliseconds (0.010 seconds)	199	Fn
Get Time	type = System Time, time = 2017-10-04 02:24:20 (UTC)	1	Fn
Get Time	type = Ticks, time = 15490	1	Fn
Get Time	type = System Time, time = 2017-10-04 02:24:21 (UTC)	2	Fn
Get Info	type = Operating System	1	Fn
Get Info	type = Hardware Information	1	Fn
Get Info	type = Windows Directory, result_out = C:\Windows	3	Fn

Environment (1)

Operation	Additional Information	Success	Count	Logfile
Get Environment String			1	Fn Data

Ini (22)

Operation	Filename	Additional Information	Count	Logfile
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = Dir, data_out = 60484525	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = msg	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = _S0x20057179D673181B71D4593BFB2A0450	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = VM	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = SandBox	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = duac	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = drpt	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = btklr	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = taskmnrg	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = hSUps	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = StartUps, data_out = lju-0W23JhA138k76msH67J30	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = Key, data_out = WindowsUpdate	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = AuEx, data_out = cvn-nhc	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = ExEc, data_out = cih.exe	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = Down	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = Net	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = eof	2	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = RP, data_out = qkr.xul	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = Keys, data_out = jom	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = fb	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = btkl	1	Fn

Debug (1)

Operation	Process	Additional Information	Success	Count	Logfile
Check for Presence	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe			1	Fn

Process #11: regsvcs.exe

(Host: 432, Network: 41)

Information	Value
ID	#11
File Name	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:07, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:04

OS Process Information

Information	Value
PID	0x328
Parent PID	0x480 (c:\users\eebsym5\appdata\local\temp\60484525\cih.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ee71 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 4D8 0x 7E4 0x 340 0x 324 0x 320 0x 12C 0x 334 0x 360 0x 428 0x 530 0x 43C 0x 518 0x 750 0x 7A4 0x 150 0x 624 0x 69C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000060000	0x00060000	0x00060fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000070000	0x00070000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x0017ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000180000	0x00180000	0x00180fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x00190fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001a0000	0x001a0000	0x001a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001b0000	0x001b0000	0x002affff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x002b0000	0x00316fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000320000	0x00320000	0x0037ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000390000	0x00390000	0x0039ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x00419fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000420000	0x00420000	0x004e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000004f0000	0x004f0000	0x005f0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000600000	0x00600000	0x006fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000700000	0x00700000	0x007fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000810000	0x00810000	0x0090ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000950000	0x00950000	0x00a4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a50000	0x00a50000	0x00b6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a50000	0x00a50000	0x00b4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000b60000	0x00b60000	0x00b6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c00000	0x00c00000	0x00cfffff	Private Memory	Readable, Writable	Region Actions
regsvcs.exe	0x00d30000	0x00d3dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000d40000	0x00d40000	0x0193ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001990000	0x01990000	0x01a8ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01a90000	0x01d5efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001d60000	0x01d60000	0x01f1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d60000	0x01d60000	0x01e4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ee0000	0x01ee0000	0x01f1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f40000	0x01f40000	0x0203ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002120000	0x02120000	0x0221ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002220000	0x02220000	0x0241ffff	Private Memory	Readable, Writable	Region Actions
winmm.dll	0x6ec80000	0x6ecb1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasadhlp.dll	0x6f7a0000	0x6f7a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcp60.dll	0x72440000	0x724a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winrnr.dll	0x730a0000	0x730a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pnrpnsp.dll	0x730b0000	0x730c1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fwpuclnt.dll	0x73940000	0x73977fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x73a80000	0x73a86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x73a90000	0x73aabfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x73bb0000	0x73bbffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
napinsp.dll	0x73ef0000	0x73efffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdiplus.dll	0x74510000	0x7469ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x74e20000	0x74e24fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x75190000	0x751d3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x752d0000	0x7530bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75770000	0x7578afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x758b0000	0x758bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x75910000	0x75a2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75a30000	0x75a79fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75b40000	0x75c13fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75c20000	0x75d14fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75d20000	0x75dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75e00000	0x75ffafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76000000	0x7609ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x760a0000	0x7616bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76170000	0x762cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x762d0000	0x7635efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76360000	0x76400fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76460000	0x764adfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x764b0000	0x76578fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76580000	0x76589fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76590000	0x765e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x76650000	0x76655fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76660000	0x7667efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76720000	0x767bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x767c0000	0x77409fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x775b0000	0x776e5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776f0000	0x7782bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77830000	0x77834fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77840000	0x77858fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x778e0000	0x77914fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77930000	0x77930fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd6000	0x7ffd6000	0x7ffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffd7000	0x7ffd7000	0x7ffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffd8000	0x7ffd8000	0x7ffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffd9000	0x7ffd9000	0x7ffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#10: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0x488	address = 0x400000, size = 4096	1	Fn Data
Modify Memory	#10: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0x488	address = 0x401000, size = 69632	1	Fn Data
Modify Memory	#10: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0x488	address = 0x412000, size = 24576	1	Fn Data
Modify Memory	#10: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0x488	address = 0x418000, size = 4096	1	Fn Data
Modify Memory	#10: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0x488	address = 0x419000, size = 4096	1	Fn Data
Modify Memory	#10: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0x488	address = 0x7ffdb008, size = 4	1	Fn Data
Modify Control Flow	#10: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	0x488	os_tid = 0x4d8, address = 0x77737098	1	Fn

Host Behavior

File (45)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	9	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	9	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	10	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create	C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Create Directory	C:\Users\EEBsYm5\AppData\Roaming\chrome		1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat	type = size	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv	type = size	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt	type = size	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat	type = file_attributes	1	Fn
Read	C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat	size = 19, size_out = 19	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv	size = 0, size_out = 0	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt	size = 2, size_out = 2	1	Fn Data
Write	C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat	size = 13	1	Fn Data
Delete Directory	C:\Users\EEBsYm5\AppData\Roaming\chrome		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv		1	Fn
Delete	C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt		1	Fn

Registry (58)

Operation	Key	Additional Information	Count	Logfile
Create Key	HKEY_CURRENT_USER\Software\34419-GRNPWA\		1	Fn
Create Key	HKEY_CURRENT_USER\Software\34419-GRNPWA\		1	Fn
Create Key	HKEY_CURRENT_USER\Software\34419-GRNPWA\		2	Fn
Create Key	HKEY_CURRENT_USER\Software\34419-GRNPWA\		8	Fn
Create Key	HKEY_CURRENT_USER\Software\34419-GRNPWA\		10	Fn
Create Key	HKEY_CURRENT_USER\Software\34419-GRNPWA\		1	Fn
Open Key	HKEY_CURRENT_USER\Software\34419-GRNPWA\		2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion		1	Fn
Open Key	HKEY_CURRENT_USER\Software\34419-GRNPWA\		2	Fn
Open Key	HKEY_CURRENT_USER\Software\34419-GRNPWA\		1	Fn
Read Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = WD, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = Inj, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	value_name = ProductName, data = 87	1	Fn
Read Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = FR	1	Fn
Read Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = FR, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = name, data = 108	1	Fn
Write Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data
Write Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = WD, data = 808, size = 4, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Write Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = EXEpath, size = 116, type = REG_BINARY	2	Fn Data
Write Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = EXEpath, size = 116, type = REG_BINARY	8	Fn Data
Write Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = EXEpath, size = 116, type = REG_BINARY	10	Fn Data
Write Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = EXEpath, size = 116, type = REG_BINARY	1	Fn Data

Process (5)

Operation	Process	Additional Information	Count	Logfile
Create	C:\Windows\system32\svchost.exe	os_pid = 0x318, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt"	os_pid = 0x520, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv"	os_pid = 0x514, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel"	os_pid = 0x36c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = SYNCHRONIZE	1	Fn

Thread (12)

Operation	Process	Additional Information	Count	Logfile
Get Context	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	os_tid = 0x320	1	Fn
Get Context	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	os_tid = 0x530	1	Fn
Get Context	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	os_tid = 0x530	1	Fn
Get Context	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	os_tid = 0x530	1	Fn
Set Context	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	os_tid = 0x320	1	Fn
Set Context	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	os_tid = 0x530	1	Fn
Set Context	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	os_tid = 0x530	1	Fn
Set Context	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	os_tid = 0x530	1	Fn
Resume	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	os_tid = 0x320	1	Fn
Resume	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	os_tid = 0x530	1	Fn
Resume	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	os_tid = 0x530	1	Fn
Resume	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	os_tid = 0x530	1	Fn

Memory (29)

Operation	Process	Additional Information	Count	Logfile
Allocate	C:\Windows\system32\svchost.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 106496	1	Fn
Allocate	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt"	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 356352	1	Fn
Allocate	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv"	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 147456	1	Fn
Allocate	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel"	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 122880	1	Fn
Read	C:\Windows\system32\svchost.exe	address = 0x7ffde008, size = 4	1	Fn Data
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt"	address = 0x7ffda008, size = 4	1	Fn Data
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv"	address = 0x7ffd8008, size = 4	1	Fn Data
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel"	address = 0x7ffd9008, size = 4	1	Fn Data
Write	C:\Windows\system32\svchost.exe	address = 0x400000, size = 4096	1	Fn Data
Write	C:\Windows\system32\svchost.exe	address = 0x401000, size = 69632	1	Fn Data
Write	C:\Windows\system32\svchost.exe	address = 0x412000, size = 24576	1	Fn Data
Write	C:\Windows\system32\svchost.exe	address = 0x418000, size = 4096	1	Fn Data
Write	C:\Windows\system32\svchost.exe	address = 0x419000, size = 4096	1	Fn Data
Write	C:\Windows\system32\svchost.exe	address = 0x7ffde008, size = 4	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt"	address = 0x400000, size = 512	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt"	address = 0x401000, size = 172032	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt"	address = 0x455000, size = 3584	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt"	address = 0x456000, size = 2048	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt"	address = 0x7ffda008, size = 4	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv"	address = 0x400000, size = 512	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv"	address = 0x401000, size = 54784	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv"	address = 0x422000, size = 3584	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv"	address = 0x423000, size = 4096	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv"	address = 0x7ffd8008, size = 4	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel"	address = 0x400000, size = 512	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel"	address = 0x401000, size = 44032	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel"	address = 0x41c000, size = 3584	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel"	address = 0x41d000, size = 4096	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel"	address = 0x7ffd9008, size = 4	1	Fn Data

Module (33)

Operation	Module	Additional Information	Count	Logfile
Load	User32.dll	base_address = 0x764b0000	1	Fn
Load	kernel32.dll	base_address = 0x75b40000	2	Fn
Load	Psapi.dll	base_address = 0x77830000	2	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x764b0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	3	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75b40000	3	Fn
Get Handle	c:\windows\system32\shell32.dll	base_address = 0x767c0000	1	Fn
Get Handle	c:\windows\system32\ntdll.dll	base_address = 0x776f0000	4	Fn
Get Filename		process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	2	Fn
Get Address	c:\windows\system32\user32.dll	function = GetCursorInfo, address_out = 0x76514b31	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetLastInputInfo, address_out = 0x764c3834	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetConsoleWindow, address_out = 0x75ba2787	1	Fn
Get Address	c:\windows\system32\psapi.dll	function = GetModuleFileNameExA, address_out = 0x778315bc	1	Fn
Get Address	c:\windows\system32\psapi.dll	function = GetModuleFileNameExW, address_out = 0x778313f0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalMemoryStatusEx, address_out = 0x75b78a2b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsWow64Process, address_out = 0x75b84785	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetComputerNameExW, address_out = 0x75b80f04	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = IsUserAnAdmin, address_out = 0x768144f5	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetProcessDEPPolicy, address_out = 0x75b7602f	1	Fn
Get Address	c:\windows\system32\ntdll.dll	function = NtUnmapViewOfSection, address_out = 0x777369b8	4	Fn

Keyboard (1)

Operation	Additional Information	Success	Count	Logfile
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721		1	Fn

System (242)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = cRh2YWu7, type = ComputerNameDnsHostname	1	Fn
Get Clipboard	format = 1	1	Fn
Sleep	duration = 10000 milliseconds (10.000 seconds)	7	Fn
Sleep	duration = 500 milliseconds (0.500 seconds)	11	Fn
Sleep	duration = 3000 milliseconds (3.000 seconds)	22	Fn
Sleep	duration = 2000 milliseconds (2.000 seconds)	1	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	125	Fn
Get Time	type = Ticks, time = 19468	2	Fn
Get Time	type = Ticks, time = 20092	2	Fn
Get Time	type = Ticks, time = 20155	2	Fn
Get Time	type = Ticks, time = 20482	1	Fn
Get Time	type = Ticks, time = 21496	1	Fn
Get Time	type = Ticks, time = 21886	2	Fn
Get Time	type = Ticks, time = 22510	1	Fn
Get Time	type = Ticks, time = 23524	1	Fn
Get Time	type = Ticks, time = 24538	1	Fn
Get Time	type = Ticks, time = 25552	1	Fn
Get Time	type = Ticks, time = 26644	1	Fn
Get Time	type = Ticks, time = 27658	1	Fn
Get Time	type = Ticks, time = 28672	1	Fn
Get Time	type = Ticks, time = 29686	1	Fn
Get Time	type = Ticks, time = 30700	1	Fn
Get Time	type = Ticks, time = 31715	1	Fn
Get Time	type = Ticks, time = 32729	1	Fn
Get Time	type = Ticks, time = 33743	1	Fn
Get Time	type = Ticks, time = 34757	1	Fn
Get Time	type = Ticks, time = 35771	1	Fn
Get Time	type = Ticks, time = 36785	1	Fn
Get Time	type = Ticks, time = 37799	1	Fn
Get Time	type = Ticks, time = 38813	1	Fn
Get Time	type = Ticks, time = 39827	1	Fn
Get Time	type = Ticks, time = 40841	1	Fn
Get Time	type = Ticks, time = 41855	1	Fn
Get Time	type = Ticks, time = 42245	2	Fn
Get Time	type = Ticks, time = 42869	1	Fn
Get Time	type = Ticks, time = 43883	1	Fn
Get Time	type = Ticks, time = 44897	1	Fn
Get Time	type = Ticks, time = 45911	1	Fn
Get Time	type = Ticks, time = 46925	1	Fn
Get Time	type = Ticks, time = 47939	1	Fn
Get Time	type = Ticks, time = 48953	1	Fn
Get Time	type = Ticks, time = 49967	1	Fn
Get Time	type = Ticks, time = 50981	1	Fn
Get Time	type = Ticks, time = 51995	1	Fn
Get Time	type = Ticks, time = 53009	1	Fn
Get Time	type = Ticks, time = 54023	1	Fn
Get Time	type = Ticks, time = 55037	1	Fn
Get Time	type = Ticks, time = 56051	1	Fn
Get Time	type = Ticks, time = 57065	1	Fn
Get Time	type = Ticks, time = 58079	1	Fn
Get Time	type = Ticks, time = 59093	1	Fn
Get Time	type = Ticks, time = 60107	1	Fn
Get Time	type = Ticks, time = 61121	1	Fn
Get Time	type = Ticks, time = 62135	1	Fn
Get Time	type = Ticks, time = 62431	2	Fn
Get Time	type = Ticks, time = 63149	1	Fn
Get Time	type = Ticks, time = 64163	1	Fn
Get Time	type = Ticks, time = 65177	1	Fn
Get Time	type = Ticks, time = 66191	1	Fn
Get Time	type = Ticks, time = 67205	1	Fn
Get Time	type = Ticks, time = 68219	1	Fn
Get Time	type = Ticks, time = 69233	1	Fn
Get Time	type = Ticks, time = 70247	1	Fn
Get Time	type = Ticks, time = 71261	1	Fn
Get Time	type = Ticks, time = 72275	1	Fn
Get Time	type = Ticks, time = 73289	1	Fn
Get Time	type = Ticks, time = 74303	1	Fn
Get Time	type = Ticks, time = 75317	1	Fn
Get Time	type = Ticks, time = 76331	1	Fn
Get Time	type = Ticks, time = 77345	1	Fn
Get Time	type = Ticks, time = 78359	1	Fn
Get Time	type = Ticks, time = 79373	1	Fn
Get Time	type = Ticks, time = 80387	1	Fn
Get Time	type = Ticks, time = 81401	1	Fn
Get Time	type = Ticks, time = 82415	1	Fn

Mutex (3)

Operation	Additional Information	Count	Logfile
Create	mutex_name = 34419-GRNPWA	1	Fn
Open	mutex_name = Remcos_Mutex_Inj, desired_access = SYNCHRONIZE	1	Fn
Open	mutex_name = Mutex_RemWatchdog, desired_access = SYNCHRONIZE	1	Fn

Network Behavior

DNS (2)

Operation	Additional Information	Success	Count	Logfile
Resolve Name	host = jlux123.no-ip.biz		1	Fn
Resolve Name	host = jluxi.dynu.com, address_out = 185.62.188.68		1	Fn

TCP Sessions (3)

Information	Value
Total Data Sent	0.88 KB (903 bytes)
Total Data Received	286.80 KB (293679 bytes)
Contacted Host Count	1
Contacted Hosts	185.62.188.68:1991

TCP Session #1

Information	Value
Handle	0x18c
Address Family	AF_UNSPEC
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	185.62.188.68
Remote Port	1991
Local Address	0.0.0.0
Local Port	1728
Data Sent	0.72 KB (737 bytes)
Data Received	0.24 KB (247 bytes)

Operations

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_UNSPEC, type = SOCK_STREAM	1	Fn
Connect	remote_address = 185.62.188.68, remote_port = 1991	1	Fn
Send	flags = NO_FLAG_SET, size = 473, size_out = 473	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 1000, size_out = 32	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 1000, size_out = 92	1	Fn Data
Send	flags = NO_FLAG_SET, size = 66, size_out = 66	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 1000, size_out = 27	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 1000, size_out = 32	2	Fn Data
Send	flags = NO_FLAG_SET, size = 66, size_out = 66	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 1000, size_out = 32	1	Fn Data
Send	flags = NO_FLAG_SET, size = 66, size_out = 66	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 1000	1	Fn
Send	flags = NO_FLAG_SET, size = 66, size_out = 66	1	Fn Data

TCP Session #2

Information	Value
Handle	0x1bc
Address Family	AF_UNSPEC
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	185.62.188.68
Remote Port	1991
Local Address	0.0.0.0
Local Port	1728
Data Sent	0.10 KB (99 bytes)
Data Received	286.55 KB (293432 bytes)

Operations

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_UNSPEC, type = SOCK_STREAM	1	Fn
Connect	remote_address = 185.62.188.68, remote_port = 1991	1	Fn
Send	flags = NO_FLAG_SET, size = 42, size_out = 42	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 1000, size_out = 1000	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 4808	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 65000	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 9052	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 3752	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 604	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 65000	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 340	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 65000	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 340	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 65000	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 340	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65000, size_out = 13196	1	Fn Data
Send	flags = NO_FLAG_SET, size = 57, size_out = 57	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

TCP Session #3

Information	Value
Handle	0x1c4
Address Family	AF_UNSPEC
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	185.62.188.68
Remote Port	1991
Local Address	0.0.0.0
Local Port	1984
Data Sent	0.07 KB (67 bytes)
Data Received	0.00 KB (0 bytes)

Operations

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_UNSPEC, type = SOCK_STREAM	1	Fn
Connect	remote_address = 185.62.188.68, remote_port = 1991	1	Fn
Send	flags = NO_FLAG_SET, size = 67, size_out = 67	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

Process #12: svchost.exe

(Host: 19, Network: 0)

Information	Value
ID	#12
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:07, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:04

OS Process Information

Information	Value
PID	0x318
Parent PID	0x328 (c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ee71 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 330

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000b0000	0x000b0000	0x000effff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x000f0000	0x00156fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000160000	0x00160000	0x0025ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000260000	0x00260000	0x00327fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000370000	0x00370000	0x0037ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x00419fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000420000	0x00420000	0x00520fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000530000	0x00530000	0x0062ffff	Private Memory	Readable, Writable	Region Actions
svchost.exe	0x00940000	0x00947fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000950000	0x00950000	0x0154ffff	Pagefile Backed Memory	Readable	Region Actions
winmm.dll	0x6ec80000	0x6ecb1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcp60.dll	0x72440000	0x724a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdiplus.dll	0x74510000	0x7469ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x758b0000	0x758bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x75910000	0x75a2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75a30000	0x75a79fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75b40000	0x75c13fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75c20000	0x75d14fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75d20000	0x75dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75e00000	0x75ffafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76000000	0x7609ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x760a0000	0x7616bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76170000	0x762cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x762d0000	0x7635efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76360000	0x76400fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76460000	0x764adfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x764b0000	0x76578fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76580000	0x76589fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76590000	0x765e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x76650000	0x76655fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76660000	0x7667efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76720000	0x767bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x767c0000	0x77409fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x775b0000	0x776e5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776f0000	0x7782bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77840000	0x77858fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x778e0000	0x77914fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77930000	0x77930fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x320	address = 0x400000, size = 4096	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x320	address = 0x401000, size = 69632	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x320	address = 0x412000, size = 24576	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x320	address = 0x418000, size = 4096	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x320	address = 0x419000, size = 4096	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x320	address = 0x7ffde008, size = 4	1	Fn Data
Modify Control Flow	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x320	os_tid = 0x330, address = 0x77737098	1	Fn

Host Behavior

File (3)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
Get Info	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	type = size	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	size = 45216, size_out = 45216	1	Fn Data

Registry (6)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\34419-GRNPWA\		2	Fn
Open Key	HKEY_CURRENT_USER\Software\34419-GRNPWA\		1	Fn
Read Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = WD, data = 808, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = EXEpath, data = 169	1	Fn
Delete Value	HKEY_CURRENT_USER\Software\34419-GRNPWA\	value_name = WD	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Open	c:\windows\system32\svchost.exe	desired_access = SYNCHRONIZE		1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Load	User32.dll	base_address = 0x764b0000	1	Fn
Load	kernel32.dll	base_address = 0x75b40000	1	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x764b0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	1	Fn
Get Filename		process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetCursorInfo, address_out = 0x76514b31	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetLastInputInfo, address_out = 0x764c3834	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetConsoleWindow, address_out = 0x75ba2787	1	Fn

Mutex (1)

Operation	Additional Information	Success	Count	Logfile
Create	mutex_name = Mutex_RemWatchdog		1	Fn

Process #13: regsvcs.exe

(Host: 1184, Network: 0)

Information	Value
ID	#13
File Name	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:09, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:02

OS Process Information

Information	Value
PID	0x520
Parent PID	0x328 (c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ee71 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 528 0x 754

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
tzres.dll	0x000e0000	0x000e0fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e4fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00101fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x00210000	0x0024bfff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000210000	0x00210000	0x00214fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x0025ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000280000	0x00280000	0x0028ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000290000	0x00290000	0x00357fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000360000	0x00360000	0x003fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x00456fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000460000	0x00460000	0x00560fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000005a0000	0x005a0000	0x0069ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000006a0000	0x006a0000	0x0079ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x007a0000	0x00a6efff	Memory Mapped File	Readable	Region Actions
private_0x0000000000a70000	0x00a70000	0x00b70fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a70000	0x00a70000	0x00b8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000bf0000	0x00bf0000	0x00ceffff	Private Memory	Readable, Writable	Region Actions
regsvcs.exe	0x00d30000	0x00d3dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000d40000	0x00d40000	0x0193ffff	Pagefile Backed Memory	Readable	Region Actions
nss3.dll	0x01940000	0x01af1fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001940000	0x01940000	0x01a3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a40000	0x01a40000	0x01b3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b00000	0x01b00000	0x01bfffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001c00000	0x01c00000	0x01ff2fff	Pagefile Backed Memory	Readable	Region Actions
winmm.dll	0x6ec80000	0x6ecb1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
freebl3.dll	0x6f030000	0x6f07efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x72220000	0x722a3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vaultcli.dll	0x723c0000	0x723cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pstorec.dll	0x72430000	0x7243cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcp100.dll	0x73170000	0x731d8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr100.dll	0x731e0000	0x7329dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nss3.dll	0x732a0000	0x73454fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x73b60000	0x73b73fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
softokn3.dll	0x73f00000	0x73f26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mozglue.dll	0x73f30000	0x73f51fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nssdbm3.dll	0x73fd0000	0x73fe6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsock32.dll	0x73ff0000	0x73ff6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74d90000	0x74d98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x750b0000	0x750eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x75310000	0x75325fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75790000	0x7579bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x758b0000	0x758bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x75910000	0x75a2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75a30000	0x75a79fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75b40000	0x75c13fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75c20000	0x75d14fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75d20000	0x75dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75e00000	0x75ffafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76000000	0x7609ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x760a0000	0x7616bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76170000	0x762cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x762d0000	0x7635efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76360000	0x76400fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76460000	0x764adfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x764b0000	0x76578fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76580000	0x76589fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76590000	0x765e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x76650000	0x76655fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76660000	0x7667efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76720000	0x767bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x767c0000	0x77409fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x775b0000	0x776e5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776f0000	0x7782bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77830000	0x77834fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77840000	0x77858fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77860000	0x778dafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x778e0000	0x77914fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77930000	0x77930fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x400000, size = 512	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x401000, size = 172032	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x455000, size = 3584	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x456000, size = 2048	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x7ffda008, size = 4	1	Fn Data
Modify Control Flow	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	os_tid = 0x528, address = 0x77737098	1	Fn

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\eebsym5\appdata\local\temp\mwixlzwnapdxngrlcvznt	0.00 KB (2 bytes)	MD5: f3b25701fe362ec84616a93a45ce9998 SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209		File Actions Show Properties Download

Host Behavior

File (758)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data	desired_access = GENERIC_READ	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Get Info	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs_lng.ini	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	type = size	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat	type = size	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	type = size	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat	type = size	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\WebCache\WebCacheV24.dat	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\history.dat	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite	type = time	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini	type = file_attributes	1	Fn
Get Info	C:\Program Files\Mozilla Firefox\nss3.dll	type = file_attributes	2	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini	type = file_attributes	1	Fn
Get Info	C:\Program Files\Sea Monkey\nss3.dll	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal	type = file_attributes	2	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data	type = size, size_out = 0	5	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal	type = file_attributes	2	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\pnacl\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\pnacl\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SwiftShader\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SwiftShader\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Apple Computer\Preferences\keychain.plist	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Opera\Opera\wand.dat	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Opera\Opera7\profile\wand.dat	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Opera Software\Opera Stable\Login Data	type = file_attributes	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	size = 32, size_out = 32	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	size = 8, size_out = 8	136	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	size = 256, size_out = 256	109	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	size = 384, size_out = 384	3	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat	size = 32, size_out = 32	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat	size = 8, size_out = 8	124	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat	size = 256, size_out = 256	123	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat	size = 384, size_out = 384	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	size = 32, size_out = 32	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	size = 8, size_out = 8	90	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	size = 256, size_out = 256	2	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	size = 384, size_out = 384	2	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat	size = 32, size_out = 32	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat	size = 8, size_out = 8	94	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat	size = 256, size_out = 256	2	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data	size = 100, size_out = 100	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data	size = 2048, size_out = 2048	4	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data	size = 16, size_out = 16	1	Fn Data
Write	C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt	size = 2	1	Fn Data

Registry (20)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin		2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe		1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin	value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin	value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		2	Fn

Process (29)

Operation	Process	Additional Information	Count	Logfile
Open	System	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\smss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\wininit.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\winlogon.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\services.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\lsass.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\lsm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\audiodg.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\spoolsv.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\userinit.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskeng.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\adobe\reader 10.0\reader\reader_sl.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn

Module (346)

Operation	Module	Additional Information	Count	Logfile
Load	comctl32.dll	base_address = 0x72220000	1	Fn
Load	shell32.dll	base_address = 0x767c0000	1	Fn
Load	advapi32.dll	base_address = 0x76000000	2	Fn
Load	pstorec.dll	base_address = 0x72430000	1	Fn
Load	vaultcli.dll	base_address = 0x723c0000	1	Fn
Load	C:\Program Files\Mozilla Firefox\nss3.dll	base_address = 0x732a0000	1	Fn
Load	psapi.dll	base_address = 0x77830000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75b40000	3	Fn
Get Handle	c:\windows\system32\msvcrt.dll	base_address = 0x75d20000	1	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x72220000	1	Fn
Get Handle	c:\windows\system32\version.dll	base_address = 0x74d90000	1	Fn
Get Handle	c:\windows\system32\wininet.dll	base_address = 0x75c20000	1	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x764b0000	1	Fn
Get Handle	c:\windows\system32\gdi32.dll	base_address = 0x76460000	1	Fn
Get Handle	c:\windows\system32\comdlg32.dll	base_address = 0x77860000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76000000	1	Fn
Get Handle	c:\windows\system32\shell32.dll	base_address = 0x767c0000	1	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76170000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	22	Fn
Get Handle	C:\Program Files\Mozilla Firefox\nss3.dll	base_address = 0x0	1	Fn
Get Handle	c:\program files\mozilla firefox\nss3.dll	base_address = 0x732a0000	1	Fn
Get Filename		process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	2	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\windows\system32\taskhost.exe, file_name_orig = C:\Windows\system32\taskhost.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\system32\userinit.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\windows\system32\dwm.exe, file_name_orig = C:\Windows\system32\Dwm.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\adobe\reader 10.0\reader\reader_sl.exe, file_name_orig = C:\Program Files\Adobe\Reader 10.0\Reader\reader_sl.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualProtect, address_out = 0x75b82341	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __setusermatherr, address_out = 0x75db77ad	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _adjust_fdiv, address_out = 0x75dc32ec	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __p__commode, address_out = 0x75d327c3	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __p__fmode, address_out = 0x75d327ce	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcscat, address_out = 0x75da0ea6	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __set_app_type, address_out = 0x75d32804	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _controlfp, address_out = 0x75d2e1e1	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = realloc, address_out = 0x75d2b10d	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = qsort, address_out = 0x75d2d3e6	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _itow, address_out = 0x75d3019c	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _wcsupr, address_out = 0x75d2dac1	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _wcslwr, address_out = 0x75d2fb25	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strchr, address_out = 0x75d2dbeb	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _initterm, address_out = 0x75d2c151	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcsncmp, address_out = 0x75d2b05e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = memmove, address_out = 0x75d29e5a	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = free, address_out = 0x75d29894	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = modf, address_out = 0x75d37551	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _memicmp, address_out = 0x75d306c8	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcstoul, address_out = 0x75d2b319	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = malloc, address_out = 0x75d29cee	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _XcptFilter, address_out = 0x75d4dc75	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strcpy, address_out = 0x75d38d6e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _wtoi64, address_out = 0x75d3062e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strcmp, address_out = 0x75d38b11	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcsrchr, address_out = 0x75d2a73f	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __wgetmainargs, address_out = 0x75d34e7c	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _wcmdln, address_out = 0x75dc04dc	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = exit, address_out = 0x75d336aa	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _strlwr, address_out = 0x75d3ca0b	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _cexit, address_out = 0x75d337d4	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _wcsnicmp, address_out = 0x75d2aae3	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = ??3@YAXPAX@Z, address_out = 0x75d2b0b9	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = ??2@YAPAXI@Z, address_out = 0x75d2b0c9	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = memcmp, address_out = 0x75d37975	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcscmp, address_out = 0x75d3d3b7	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = abs, address_out = 0x75d4eb1e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = log, address_out = 0x75d4de50	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _purecall, address_out = 0x75d86ea9	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcslen, address_out = 0x75d3d335	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _wtoi, address_out = 0x75d2c823	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _wcsicmp, address_out = 0x75d2a9e9	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcschr, address_out = 0x75d2aa61	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = memcpy, address_out = 0x75d29910	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcscpy, address_out = 0x75d3d4f8	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = memset, address_out = 0x75d29790	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strlen, address_out = 0x75d343d3	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcsncat, address_out = 0x75da0ed9	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _snwprintf, address_out = 0x75d495d1	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _except_handler3, address_out = 0x75d4d770	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _exit, address_out = 0x75d8b2c0	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _c_exit, address_out = 0x75d8b2db	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _onexit, address_out = 0x75d3112d	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __dllonexit, address_out = 0x75d2f509	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = memchr, address_out = 0x75d3e134	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _gmtime64, address_out = 0x75da2936	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strftime, address_out = 0x75da1fd5	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = 17, address_out = 0x72221739	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = ImageList_AddMasked, address_out = 0x72228b75	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = ImageList_SetImageCount, address_out = 0x72286e17	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = ImageList_Create, address_out = 0x7222908c	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = ImageList_ReplaceIcon, address_out = 0x72286ea3	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = CreateToolbarEx, address_out = 0x7224a4d5	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = CreateStatusWindowW, address_out = 0x7224a10f	1	Fn
Get Address	c:\windows\system32\version.dll	function = GetFileVersionInfoSizeW, address_out = 0x74d919d9	1	Fn
Get Address	c:\windows\system32\version.dll	function = GetFileVersionInfoW, address_out = 0x74d919f4	1	Fn
Get Address	c:\windows\system32\version.dll	function = VerQueryValueW, address_out = 0x74d91b51	1	Fn
Get Address	c:\windows\system32\wininet.dll	function = FindCloseUrlCache, address_out = 0x75c68409	1	Fn
Get Address	c:\windows\system32\wininet.dll	function = FindNextUrlCacheEntryW, address_out = 0x75c5989c	1	Fn
Get Address	c:\windows\system32\wininet.dll	function = FindFirstUrlCacheEntryW, address_out = 0x75c5978a	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFullPathNameA, address_out = 0x75b93735	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = DeleteFileA, address_out = 0x75b847cb	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceW, address_out = 0x75b73530	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFullPathNameW, address_out = 0x75b94543	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = AreFileApisANSI, address_out = 0x75bcf311	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = EnterCriticalSection, address_out = 0x777377a0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetSystemTime, address_out = 0x75b8ced8	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LockFileEx, address_out = 0x75ba692f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FormatMessageA, address_out = 0x75ba8868	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetSystemTimeAsFileTime, address_out = 0x75b92fde	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = UnlockFileEx, address_out = 0x75ba6947	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTickCount, address_out = 0x75b8ba60	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LockFile, address_out = 0x75ba642f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlushFileBuffers, address_out = 0x75b77f81	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = InitializeCriticalSection, address_out = 0x7774a149	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileA, address_out = 0x75b8cee8	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDiskFreeSpaceA, address_out = 0x75b9d7d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = Sleep, address_out = 0x75b8ba46	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address_out = 0x75b8cf41	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetStartupInfoW, address_out = 0x75b93891	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTempPathA, address_out = 0x75ba6a65	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = UnlockFile, address_out = 0x75ba6417	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = InterlockedCompareExchange, address_out = 0x75b8bb92	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = DeleteCriticalSection, address_out = 0x77749ac5	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileAttributesExW, address_out = 0x75b8273d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = QueryPerformanceCounter, address_out = 0x75b8bb9f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileAttributesA, address_out = 0x75b91de6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LeaveCriticalSection, address_out = 0x77737760	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetEndOfFile, address_out = 0x75b82319	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetSystemInfo, address_out = 0x75b93728	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = EnumResourceTypesW, address_out = 0x75ba2b37	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x75b8ca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileSize, address_out = 0x75b80273	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SystemTimeToFileTime, address_out = 0x75b8cecb	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x75b8ca7c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FileTimeToLocalFileTime, address_out = 0x75b92004	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = DeleteFileW, address_out = 0x75b80f62	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CopyFileW, address_out = 0x75b767c3	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileW, address_out = 0x75b8cc56	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CompareFileTime, address_out = 0x75b913f3	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FreeLibrary, address_out = 0x75b8d9d0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryW, address_out = 0x75b93c01	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetProcAddress, address_out = 0x75b933d3	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x75b8bf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FileTimeToSystemTime, address_out = 0x75b91dfe	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFilePointerEx, address_out = 0x75b7f5b2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentDirectoryW, address_out = 0x75b9c13a	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ExpandEnvironmentStringsW, address_out = 0x75b84680	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WideCharToMultiByte, address_out = 0x75b9450e	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = MultiByteToWideChar, address_out = 0x75b9452b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalLock, address_out = 0x75b89e05	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDateFormatW, address_out = 0x75b8afab	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileTime, address_out = 0x75b80f6f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FormatMessageW, address_out = 0x75b854a3	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTempFileNameW, address_out = 0x75b76d1d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExW, address_out = 0x75b83b1a	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindClose, address_out = 0x75b90e62	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindFirstFileW, address_out = 0x75b953b2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleHandleW, address_out = 0x75b9374d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTimeFormatW, address_out = 0x75b8ac29	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFilePointer, address_out = 0x75b8db36	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileAttributesW, address_out = 0x75b964ff	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryW, address_out = 0x75b804b6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ReadFile, address_out = 0x75b896fb	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleFileNameW, address_out = 0x75b93c26	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WriteFile, address_out = 0x75b91400	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindResourceW, address_out = 0x75b83e61	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LockResource, address_out = 0x75b7fd29	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = lstrcpyW, address_out = 0x75b78bfa	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = lstrlenW, address_out = 0x75b8d9e8	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadResource, address_out = 0x75b8984d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SystemTimeToTzSpecificLocalTime, address_out = 0x75b7b149	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryExW, address_out = 0x75b84775	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x75b89ce1	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalUnlock, address_out = 0x75b89d50	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTempPathW, address_out = 0x75b78b33	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindNextFileW, address_out = 0x75b8963a	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SizeofResource, address_out = 0x75b83e7f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileMappingW, address_out = 0x75b80a7f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = MapViewOfFile, address_out = 0x75b8899b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address_out = 0x75b8db13	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x75b8cdcf	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = DuplicateHandle, address_out = 0x75b8cdd9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcessId, address_out = 0x75b8cac4	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = OpenProcess, address_out = 0x75b859d7	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringW, address_out = 0x75b77d32	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringW, address_out = 0x75b780eb	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntW, address_out = 0x75b7775f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = EnumResourceNamesW, address_out = 0x75ba7e29	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetStdHandle, address_out = 0x75b91e46	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetErrorMode, address_out = 0x75b94a51	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ExitProcess, address_out = 0x75b9214f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ReadProcessMemory, address_out = 0x75b7c1ce	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetCurrentDirectoryW, address_out = 0x75b97663	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = Process32FirstW, address_out = 0x75b7fa35	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = Process32NextW, address_out = 0x75b7faca	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateToolhelp32Snapshot, address_out = 0x75b7f731	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DispatchMessageW, address_out = 0x764ccc61	1	Fn
Get Address	c:\windows\system32\user32.dll	function = BeginDeferWindowPos, address_out = 0x764ba6a6	1	Fn
Get Address	c:\windows\system32\user32.dll	function = TranslateMessage, address_out = 0x764c64c7	1	Fn
Get Address	c:\windows\system32\user32.dll	function = IsDialogMessageW, address_out = 0x764c4104	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DrawTextExW, address_out = 0x764c5894	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMessageW, address_out = 0x764ccde8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = PostQuitMessage, address_out = 0x764bb308	1	Fn
Get Address	c:\windows\system32\user32.dll	function = TrackPopupMenu, address_out = 0x764d2228	1	Fn
Get Address	c:\windows\system32\user32.dll	function = RegisterWindowMessageW, address_out = 0x764bdf8d	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetKeyState, address_out = 0x764c2b4d	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EndDeferWindowPos, address_out = 0x764ba67a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DialogBoxParamW, address_out = 0x764d3b9b	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ChildWindowFromPoint, address_out = 0x764fb6aa	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadCursorW, address_out = 0x764bed90	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetCursor, address_out = 0x764c3075	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSysColorBrush, address_out = 0x764bf1ed	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ShowWindow, address_out = 0x764bf2a9	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowTextW, address_out = 0x764c612b	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetDlgItemInt, address_out = 0x764dec2e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = UpdateWindow, address_out = 0x764bffa8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetDlgItemTextW, address_out = 0x764debd4	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDlgItemTextW, address_out = 0x764decbc	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetClientRect, address_out = 0x764c54dd	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x764c67cf	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DeferWindowPos, address_out = 0x764ba6c8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CreateWindowExW, address_out = 0x764bec7c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindowRect, address_out = 0x764c558c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SendDlgItemMessageW, address_out = 0x764d70d8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDlgItemInt, address_out = 0x764ded56	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EndDialog, address_out = 0x764e3ba3	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowLongW, address_out = 0x764c4449	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDlgItem, address_out = 0x764e42bb	1	Fn
Get Address	c:\windows\system32\user32.dll	function = InvalidateRect, address_out = 0x764c566d	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindowPlacement, address_out = 0x764e69de	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadAcceleratorsW, address_out = 0x764b976d	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DefWindowProcW, address_out = 0x764c507d	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SendMessageW, address_out = 0x764c5539	1	Fn
Get Address	c:\windows\system32\user32.dll	function = PostMessageW, address_out = 0x764c447b	1	Fn
Get Address	c:\windows\system32\user32.dll	function = RegisterClassW, address_out = 0x764bed4a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MessageBoxW, address_out = 0x7650ea5f	1	Fn
Get Address	c:\windows\system32\user32.dll	function = TranslateAcceleratorW, address_out = 0x764c667e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetMenu, address_out = 0x764e6b0e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowPlacement, address_out = 0x764b7f78	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadImageW, address_out = 0x764c12eb	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadIconW, address_out = 0x764bf142	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindowLongW, address_out = 0x764c61b8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetFocus, address_out = 0x764babad	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMenuStringW, address_out = 0x764e6528	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CheckMenuItem, address_out = 0x764dee7c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMenuItemCount, address_out = 0x764bae39	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CheckMenuRadioItem, address_out = 0x764d25df	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CloseClipboard, address_out = 0x764e446c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetCursorPos, address_out = 0x764ba4b3	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetClipboardData, address_out = 0x764d2962	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnableWindow, address_out = 0x764b8d02	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSysColor, address_out = 0x764cdb7a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetParent, address_out = 0x764c6029	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MapWindowPoints, address_out = 0x764c5caa	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMenu, address_out = 0x764e6b68	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDC, address_out = 0x764c544c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSubMenu, address_out = 0x764b9c19	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EmptyClipboard, address_out = 0x764d290c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnableMenuItem, address_out = 0x764e43bc	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ReleaseDC, address_out = 0x764c5421	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetClassNameW, address_out = 0x764c2a29	1	Fn
Get Address	c:\windows\system32\user32.dll	function = OpenClipboard, address_out = 0x764e447e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MoveWindow, address_out = 0x764b8d29	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CreateDialogParamW, address_out = 0x764e5630	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumChildWindows, address_out = 0x764c2948	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadStringW, address_out = 0x764bdfba	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DestroyWindow, address_out = 0x764bb2f4	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowPos, address_out = 0x764c1bc4	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindowTextW, address_out = 0x764bb8c5	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadMenuW, address_out = 0x764bf214	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ModifyMenuW, address_out = 0x764e46c7	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMenuItemInfoW, address_out = 0x764baefa	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDlgCtrlID, address_out = 0x764bb4e8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DestroyMenu, address_out = 0x764b87f7	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetBkColor, address_out = 0x76466a3c	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SelectObject, address_out = 0x76466640	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetDeviceCaps, address_out = 0x76466f7f	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitCommonControlsEx, address_out = 0x72226be6	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = SHGetSpecialFolderPathW, address_out = 0x767e0468	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptAcquireContextA, address_out = 0x760091dd	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptReleaseContext, address_out = 0x7600e124	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptCreateHash, address_out = 0x7600df4e	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptGetHashParam, address_out = 0x7600df7e	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptHashData, address_out = 0x7600df36	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDestroyHash, address_out = 0x7600df66	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredReadA, address_out = 0x760471c1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredFree, address_out = 0x7600b2ec	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredDeleteA, address_out = 0x76047941	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredEnumerateA, address_out = 0x76047381	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredEnumerateW, address_out = 0x76047481	1	Fn
Get Address	c:\windows\system32\pstorec.dll	function = PStoreCreateInstance, address_out = 0x7243526c	1	Fn
Get Address	c:\windows\system32\vaultcli.dll	function = VaultOpenVault, address_out = 0x723c26a9	1	Fn
Get Address	c:\windows\system32\vaultcli.dll	function = VaultCloseVault, address_out = 0x723c2718	1	Fn
Get Address	c:\windows\system32\vaultcli.dll	function = VaultEnumerateItems, address_out = 0x723c3099	1	Fn
Get Address	c:\windows\system32\vaultcli.dll	function = VaultFree, address_out = 0x723c4321	1	Fn
Get Address	c:\windows\system32\vaultcli.dll	function = VaultGetInformation, address_out = 0x723c24c0	1	Fn
Get Address	c:\windows\system32\vaultcli.dll	function = VaultGetItem, address_out = 0x723c3242	2	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = NSS_Init, address_out = 0x7335d70b	2	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = NSS_Shutdown, address_out = 0x7335d13c	2	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = PK11_GetInternalKeySlot, address_out = 0x732f3c51	2	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = PK11_FreeSlot, address_out = 0x732f3333	2	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = PK11_CheckUserPassword, address_out = 0x732dcbc4	2	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = PK11_Authenticate, address_out = 0x732dd3ca	2	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = PK11SDR_Decrypt, address_out = 0x732f00a7	2	Fn
Get Address	c:\windows\system32\psapi.dll	function = GetModuleBaseNameW, address_out = 0x7783152c	1	Fn
Get Address	c:\windows\system32\psapi.dll	function = EnumProcessModules, address_out = 0x77831408	1	Fn
Get Address	c:\windows\system32\psapi.dll	function = GetModuleFileNameExW, address_out = 0x778313f0	1	Fn
Get Address	c:\windows\system32\psapi.dll	function = EnumProcesses, address_out = 0x77831544	1	Fn
Get Address	c:\windows\system32\psapi.dll	function = GetModuleInformation, address_out = 0x77831420	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetProcessTimes, address_out = 0x75b7f626	1	Fn

System (3)

Operation	Additional Information	Success	Count	Logfile
Get Info	type = Operating System		2	Fn
Get Info	type = Hardware Information		1	Fn

Ini (28)

Operation	Filename	Additional Information	Count	Logfile
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = ShowGridLines, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = SaveFilterIndex, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = ShowInfoTip, default_value = 1	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = MarkOddEvenRows, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = ShowTimeInGMT, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = LoadPasswordsIE, default_value = 1	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = LoadPasswordsFirefox, default_value = 1	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = LoadPasswordsChrome, default_value = 1	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = LoadPasswordsOpera, default_value = 1	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = LoadPasswordsSafari, default_value = 1	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = LoadPasswordsSeaMonkey, default_value = 1	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = LoadPasswordsYandex, default_value = 1	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = UseFirefoxProfileFolder, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = UseFirefoxInstallFolder, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = UseChromeProfileFolder, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = UseOperaPasswordFile, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = FirefoxProfileFolder	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = FirefoxInstallFolder	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = ChromeProfileFolder	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = OperaPasswordFile	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = SaveFileEncoeding, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = WinPos	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Columns	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Sort, default_value = 0	1	Fn
Read	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini	section_name = Profile0, key_name = Path, data_out = Profiles/h231daer.default	1	Fn
Read	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini	section_name = Profile0, key_name = IsRelative, default_value = 0	1	Fn
Read	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini	section_name = Profile1, key_name = Path	1	Fn
Read	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini	section_name = Profile1, key_name = IsRelative, default_value = 0	1	Fn

Process #14: regsvcs.exe

(Host: 337, Network: 0)

Information	Value
ID	#14
File Name	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:09, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:02

OS Process Information

Information	Value
PID	0x514
Parent PID	0x328 (c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ee71 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 510 0x 674

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable, Writable	Region Actions
tzres.dll	0x00070000	0x00070fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000080000	0x00080000	0x00086fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00190000	0x001f6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000200000	0x00200000	0x002c7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000002d0000	0x002d0000	0x003cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003d0000	0x003d0000	0x003d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x00423fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000430000	0x00430000	0x00530fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000540000	0x00540000	0x0054ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000550000	0x00550000	0x0064ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000680000	0x00680000	0x0068ffff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x00690000	0x006cbfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000730000	0x00730000	0x0082ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x00830000	0x00afefff	Memory Mapped File	Readable	Region Actions
private_0x0000000000b00000	0x00b00000	0x00ceffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000b00000	0x00b00000	0x00bfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000cb0000	0x00cb0000	0x00ceffff	Private Memory	Readable, Writable	Region Actions
regsvcs.exe	0x00d30000	0x00d3dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000d40000	0x00d40000	0x0193ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001940000	0x01940000	0x01b1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001940000	0x01940000	0x01a3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a00000	0x01a00000	0x01afffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b10000	0x01b10000	0x01b1ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001b20000	0x01b20000	0x01f12fff	Pagefile Backed Memory	Readable	Region Actions
msvcp100.dll	0x6e240000	0x6e2a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr100.dll	0x6e2b0000	0x6e36dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nss3.dll	0x6e370000	0x6e524fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x6ec80000	0x6ecb1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
softokn3.dll	0x6f020000	0x6f046fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mozglue.dll	0x6f050000	0x6f071fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsock32.dll	0x721d0000	0x721d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x72220000	0x722a3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
freebl3.dll	0x73f10000	0x73f5efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nssdbm3.dll	0x73fe0000	0x73ff6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x750b0000	0x750eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x75310000	0x75325fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75770000	0x7578afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75790000	0x7579bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x758b0000	0x758bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x75910000	0x75a2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75a30000	0x75a79fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75b40000	0x75c13fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75d20000	0x75dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76000000	0x7609ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x760a0000	0x7616bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76170000	0x762cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76360000	0x76400fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76460000	0x764adfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x764b0000	0x76578fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76580000	0x76589fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76590000	0x765e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x76650000	0x76655fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76660000	0x7667efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76720000	0x767bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x767c0000	0x77409fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776f0000	0x7782bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77840000	0x77858fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77860000	0x778dafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x778e0000	0x77914fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77930000	0x77930fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd8000	0x7ffd8000	0x7ffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x400000, size = 512	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x401000, size = 54784	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x422000, size = 3584	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x423000, size = 4096	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x7ffd8008, size = 4	1	Fn Data
Modify Control Flow	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	os_tid = 0x510, address = 0x77737098	1	Fn

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\eebsym5\appdata\local\temp\wqnqmshpoxvbxmnplxmoexxv	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855		File Actions Show Properties

Host Behavior

File (16)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Get Info	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs_lng.ini	type = file_attributes	1	Fn
Get Info	trillian	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Trillian\users\global	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Profiles	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\.gaim	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\.purple	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Miranda	type = file_attributes	1	Fn
Get Info		type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\MySpace\IM\users.txt	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Digsby\digsby.dat	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\history.dat	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite	type = time	1	Fn
Get Info	C:\Program Files\Mozilla Firefox\nss3.dll	type = file_attributes	1	Fn

Registry (28)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Miranda		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\MessengerService		3	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL		1	Fn
Open Key	HKEY_CURRENT_USER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users		1	Fn
Open Key	HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords		1	Fn
Open Key	HKEY_CURRENT_USER\Software\AIM\AIMPRO		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Yahoo\Pager		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mirabilis\ICQ\NewOwners		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Mirabilis\ICQ\NewOwners		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Paltalk		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2		1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	value_name = ProgramFilesDir, data = C:\Program Files, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin	value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		1	Fn

Module (272)

Operation	Module	Additional Information	Count	Logfile
Load	comctl32.dll	base_address = 0x72220000	1	Fn
Load	shell32.dll	base_address = 0x767c0000	1	Fn
Load	advapi32.dll	base_address = 0x76000000	4	Fn
Load	crypt32.dll	base_address = 0x75910000	1	Fn
Load	C:\Program Files\Mozilla Firefox\nss3.dll	base_address = 0x6e370000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75b40000	3	Fn
Get Handle	c:\windows\system32\msvcrt.dll	base_address = 0x75d20000	1	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x72220000	1	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x764b0000	1	Fn
Get Handle	c:\windows\system32\gdi32.dll	base_address = 0x76460000	1	Fn
Get Handle	c:\windows\system32\comdlg32.dll	base_address = 0x77860000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76000000	1	Fn
Get Handle	c:\windows\system32\shell32.dll	base_address = 0x767c0000	1	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76170000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	2	Fn
Get Filename		process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualProtect, address_out = 0x75b82341	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = free, address_out = 0x75d29894	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _strlwr, address_out = 0x75d3ca0b	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _strupr, address_out = 0x75d3d49e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _wcslwr, address_out = 0x75d2fb25	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = qsort, address_out = 0x75d2d3e6	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _wcsnicmp, address_out = 0x75d2aae3	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strncmp, address_out = 0x75d2b443	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __dllonexit, address_out = 0x75d2f509	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _onexit, address_out = 0x75d3112d	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _c_exit, address_out = 0x75d8b2db	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _exit, address_out = 0x75d8b2c0	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _XcptFilter, address_out = 0x75d4dc75	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _cexit, address_out = 0x75d337d4	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = exit, address_out = 0x75d336aa	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _acmdln, address_out = 0x75dc04d8	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strrchr, address_out = 0x75d2dbae	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _initterm, address_out = 0x75d2c151	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __setusermatherr, address_out = 0x75db77ad	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strchr, address_out = 0x75d2dbeb	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _ultoa, address_out = 0x75d71822	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = malloc, address_out = 0x75d29cee	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _memicmp, address_out = 0x75d306c8	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strcmp, address_out = 0x75d38b11	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _mbsnbicmp, address_out = 0x75d83480	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _mbsrchr, address_out = 0x75d38e5b	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _snprintf, address_out = 0x75d4fa7c	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = memset, address_out = 0x75d29790	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _strnicmp, address_out = 0x75d30578	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcschr, address_out = 0x75d2aa61	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcsncmp, address_out = 0x75d2b05e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcslen, address_out = 0x75d3d335	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = abs, address_out = 0x75d4eb1e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = sprintf, address_out = 0x75d3d354	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = atoi, address_out = 0x75d2dbe0	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = memcmp, address_out = 0x75d37975	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __getmainargs, address_out = 0x75d32bc0	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _strcmpi, address_out = 0x75d2db38	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _mbsicmp, address_out = 0x75d39238	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _purecall, address_out = 0x75d86ea9	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = log, address_out = 0x75d4de50	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _mbscmp, address_out = 0x75d483c0	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = ??2@YAPAXI@Z, address_out = 0x75d2b0c9	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = ??3@YAXPAX@Z, address_out = 0x75d2b0b9	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strlen, address_out = 0x75d343d3	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _itoa, address_out = 0x75d44218	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strcpy, address_out = 0x75d38d6e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strtoul, address_out = 0x75d3012e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = memcpy, address_out = 0x75d29910	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcscpy, address_out = 0x75d3d4f8	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strcat, address_out = 0x75d38d75	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strncat, address_out = 0x75d50909	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _adjust_fdiv, address_out = 0x75dc32ec	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __p__commode, address_out = 0x75d327c3	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __p__fmode, address_out = 0x75d327ce	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __set_app_type, address_out = 0x75d32804	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _controlfp, address_out = 0x75d2e1e1	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _except_handler3, address_out = 0x75d4d770	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = 6, address_out = 0x7224a14c	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = ImageList_Create, address_out = 0x7222908c	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = ImageList_ReplaceIcon, address_out = 0x72286ea3	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = 17, address_out = 0x72221739	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = ImageList_AddMasked, address_out = 0x72228b75	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = ImageList_SetImageCount, address_out = 0x72286e17	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = CreateToolbarEx, address_out = 0x7224a4d5	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetCurrentDirectoryA, address_out = 0x75b8903d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ExitProcess, address_out = 0x75b9214f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcessId, address_out = 0x75b8cac4	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x75b8cdcf	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CompareFileTime, address_out = 0x75b913f3	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVolumeInformationA, address_out = 0x75ba41aa	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetStdHandle, address_out = 0x75b91e46	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address_out = 0x75b7d8d7	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address_out = 0x75b7dc43	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = EnumResourceNamesA, address_out = 0x75ba5a34	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address_out = 0x75b9d763	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetComputerNameA, address_out = 0x75b76ba9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTempPathA, address_out = 0x75ba6a65	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetSystemDirectoryA, address_out = 0x75b88fc5	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address_out = 0x75ba5d02	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateRemoteThread, address_out = 0x75bcf33b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindResourceA, address_out = 0x75b8a05b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = EnumResourceTypesA, address_out = 0x75bccb42	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LockResource, address_out = 0x75b7fd29	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetStartupInfoA, address_out = 0x75b41e10	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = DeleteFileA, address_out = 0x75b847cb	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadResource, address_out = 0x75b8984d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SizeofResource, address_out = 0x75b83e7f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WideCharToMultiByte, address_out = 0x75b9450e	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetProcAddress, address_out = 0x75b933d3	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address_out = 0x75b8cf41	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FreeLibrary, address_out = 0x75b8d9d0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = MultiByteToWideChar, address_out = 0x75b9452b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WriteFile, address_out = 0x75b91400	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address_out = 0x75b9395c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ReadProcessMemory, address_out = 0x75b7c1ce	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WaitForSingleObject, address_out = 0x75b8ba90	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x75b8ca7c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x75b8ca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WriteProcessMemory, address_out = 0x75b7c1de	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ResumeThread, address_out = 0x75b80f1c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address_out = 0x75b7c1b6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = OpenProcess, address_out = 0x75b859d7	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileSize, address_out = 0x75b80273	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualFreeEx, address_out = 0x75b7c1ee	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentDirectoryA, address_out = 0x75b7733c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ExpandEnvironmentStringsA, address_out = 0x75b78a5b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x75b89ce1	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address_out = 0x75b933f6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalLock, address_out = 0x75b89e05	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalUnlock, address_out = 0x75b89d50	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindNextFileA, address_out = 0x75b8a187	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryExA, address_out = 0x75b847fa	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindFirstFileA, address_out = 0x75b92d89	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileA, address_out = 0x75b8cee8	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x75b8bf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileTime, address_out = 0x75b80f6f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFilePointer, address_out = 0x75b8db36	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileAttributesA, address_out = 0x75b91de6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTempFileNameA, address_out = 0x75ba695f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindClose, address_out = 0x75b90e62	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x75b93861	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FormatMessageA, address_out = 0x75ba8868	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ReadFile, address_out = 0x75b896fb	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CopyRect, address_out = 0x764c4ad9	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DrawTextExA, address_out = 0x764dae60	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DispatchMessageA, address_out = 0x764c2e32	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMessageA, address_out = 0x764c1899	1	Fn
Get Address	c:\windows\system32\user32.dll	function = IsDialogMessageA, address_out = 0x764d2019	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DeferWindowPos, address_out = 0x764ba6c8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = TranslateMessage, address_out = 0x764c64c7	1	Fn
Get Address	c:\windows\system32\user32.dll	function = BeginDeferWindowPos, address_out = 0x764ba6a6	1	Fn
Get Address	c:\windows\system32\user32.dll	function = PostQuitMessage, address_out = 0x764bb308	1	Fn
Get Address	c:\windows\system32\user32.dll	function = TrackPopupMenu, address_out = 0x764d2228	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EndDeferWindowPos, address_out = 0x764ba67a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetFocus, address_out = 0x764c3a34	1	Fn
Get Address	c:\windows\system32\user32.dll	function = RegisterWindowMessageA, address_out = 0x764bc091	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindowTextA, address_out = 0x764b6eed	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMenuItemInfoA, address_out = 0x764b856a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetCursor, address_out = 0x764c3075	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ChildWindowFromPoint, address_out = 0x764fb6aa	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSysColorBrush, address_out = 0x764bf1ed	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SendMessageA, address_out = 0x764bad60	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadCursorA, address_out = 0x764b8328	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MessageBoxA, address_out = 0x7650ea11	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetDlgItemTextA, address_out = 0x764d707a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDlgItemTextA, address_out = 0x76513d14	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowTextA, address_out = 0x764e0c5b	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EndDialog, address_out = 0x764e3ba3	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDlgItem, address_out = 0x764e42bb	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CreateWindowExA, address_out = 0x764bbf40	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindowRect, address_out = 0x764c558c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = RegisterClassA, address_out = 0x764bbc6a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = UpdateWindow, address_out = 0x764bffa8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x764c67cf	1	Fn
Get Address	c:\windows\system32\user32.dll	function = PostMessageA, address_out = 0x764bb446	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetMenu, address_out = 0x764e6b0e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ShowWindow, address_out = 0x764bf2a9	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadAcceleratorsA, address_out = 0x764dae02	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowPos, address_out = 0x764c1bc4	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DefWindowProcA, address_out = 0x764bbb1c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = TranslateAcceleratorA, address_out = 0x764e133f	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindowPlacement, address_out = 0x764e69de	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadIconA, address_out = 0x764b64ad	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindowLongA, address_out = 0x764ba95e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowLongA, address_out = 0x764b8ba3	1	Fn
Get Address	c:\windows\system32\user32.dll	function = InvalidateRect, address_out = 0x764c566d	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetFocus, address_out = 0x764babad	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MapDialogRect, address_out = 0x764e347a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetRect, address_out = 0x764c498b	1	Fn
Get Address	c:\windows\system32\user32.dll	function = OpenClipboard, address_out = 0x764e447e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDC, address_out = 0x764c544c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EmptyClipboard, address_out = 0x764d290c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnableMenuItem, address_out = 0x764e43bc	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ReleaseDC, address_out = 0x764c5421	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MoveWindow, address_out = 0x764b8d29	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMenuItemCount, address_out = 0x764bae39	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CheckMenuItem, address_out = 0x764dee7c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetClientRect, address_out = 0x764c54dd	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMenuStringA, address_out = 0x76513a16	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetClipboardData, address_out = 0x764d2962	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetCursorPos, address_out = 0x764ba4b3	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetClassNameA, address_out = 0x764e2445	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CloseClipboard, address_out = 0x764e446c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MapWindowPoints, address_out = 0x764c5caa	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadImageA, address_out = 0x764d7779	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSysColor, address_out = 0x764cdb7a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMenu, address_out = 0x764e6b68	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSubMenu, address_out = 0x764b9c19	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadMenuA, address_out = 0x764cf92c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetParent, address_out = 0x764c6029	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadStringA, address_out = 0x764b66a7	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CreateDialogParamA, address_out = 0x764d1f42	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ModifyMenuA, address_out = 0x76513ae0	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DestroyWindow, address_out = 0x764bb2f4	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DialogBoxParamA, address_out = 0x764fcf42	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDlgCtrlID, address_out = 0x764bb4e8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DestroyMenu, address_out = 0x764b87f7	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumChildWindows, address_out = 0x764c2948	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SelectObject, address_out = 0x76466640	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetTextColor, address_out = 0x76466906	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreateFontIndirectA, address_out = 0x7646d22d	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetBkMode, address_out = 0x764669b1	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = DeleteObject, address_out = 0x76465f14	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetTextExtentPoint32A, address_out = 0x764707b0	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetBkColor, address_out = 0x76466a3c	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetDeviceCaps, address_out = 0x76466f7f	1	Fn
Get Address	c:\windows\system32\comdlg32.dll	function = GetSaveFileNameA, address_out = 0x7789a353	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegOpenKeyExA, address_out = 0x76014907	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegEnumKeyExA, address_out = 0x76011481	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegQueryValueExA, address_out = 0x760148ef	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegEnumKeyA, address_out = 0x7602a299	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegOpenKeyExW, address_out = 0x7601468d	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegDeleteKeyA, address_out = 0x7602a8b7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegEnumValueA, address_out = 0x7600cf49	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetUserNameA, address_out = 0x7602a4b4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegEnumValueW, address_out = 0x760148cc	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegCloseKey, address_out = 0x7601469d	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = SHGetPathFromIDListA, address_out = 0x768e1c24	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = SHGetMalloc, address_out = 0x767e0602	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = SHBrowseForFolderA, address_out = 0x76a0dc6a	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = ShellExecuteA, address_out = 0x76a07078	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitialize, address_out = 0x7618b636	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoUninitialize, address_out = 0x761b86d3	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitCommonControlsEx, address_out = 0x72226be6	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = SHGetSpecialFolderPathA, address_out = 0x76a0fb26	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = OpenProcessToken, address_out = 0x76014304	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = LookupPrivilegeValueA, address_out = 0x7601404a	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = AdjustTokenPrivileges, address_out = 0x7601418e	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredReadW, address_out = 0x760472a1	2	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredFree, address_out = 0x7600b2ec	2	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredEnumerateW, address_out = 0x76047481	2	Fn
Get Address	c:\windows\system32\crypt32.dll	function = CryptUnprotectData, address_out = 0x75945a7f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsDebuggerPresent, address_out = 0x75b83ea8	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = NSS_Init, address_out = 0x6e42d70b	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = NSS_Shutdown, address_out = 0x6e42d13c	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = PK11_GetInternalKeySlot, address_out = 0x6e3c3c51	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = PK11_FreeSlot, address_out = 0x6e3c3333	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = PK11_Authenticate, address_out = 0x6e3ad3ca	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = PK11SDR_Decrypt, address_out = 0x6e3c00a7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptAcquireContextA, address_out = 0x760091dd	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptReleaseContext, address_out = 0x7600e124	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptCreateHash, address_out = 0x7600df4e	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptGetHashParam, address_out = 0x7600df7e	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptHashData, address_out = 0x7600df36	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDestroyHash, address_out = 0x7600df66	1	Fn

System (3)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = CRH2YWU7	1	Fn
Get Info	type = Operating System	1	Fn
Get Info	type = Windows Directory, result_out = C:\Windows	1	Fn

Ini (14)

Operation	Filename	Additional Information	Count	Logfile
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = ShowGridLines, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = SaveFilterIndex, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = AddExportHeaderLine, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = MarkOddEvenRows, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Folder0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Folder1	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Folder2	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Folder3	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Folder4	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Folder5	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Folder6	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = WinPos	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Columns	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Sort, default_value = 0	1	Fn

Debug (1)

Operation	Process	Additional Information	Success	Count	Logfile
Check for Presence	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe			1	Fn

Process #15: regsvcs.exe

(Host: 430, Network: 0)

Information	Value
ID	#15
File Name	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:09, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:02

OS Process Information

Information	Value
PID	0x36c
Parent PID	0x328 (c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ee71 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 45C 0x 66C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000250000	0x00250000	0x00317fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000400000	0x00400000	0x0041dfff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000420000	0x00420000	0x00520fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000005f0000	0x005f0000	0x006effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007d0000	0x007d0000	0x007dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000008c0000	0x008c0000	0x008cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000008d0000	0x008d0000	0x009cffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x009d0000	0x00c9efff	Memory Mapped File	Readable	Region Actions
regsvcs.exe	0x00d30000	0x00d3dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000d40000	0x00d40000	0x0193ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001ac0000	0x01ac0000	0x01bbffff	Private Memory	Readable, Writable	Region Actions
comctl32.dll	0x72220000	0x722a3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pstorec.dll	0x72430000	0x7243cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x73b60000	0x73b73fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75770000	0x7578afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x758b0000	0x758bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x75910000	0x75a2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75a30000	0x75a79fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75b40000	0x75c13fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x75d20000	0x75dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76000000	0x7609ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x760a0000	0x7616bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76170000	0x762cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76360000	0x76400fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76460000	0x764adfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x764b0000	0x76578fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76580000	0x76589fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76590000	0x765e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76660000	0x7667efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76720000	0x767bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x767c0000	0x77409fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x776f0000	0x7782bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77840000	0x77858fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77860000	0x778dafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77930000	0x77930fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd9000	0x7ffd9000	0x7ffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x400000, size = 512	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x401000, size = 44032	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x41c000, size = 3584	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x41d000, size = 4096	1	Fn Data
Modify Memory	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	address = 0x7ffd9008, size = 4	1	Fn Data
Modify Control Flow	#11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe	0x530	os_tid = 0x45c, address = 0x77737098	1	Fn

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\eebsym5\appdata\local\temp\gsabfkrjcfngatbtcigqhckmyel	0.46 KB (469 bytes)	MD5: b2912991f1be1bdf15ea7028328cc3bf SHA1: a18027ccd9e804696cac7dc581c58ce59b77e3c5 SHA256: 1035b4c326e3ee76f23a9532c2de82ba28071fb55ebfa27f99f48bb08f7c8114		File Actions Show Properties Download

Host Behavior

File (32)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{553187ED-CFB2-4763-8DAE-48D3609A76AC}.oeaccount	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{91E541D8-6C9E-48C0-AB69-0A7168AA62DE}.oeaccount	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{DD8DA3D5-48F0-4F18-846C-50E4200467F0}.oeaccount	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Get Info	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs_lng.ini	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Profiles	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Roaming\Thunderbird\Profiles	type = file_attributes	1	Fn
Get Info	C:\Program Files\Mozilla Thunderbird	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{553187ED-CFB2-4763-8DAE-48D3609A76AC}.oeaccount	type = size	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{91E541D8-6C9E-48C0-AB69-0A7168AA62DE}.oeaccount	type = size	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{DD8DA3D5-48F0-4F18-846C-50E4200467F0}.oeaccount	type = size	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{553187ED-CFB2-4763-8DAE-48D3609A76AC}.oeaccount	size = 1734, size_out = 1734	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{91E541D8-6C9E-48C0-AB69-0A7168AA62DE}.oeaccount	size = 1506, size_out = 1506	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{DD8DA3D5-48F0-4F18-846C-50E4200467F0}.oeaccount	size = 670, size_out = 670	1	Fn Data
Write	C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel	size = 50	2	Fn Data
Write	C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel	size = 2	3	Fn Data
Write	C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel	size = 30	1	Fn Data
Write	C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel	size = 52	1	Fn Data
Write	C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel	size = 35	1	Fn Data
Write	C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel	size = 27	2	Fn Data
Write	C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel	size = 22	4	Fn Data
Write	C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel	size = 24	1	Fn Data
Write	C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel	size = 26	1	Fn Data
Write	C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel	size = 29	1	Fn Data
Write	C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel	size = 25	1	Fn Data

Registry (124)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts		1	Fn
Open Key	HKEY_CURRENT_USER\Identities		1	Fn
Open Key	HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}		1	Fn
Open Key	HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}\Software\Microsoft\Internet Account Manager\Accounts		1	Fn
Open Key	HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\24f93cf8ea9a9546b93f8dc78abb6a97		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3c51f4951df2d34baef1a05b725728d2		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\42405d6c3502e64caa2aeda354771336		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5e8673e5f416694397a90d6dc37f5694		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\600082486368c34683de3c06ff753b3b		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6c393c97bf8f52408197f7e63b61e548		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9fd587aab699e24cb035dd8129bd6b5b		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\d9417b97bf6b594d89a41cdbed740112		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e3233d298149174193c9c78f955de155		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e50f0eb5db19ee44ba2717941e28e885		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles		1	Fn
Open Key	HKEY_CURRENT_USER\Software\IncrediMail\Identities		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Group Mail		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\MessengerService		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Yahoo\Pager		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail		1	Fn
Read Value	HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}	value_name = Username, data = Main Identity, type = REG_SZ	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	value_name = POP3 User, data = 24, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	value_name = IMAP User, data = 24, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	value_name = HTTP User, data = 24, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	value_name = SMTP User, data = 24, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = POP3 User, data = 24, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = IMAP User, data = 24, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = HTTP User, data = 24, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = SMTP User, data = 24, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = POP3 User, type = REG_BINARY	1	Fn Data
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = POP3 Server, type = REG_BINARY	1	Fn Data
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = Display Name, type = REG_BINARY	1	Fn Data
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = Email, type = REG_BINARY	1	Fn Data
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = SMTP Server, type = REG_BINARY	1	Fn Data
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = POP3 Use SPA, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = POP3 Password, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = IMAP User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = HTTP User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = SMTP User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	value_name = POP3 User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	value_name = IMAP User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	value_name = HTTP User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	value_name = SMTP User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary	value_name = POP3 User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary	value_name = IMAP User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary	value_name = HTTP User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary	value_name = SMTP User, data = 100, type = REG_NONE	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Identities		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Identities		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\24f93cf8ea9a9546b93f8dc78abb6a97		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3c51f4951df2d34baef1a05b725728d2		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\42405d6c3502e64caa2aeda354771336		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5e8673e5f416694397a90d6dc37f5694		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\600082486368c34683de3c06ff753b3b		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6c393c97bf8f52408197f7e63b61e548		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9fd587aab699e24cb035dd8129bd6b5b		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\d9417b97bf6b594d89a41cdbed740112		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e3233d298149174193c9c78f955de155		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e50f0eb5db19ee44ba2717941e28e885		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles		1	Fn

Module (264)

Operation	Module	Additional Information	Count	Logfile
Load	comctl32.dll	base_address = 0x72220000	1	Fn
Load	shell32.dll	base_address = 0x767c0000	1	Fn
Load	pstorec.dll	base_address = 0x72430000	1	Fn
Load	crypt32.dll	base_address = 0x75910000	2	Fn
Load	advapi32.dll	base_address = 0x76000000	3	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x75b40000	2	Fn
Get Handle	c:\windows\system32\msvcrt.dll	base_address = 0x75d20000	1	Fn
Get Handle	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	base_address = 0x72220000	1	Fn
Get Handle	c:\windows\system32\rpcrt4.dll	base_address = 0x76360000	1	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x764b0000	1	Fn
Get Handle	c:\windows\system32\gdi32.dll	base_address = 0x76460000	1	Fn
Get Handle	c:\windows\system32\comdlg32.dll	base_address = 0x77860000	1	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x76000000	1	Fn
Get Handle	c:\windows\system32\shell32.dll	base_address = 0x767c0000	1	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x76170000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	2	Fn
Get Filename		process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualProtect, address_out = 0x75b82341	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = memmove, address_out = 0x75d29e5a	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcschr, address_out = 0x75d2aa61	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcslen, address_out = 0x75d3d335	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcsncmp, address_out = 0x75d2b05e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _itoa, address_out = 0x75d44218	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _strlwr, address_out = 0x75d3ca0b	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = qsort, address_out = 0x75d2d3e6	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strncmp, address_out = 0x75d2b443	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _snprintf, address_out = 0x75d4fa7c	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _mbsrchr, address_out = 0x75d38e5b	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _mbsnbicmp, address_out = 0x75d83480	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __dllonexit, address_out = 0x75d2f509	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _onexit, address_out = 0x75d3112d	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _c_exit, address_out = 0x75d8b2db	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _exit, address_out = 0x75d8b2c0	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _XcptFilter, address_out = 0x75d4dc75	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _cexit, address_out = 0x75d337d4	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _strnicmp, address_out = 0x75d30578	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _acmdln, address_out = 0x75dc04d8	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __getmainargs, address_out = 0x75d32bc0	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _initterm, address_out = 0x75d2c151	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _memicmp, address_out = 0x75d306c8	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = malloc, address_out = 0x75d29cee	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strrchr, address_out = 0x75d2dbae	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _stricmp, address_out = 0x75d2db38	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = free, address_out = 0x75d29894	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = modf, address_out = 0x75d37551	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = memcmp, address_out = 0x75d37975	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strtoul, address_out = 0x75d3012e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = ??3@YAXPAX@Z, address_out = 0x75d2b0b9	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = ??2@YAPAXI@Z, address_out = 0x75d2b0c9	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = memcpy, address_out = 0x75d29910	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = sprintf, address_out = 0x75d3d354	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _mbsicmp, address_out = 0x75d39238	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = atoi, address_out = 0x75d2dbe0	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _strcmpi, address_out = 0x75d2db38	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strlen, address_out = 0x75d343d3	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strcmp, address_out = 0x75d38b11	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = exit, address_out = 0x75d336aa	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _adjust_fdiv, address_out = 0x75dc32ec	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = wcsstr, address_out = 0x75d2bf71	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = log, address_out = 0x75d4de50	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _mbscmp, address_out = 0x75d483c0	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strchr, address_out = 0x75d2dbeb	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _purecall, address_out = 0x75d86ea9	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strncat, address_out = 0x75d50909	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = abs, address_out = 0x75d4eb1e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strcat, address_out = 0x75d38d75	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _ultoa, address_out = 0x75d71822	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = strcpy, address_out = 0x75d38d6e	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = memset, address_out = 0x75d29790	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __p__commode, address_out = 0x75d327c3	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __p__fmode, address_out = 0x75d327ce	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __set_app_type, address_out = 0x75d32804	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _controlfp, address_out = 0x75d2e1e1	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = _except_handler3, address_out = 0x75d4d770	1	Fn
Get Address	c:\windows\system32\msvcrt.dll	function = __setusermatherr, address_out = 0x75db77ad	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = CreateToolbarEx, address_out = 0x7224a4d5	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = ImageList_Create, address_out = 0x7222908c	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = ImageList_AddMasked, address_out = 0x72228b75	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = ImageList_SetImageCount, address_out = 0x72286e17	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = 17, address_out = 0x72221739	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = ImageList_ReplaceIcon, address_out = 0x72286ea3	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = 6, address_out = 0x7224a14c	1	Fn
Get Address	c:\windows\system32\rpcrt4.dll	function = UuidFromStringA, address_out = 0x76367348	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentDirectoryA, address_out = 0x75b7733c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address_out = 0x75b8cf41	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetCurrentDirectoryA, address_out = 0x75b8903d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcess, address_out = 0x75b8cdcf	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ExitProcess, address_out = 0x75b9214f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcessId, address_out = 0x75b8cac4	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ReadProcessMemory, address_out = 0x75b7c1ce	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = OpenProcess, address_out = 0x75b859d7	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetStdHandle, address_out = 0x75b91e46	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetPrivateProfileIntA, address_out = 0x75b7dc43	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = EnumResourceNamesA, address_out = 0x75ba5a34	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WritePrivateProfileStringA, address_out = 0x75b9d763	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetComputerNameA, address_out = 0x75b76ba9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileSize, address_out = 0x75b80273	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileA, address_out = 0x75b8cee8	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalUnlock, address_out = 0x75b89d50	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalLock, address_out = 0x75b89e05	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTempPathA, address_out = 0x75ba6a65	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GlobalAlloc, address_out = 0x75b89ce1	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x75b8ca7c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindResourceA, address_out = 0x75b8a05b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadResource, address_out = 0x75b8984d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = EnumResourceTypesA, address_out = 0x75bccb42	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SizeofResource, address_out = 0x75b83e7f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LockResource, address_out = 0x75b7fd29	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = DeleteFileA, address_out = 0x75b847cb	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetStartupInfoA, address_out = 0x75b41e10	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetPrivateProfileStringA, address_out = 0x75b7d8d7	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = MultiByteToWideChar, address_out = 0x75b9452b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WideCharToMultiByte, address_out = 0x75b9450e	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ExpandEnvironmentStringsA, address_out = 0x75b78a5b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalFree, address_out = 0x75b8ca64	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WriteFile, address_out = 0x75b91400	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetPrivateProfileSectionA, address_out = 0x75bc78ad	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FreeLibrary, address_out = 0x75b8d9d0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetProcAddress, address_out = 0x75b933d3	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address_out = 0x75b9395c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address_out = 0x75b933f6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindFirstFileA, address_out = 0x75b92d89	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindNextFileA, address_out = 0x75b8a187	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFilePointer, address_out = 0x75b8db36	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLastError, address_out = 0x75b8bf00	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryExA, address_out = 0x75b847fa	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileAttributesA, address_out = 0x75b91de6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTempFileNameA, address_out = 0x75ba695f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FindClose, address_out = 0x75b90e62	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FormatMessageA, address_out = 0x75ba8868	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetWindowsDirectoryA, address_out = 0x75ba5d02	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ReadFile, address_out = 0x75b896fb	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetVersionExA, address_out = 0x75b93861	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetClassNameA, address_out = 0x764e2445	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMessageA, address_out = 0x764c1899	1	Fn
Get Address	c:\windows\system32\user32.dll	function = TranslateMessage, address_out = 0x764c64c7	1	Fn
Get Address	c:\windows\system32\user32.dll	function = RegisterWindowMessageA, address_out = 0x764bc091	1	Fn
Get Address	c:\windows\system32\user32.dll	function = PostQuitMessage, address_out = 0x764bb308	1	Fn
Get Address	c:\windows\system32\user32.dll	function = TrackPopupMenu, address_out = 0x764d2228	1	Fn
Get Address	c:\windows\system32\user32.dll	function = PostMessageA, address_out = 0x764bb446	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetFocus, address_out = 0x764c3a34	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DispatchMessageA, address_out = 0x764c2e32	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DrawTextExA, address_out = 0x764dae60	1	Fn
Get Address	c:\windows\system32\user32.dll	function = IsDialogMessageA, address_out = 0x764d2019	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindowTextA, address_out = 0x764b6eed	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMenuItemInfoA, address_out = 0x764b856a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumChildWindows, address_out = 0x764c2948	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DestroyMenu, address_out = 0x764b87f7	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDlgCtrlID, address_out = 0x764bb4e8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DialogBoxParamA, address_out = 0x764fcf42	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ShowWindow, address_out = 0x764bf2a9	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetCursor, address_out = 0x764c3075	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadCursorA, address_out = 0x764b8328	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ChildWindowFromPoint, address_out = 0x764fb6aa	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSysColorBrush, address_out = 0x764bf1ed	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EndDialog, address_out = 0x764e3ba3	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDlgItem, address_out = 0x764e42bb	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CreateWindowExA, address_out = 0x764bbf40	1	Fn
Get Address	c:\windows\system32\user32.dll	function = InvalidateRect, address_out = 0x764c566d	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetDlgItemInt, address_out = 0x764dec2e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = BeginPaint, address_out = 0x764c5d14	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetClientRect, address_out = 0x764c54dd	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindow, address_out = 0x764c2780	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetDlgItemTextA, address_out = 0x764d707a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DrawFrameControl, address_out = 0x764db4f9	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDlgItemTextA, address_out = 0x76513d14	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SendDlgItemMessageA, address_out = 0x764d7241	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowTextA, address_out = 0x764e0c5b	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindowRect, address_out = 0x764c558c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x764c67cf	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDlgItemInt, address_out = 0x764ded56	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DeferWindowPos, address_out = 0x764ba6c8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EndPaint, address_out = 0x764c5d42	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DefWindowProcA, address_out = 0x764bbb1c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = TranslateAcceleratorA, address_out = 0x764e133f	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MessageBoxA, address_out = 0x7650ea11	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindowPlacement, address_out = 0x764e69de	1	Fn
Get Address	c:\windows\system32\user32.dll	function = RegisterClassA, address_out = 0x764bbc6a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = UpdateWindow, address_out = 0x764bffa8	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetMenu, address_out = 0x764e6b0e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadAcceleratorsA, address_out = 0x764dae02	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowPos, address_out = 0x764c1bc4	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SendMessageA, address_out = 0x764bad60	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadIconA, address_out = 0x764b64ad	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetWindowLongA, address_out = 0x764ba95e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetWindowLongA, address_out = 0x764b8ba3	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetFocus, address_out = 0x764babad	1	Fn
Get Address	c:\windows\system32\user32.dll	function = BeginDeferWindowPos, address_out = 0x764ba6a6	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EndDeferWindowPos, address_out = 0x764ba67a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CheckMenuItem, address_out = 0x764dee7c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMenuItemCount, address_out = 0x764bae39	1	Fn
Get Address	c:\windows\system32\user32.dll	function = SetClipboardData, address_out = 0x764d2962	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMenuStringA, address_out = 0x76513a16	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnableWindow, address_out = 0x764b8d02	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DestroyWindow, address_out = 0x764bb2f4	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetCursorPos, address_out = 0x764ba4b3	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadImageA, address_out = 0x764d7779	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSysColor, address_out = 0x764cdb7a	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MapWindowPoints, address_out = 0x764c5caa	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMenu, address_out = 0x764e6b68	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CloseClipboard, address_out = 0x764e446c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetParent, address_out = 0x764c6029	1	Fn
Get Address	c:\windows\system32\user32.dll	function = OpenClipboard, address_out = 0x764e447e	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDC, address_out = 0x764c544c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EmptyClipboard, address_out = 0x764d290c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MoveWindow, address_out = 0x764b8d29	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSubMenu, address_out = 0x764b9c19	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnableMenuItem, address_out = 0x764e43bc	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ReleaseDC, address_out = 0x764c5421	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadMenuA, address_out = 0x764cf92c	1	Fn
Get Address	c:\windows\system32\user32.dll	function = LoadStringA, address_out = 0x764b66a7	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CreateDialogParamA, address_out = 0x764d1f42	1	Fn
Get Address	c:\windows\system32\user32.dll	function = ModifyMenuA, address_out = 0x76513ae0	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetDeviceCaps, address_out = 0x76466f7f	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetTextColor, address_out = 0x76466906	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = CreateFontIndirectA, address_out = 0x7646d22d	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetBkMode, address_out = 0x764669b1	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = DeleteObject, address_out = 0x76465f14	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = GetTextExtentPoint32A, address_out = 0x764707b0	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SetBkColor, address_out = 0x76466a3c	1	Fn
Get Address	c:\windows\system32\gdi32.dll	function = SelectObject, address_out = 0x76466640	1	Fn
Get Address	c:\windows\system32\comdlg32.dll	function = GetOpenFileNameA, address_out = 0x7789a2a9	1	Fn
Get Address	c:\windows\system32\comdlg32.dll	function = GetSaveFileNameA, address_out = 0x7789a353	1	Fn
Get Address	c:\windows\system32\comdlg32.dll	function = FindTextA, address_out = 0x7789acd6	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegEnumKeyA, address_out = 0x7602a299	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegEnumKeyExA, address_out = 0x76011481	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegQueryValueExA, address_out = 0x760148ef	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegOpenKeyExA, address_out = 0x76014907	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegDeleteKeyA, address_out = 0x7602a8b7	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetUserNameA, address_out = 0x7602a4b4	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegCloseKey, address_out = 0x7601469d	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = SHBrowseForFolderA, address_out = 0x76a0dc6a	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = SHGetPathFromIDListA, address_out = 0x768e1c24	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = SHGetMalloc, address_out = 0x767e0602	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = ShellExecuteA, address_out = 0x76a07078	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoInitialize, address_out = 0x7618b636	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoTaskMemFree, address_out = 0x761c6f41	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoUninitialize, address_out = 0x761b86d3	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitCommonControlsEx, address_out = 0x72226be6	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = SHGetSpecialFolderPathA, address_out = 0x76a0fb26	1	Fn
Get Address	c:\windows\system32\pstorec.dll	function = PStoreCreateInstance, address_out = 0x7243526c	1	Fn
Get Address	c:\windows\system32\crypt32.dll	function = CryptUnprotectData, address_out = 0x75945a7f	2	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredReadA, address_out = 0x760471c1	3	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredFree, address_out = 0x7600b2ec	3	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredDeleteA, address_out = 0x76047941	3	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredEnumerateA, address_out = 0x76047381	3	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredEnumerateW, address_out = 0x76047481	3	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Computer Name	result_out = CRH2YWU7		1	Fn
Get Info	type = Operating System		1	Fn

Ini (7)

Operation	Filename	Additional Information	Count	Logfile
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = ShowGridLines, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = SaveFilterIndex, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = AddExportHeaderLine, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = MarkOddEvenRows, default_value = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = WinPos	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Columns	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg	section_name = General, key_name = Sort, default_value = 0	1	Fn