Obfuscated AutoIt Malware Injects Executables to Steal Passwords and Browser Data

Involved Hosts

Hostname	IP Addresses	Country	City	Protocols	Has Blacklisted URL
jluxi.dynu.com	185.62.188.68	NL		DNS, TCP

Monitored Processes

Behavior Information - Grouped by Category

Process #1: 9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe

(Host: 4170, Network: 0)

Information	Value
ID	#1
File Name	c:\users\eebsym5\desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe
Command Line	"C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe"
Initial Working Directory	C:\Users\EEBsYm5\Desktop\
Monitor	Start Time: 00:00:10, Reason: Analysis Target
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:02:01

OS Process Information

Information	Value
PID	0xa00
Parent PID	0x658 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A04 0x A0C 0x A14 0x A18

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x0012ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000130000	0x00130000	0x00133fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x00142fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000160000	0x00160000	0x00166fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000170000	0x00170000	0x00171fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000180000	0x00180000	0x00181fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x001affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001b0000	0x001b0000	0x002affff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x002b0000	0x00316fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000320000	0x00320000	0x003e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003f0000	0x003f0000	0x003f0fff	Pagefile Backed Memory	Readable	Region Actions
9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	0x00400000	0x00432fff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
pagefile_0x0000000000440000	0x00440000	0x00540fff	Pagefile Backed Memory	Readable	Region Actions
rpcss.dll	0x00550000	0x005abfff	Memory Mapped File	Readable	Region Actions
rpcss.dll	0x00550000	0x005abfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000550000	0x00550000	0x005fffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000550000	0x00550000	0x00550fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000560000	0x00560000	0x00561fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000570000	0x00570000	0x00571fff	Pagefile Backed Memory	Readable	Region Actions
msctf.dll.mui	0x00570000	0x00570fff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x0000000000580000	0x00580000	0x00581fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000580000	0x00580000	0x00580fff	Pagefile Backed Memory	Readable, Writable	Region Actions
cversions.1.db	0x00590000	0x00593fff	Memory Mapped File	Readable	Region Actions
cversions.2.db	0x00590000	0x00593fff	Memory Mapped File	Readable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000013.db	0x005a0000	0x005b4fff	Memory Mapped File	Readable	Region Actions
private_0x00000000005c0000	0x005c0000	0x005fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000600000	0x00600000	0x0060ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000610000	0x00610000	0x0120ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001210000	0x01210000	0x012eefff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x012f0000	0x015befff	Memory Mapped File	Readable	Region Actions
private_0x00000000015c0000	0x015c0000	0x0163ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000015c0000	0x015c0000	0x015c0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db	0x015d0000	0x015fffff	Memory Mapped File	Readable	Region Actions
private_0x0000000001600000	0x01600000	0x0163ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000001640000	0x01640000	0x01a32fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001a40000	0x01a40000	0x01abffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001ac0000	0x01ac0000	0x01bc0fff	Private Memory	Readable, Writable	Region Actions Download Dump
staticcache.dat	0x01ac0000	0x023effff	Memory Mapped File	Readable	Region Actions
private_0x00000000023f0000	0x023f0000	0x024f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000023f0000	0x023f0000	0x027f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000023f0000	0x023f0000	0x027f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
cversions.2.db	0x023f0000	0x023f3fff	Memory Mapped File	Readable	Region Actions
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x02400000	0x02465fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002470000	0x02470000	0x0256ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002570000	0x02570000	0x0266ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000002670000	0x02670000	0x02670fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000002680000	0x02680000	0x0277ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002800000	0x02800000	0x02900fff	Private Memory	Readable, Writable	Region Actions Download Dump
riched20.dll	0x6d740000	0x6d7b5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
tiptsf.dll	0x6e5a0000	0x6e5f7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shdocvw.dll	0x6ec20000	0x6ec4dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x70f80000	0x70fcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
riched32.dll	0x72980000	0x72985fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x73a70000	0x73a82fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x73dc0000	0x73dfffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x73e40000	0x73e60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x73ed0000	0x73fc4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x740c0000	0x7425dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75070000	0x7508afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75090000	0x7509bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x75110000	0x7511afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75180000	0x7518bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x75190000	0x751b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x751c0000	0x752dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x752e0000	0x75329fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x75360000	0x75371fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75410000	0x75545fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75550000	0x7559dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x755a0000	0x75668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x756b0000	0x75706fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75710000	0x7572efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75730000	0x757fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75810000	0x7589efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x758a0000	0x75922fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x75930000	0x75974fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75980000	0x765c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x765e0000	0x7667cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76680000	0x767dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x76840000	0x76934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76940000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x769e0000	0x76ab3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76ac0000	0x76b60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x76b70000	0x76d0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76d10000	0x76dbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x76dc0000	0x76fbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76fc0000	0x770fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77110000	0x77128fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77160000	0x77169fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77170000	0x771eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77200000	0x77200fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Created Files

Filename	File Size	Hash Values	Actions
c:\users\eebsym5\appdata\local\temp\60484525\__tmp_rar_sfx_access_check_18052931	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\eebsym5\appdata\local\temp\60484525\hin.ppt	753.11 KB (771181 bytes)	MD5: b4069d0c0e00f8266018f1263d28314a SHA1: da9e1711e225aa694f28ac81677f0a8840acbd56 SHA256: 017a11f2c47b3329116d74da098437fef15a0283fd7df5b5cf16e167a74bf4bf	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\cvn-nhc	2.88 MB (3022508 bytes)	MD5: de1a6fbf02c16cacd54d414ed4e6f73e SHA1: 645a49fb10d04c18348e6614c3640cb2d732d7e2 SHA256: f0b7de110217d22b745eb45ad6c808974c667bb77dabdf824c7a439bb254d49d	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	732.73 KB (750320 bytes)	MD5: 71d8f6d5dc35517275bc38ebcc815f9f SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\jdl.jpg	0.58 KB (593 bytes)	MD5: 4cf50661adbe97e9144a1ae14e0cc2d4 SHA1: 6cfecd4625e5cac62f73cd766c0695545615a80e SHA256: 01da59d2d9a62cc31d8a28f02e58762f775783d072dc92cd4882472991c6c489	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\vqm.xl	0.51 KB (525 bytes)	MD5: 39f5c28a7805e6993c878e2445b6de4f SHA1: b1a4702db810d76ca9dab4a40b464161447a8485 SHA256: 2fb689a6de68f133a7baab6c6f6458fae38c6dae4d90f62da2b90641a048fc2a	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\bcu.mp4	0.51 KB (521 bytes)	MD5: e800b240b278b15f7e04a9aa5aad5a94 SHA1: 5c57cfd08c138ecb8aaf08638ff708ed0fc11e9c SHA256: d4c33eed67247dbddc3dcd7400bd24fd7209a597f468978f014568c2ee0a7fd1	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\rnr.mp3	0.54 KB (556 bytes)	MD5: a1c50816b65f30e2260479114d0bcab6 SHA1: 74c73a920cbd9ef1057d4d8d7589363d14e4a55b SHA256: c18f5a54575e9b56f95bbeb353318cba41fefbadc7f101589d5fc0df3fd56141	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\cvg.mp4	0.49 KB (505 bytes)	MD5: da230cfbc8a80e350c87d894eebb76b9 SHA1: ea6d7ae1dc826a9344c00a01d47e92ee60bd6d61 SHA256: bdfc89fb5460d262442882b76f31f9853370abd79e86be034afb53e2be694118	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\chm.docx	0.60 KB (614 bytes)	MD5: 84d55a12fc2416df5c1553ee17ad0992 SHA1: b402fc11ff5ef3552be26235e9fd016c7fe912b2 SHA256: 918778adbeba224f4b9dd8910b717cf706563c35e06fbe0d04dfb00ced8678ee	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\vua.jpg	0.50 KB (509 bytes)	MD5: 6dd73a9654139bb6529a72207ddfde0f SHA1: bd67f636d12ed1c4cff28f6a9a84e28b97d7f1a5 SHA256: 42220eec08a393cd359ec79cb610d2a845926b8d8119eb505276564aa25698c9	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\oxl.ico	0.51 KB (520 bytes)	MD5: 22c528e901375639d3a014f6fe12ed43 SHA1: 74f6a3c188759980c3e7dc9de94642f86a18fb59 SHA256: 1af85ae13aa9aa6114ec4c03cfd840fb8222eeceb611aac530411979bd9bede9	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\fun.mp4	0.62 KB (633 bytes)	MD5: 41db425bddeb6edff3829ede53e4b059 SHA1: 8355713e8ff5b27cc72f2a784d597be7d02e3c26 SHA256: 668dff85c71ac5142e3105426be365b7834e1dd8e3e0043674a272af26138f35	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\fqv.xl	0.55 KB (567 bytes)	MD5: 2a8d81d0726edc11e6e4f75207fee58c SHA1: 041b9554b7a23b86240e82c0c18e0c34cfdd4ae1 SHA256: bc2d0c9ff398b2883465e9c5963d0a8933b034ae43f6002481f674b5ade6c839	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\hgu.ico	0.56 KB (569 bytes)	MD5: e9a2566e0a5296cf122c7089e0558baf SHA1: e7d3001b6b6ebf6928e942f4c8343f4f551e0284 SHA256: 418946d3f5ab5a04d537045108c4e8db6dcb48bb465e2d0a01f91723b7948e49	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\brh.ppt	0.58 KB (597 bytes)	MD5: fda5e079dbe06cc05c59ba4e27fa48c2 SHA1: 88181205ec8323e457d5bcd4e7a03cea28ad47c7 SHA256: 75cfe292e1d9d6bd3bdadfe1ce6bef7a57bfc2a6bb7ce6fecd497bf4ec583c37	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\xqa.mp4	0.54 KB (551 bytes)	MD5: d46dd879f8205faa467df9c9a0019a9d SHA1: 25631b0a07e69d1dc8e93e5e51946a27f98d2b17 SHA256: aa93b72e74034ed72878672e776fbe7fa55e93f78e485a337cbeae4bd18f4917	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\jub.bmp	0.56 KB (574 bytes)	MD5: 81932b74d719d9feaee98fd12634ac5b SHA1: a7283637bc88dacb689b39cebfc28a91e32f1e03 SHA256: 1c9ccc3a409e293eadbb70410de3c3405da55ceb47d36a639054b6f5c10a3c91	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\jgu.bmp	0.52 KB (532 bytes)	MD5: 2a84b8aefabec88301c0f50f7cfb46f6 SHA1: e4b2c15448b6dace8cfa8227784b3f9396a2f498 SHA256: ef754e4a3efc638823684023ef2ddbbcdaf1354c290e4c33ef394df4c2a8d2ca	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\tik.icm	0.54 KB (550 bytes)	MD5: 74efb6a98e74a829daafef9945004dca SHA1: c5102cd3b0d7602f51099a27657b37a3bf787561 SHA256: bf1ab35f7bd5d5fc365d2c176bb5c5374e578b8424ed0fde82f55d1eae1d350d	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\wjv.pdf	0.53 KB (539 bytes)	MD5: 1474405a725bc37f9fea9479c11a78bf SHA1: b57f9f373b5323f3b701bf350fd98cf8a827b3ff SHA256: d83ec42f0ff63cf14851f789e85f2dc33d76cb4c2409e1488f7474df2086033f	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\nvl.xl	0.51 KB (526 bytes)	MD5: 90ca387ad342c41ae796173d560ccf84 SHA1: eb03b500bbf683a889c4758d228b55cedddd4c30 SHA256: 0ecf3eb5d0f794e7e32a941580da8641bff3bf248a68df43a35ae16d77eda192	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\xfg.dat	0.51 KB (520 bytes)	MD5: c82da2a4e862c90a2d961098b1d64956 SHA1: 7edf516e6c807d8fa5aa912e23d9460721769207 SHA256: db7f2a223fef17affd13a518ac21c7675942bd475bc416dd78c7c6c186548b64	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\aqa.bmp	0.54 KB (557 bytes)	MD5: f8b9deca33aba33d64623f47e7c88855 SHA1: a70b7a6327133486d04d4d3c57bd8930a3e3a698 SHA256: 449952af1c2bd2a2e1878b3a81044793305185a7d27f0066521645906a5040c7	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\rnj.mp3	0.53 KB (547 bytes)	MD5: 6effc77853a885dd155870e04545880b SHA1: 98ebfdb5b3ef2c2db538a290a0a26bc6cf885916 SHA256: 89b82044c02980606c7d6b39aa2cf08b66ca0db7e1b5ad23a7c0d64e056340d2	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\eff.icm	0.51 KB (522 bytes)	MD5: c2f588f89c85d3c2c97e128f27234f2c SHA1: b2b64e8b77e831f3a16fdd1da61f8f64f514b19e SHA256: 1e8e0cc104f8c880f3a6d312f6bdc99c5f3f4fd3ee081eee7e2534ed511209fd	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\isi.xl	0.50 KB (507 bytes)	MD5: 469067bf5a94e9002cf154a81f397c6a SHA1: 737b86b50e3998052920f02bde3ad487743f1a6a SHA256: 6b418ce9673895fb76b32b67faf05073e577444d82bf42ff21733e1f057c3d60	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\upe.mp3	0.56 KB (578 bytes)	MD5: 62bd082578b0e38bc2b6b731b4a5ec49 SHA1: 3f6c8024888bf3caa19e6ad7db4a8f29859bdaa9 SHA256: 00a79f22f8ed82f6ea362254d04578bfa498dfed0d2ab8f733e6fbace1c2c078	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\fpo.xl	0.57 KB (581 bytes)	MD5: ff594e995d9f6268a047cc2e269eb2b9 SHA1: a0a8692e4560d122d0dd359157544b32fdc57cd0 SHA256: 6cc6a2d2a8196b938e5e332df30d025374d6c98a18c5e707021141966203d7e1	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\wlk.pdf	0.52 KB (536 bytes)	MD5: 747d40f9300dbb3ba36d7310b5ee40da SHA1: 90d715455eb32004107a92bf810df71371ed4047 SHA256: cef051d14bcbc14e12f9d130f71e8b285b37117cd20c23678419b9ab8659300d	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\nlb.pdf	0.53 KB (541 bytes)	MD5: a49efa6c9f872faad2232a4b6a2394a7 SHA1: c8dff7972de40ab025314a8c74b5bb8e1552170e SHA256: 97b1b6f6884f0f92342576a9667c5cb3c1b61fabc8a0b1b23d1f57582b0624d3	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\emv.bmp	0.50 KB (511 bytes)	MD5: 04f1e686525064abfdb4bfd7ff29a0b5 SHA1: 47748ea5978245b49c8136d9e147059afeb06ffe SHA256: 8e3de8ce80c00091cb1aaa93f590226c7ac53a509926cdd815301237dd8e9e1b	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\raq.jpg	0.50 KB (514 bytes)	MD5: e5d188010c3203e2d37d4225d6cae53b SHA1: 430d4c308efdb225a74e10d3facefa8e44252be1 SHA256: 93846c06cef1c5515a1f78e95c040be5c75d3b6c78bf6438cf12fd7345d3c1c8	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\nep.mp4	0.58 KB (589 bytes)	MD5: 498138dfbfbe52214e73e9c1141aa981 SHA1: bc7166b6abe72bb216d77d48185330668186bb88 SHA256: b1b69fb21d93d6bae3fbcf8338aa66ee2791362ec5f918bd9dc45c1c14d4749c	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\neo.ico	0.54 KB (551 bytes)	MD5: a128399da3f11bda3f2164a97cb2b531 SHA1: 0d00f9e17e6445805ef34c8fdb68fe8e38ab4868 SHA256: dcf09d4181263a2a3b0787085f7b8dc8913245c0d6ac535e16f8a77ba17ecc91	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\wxv.mp4	0.51 KB (526 bytes)	MD5: 924bdfca849290fd510d72a39da75d43 SHA1: b5c18c00e3596b8a87d068f67e59f46aba6509da SHA256: b32f0a65698effe8c62e482bf9b6aec6f5fd496d52da525dca2078988956d3d9	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\beb.ppt	0.52 KB (530 bytes)	MD5: afcc6587b4839826588ae54512851ef8 SHA1: e55525356075eba71766e12d7db9d67ef4cdd8cc SHA256: 5fdfa5c8afbda02553bbf95969ca4434c57456b4e51a56330fddd770d9f84277	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\als.txt	0.50 KB (512 bytes)	MD5: a81eeaae706a9e8ab123d3ed140d837e SHA1: 3f0feac929dd6f1f5776298da84a14298f12cb10 SHA256: 169b9a0889e98c8e239c472e3041fccb2433c668f269782b28c74648c5135ba7	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\jkg.txt	0.57 KB (588 bytes)	MD5: 0f7278aeb0c194405013a9963334e38c SHA1: 2b7dab89793af056f56e84b9a1040c2c3e01f5a9 SHA256: 0c9293277fd0325971a2cf297d88460ad8df83d40f09f947fb36a50c59ad9c31	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\idv.xl	0.54 KB (550 bytes)	MD5: 307fe5bd3f52c0aefb503401e2b08505 SHA1: 67ef51104877c6e6ca67e868b2a5d589e415a255 SHA256: 79bb5d0d7e6e403335b863935f832da481a550f7174e77f56a112d5a1f7bff8f	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\erk.ico	0.56 KB (576 bytes)	MD5: 0a5b38cbc77ff6bfd9ca434eb372e88e SHA1: a093894e555294518d98937f61e1eac26298539b SHA256: a3cc42516891627a6ff9dcc5dcca3a4deaefbbf2f9a5411a644a34242b57f6f7	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\jfo.dat	0.54 KB (556 bytes)	MD5: faf4d8efca05d9b305d0970a8417274c SHA1: 847aff73ea3889518231b2a8e5aa2befd843f48b SHA256: 4f081e6dfab65d9c1910303f41fafac0e3652e2af3713140d8cc30d79aed912e	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\pac.ppt	0.55 KB (564 bytes)	MD5: bc062df0b1cf65138efbd74028d417ee SHA1: 4e3254580fc0eea7fcd2daa270b5e94e7fca7560 SHA256: b007b3703bec0526df06de06a88e97f706f09554ac2eb930cad38a80a3c663f7	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\okk.pdf	0.53 KB (538 bytes)	MD5: 7c65637227835e997638cdbbdda237db SHA1: ddd80c708a202210df0c6bab2d53fad31510c77a SHA256: 26f1259b8d53d6b4a43da7ebf431f4aff6617bbad13a188e9b4f534e21fd94b5	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\dxj.docx	0.64 KB (651 bytes)	MD5: 1690024ca4904bc8664deb3b5c046a09 SHA1: d78d488168c4a91dfb4883107bb0b344e47f6103 SHA256: dc2a1291b72a6b56d6acf1a4d52278ff82a9ac18d20f650d7bf1c1527a0675d1	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\tob.ico	0.56 KB (575 bytes)	MD5: 5d4a58ea600887506e113f87226108a7 SHA1: 6fd6c6d7b08df98858f8cd8bab2a8ddbaef39b78 SHA256: f6b0188a75c7fa2bcc06eb7d5de15a84facab9b2e2cc8d54aa7708833888d49b	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\guv.xl	0.54 KB (550 bytes)	MD5: df21088736f29414e1aeacbea6dd4adb SHA1: 2444bd270127ae12148eaf048fe82021f5580952 SHA256: 0bb6caa082e474fd47bdb620aa88536820e95f84cef92dcbda4fb686f29b3c3a	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\hjd.mp4	0.53 KB (543 bytes)	MD5: ce4596068d05d9436fa2512cfe90a81a SHA1: 4e209aede4adcee82bb4a8008291069a3a558f5c SHA256: 54f750492edac60c64348bf5131e7ec5c2e60aa796d80194b673b9e632c9c9cd	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\ain.icm	0.52 KB (532 bytes)	MD5: d997ac87e2adca0fe86fb0ba4a628299 SHA1: 14cae556c130ac9c5fa65168e9680893a4c73899 SHA256: c4a221aabd4c8dbc1ba62bd28e79af98b2e7a2c5d624c5f5c889352499bb47af	File Actions Show Properties Download
c:\users\eebsym5\appdata\local\temp\60484525\ugv.icm	0.54 KB (549 bytes)	MD5: a8ca3dd1e20cbeba4c51df819b7bb68e SHA1: 36d2b3b494d42d9958553cad17fa04819dfa2883 SHA256: d7820ee70bff4ff3f6922ab56d97c88aa79eb8591311d3a6c58b33c1c289d14a	File Actions Show Properties Download

Host Behavior

File (2166)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	__tmp_rar_sfx_access_check_18052931	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	hin.ppt	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	cvn-nhc	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	cih.exe	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	jdl.jpg	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	vqm.xl	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	bcu.mp4	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	rnr.mp3	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	cvg.mp4	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	chm.docx	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	vua.jpg	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	oxl.ico	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	fun.mp4	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	fqv.xl	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	hgu.ico	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	brh.ppt	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	xqa.mp4	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	jub.bmp	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	jgu.bmp	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	tik.icm	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	wjv.pdf	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	nvl.xl	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	xfg.dat	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	aqa.bmp	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	rnj.mp3	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	eff.icm	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	isi.xl	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	upe.mp3	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	fpo.xl	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	wlk.pdf	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	nlb.pdf	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	emv.bmp	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	raq.jpg	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	nep.mp4	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	neo.ico	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	wxv.mp4	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	beb.ppt	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	als.txt	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	jkg.txt	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	idv.xl	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	erk.ico	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	jfo.dat	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	pac.ppt	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	okk.pdf	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	dxj.docx	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	tob.ico	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	guv.xl	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	hjd.mp4	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	ain.icm	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create	ugv.icm	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Create Directory	C:		1	Fn
Create Directory	C:\Users		1	Fn
Create Directory	C:\Users\EEBsYm5		1	Fn
Create Directory	C:\Users\EEBsYm5\AppData		1	Fn
Create Directory	C:\Users\EEBsYm5\AppData\Local		1	Fn
Create Directory	C:\Users\EEBsYm5\AppData\Local\Temp		1	Fn
Create Directory	C:\Users\EEBsYm5\AppData\Local\Temp\60484525		1	Fn
Add Search Path			1	Fn
Get Info	hin.ppt	type = file_attributes	1	Fn
Get Info	hin.ppt	type = file_type	1	Fn
Get Info	cvn-nhc	type = file_attributes	1	Fn
Get Info	cvn-nhc	type = file_type	1	Fn
Get Info	cih.exe	type = file_attributes	1	Fn
Get Info	cih.exe	type = file_type	1	Fn
Get Info	jdl.jpg	type = file_attributes	1	Fn
Get Info	jdl.jpg	type = file_type	1	Fn
Get Info	vqm.xl	type = file_attributes	1	Fn
Get Info	vqm.xl	type = file_type	1	Fn
Get Info	bcu.mp4	type = file_attributes	1	Fn
Get Info	bcu.mp4	type = file_type	1	Fn
Get Info	rnr.mp3	type = file_attributes	1	Fn
Get Info	rnr.mp3	type = file_type	1	Fn
Get Info	cvg.mp4	type = file_attributes	1	Fn
Get Info	cvg.mp4	type = file_type	1	Fn
Get Info	chm.docx	type = file_attributes	1	Fn
Get Info	chm.docx	type = file_type	1	Fn
Get Info	vua.jpg	type = file_attributes	1	Fn
Get Info	vua.jpg	type = file_type	1	Fn
Get Info	oxl.ico	type = file_attributes	1	Fn
Get Info	oxl.ico	type = file_type	1	Fn
Get Info	fun.mp4	type = file_attributes	1	Fn
Get Info	fun.mp4	type = file_type	1	Fn
Get Info	fqv.xl	type = file_attributes	1	Fn
Get Info	fqv.xl	type = file_type	1	Fn
Get Info	hgu.ico	type = file_attributes	1	Fn
Get Info	hgu.ico	type = file_type	1	Fn
Get Info	brh.ppt	type = file_attributes	1	Fn
Get Info	brh.ppt	type = file_type	1	Fn
Get Info	xqa.mp4	type = file_attributes	1	Fn
Get Info	xqa.mp4	type = file_type	1	Fn
Get Info	jub.bmp	type = file_attributes	1	Fn
Get Info	jub.bmp	type = file_type	1	Fn
Get Info	jgu.bmp	type = file_attributes	1	Fn
Get Info	jgu.bmp	type = file_type	1	Fn
Get Info	tik.icm	type = file_attributes	1	Fn
Get Info	tik.icm	type = file_type	1	Fn
Get Info	wjv.pdf	type = file_attributes	1	Fn
Get Info	wjv.pdf	type = file_type	1	Fn
Get Info	nvl.xl	type = file_attributes	1	Fn
Get Info	nvl.xl	type = file_type	1	Fn
Get Info	xfg.dat	type = file_attributes	1	Fn
Get Info	xfg.dat	type = file_type	1	Fn
Get Info	aqa.bmp	type = file_attributes	1	Fn
Get Info	aqa.bmp	type = file_type	1	Fn
Get Info	rnj.mp3	type = file_attributes	1	Fn
Get Info	rnj.mp3	type = file_type	1	Fn
Get Info	eff.icm	type = file_attributes	1	Fn
Get Info	eff.icm	type = file_type	1	Fn
Get Info	isi.xl	type = file_attributes	1	Fn
Get Info	isi.xl	type = file_type	1	Fn
Get Info	upe.mp3	type = file_attributes	1	Fn
Get Info	upe.mp3	type = file_type	1	Fn
Get Info	fpo.xl	type = file_attributes	1	Fn
Get Info	fpo.xl	type = file_type	1	Fn
Get Info	wlk.pdf	type = file_attributes	1	Fn
Get Info	wlk.pdf	type = file_type	1	Fn
Get Info	nlb.pdf	type = file_attributes	1	Fn
Get Info	nlb.pdf	type = file_type	1	Fn
Get Info	emv.bmp	type = file_attributes	1	Fn
Get Info	emv.bmp	type = file_type	1	Fn
Get Info	raq.jpg	type = file_attributes	1	Fn
Get Info	raq.jpg	type = file_type	1	Fn
Get Info	nep.mp4	type = file_attributes	1	Fn
Get Info	nep.mp4	type = file_type	1	Fn
Get Info	neo.ico	type = file_attributes	1	Fn
Get Info	neo.ico	type = file_type	1	Fn
Get Info	wxv.mp4	type = file_attributes	1	Fn
Get Info	wxv.mp4	type = file_type	1	Fn
Get Info	beb.ppt	type = file_attributes	1	Fn
Get Info	beb.ppt	type = file_type	1	Fn
Get Info	als.txt	type = file_attributes	1	Fn
Get Info	als.txt	type = file_type	1	Fn
Get Info	jkg.txt	type = file_attributes	1	Fn
Get Info	jkg.txt	type = file_type	1	Fn
Get Info	idv.xl	type = file_attributes	1	Fn
Get Info	idv.xl	type = file_type	1	Fn
Get Info	erk.ico	type = file_attributes	1	Fn
Get Info	erk.ico	type = file_type	1	Fn
Get Info	jfo.dat	type = file_attributes	1	Fn
Get Info	jfo.dat	type = file_type	1	Fn
Get Info	pac.ppt	type = file_attributes	1	Fn
Get Info	pac.ppt	type = file_type	1	Fn
Get Info	okk.pdf	type = file_attributes	1	Fn
Get Info	okk.pdf	type = file_type	1	Fn
Get Info	dxj.docx	type = file_attributes	1	Fn
Get Info	dxj.docx	type = file_type	1	Fn
Get Info	tob.ico	type = file_attributes	1	Fn
Get Info	tob.ico	type = file_type	1	Fn
Get Info	guv.xl	type = file_attributes	1	Fn
Get Info	guv.xl	type = file_type	1	Fn
Get Info	hjd.mp4	type = file_attributes	1	Fn
Get Info	hjd.mp4	type = file_type	1	Fn
Get Info	ain.icm	type = file_attributes	1	Fn
Get Info	ain.icm	type = file_type	1	Fn
Get Info	ugv.icm	type = file_attributes	1	Fn
Get Info	ugv.icm	type = file_type	1	Fn
Get Info	cih.exe	type = file_attributes	1	Fn
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 8192, size_out = 8192	12	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 7, size_out = 7	6	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 1048560, size_out = 934137	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 6, size_out = 6	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 28, size_out = 28	2	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 37, size_out = 37	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 2708, size_out = 2708	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 0, size_out = 0	17	Fn
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 7, size_out = 7	56	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 1048560, size_out = 934137	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 6, size_out = 6	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 28, size_out = 28	2	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 37, size_out = 37	40	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 32768, size_out = 32768	2	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 32736, size_out = 32736	22	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 10894, size_out = 10894	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 0, size_out = 0	1706	Fn
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 9115, size_out = 9115	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 32, size_out = 32	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 5087, size_out = 5087	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 476, size_out = 476	3	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 36, size_out = 36	7	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 427, size_out = 427	2	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 425, size_out = 425	2	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 452, size_out = 452	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 411, size_out = 411	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 38, size_out = 38	2	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 499, size_out = 499	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 416, size_out = 416	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 506, size_out = 506	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 459, size_out = 459	2	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 486, size_out = 486	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 446, size_out = 446	2	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 469, size_out = 469	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 432, size_out = 432	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 449, size_out = 449	2	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 437, size_out = 437	3	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 428, size_out = 428	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 424, size_out = 424	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 445, size_out = 445	2	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 426, size_out = 426	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 412, size_out = 412	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 470, size_out = 470	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 468, size_out = 468	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 435, size_out = 435	2	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 419, size_out = 419	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 444, size_out = 444	2	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 429, size_out = 429	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 421, size_out = 421	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 467, size_out = 467	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 448, size_out = 448	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 456, size_out = 456	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 439, size_out = 439	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 526, size_out = 526	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 462, size_out = 462	1	Fn Data
Read	C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	size = 447, size_out = 447	1	Fn Data
Write	hin.ppt	size = 771181	1	Fn Data
Write	cvn-nhc	size = 3022508	1	Fn
Write	cih.exe	size = 65536	8	Fn Data
Write	cih.exe	size = 2560	2	Fn Data
Write	cih.exe	size = 1792	1	Fn Data
Write	cih.exe	size = 5888	1	Fn Data
Write	cih.exe	size = 768	1	Fn Data
Write	cih.exe	size = 37632	1	Fn Data
Write	cih.exe	size = 8960	1	Fn Data
Write	cih.exe	size = 1536	1	Fn Data
Write	cih.exe	size = 256	1	Fn Data
Write	cih.exe	size = 1024	3	Fn Data
Write	cih.exe	size = 28672	1	Fn Data
Write	cih.exe	size = 95232	1	Fn Data
Write	cih.exe	size = 512	1	Fn Data
Write	cih.exe	size = 7168	1	Fn Data
Write	cih.exe	size = 16896	1	Fn Data
Write	cih.exe	size = 4864	1	Fn Data
Write	cih.exe	size = 7664	1	Fn Data
Write	jdl.jpg	size = 593	1	Fn Data
Write	vqm.xl	size = 525	1	Fn Data
Write	bcu.mp4	size = 521	1	Fn Data
Write	rnr.mp3	size = 556	1	Fn Data
Write	cvg.mp4	size = 505	1	Fn Data
Write	chm.docx	size = 614	1	Fn Data
Write	vua.jpg	size = 509	1	Fn Data
Write	oxl.ico	size = 520	1	Fn Data
Write	fun.mp4	size = 633	1	Fn Data
Write	fqv.xl	size = 567	1	Fn Data
Write	hgu.ico	size = 569	1	Fn Data
Write	brh.ppt	size = 597	1	Fn Data
Write	xqa.mp4	size = 551	1	Fn Data
Write	jub.bmp	size = 574	1	Fn Data
Write	jgu.bmp	size = 532	1	Fn Data
Write	tik.icm	size = 550	1	Fn Data
Write	wjv.pdf	size = 539	1	Fn Data
Write	nvl.xl	size = 526	1	Fn Data
Write	xfg.dat	size = 520	1	Fn Data
Write	aqa.bmp	size = 557	1	Fn Data
Write	rnj.mp3	size = 547	1	Fn Data
Write	eff.icm	size = 522	1	Fn Data
Write	isi.xl	size = 507	1	Fn Data
Write	upe.mp3	size = 578	1	Fn Data
Write	fpo.xl	size = 581	1	Fn Data
Write	wlk.pdf	size = 536	1	Fn Data
Write	nlb.pdf	size = 541	1	Fn Data
Write	emv.bmp	size = 511	1	Fn Data
Write	raq.jpg	size = 514	1	Fn Data
Write	nep.mp4	size = 589	1	Fn Data
Write	neo.ico	size = 551	1	Fn Data
Write	wxv.mp4	size = 526	1	Fn Data
Write	beb.ppt	size = 530	1	Fn Data
Write	als.txt	size = 512	1	Fn Data
Write	jkg.txt	size = 588	1	Fn Data
Write	idv.xl	size = 550	1	Fn Data
Write	erk.ico	size = 576	1	Fn Data
Write	jfo.dat	size = 556	1	Fn Data
Write	pac.ppt	size = 564	1	Fn Data
Write	okk.pdf	size = 538	1	Fn Data
Write	dxj.docx	size = 651	1	Fn Data
Write	tob.ico	size = 575	1	Fn Data
Write	guv.xl	size = 550	1	Fn Data
Write	hjd.mp4	size = 543	1	Fn Data
Write	ain.icm	size = 532	1	Fn Data
Write	ugv.icm	size = 549	1	Fn Data
Delete	__tmp_rar_sfx_access_check_18052931		1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe	show_window = SW_SHOWNORMAL		1	Fn

Module (7)

Operation	Module	Additional Information	Count	Logfile
Load	riched32.dll	base_address = 0x72980000	1	Fn
Load	riched20.dll	base_address = 0x6d740000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x769e0000	1	Fn
Get Handle	c:\users\eebsym5\desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe	base_address = 0x400000	2	Fn
Get Filename		process_name = c:\users\eebsym5\desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 1024	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetDllDirectoryW, address_out = 0x76a6c7cf	1	Fn

Window (2)

Operation	Window Name	Additional Information	Success	Count	Logfile
Set Attribute		index = 18446744073709551600, new_long = 1342341248		1	Fn

System (1877)

Operation	Additional Information	Count	Logfile
Get Time	type = Ticks, time = 52868	20	Fn
Get Time	type = Ticks, time = 52931	1	Fn
Get Time	type = System Time, time = 2017-10-04 02:23:35 (UTC)	1	Fn
Get Time	type = Ticks, time = 53024	4	Fn
Get Time	type = Ticks, time = 53040	30	Fn
Get Time	type = Ticks, time = 53055	1	Fn
Get Time	type = Ticks, time = 53071	63	Fn
Get Time	type = Ticks, time = 53087	109	Fn
Get Time	type = Ticks, time = 53149	1	Fn
Get Time	type = Ticks, time = 53196	4	Fn
Get Time	type = Ticks, time = 53211	37	Fn
Get Time	type = Ticks, time = 53227	19	Fn
Get Time	type = Ticks, time = 53243	37	Fn
Get Time	type = Ticks, time = 53258	72	Fn
Get Time	type = Ticks, time = 53274	61	Fn
Get Time	type = Ticks, time = 53289	32	Fn
Get Time	type = Ticks, time = 53305	68	Fn
Get Time	type = Ticks, time = 53321	76	Fn
Get Time	type = Ticks, time = 53336	66	Fn
Get Time	type = Ticks, time = 53352	70	Fn
Get Time	type = Ticks, time = 53367	60	Fn
Get Time	type = Ticks, time = 53383	79	Fn
Get Time	type = Ticks, time = 53399	71	Fn
Get Time	type = Ticks, time = 53414	33	Fn
Get Time	type = Ticks, time = 53430	71	Fn
Get Time	type = Ticks, time = 53445	66	Fn
Get Time	type = Ticks, time = 53461	69	Fn
Get Time	type = Ticks, time = 53477	70	Fn
Get Time	type = Ticks, time = 53492	69	Fn
Get Time	type = Ticks, time = 53508	34	Fn
Get Time	type = Ticks, time = 53523	61	Fn
Get Time	type = Ticks, time = 53539	47	Fn
Get Time	type = Ticks, time = 53555	67	Fn
Get Time	type = Ticks, time = 53570	19	Fn
Get Time	type = Ticks, time = 53586	73	Fn
Get Time	type = Ticks, time = 53601	83	Fn
Get Time	type = Ticks, time = 53617	68	Fn
Get Time	type = Ticks, time = 53633	64	Fn
Get Info	type = Operating System	1	Fn

Environment (2)

Operation	Additional Information	Success	Count	Logfile
Set Environment String	name = sfxcmd, value = "C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe"		1	Fn
Set Environment String	name = sfxname, value = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe		1	Fn

Process #2: cih.exe

(Host: 256, Network: 0)

Information	Value
ID	#2
File Name	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe
Command Line	"C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe" cvn-nhc
Initial Working Directory	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\
Monitor	Start Time: 00:00:16, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:55

OS Process Information

Information	Value
PID	0xa20
Parent PID	0xa00 (c:\users\eebsym5\desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A24 0x A28 0x A2C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000080000	0x00080000	0x00081fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000090000	0x00090000	0x0048ffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x00490000	0x004f6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000500000	0x00500000	0x005c7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005d0000	0x005d0000	0x006aefff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006b0000	0x006b0000	0x006b0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000006c0000	0x006c0000	0x006c6fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000006d0000	0x006d0000	0x006dffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000006e0000	0x006e0000	0x007e0fff	Pagefile Backed Memory	Readable	Region Actions
rpcss.dll	0x007f0000	0x0084bfff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000007f0000	0x007f0000	0x007f1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000800000	0x00800000	0x00800fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000810000	0x00810000	0x0088ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000890000	0x00890000	0x0089ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000890000	0x00890000	0x00896fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000008a0000	0x008a0000	0x008a6fff	Pagefile Backed Memory	Readable, Writable	Region Actions
cih.exe	0x008b0000	0x0097bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000980000	0x00980000	0x00a7ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000aa0000	0x00aa0000	0x00e9ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000ea0000	0x00ea0000	0x01a9ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001c00000	0x01c00000	0x01c0ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001c10000	0x01c10000	0x01deffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x01df0000	0x020befff	Memory Mapped File	Readable	Region Actions
private_0x00000000020e0000	0x020e0000	0x024dffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000024e0000	0x024e0000	0x028d2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000029e0000	0x029e0000	0x02ddffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002de0000	0x02de0000	0x02ffffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002de0000	0x02de0000	0x02f9cfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002fc0000	0x02fc0000	0x02ffffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000003000000	0x03000000	0x031fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000003310000	0x03310000	0x0341ffff	Private Memory	Readable, Writable	Region Actions Download Dump
winmm.dll	0x6e3b0000	0x6e3e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x718d0000	0x718e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsock32.dll	0x72980000	0x72986fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x73a70000	0x73a82fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x73dc0000	0x73dfffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x740c0000	0x7425dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74660000	0x74668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x747c0000	0x747d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75090000	0x7509bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x75110000	0x7511afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75180000	0x7518bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x75190000	0x751b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x751c0000	0x752dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x752e0000	0x75329fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x75360000	0x75371fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75410000	0x75545fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75550000	0x7559dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x755a0000	0x75668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75670000	0x756a4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x756b0000	0x75706fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75710000	0x7572efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75730000	0x757fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75810000	0x7589efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75980000	0x765c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x765d0000	0x765d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x765e0000	0x7667cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76680000	0x767dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x76840000	0x76934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76940000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x769e0000	0x76ab3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76ac0000	0x76b60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x76b70000	0x76d0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76d10000	0x76dbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x76dc0000	0x76fbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76fc0000	0x770fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77100000	0x77104fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77110000	0x77128fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77160000	0x77169fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77170000	0x771eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77200000	0x77200fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\eebsym5\appdata\local\temp\60484525\iwlwk	271.35 KB (277864 bytes)	MD5: 1ddc15ba0f5ad90873d42c41f4a2abc3 SHA1: 4cc438d56cd0317c3cd75f6630f2ce4ce4b31ca0 SHA256: c1492aca20af26af0c906dc391b808f2b227904a8948aa7b34caeddb70fc83cb		File Actions Show Properties Download

Host Behavior

File (171)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	type = file_type	1	Fn
Get Info	.	type = file_attributes	1	Fn
Get Info	ain.icm	type = file_attributes	1	Fn
Get Info	als.txt	type = file_attributes	1	Fn
Get Info	aqa.bmp	type = file_attributes	1	Fn
Get Info	bcu.mp4	type = file_attributes	1	Fn
Get Info	beb.ppt	type = file_attributes	1	Fn
Get Info	brh.ppt	type = file_attributes	1	Fn
Get Info	chm.docx	type = file_attributes	1	Fn
Get Info	cih.exe	type = file_attributes	1	Fn
Get Info	cvg.mp4	type = file_attributes	1	Fn
Get Info	cvn-nhc	type = file_attributes	1	Fn
Get Info	dxj.docx	type = file_attributes	1	Fn
Get Info	eff.icm	type = file_attributes	1	Fn
Get Info	emv.bmp	type = file_attributes	1	Fn
Get Info	erk.ico	type = file_attributes	1	Fn
Get Info	fpo.xl	type = file_attributes	1	Fn
Get Info	fqv.xl	type = file_attributes	1	Fn
Get Info	fun.mp4	type = file_attributes	1	Fn
Get Info	guv.xl	type = file_attributes	1	Fn
Get Info	hgu.ico	type = file_attributes	1	Fn
Get Info	hin.ppt	type = file_attributes	1	Fn
Get Info	hjd.mp4	type = file_attributes	1	Fn
Get Info	idv.xl	type = file_attributes	1	Fn
Get Info	isi.xl	type = file_attributes	1	Fn
Get Info	jdl.jpg	type = file_attributes	1	Fn
Get Info	jfo.dat	type = file_attributes	1	Fn
Get Info	jgu.bmp	type = file_attributes	1	Fn
Get Info	jkg.txt	type = file_attributes	1	Fn
Get Info	jub.bmp	type = file_attributes	1	Fn
Get Info	neo.ico	type = file_attributes	1	Fn
Get Info	nep.mp4	type = file_attributes	1	Fn
Get Info	nlb.pdf	type = file_attributes	1	Fn
Get Info	nvl.xl	type = file_attributes	1	Fn
Get Info	okk.pdf	type = file_attributes	1	Fn
Get Info	oxl.ico	type = file_attributes	1	Fn
Get Info	pac.ppt	type = file_attributes	1	Fn
Get Info	raq.jpg	type = file_attributes	1	Fn
Get Info	rnj.mp3	type = file_attributes	1	Fn
Get Info	rnr.mp3	type = file_attributes	1	Fn
Get Info	tik.icm	type = file_attributes	1	Fn
Get Info	tob.ico	type = file_attributes	1	Fn
Get Info	ugv.icm	type = file_attributes	1	Fn
Get Info	upe.mp3	type = file_attributes	1	Fn
Get Info	vqm.xl	type = file_attributes	1	Fn
Get Info	vua.jpg	type = file_attributes	1	Fn
Get Info	wjv.pdf	type = file_attributes	1	Fn
Get Info	wlk.pdf	type = file_attributes	1	Fn
Get Info	wxv.mp4	type = file_attributes	1	Fn
Get Info	xfg.dat	type = file_attributes	1	Fn
Get Info	xqa.mp4	type = file_attributes	1	Fn
Open	STD_INPUT_HANDLE		2	Fn
Open	STD_OUTPUT_HANDLE		1	Fn
Open	STD_ERROR_HANDLE		1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	size = 65536, size_out = 65536	92	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	size = 65536, size_out = 8772	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	size = 53248, size_out = 0	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	size = 65536, size_out = 20	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	size = 61440, size_out = 0	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	size = 65536, size_out = 7852	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc	size = 65536, size_out = 0	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	size = 65536, size_out = 65536	12	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	size = 65536, size_out = 50285	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	size = 65536, size_out = 0	1	Fn

Registry (3)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Control Panel\Mouse		1	Fn
Open Key	HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt		1	Fn
Read Value	HKEY_CURRENT_USER\Control Panel\Mouse	value_name = SwapMouseButtons, data = 48	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	os_pid = 0xa30, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL		1	Fn

Module (17)

Operation	Module	Additional Information	Count	Logfile
Load	kernel32.dll	base_address = 0x769e0000	1	Fn
Load	uxtheme.dll	base_address = 0x73dc0000	1	Fn
Load	user32.dll	base_address = 0x755a0000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x769e0000	2	Fn
Get Handle	mscoree.dll	base_address = 0x0	1	Fn
Get Filename		process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe, size = 260	3	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsAlloc, address_out = 0x76a3418d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsGetValue, address_out = 0x76a31e16	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsSetValue, address_out = 0x76a376e6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsFree, address_out = 0x76a31f61	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsWow64Process, address_out = 0x76a24785	1	Fn
Get Address	c:\windows\system32\uxtheme.dll	function = IsThemeActive, address_out = 0x73dcf785	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CallWindowProc, address_out = 0x0	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CallWindowProcA, address_out = 0x755d2bd3	1	Fn

Window (2)

Operation	Window Name	Additional Information	Success	Count	Logfile
Create	AutoIt v3	class_name = AutoIt v3, wndproc_parameter = 0		1	Fn

System (6)

Operation	Additional Information	Count	Logfile
Sleep	duration = 750 milliseconds (0.750 seconds)	1	Fn
Get Time	type = System Time, time = 2017-10-04 02:23:36 (UTC)	1	Fn
Get Time	type = Ticks, time = 54132	1	Fn
Get Time	type = System Time, time = 2017-10-04 02:23:37 (UTC)	1	Fn
Get Info	type = Operating System	1	Fn
Get Info	type = Hardware Information	1	Fn

Environment (1)

Operation	Additional Information	Success	Count	Logfile
Get Environment String			1	Fn Data

Ini (3)

Operation	Filename	Additional Information	Count	Logfile
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = Dir, data_out = 60484525	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = sK, data_out = 228	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = sN, data_out = rpi.qcn	1	Fn

Debug (1)

Operation	Process	Additional Information	Success	Count	Logfile
Check for Presence	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe			1	Fn

Process #3: cih.exe

(Host: 371, Network: 0)

Information	Value
ID	#3
File Name	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe
Command Line	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK
Initial Working Directory	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\
Monitor	Start Time: 00:00:16, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:55

OS Process Information

Information	Value
PID	0xa30
Parent PID	0xa20 (c:\users\eebsym5\appdata\local\temp\60484525\cih.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A34 0x A38 0x A3C 0x A40

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x004effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004f0000	0x004f0000	0x005b7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005c0000	0x005c0000	0x006c0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006d0000	0x006d0000	0x006d1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000006e0000	0x006e0000	0x0077ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000006e0000	0x006e0000	0x006e1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006f0000	0x006f0000	0x006f0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000700000	0x00700000	0x00706fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000710000	0x00710000	0x00711fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000720000	0x00720000	0x00720fff	Private Memory	Readable, Writable	Region Actions
tzres.dll	0x00730000	0x00730fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000730000	0x00730000	0x00730fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000740000	0x00740000	0x0077ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000780000	0x00780000	0x00780fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000790000	0x00790000	0x00790fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000007a0000	0x007a0000	0x007a0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000007b0000	0x007b0000	0x007bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000007c0000	0x007c0000	0x0089efff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000008a0000	0x008a0000	0x008a0fff	Private Memory	Readable, Writable, Executable	Region Actions
cih.exe	0x008b0000	0x0097bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcss.dll	0x00980000	0x009dbfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000980000	0x00980000	0x009fffff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x00a00000	0x00a3bfff	Memory Mapped File	Readable	Region Actions
rsaenh.dll	0x00a00000	0x00a3bfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000a00000	0x00a00000	0x00a00fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000a40000	0x00a40000	0x00e3ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000e40000	0x00e40000	0x01a3ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01a40000	0x01d0efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001d10000	0x01d10000	0x01e0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e30000	0x01e30000	0x0222ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002230000	0x02230000	0x02622fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002630000	0x02630000	0x0273ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002740000	0x02740000	0x0293ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002940000	0x02940000	0x02afcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000029e0000	0x029e0000	0x02ddffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002de0000	0x02de0000	0x02f9cfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002ea0000	0x02ea0000	0x0329ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000032a0000	0x032a0000	0x0345cfff	Private Memory	Readable, Writable	Region Actions Download Dump
winmm.dll	0x6e3b0000	0x6e3e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x718d0000	0x718e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsock32.dll	0x72980000	0x72986fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x73a70000	0x73a82fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x73dc0000	0x73dfffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x740c0000	0x7425dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74660000	0x74668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x747c0000	0x747d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x749b0000	0x749eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74c10000	0x74c25fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75090000	0x7509bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x75110000	0x7511afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75180000	0x7518bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x75190000	0x751b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x751c0000	0x752dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x752e0000	0x75329fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x75360000	0x75371fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75410000	0x75545fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75550000	0x7559dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x755a0000	0x75668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75670000	0x756a4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x756b0000	0x75706fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75710000	0x7572efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75730000	0x757fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75810000	0x7589efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75980000	0x765c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x765d0000	0x765d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x765e0000	0x7667cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76680000	0x767dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x76840000	0x76934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76940000	0x769dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x769e0000	0x76ab3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76ac0000	0x76b60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x76b70000	0x76d0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76d10000	0x76dbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x76dc0000	0x76fbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76fc0000	0x770fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77100000	0x77104fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77110000	0x77128fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77160000	0x77169fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77170000	0x771eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77200000	0x77200fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

File (41)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	type = file_type	1	Fn
Get Info	60484525	type = file_attributes	2	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\spd	type = file_attributes	1	Fn
Get Info	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	type = file_attributes	1	Fn
Get Info	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	type = file_attributes	1	Fn
Open	STD_INPUT_HANDLE		2	Fn
Open	STD_OUTPUT_HANDLE		1	Fn
Open	STD_ERROR_HANDLE		1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	size = 65536, size_out = 65536	8	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	size = 65536, size_out = 15800	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	size = 49152, size_out = 0	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	size = 65536, size_out = 20	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	size = 61440, size_out = 0	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	size = 65536, size_out = 15720	1	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK	size = 65536, size_out = 0	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	size = 65536, size_out = 65536	12	Fn Data
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	size = 65536, size_out = 50285	1	Fn Data
Delete	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK		1	Fn

Registry (5)

Operation	Key	Additional Information	Count	Logfile
Create Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run		1	Fn
Open Key	HKEY_CURRENT_USER\Control Panel\Mouse		1	Fn
Open Key	HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt		1	Fn
Read Value	HKEY_CURRENT_USER\Control Panel\Mouse	value_name = SwapMouseButtons, data = 48	1	Fn
Write Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	value_name = WindowsUpdate, data = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 212, type = REG_SZ	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	os_pid = 0xa4c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE		1	Fn

Thread (3)

Operation	Process	Additional Information	Count	Logfile
Get Context	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	os_tid = 0xa34	1	Fn
Set Context	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	os_tid = 0xa34	1	Fn
Resume	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe	os_tid = 0xa34	1	Fn

Memory (7)

Operation	Process	Additional Information	Count	Logfile
Allocate	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 106496	1	Fn
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	address = 0x400000, size = 4096	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	address = 0x401000, size = 69632	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	address = 0x412000, size = 24576	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	address = 0x418000, size = 4096	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	address = 0x419000, size = 4096	1	Fn Data
Write	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	address = 0x7ffd3008, size = 4	1	Fn Data

Module (48)

Operation	Module	Additional Information	Count	Logfile
Load	kernel32.dll	base_address = 0x769e0000	1	Fn
Load	uxtheme.dll	base_address = 0x73dc0000	1	Fn
Load	Advapi32.dll	base_address = 0x76940000	1	Fn
Load	user32.dll	base_address = 0x755a0000	1	Fn
Load	kernel32	base_address = 0x769e0000	17	Fn
Load	ntdll	base_address = 0x76fc0000	8	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x769e0000	2	Fn
Get Handle	mscoree.dll	base_address = 0x0	1	Fn
Get Filename		process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe, size = 260	2	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsAlloc, address_out = 0x76a3418d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsGetValue, address_out = 0x76a31e16	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsSetValue, address_out = 0x76a376e6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsFree, address_out = 0x76a31f61	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsWow64Process, address_out = 0x76a24785	1	Fn
Get Address	c:\windows\system32\uxtheme.dll	function = IsThemeActive, address_out = 0x73dcf785	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptAcquireContext, address_out = 0x0	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptAcquireContextA, address_out = 0x769491dd	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptCreateHash, address_out = 0x7694df4e	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptHashData, address_out = 0x7694df36	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDeriveKey, address_out = 0x76983188	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDestroyHash, address_out = 0x7694df66	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDecrypt, address_out = 0x76983178	1	Fn
Get Address	c:\windows\system32\user32.dll	function = CallWindowProcW, address_out = 0x755b1b3c	1	Fn

Service (1)

Operation	Additional Information	Success	Count	Logfile
Open Manager	database_name = SERVICES_ACTIVE_DATABASE		1	Fn

Window (2)

Operation	Window Name	Additional Information	Success	Count	Logfile
Create	AutoIt v3	class_name = AutoIt v3, wndproc_parameter = 0		1	Fn

System (235)

Operation	Additional Information	Count	Logfile
Sleep	duration = 750 milliseconds (0.750 seconds)	7	Fn
Sleep	duration = 10 milliseconds (0.010 seconds)	219	Fn
Get Time	type = System Time, time = 2017-10-04 02:23:37 (UTC)	3	Fn
Get Time	type = Ticks, time = 54881	1	Fn
Get Info	type = Operating System	1	Fn
Get Info	type = Hardware Information	1	Fn
Get Info	type = Windows Directory, result_out = C:\Windows	3	Fn

Environment (1)

Operation	Additional Information	Success	Count	Logfile
Get Environment String			1	Fn Data

Ini (22)

Operation	Filename	Additional Information	Count	Logfile
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = Dir, data_out = 60484525	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = msg	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = _S0x20057179D673181B71D4593BFB2A0450	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = VM	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = SandBox	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = duac	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = drpt	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = btklr	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = taskmnrg	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = hSUps	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = StartUps, data_out = lju-0W23JhA138k76msH67J30	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = Key, data_out = WindowsUpdate	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = AuEx, data_out = cvn-nhc	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = ExEc, data_out = cih.exe	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = Down	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = Net	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = eof	2	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = RP, data_out = qkr.xul	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = Keys, data_out = jom	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = fb	1	Fn
Read	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt	section_name = Setting, key_name = btkl	1	Fn

Debug (1)

Operation	Process	Additional Information	Success	Count	Logfile
Check for Presence	c:\users\eebsym5\appdata\local\temp\60484525\cih.exe			1	Fn

Process #4: regsvcs.exe

(Host: 274, Network: 39)

Information	Value
ID	#4
File Name	c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Initial Working Directory	C:\Users\EEBsYm5\AppData\Local\Temp\60484525\
Monitor	Start Time: 00:00:19, Reason: Child Process
Unmonitor	End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration	00:01:52

OS Process Information

Information	Value
PID	0xa4c
Parent PID	0xa30 (c:\users\eebsym5\appdata\local\temp\60484525\cih.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	CRH2YWU7\EEBsYm5
Groups	CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A50 0x A54 0x A58 0x A5C 0x A60 0x A64 0x A68 0x A74 0x A80 0x A84 0x A88 0x A8C 0x AC8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x001effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001f0000	0x001f0000	0x002b7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000002c0000	0x002c0000	0x003c0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000003d0000	0x003d0000	0x003d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003e0000	0x003e0000	0x003e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x003f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x00419fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000460000	0x00460000	0x0055ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000580000	0x00580000	0x0067ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000680000	0x00680000	0x0077ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007e0000	0x007e0000	0x008dffff	Private Memory	Readable, Writable	Region Actions
regsvcs.exe	0x008e0000	0x008edfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000008f0000	0x008f0000	0x014effff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001580000	0x01580000	0x0167ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016b0000	0x016b0000	0x017affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000017b0000	0x017b0000	0x018affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001960000	0x01960000	0x01a5ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01a60000	0x01d2efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001d30000	0x01d30000	0x01efffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001d30000	0x01d30000	0x01e9ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001d30000	0x01d30000	0x01e1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e90000	0x01e90000	0x01e9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ec0000	0x01ec0000	0x01efffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f00000	0x01f00000	0x020fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001f00000	0x01f00000	0x01feffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ff0000	0x01ff0000	0x020effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000020f0000	0x020f0000	0x020fffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000021c0000	0x021c0000	0x022bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002320000	0x02320000	0x0241ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002420000	0x02420000	0x0261ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002460000	0x02460000	0x0255ffff	Private Memory	Readable, Writable	Region Actions Download Dump
msvcp60.dll	0x6d750000	0x6d7b5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winrnr.dll	0x6de10000	0x6de17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pnrpnsp.dll	0x6de20000	0x6de31fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
napinsp.dll	0x6de50000	0x6de5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x6e3b0000	0x6e3e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasadhlp.dll	0x714a0000	0x714a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fwpuclnt.dll	0x73310000	0x73347fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x73670000	0x73676fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x73690000	0x736abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x73890000	0x7389ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdiplus.dll	0x73c30000	0x73dbffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x746f0000	0x746f4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x74a90000	0x74ad3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x74bd0000	0x74c0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75070000	0x7508afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75180000	0x7518bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x751c0000	0x752dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x752e0000	0x75329fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75410000	0x75545fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75550000	0x7559dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x755a0000	0x75668fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75670000	0x756a4fff