Petya/NotPetya/ExPetr | Sequential Behavior

Involved Hosts

Host	Resolved to	Country	City	Protocol
192.168.0.0				TCP
192.168.0.1				TCP
192.168.0.2				TCP
192.168.0.3				TCP

Monitored Processes

Behavior Information - Sequential View

Process #1: Petya.dll

(Host: 493, Network: 23)

Information	Value
ID	#1
File Name	c:\windows\syswow64\agakmvmr.exe
Command Line	"C:\Windows\SysWOW64\AGakmVMR.exe" "C:\Users\HJRD1K~1\Desktop\Petya.dll" #1
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:00:21, Reason: Analysis Target
Unmonitor	End Time: 00:00:58, Reason: Terminated by Timeout
Monitor Duration	00:00:37

OS Process Information

Information	Value
PID	0x948
Parent PID	0x108 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e144 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 94C 0x 950 0x 968 0x 96C 0x 980 0x 994 0x 998 0x 9A8 0x 9AC 0x 9B0 0x 9B8 0x 9BC 0x A44

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x0013dfff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f6fff	Pagefile Backed Memory	Readable, Writable	Region Actions
mpr.dll.mui	0x00140000	0x00140fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001a0000	0x001a0000	0x001dffff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x001e0000	0x0021bfff	Memory Mapped File	Readable	Region Actions
private_0x00000000001e0000	0x001e0000	0x0021ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000230000	0x00230000	0x002affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002d0000	0x002d0000	0x003cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x0042ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000470000	0x00470000	0x0056ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005a0000	0x005a0000	0x0069ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000006b0000	0x006b0000	0x006bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000006c0000	0x006c0000	0x00847fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000850000	0x00850000	0x009d0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000009e0000	0x009e0000	0x00afffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000009e0000	0x009e0000	0x00a1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a70000	0x00a70000	0x00aaffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a80000	0x00a80000	0x00abffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ac0000	0x00ac0000	0x00afffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x00b00000	0x00dcefff	Memory Mapped File	Readable	Region Actions
private_0x0000000000ba0000	0x00ba0000	0x00bdffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e50000	0x00e50000	0x00f4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f50000	0x00f50000	0x0104ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001050000	0x01050000	0x0114ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001060000	0x01060000	0x0109ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001150000	0x01150000	0x0118ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001190000	0x01190000	0x011cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000011e0000	0x011e0000	0x0121ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001220000	0x01220000	0x0131ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001230000	0x01230000	0x0132ffff	Private Memory	Readable, Writable	Region Actions
agakmvmr.exe	0x01390000	0x013adfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000013b0000	0x013b0000	0x027affff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000027d0000	0x027d0000	0x0280ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002800000	0x02800000	0x028fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002830000	0x02830000	0x0292ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002930000	0x02930000	0x02a2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b60000	0x02b60000	0x02c5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002d50000	0x02d50000	0x02e4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ed0000	0x02ed0000	0x02fcffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003080000	0x03080000	0x0317ffff	Private Memory	Readable, Writable	Region Actions
api-ms-win-core-synch-l1-2-0.dll	0x74700000	0x74702fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74710000	0x7476bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74770000	0x747aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntlanman.dll	0x74920000	0x74933fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x74940000	0x74968fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
drprov.dll	0x74970000	0x74977fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x74a30000	0x74a34fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
davclnt.dll	0x74a40000	0x74a56fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x74a60000	0x74a9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
davhlpr.dll	0x74aa0000	0x74aa7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x74ab0000	0x74ac1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscapi.dll	0x74ad0000	0x74adafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x74ae0000	0x74b23fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74ae0000	0x74b1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74b20000	0x74b35fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
adsldpc.dll	0x74b30000	0x74b63fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x74b40000	0x74b83fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dsauth.dll	0x74b70000	0x74b7afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x74b80000	0x74b8efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpsapi.dll	0x74b90000	0x74ba5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
adsldpc.dll	0x74b90000	0x74bc3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
browcli.dll	0x74bb0000	0x74bbcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x74bc0000	0x74bcefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x74bd0000	0x74be8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dsauth.dll	0x74bd0000	0x74bdafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x74be0000	0x74beefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x74bf0000	0x74bf8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpsapi.dll	0x74bf0000	0x74c05fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x74c00000	0x74c10fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
browcli.dll	0x74c10000	0x74c1cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x74c20000	0x74c31fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x74c20000	0x74c2efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x74c30000	0x74c48fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x74c40000	0x74c46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x74c50000	0x74c6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x74c50000	0x74c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x74c60000	0x74c70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
petya.dll	0x74c70000	0x74ccdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
mpr.dll	0x74c80000	0x74c91fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x74ca0000	0x74ca6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x74cb0000	0x74ccbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74dd0000	0x74dd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74e00000	0x74e0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74e10000	0x74e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x74e70000	0x74f7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75150000	0x75d99fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75e00000	0x75f5bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75f60000	0x75ffffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76020000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x762b0000	0x7637bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x76430000	0x76474fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76480000	0x7657ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76580000	0x7661cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76890000	0x768e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x76900000	0x76934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76940000	0x769ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x769f0000	0x769f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x76a00000	0x76b1cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76b20000	0x76b65fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76b70000	0x76b88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76b90000	0x76beffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76bf0000	0x76c7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076eb0000	0x76eb0000	0x76fcefff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076fd0000	0x76fd0000	0x770c9fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x770d0000	0x77278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x77280000	0x7728bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772b0000	0x7742ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007ef9b000	0x7ef9b000	0x7ef9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ef9e000	0x7ef9e000	0x7efa0fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa1000	0x7efa1000	0x7efa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa4000	0x7efa4000	0x7efa6fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa7000	0x7efa7000	0x7efa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Created Files

Filename	File Size	Hash Values	Actions
c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp	55.00 KB (56320 bytes)	MD5: 7e37ab34ecdcc3e77e24522ddfd4852d SHA1: 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf SHA256: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f	File Actions Show Properties Download
c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp	55.00 KB (56320 bytes)	MD5: bfd70118226e2e6391b6a0992f8b5b22 SHA1: 4f9e3810d346b368b7c2437eb4bb040d3f6daed3 SHA256: f8d214080544676394eea8dda1cbd79db436414860e1809cccd56b2da039c724	File Actions Show Properties Download
c:\windows\dllhost.dat	372.87 KB (381816 bytes)	MD5: aeee996fd3484f28e5cd85fe26b6bdcd SHA1: cd23b7c9e0edef184930bc8e0ca2264f0608bcb3 SHA256: f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5	File Actions Show Properties Download
c:\readme.txt	2.11 KB (2164 bytes)	MD5: e0e4d4e05040bae07d42939024791284 SHA1: 4cc56bb43bb7fc38b3640a819e49161b03ec2924 SHA256: d42dffe59c922d99fb0531e9f47e7f4d091d3848318fb0dd89b1e928b43f2785	File Actions Show Properties Download

Modified Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\hjrd1k~1\desktop\petya.dll	353.87 KB (362360 bytes)	MD5: 9a7ffe65e0912f9379ba6e8e0b079fde SHA1: 532bea84179e2336caed26e31805ceaa7eec53dd SHA256: 4b336c3cc9b6c691fe581077e3dd9ea7df3bf48f79e35b05cf87e079ec8e0651		File Actions Show Properties Download

Token Modifications

Action	Attribute	Value
Token attribute value added	Enabled Privileges	SeShutdownPrivilege
Token attribute value added	Enabled Privileges	SeDebugPrivilege

Threads

Thread 0x94c

(Host: 269, Network: 1)

Category	Operation	Information	Count	Logfile
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeShutdownPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeShutdownPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeDebugPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeDebugPrivilege	1	Fn
PROC	OPEN_TOKEN	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE	1	Fn
USER	LOOKUP_PRIVILEGE	server_name = Localhost, privilege = SeTcbPrivilege	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeTcbPrivilege	1	Fn
MOD	GET_FILENAME	file_name = C:\Users\HJRD1K~1\Desktop\Petya.dll	1	Fn
FILE	CREATE	file_name = c:\users\hjrd1k~1\desktop\petya.dll, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = c:\users\hjrd1k~1\desktop\petya.dll, size = 362360	1	Fn Data
FILE	CREATE	file_name = c:\users\hjrd1k~1\desktop\petya.dll, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	CREATE	file_name = c:\users\hjrd1k~1\desktop\petya.dll, desired_access = GENERIC_WRITE, create_disposition = CREATE_ALWAYS	1	Fn
FILE	WRITE	file_name = c:\users\hjrd1k~1\desktop\petya.dll, size = 362360	1	Fn Data
FILE	DELETE	file_name = c:\users\hjrd1k~1\desktop\petya.dll	1	Fn
MOD	LOAD	module_name = KERNEL32.dll, base_address = 0x74e70000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = ConnectNamedPipe, address = 0x74f040fb	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address = 0x74e834b0	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = CreateNamedPipeW, address = 0x74f0414b	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address = 0x74e87a2f	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = DisconnectNamedPipe, address = 0x74f041df	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address = 0x74e8469b	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathW, address = 0x74e9d4dc	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address = 0x74e81222	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileW, address = 0x74e889b3	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibrary, address = 0x74e834c8	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GlobalAlloc, address = 0x74e8588e	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryW, address = 0x74e8492b	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameExW, address = 0x74eabb9e	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFree, address = 0x74e85558	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address = 0x74e87a10	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExW, address = 0x74e81ae5	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address = 0x74e84950	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = DisableThreadLibraryCalls, address = 0x74e848e5	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = ResumeThread, address = 0x74e843ef	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableW, address = 0x74e81b48	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address = 0x74e8196e	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address = 0x74e817d1	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address = 0x74e811a9	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = LoadResource, address = 0x74e8594c	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThread, address = 0x74e817ec	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address = 0x74e81986	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDirectoryW, address = 0x74e85063	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = SizeofResource, address = 0x74e85ac9	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetLocalTime, address = 0x74e85aa6	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = Process32FirstW, address = 0x74ea8baf	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = LockResource, address = 0x74e85959	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = Process32NextW, address = 0x74ea896c	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address = 0x74e81245	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address = 0x74ea828e	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = CreateToolhelp32Snapshot, address = 0x74ea735f	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address = 0x74e81809	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address = 0x74e8186e	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address = 0x74e81856	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address = 0x74e849d7	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address = 0x74e8435f	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = WideCharToMultiByte, address = 0x74e8170d	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetExitCodeProcess, address = 0x74e9174d	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = WaitForMultipleObjects, address = 0x74e84220	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessW, address = 0x74e8103d	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = PeekNamedPipe, address = 0x74f04821	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetTempFileNameW, address = 0x74ead1b6	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = InterlockedExchange, address = 0x74e81462	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address = 0x772d2270	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address = 0x74e8192e	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileA, address = 0x74e853c6	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address = 0x74e8110c	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address = 0x74e834d5	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address = 0x74e82d3c	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address = 0x74e854ee	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileMappingW, address = 0x74e81909	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = LocalAlloc, address = 0x74e8168c	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address = 0x74e84442	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSizeEx, address = 0x74e859e2	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address = 0x74e83f5c	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address = 0x74e810ff	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = FlushViewOfFile, address = 0x74eab909	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetLogicalDrives, address = 0x74e85371	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address = 0x74e81136	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetDriveTypeW, address = 0x74e8418b	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = UnmapViewOfFile, address = 0x74e81826	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = MapViewOfFile, address = 0x74e818f1	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address = 0x74e84435	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address = 0x74e81410	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = DeviceIoControl, address = 0x74e8322f	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address = 0x74e811c0	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDirectoryA, address = 0x74e9b66c	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address = 0x74e83ed3	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address = 0x74e81282	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address = 0x74e814e9	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSection, address = 0x772e2c42	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = HeapReAlloc, address = 0x772f1f6e	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = GetWindowsDirectoryW, address = 0x74e843e2	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address = 0x772d22b0	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address = 0x74e814c9	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointerEx, address = 0x74e9c807	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address = 0x772de026	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = FindResourceW, address = 0x74e85971	1	Fn
MOD	LOAD	module_name = USER32.dll, base_address = 0x76480000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\user32.dll, function = ExitWindowsEx, address = 0x764e1497	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address = 0x764aae5f	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address = 0x764be061	1	Fn
MOD	LOAD	module_name = ADVAPI32.dll, base_address = 0x75f60000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address = 0x75f6dfc8	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextA, address = 0x75f691dd	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = CryptExportKey, address = 0x75f691ea	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextW, address = 0x75f6df14	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = CreateProcessAsUserW, address = 0x75f6c592	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = InitiateSystemShutdownExW, address = 0x75fbdb3a	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = DuplicateTokenEx, address = 0x75f6ca24	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = SetTokenInformation, address = 0x75f69a92	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address = 0x75f7431c	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthorityCount, address = 0x75f70e0c	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = OpenThreadToken, address = 0x75f7432c	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthority, address = 0x75f70e24	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = AdjustTokenPrivileges, address = 0x75f7418e	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = LookupPrivilegeValueW, address = 0x75f741b3	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address = 0x75f74304	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = SetThreadToken, address = 0x75f6c7ce	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateW, address = 0x75fa7481	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = CredFree, address = 0x75f6b2ec	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = SetSecurityDescriptorDacl, address = 0x75f7415e	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = InitializeSecurityDescriptor, address = 0x75f74620	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyKey, address = 0x75f6c51a	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenKey, address = 0x75f68ee9	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address = 0x75f8779b	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = CryptImportKey, address = 0x75f6c532	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = CryptSetKeyParam, address = 0x75f877b3	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address = 0x75f6e124	1	Fn
MOD	LOAD	module_name = SHELL32.dll, base_address = 0x75150000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\shell32.dll, function = CommandLineToArgvW, address = 0x75169ee8	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\shell32.dll, function = SHGetFolderPathW, address = 0x751d5708	1	Fn
MOD	LOAD	module_name = ole32.dll, base_address = 0x75e00000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ole32.dll, function = CoCreateGuid, address = 0x75e415d5	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ole32.dll, function = CoTaskMemFree, address = 0x75e56f41	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ole32.dll, function = StringFromCLSID, address = 0x75e1eb17	1	Fn
MOD	LOAD	module_name = CRYPT32.dll, base_address = 0x76a00000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\crypt32.dll, function = CryptStringToBinaryW, address = 0x76a35f65	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\crypt32.dll, function = CryptBinaryToStringW, address = 0x76a3a546	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\crypt32.dll, function = CryptDecodeObjectEx, address = 0x76a0d718	1	Fn
MOD	LOAD	module_name = SHLWAPI.dll, base_address = 0x76890000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\shlwapi.dll, function = PathAppendW, address = 0x768a81ef	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\shlwapi.dll, function = StrToIntW, address = 0x768a50be	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindFileNameW, address = 0x768abb71	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFileExistsW, address = 0x768a45bf	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\shlwapi.dll, function = StrCmpW, address = 0x768a8277	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\shlwapi.dll, function = StrCmpIW, address = 0x768aa147	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\shlwapi.dll, function = StrChrW, address = 0x768a4640	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\shlwapi.dll, function = StrCatW, address = 0x768ce105	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\shlwapi.dll, function = StrStrW, address = 0x7689e52d	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\shlwapi.dll, function = PathFindExtensionW, address = 0x768aa1b9	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\shlwapi.dll, function = PathCombineW, address = 0x768ac39c	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\shlwapi.dll, function = StrStrIW, address = 0x768a46e9	1	Fn
MOD	LOAD	module_name = IPHLPAPI.DLL, base_address = 0x74cb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\users\hjrd1k~1\desktop\petya.dll, function = GetIpNetTable, address = 0x74cbe52a	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\users\hjrd1k~1\desktop\petya.dll, function = GetAdaptersInfo, address = 0x74cb9263	1	Fn
MOD	LOAD	module_name = WS2_32.dll, base_address = 0x76900000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ws2_32.dll, function = 12, address = 0x7690b131	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ws2_32.dll, function = 52, address = 0x76917673	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ws2_32.dll, function = 151, address = 0x76906a8a	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ws2_32.dll, function = 14, address = 0x76902d57	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ws2_32.dll, function = 10, address = 0x76903084	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ws2_32.dll, function = 4, address = 0x76906bdd	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ws2_32.dll, function = 11, address = 0x7690311b	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ws2_32.dll, function = 18, address = 0x76906989	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ws2_32.dll, function = 16, address = 0x76906b0e	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ws2_32.dll, function = 19, address = 0x76906f01	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ws2_32.dll, function = 9, address = 0x76902d8b	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ws2_32.dll, function = 3, address = 0x76903918	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ws2_32.dll, function = 23, address = 0x76903eb8	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ws2_32.dll, function = 115, address = 0x76903ab2	1	Fn
MOD	LOAD	module_name = MPR.dll, base_address = 0x74c80000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\users\hjrd1k~1\desktop\petya.dll, function = WNetOpenEnumW, address = 0x74c82f06	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\users\hjrd1k~1\desktop\petya.dll, function = WNetEnumResourceW, address = 0x74c83058	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\users\hjrd1k~1\desktop\petya.dll, function = WNetCancelConnection2W, address = 0x74c88cd1	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\users\hjrd1k~1\desktop\petya.dll, function = WNetAddConnection2W, address = 0x74c84744	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\users\hjrd1k~1\desktop\petya.dll, function = WNetCloseEnum, address = 0x74c82dd6	1	Fn
MOD	LOAD	module_name = NETAPI32.dll, base_address = 0x74c60000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\iphlpapi.dll, function = NetServerEnum, address = 0x74c12f61	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\iphlpapi.dll, function = NetApiBufferFree, address = 0x74c513d2	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\iphlpapi.dll, function = NetServerGetInfo, address = 0x74c33cfa	1	Fn
MOD	LOAD	module_name = DHCPSAPI.DLL, base_address = 0x74bf0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\netutils.dll, function = DhcpEnumSubnetClients, address = 0x74bf77b5	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\netutils.dll, function = DhcpRpcFreeMemory, address = 0x74bf79ed	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\netutils.dll, function = DhcpGetSubnetInfo, address = 0x74bf7003	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\netutils.dll, function = DhcpEnumSubnets, address = 0x74bf6b7c	1	Fn
MOD	LOAD	module_name = msvcrt.dll, base_address = 0x76940000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\msvcrt.dll, function = malloc, address = 0x76949cee	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\msvcrt.dll, function = _itoa, address = 0x76964218	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\msvcrt.dll, function = free, address = 0x76949894	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\msvcrt.dll, function = memset, address = 0x76949790	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\msvcrt.dll, function = rand, address = 0x7694c070	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\msvcrt.dll, function = memcpy, address = 0x76949910	1	Fn
FILE	EXIST	file_name = C:\Windows\Petya	1	Fn
FILE	CREATE	file_name = c:\windows\petya, desired_access = GENERIC_WRITE, create_disposition = CREATE_ALWAYS, file_attributes = FILE_FLAG_DELETE_ON_CLOSE	1	Fn
FILE	CREATE	file_name = c:, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
DRV	CONTROL	file_name = c:, control_code = 0x70000	1	Fn
FILE	WRITE	file_name = c:, size = 512	1	Fn Data
FILE	CREATE	file_name = c:, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
DRV	CONTROL	file_name = c:, control_code = 0x560000	1	Fn
FILE	CREATE	file_name = \device\harddisk0\dr0, desired_access = SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
DRV	CONTROL	file_name = \device\harddisk0\dr0, control_code = 0x70048	1	Fn
FILE	CREATE	file_name = \device\harddisk0\dr0, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	READ	file_name = \device\harddisk0\dr0, size = 512	1	Fn Data
FILE	CREATE	file_name = \device\harddisk0\dr0, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	WRITE	file_name = \device\harddisk0\dr0, size = 512	1	Fn Data
FILE	CREATE	file_name = \device\harddisk0\dr0, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	WRITE	file_name = \device\harddisk0\dr0, size = 512	1	Fn Data
FILE	CREATE	file_name = \device\harddisk0\dr0, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	WRITE	file_name = \device\harddisk0\dr0, size = 512	1	Fn Data
FILE	CREATE	file_name = \device\harddisk0\dr0, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	WRITE	file_name = \device\harddisk0\dr0, size = 512	1	Fn Data
FILE	CREATE	file_name = \device\harddisk0\dr0, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	WRITE	file_name = \device\harddisk0\dr0, size = 512	1	Fn Data
FILE	CREATE	file_name = \device\harddisk0\dr0, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	WRITE	file_name = \device\harddisk0\dr0, size = 512	1	Fn Data
FILE	CREATE	file_name = \device\harddisk0\dr0, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	WRITE	file_name = \device\harddisk0\dr0, size = 512	1	Fn Data
FILE	CREATE	file_name = \device\harddisk0\dr0, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	WRITE	file_name = \device\harddisk0\dr0, size = 512	1	Fn Data
FILE	CREATE	file_name = \device\harddisk0\dr0, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	WRITE	file_name = \device\harddisk0\dr0, size = 512	1	Fn Data
FILE	CREATE	file_name = \device\harddisk0\dr0, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	WRITE	file_name = \device\harddisk0\dr0, size = 512	1	Fn Data
FILE	CREATE	file_name = \device\harddisk0\dr0, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	WRITE	file_name = \device\harddisk0\dr0, size = 512	1	Fn Data
FILE	CREATE	file_name = \device\harddisk0\dr0, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	WRITE	file_name = \device\harddisk0\dr0, size = 512	1	Fn Data
FILE	CREATE	file_name = \device\harddisk0\dr0, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	WRITE	file_name = \device\harddisk0\dr0, size = 512	1	Fn Data
FILE	CREATE	file_name = \device\harddisk0\dr0, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	WRITE	file_name = \device\harddisk0\dr0, size = 512	1	Fn Data
FILE	CREATE	file_name = \device\harddisk0\dr0, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	WRITE	file_name = \device\harddisk0\dr0, size = 512	1	Fn Data
FILE	CREATE	file_name = \device\harddisk0\dr0, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	WRITE	file_name = \device\harddisk0\dr0, size = 512	1	Fn Data
FILE	CREATE	file_name = \device\harddisk0\dr0, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	WRITE	file_name = \device\harddisk0\dr0, size = 512	1	Fn Data
FILE	CREATE	file_name = \device\harddisk0\dr0, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	WRITE	file_name = \device\harddisk0\dr0, size = 512	1	Fn Data
FILE	CREATE	file_name = \device\harddisk0\dr0, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	WRITE	file_name = \device\harddisk0\dr0, size = 512	1	Fn Data
FILE	CREATE	file_name = \device\harddisk0\dr0, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	WRITE	file_name = \device\harddisk0\dr0, size = 512	1	Fn Data
FILE	CREATE	file_name = \device\harddisk0\dr0, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	WRITE	file_name = \device\harddisk0\dr0, size = 512	1	Fn Data
FILE	CREATE	file_name = \device\harddisk0\dr0, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
FILE	WRITE	file_name = \device\harddisk0\dr0, size = 512	1	Fn Data
PROC	CREATE	process_name = C:\Windows\system32\cmd.exe, os_tid = 0x964, os_pid = 0x960, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
SYS	SLEEP	duration = 0 milliseconds (0.000 seconds)	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74e70000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address = 0x74e8195e	1	Fn
FILE	CREATE_TMPFILE	file_name = c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp, path = C:\Users\HJRD1K~1\AppData\Local\Temp\	1	Fn
FILE	CREATE	file_name = c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp, desired_access = GENERIC_WRITE, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_HIDDEN	1	Fn
FILE	WRITE	file_name = c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp, size = 56320	1	Fn Data
PROC	CREATE	process_name = C:\Users\HJRD1K~1\AppData\Local\Temp\6B4.tmp, os_tid = 0x974, os_pid = 0x970, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
FILE	CREATE	file_name = c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp, desired_access = GENERIC_WRITE, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_HIDDEN	1	Fn
FILE	WRITE	file_name = c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp, size = 56320	1	Fn Data
FILE	DELETE	file_name = c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp	1	Fn
FILE	CREATE	file_name = c:\windows\dllhost.dat, desired_access = GENERIC_WRITE, create_disposition = CREATE_NEW	1	Fn
FILE	WRITE	file_name = c:\windows\dllhost.dat, size = 381816	1	Fn Data
NET	HOST_GET_INFO		1	Fn
SYS	SLEEP	duration = 0 milliseconds (0.000 seconds)	2	Fn
SYS	SLEEP	duration = 60000 milliseconds (60.000 seconds)	1	Fn
PROC	CREATE	process_name = C:\Windows\system32\cmd.exe, os_tid = 0x9d4, os_pid = 0x9d0, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
SYS	SLEEP	duration = 3000 milliseconds (3.000 seconds)	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x772b0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\ntdll.dll, function = NtRaiseHardError, address = 0x772d15f4	1	Fn

Thread 0x968

(Host: 3, Network: 1)

Category	Operation	Information	Count	Logfile
MOD	LOAD	module_name = iphlpapi.dll, base_address = 0x74cb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\users\hjrd1k~1\desktop\petya.dll, function = GetExtendedTcpTable, address = 0x74cc1a8a	1	Fn
NET	HOST_ENUMERATE		1	Fn
SYS	SLEEP	duration = 180000 milliseconds (180.000 seconds)	1	Fn

Thread 0x96c

(Host: 3, Network: 0)

Category	Operation	Information	Success	Count	Logfile
FILE	CREATE_PIPE	file_name = \device\namedpipe\{0d32ab4e-3bee-44d4-a8cc-67331e9e7f80}, open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, pipe_mode = PIPE_READMODE_MESSAGE, PIPE_TYPE_MESSAGE, max_instances = 1		1	Fn
SYS	SLEEP	duration = 1000 milliseconds (1.000 seconds)		2	Fn

Thread 0x980

(Host: 0, Network: 1)

Category	Operation	Information	Success	Count	Logfile
NET	HOST_GET_INFO			1	Fn

Thread 0x998

(Host: 0, Network: 16)

Category	Operation	Information	Count	Logfile
SCK	CREATE	address_family = AF_INET, type = SOCK_STREAM, protocol = IPPROTO_IP	1	Fn
SCK	CONNECT	remote_address = 192.168.0.0, remote_port = 445	1	Fn
SCK	CREATE	address_family = AF_INET, type = SOCK_STREAM, protocol = IPPROTO_IP	1	Fn
SCK	CONNECT	remote_address = 192.168.0.0, remote_port = 139	1	Fn
SCK	CREATE	address_family = AF_INET, type = SOCK_STREAM, protocol = IPPROTO_IP	1	Fn
SCK	CONNECT	remote_address = 192.168.0.1, remote_port = 445	1	Fn
SCK	CREATE	address_family = AF_INET, type = SOCK_STREAM, protocol = IPPROTO_IP	1	Fn
SCK	CONNECT	remote_address = 192.168.0.1, remote_port = 139	1	Fn
SCK	CREATE	address_family = AF_INET, type = SOCK_STREAM, protocol = IPPROTO_IP	1	Fn
SCK	CONNECT	remote_address = 192.168.0.2, remote_port = 445	1	Fn
SCK	CREATE	address_family = AF_INET, type = SOCK_STREAM, protocol = IPPROTO_IP	1	Fn
SCK	CONNECT	remote_address = 192.168.0.2, remote_port = 139	1	Fn
SCK	CREATE	address_family = AF_INET, type = SOCK_STREAM, protocol = IPPROTO_IP	1	Fn
SCK	CONNECT	remote_address = 192.168.0.3, remote_port = 445	1	Fn
SCK	CREATE	address_family = AF_INET, type = SOCK_STREAM, protocol = IPPROTO_IP	1	Fn
SCK	CONNECT	remote_address = 192.168.0.3, remote_port = 139	1	Fn

Thread 0x9a8

(Host: 3, Network: 1)

Category	Operation	Information	Count	Logfile
SHARE	ENUMERATE_CONNECTIONS		1	Fn
SYS	SLEEP	duration = 0 milliseconds (0.000 seconds)	1	Fn
SYS	SLEEP	duration = 10000 milliseconds (10.000 seconds)	2	Fn

Thread 0x9ac

(Host: 2, Network: 2)

Category	Operation	Information	Count	Logfile
SYS	SLEEP	duration = 0 milliseconds (0.000 seconds)	1	Fn
SCK	CREATE	address_family = AF_INET, type = SOCK_STREAM, protocol = IPPROTO_TCP	1	Fn
SCK	CONNECT	remote_address = 192.168.0.1, remote_port = 445	1	Fn
SYS	SLEEP	duration = 10000 milliseconds (10.000 seconds)	1	Fn

Thread 0x9b0

(Host: 213, Network: 0)

Category	Operation	Information	Count	Logfile
FILE	FIND	file_name = C:\*	1	Fn
FILE	FIND	file_name = C:\$Recycle.Bin\*	1	Fn
FILE	FIND	file_name = C:\$Recycle.Bin\S-1-5-21-1463843789-3877896393-3178144628-1000\*	1	Fn
FILE	FIND	file_name = C:\Boot\*	1	Fn
FILE	FIND	file_name = C:\Boot\cs-CZ\*	1	Fn
FILE	FIND	file_name = C:\Boot\da-DK\*	1	Fn
FILE	FIND	file_name = C:\Boot\de-DE\*	1	Fn
FILE	FIND	file_name = C:\Boot\el-GR\*	1	Fn
FILE	FIND	file_name = C:\Boot\en-US\*	1	Fn
FILE	FIND	file_name = C:\Boot\es-ES\*	1	Fn
FILE	FIND	file_name = C:\Boot\fi-FI\*	1	Fn
FILE	FIND	file_name = C:\Boot\Fonts\*	1	Fn
FILE	FIND	file_name = C:\Boot\fr-FR\*	1	Fn
FILE	FIND	file_name = C:\Boot\hu-HU\*	1	Fn
FILE	FIND	file_name = C:\Boot\it-IT\*	1	Fn
FILE	FIND	file_name = C:\Boot\ja-JP\*	1	Fn
FILE	FIND	file_name = C:\Boot\ko-KR\*	1	Fn
FILE	FIND	file_name = C:\Boot\nb-NO\*	1	Fn
FILE	FIND	file_name = C:\Boot\nl-NL\*	1	Fn
FILE	FIND	file_name = C:\Boot\pl-PL\*	1	Fn
FILE	FIND	file_name = C:\Boot\pt-BR\*	1	Fn
FILE	FIND	file_name = C:\Boot\pt-PT\*	1	Fn
FILE	FIND	file_name = C:\Boot\ru-RU\*	1	Fn
FILE	FIND	file_name = C:\Boot\sv-SE\*	1	Fn
FILE	FIND	file_name = C:\Boot\tr-TR\*	1	Fn
FILE	FIND	file_name = C:\Boot\zh-CN\*	1	Fn
FILE	FIND	file_name = C:\Boot\zh-HK\*	1	Fn
FILE	FIND	file_name = C:\Boot\zh-TW\*	1	Fn
FILE	CREATE	file_name = c:\bootsect.bak, desired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = OPEN_EXISTING	1	Fn
FILE	FIND	file_name = C:\PerfLogs\*	1	Fn
FILE	FIND	file_name = C:\PerfLogs\Admin\*	1	Fn
FILE	FIND	file_name = C:\Program Files\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\en-US\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\MSInfo\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\Stationery\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\TextConv\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\Triedit\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\VC\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Microsoft Shared\VGX\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\Services\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\SpeechEngines\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\SpeechEngines\Microsoft\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\System\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\System\ado\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\System\ado\en-US\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\System\en-US\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\System\msadc\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\System\msadc\en-US\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\System\Ole DB\*	1	Fn
FILE	FIND	file_name = C:\Program Files\Common Files\System\Ole DB\en-US\*	1	Fn
FILE	FIND	file_name = C:\Program Files\DVD Maker\*	1	Fn
FILE	FIND	file_name = C:\Program Files\DVD Maker\en-US\*	1	Fn
FILE	FIND	file_name = C:\Program Files\DVD Maker\Shared\*	1	Fn
FILE	FIND	file_name = C:\Program Files\DVD Maker\Shared\DvdStyles\*	1	Fn
FILE	FIND	file_name = C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\*	1	Fn
FILE	FIND	file_name = C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\*	1	Fn
FILE	FIND	file_name = C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\*	1	Fn
FILE	FIND	file_name = C:\Program Files\DVD Maker\Shared\DvdStyles\Full\*	1	Fn
FILE	FIND	file_name = C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\*	1	Fn
FILE	FIND	file_name = C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\*	1	Fn
FILE	FIND	file_name = C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\*	1	Fn
FILE	FIND	file_name = C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\*	1	Fn
FILE	FIND	file_name = C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\*	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x2b0000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x2b0000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x2b0000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x2b0000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x2b0000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x2b0000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x2b0000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x2b0000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x2b0000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x2b0000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x2b0000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x190000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x2b0000	1	Fn
FILE	CRYPT		1	Fn
MOD	UNMAP	process_name = c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, base_address = 0x2b0000	1	Fn
SYS	SLEEP	duration = 0 milliseconds (0.000 seconds)	1	Fn
FILE	CREATE	file_name = c:\readme.txt, desired_access = GENERIC_WRITE, create_disposition = CREATE_ALWAYS	1	Fn
FILE	WRITE	file_name = c:\readme.txt, size = 1074	1	Fn Data
FILE	WRITE	file_name = c:\readme.txt, size = 76	1	Fn Data
FILE	WRITE	file_name = c:\readme.txt, size = 142	1	Fn Data
FILE	WRITE	file_name = c:\readme.txt, size = 56	1	Fn Data
FILE	WRITE	file_name = c:\readme.txt, size = 72	1	Fn Data
FILE	WRITE	file_name = c:\readme.txt, size = 744	1	Fn Data

Thread 0x9bc

(Host: 0, Network: 1)

Category	Operation	Information	Success	Count	Logfile
SHARE	CONNECT			1	Fn

Process #2: cmd.exe

(Host: 39, Network: 0)

Information	Value
ID	#2
File Name	c:\windows\syswow64\cmd.exe
Command Line	/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 17:15
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:00:35, Reason: Child Process
Unmonitor	End Time: 00:00:40, Reason: Terminated
Monitor Duration	00:00:05

OS Process Information

Information	Value
PID	0x960
Parent PID	0x948 (c:\windows\syswow64\agakmvmr.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e144 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 964

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
cmd.exe.mui	0x000e0000	0x000fffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001b0000	0x001b0000	0x002affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000390000	0x00390000	0x0040ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004f0000	0x004f0000	0x005effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000730000	0x00730000	0x0073ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000740000	0x00740000	0x008c7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000008d0000	0x008d0000	0x00a50fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000a60000	0x00a60000	0x01e5ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01e60000	0x0212efff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x49ef0000	0x49f3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74710000	0x7476bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74770000	0x747aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x74aa0000	0x74aa6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74dd0000	0x74dd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74e00000	0x74e0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74e10000	0x74e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x74e70000	0x74f7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75f60000	0x75ffffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76020000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x762b0000	0x7637bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76480000	0x7657ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76580000	0x7661cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76940000	0x769ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76b20000	0x76b65fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76b70000	0x76b88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76b90000	0x76beffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76bf0000	0x76c7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076eb0000	0x76eb0000	0x76fcefff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076fd0000	0x76fd0000	0x770c9fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x770d0000	0x77278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772b0000	0x7742ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Token Modifications

Action	Attribute	Value
Token attribute value added	Enabled Privileges	SeShutdownPrivilege, SeDebugPrivilege

Threads

Thread 0x964

(Host: 39, Network: 0)

Category	Operation	Information	Count	Logfile
MOD	GET_HANDLE	module_name = c:\windows\syswow64\cmd.exe, base_address = 0x49ef0000	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74e70000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address = 0x74e9a84f	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
FILE	OPEN	file_name = STD_OUTPUT_HANDLE	3	Fn
FILE	OPEN	file_name = STD_INPUT_HANDLE	2	Fn
REG	OPEN_KEY	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data_ident_out = 0	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data_ident_out = 1	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data_ident_out = 1	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data_ident_out = 0	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data_ident_out = 64	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data_ident_out = 64	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data_ident_out = 64	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data_ident_out = 64	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data_ident_out = 1	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data_ident_out = 1	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data_ident_out = 0	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data_ident_out = 9	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data_ident_out = 9	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data_ident_out = 9	1	Fn
MOD	GET_FILENAME	file_name = C:\Windows\SysWOW64\cmd.exe	1	Fn
FILE	FIND	file_name = C:\Windows\system32	1	Fn
FILE	FIND	file_name = C:\Windows	1	Fn
FILE	FIND	file_name = C:\Windows\system32	1	Fn
FILE	FIND	file_name = C:\Windows\System32	1	Fn
PROC	SET_CURDIR	process_name = c:\windows\syswow64\cmd.exe, os_pid = 0x960, new_path_name = c:\windows\system32	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74e70000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address = 0x74ea3b92	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address = 0x74e84a5d	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address = 0x74e9a79d	1	Fn
PROC	CREATE	process_name = C:\Windows\system32\schtasks.exe, os_tid = 0x9a0, os_pid = 0x99c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, current_directory = C:\Windows\system32, show_window = SW_SHOWNORMAL	1	Fn
FILE	OPEN	file_name = STD_OUTPUT_HANDLE	2	Fn
FILE	OPEN	file_name = STD_INPUT_HANDLE	1	Fn

Process #3: 6b4.tmp

(Host: 801, Network: 0)

Information	Value
ID	#3
File Name	c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp
Command Line	"C:\Users\HJRD1K~1\AppData\Local\Temp\6B4.tmp" \\.\pipe\{0D32AB4E-3BEE-44D4-A8CC-67331E9E7F80}
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:00:35, Reason: Child Process
Unmonitor	End Time: 00:00:40, Reason: Terminated
Monitor Duration	00:00:05

OS Process Information

Information	Value
PID	0x970
Parent PID	0x948 (c:\windows\syswow64\agakmvmr.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e144 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 974

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00040000	0x000a6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000b0000	0x000b0000	0x001affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001c0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000220000	0x00220000	0x0031ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003b0000	0x003b0000	0x003bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004a0000	0x004a0000	0x0059ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005a0000	0x005a0000	0x00727fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000760000	0x00760000	0x0076ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000770000	0x00770000	0x008f0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000900000	0x00900000	0x01cfffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001d00000	0x01d00000	0x01e67fff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01d00000	0x01fcefff	Memory Mapped File	Readable	Region Actions
kernel32.dll	0x76eb0000	0x76fcefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76fd0000	0x770c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x770d0000	0x77278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fffe000	0x7fffe000	0x7fffefff	Private Memory	Readable, Writable	Region Actions
6b4.tmp	0x13f060000	0x13f072fff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
bcryptprimitives.dll	0x7fefc550000	0x7fefc59bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x7fefca80000	0x7fefcaa1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd260000	0x7fefd2cafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefd650000	0x7fefd77cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefd910000	0x7fefda18fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7fefdd00000	0x7fefdd70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefdd90000	0x7fefddaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefddb0000	0x7fefde16fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefde20000	0x7fefdefafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefdf50000	0x7fefdfeefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefe090000	0x7fefe158fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe160000	0x7fefe18dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe230000	0x7fefe23dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff3f0000	0x7feff3f0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Token Modifications

Action	Attribute	Value
Token attribute value added	Enabled Privileges	SeShutdownPrivilege, SeDebugPrivilege

Threads

Thread 0x974

(Host: 801, Network: 0)

Category	Operation	Information	Count	Logfile
FILE	OPEN	file_name = STD_INPUT_HANDLE	1	Fn
FILE	OPEN	file_name = STD_OUTPUT_HANDLE	1	Fn
FILE	OPEN	file_name = STD_ERROR_HANDLE	1	Fn
MOD	GET_FILENAME	file_name = C:\Users\HJRD1K~1\AppData\Local\Temp\6B4.tmp	1	Fn
FILE	CREATE	file_name = \device\namedpipe\{0d32ab4e-3bee-44d4-a8cc-67331e9e7f80}, desired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = OPEN_EXISTING	1	Fn
USER	SET_PRIVILEGE	server_name = Localhost, privilege = SeDebugPrivilege, disable_all_privileges = False	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryW, address = 0x76ec6f80	1	Fn
MOD	LOAD	module_name = bcrypt, base_address = 0x7fefca80000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\bcrypt.dll, function = BCryptOpenAlgorithmProvider, address = 0x7fefca82640	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\bcrypt.dll, function = BCryptSetProperty, address = 0x7fefca85160	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\bcrypt.dll, function = BCryptGetProperty, address = 0x7fefca81510	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\bcrypt.dll, function = BCryptGenerateSymmetricKey, address = 0x7fefca81aa0	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\bcrypt.dll, function = BCryptEncrypt, address = 0x7fefca81130	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\bcrypt.dll, function = BCryptDecrypt, address = 0x7fefca81030	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\bcrypt.dll, function = BCryptDestroyKey, address = 0x7fefca816a0	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\bcrypt.dll, function = BCryptCloseAlgorithmProvider, address = 0x7fefca832b0	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
SYS	GET_INFO	type = SYSTEM_PROCESS_INFORMATION	1	Fn
PROC	OPEN	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, desired_access = PROCESS_VM_READ, PROCESS_QUERY_LIMITED_INFORMATION	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
PROC	GET_INFO	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0	1	Fn
MEM	READ	address = 0x7fffffda000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 32	1	Fn Data
MEM	READ	address = 0x77202640, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MEM	READ	address = 0x1024a0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x102336, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 20	1	Fn Data
MEM	READ	address = 0xffb00000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0xffb000f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0xffb000f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x102590, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x771e53f8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 20	1	Fn Data
MEM	READ	address = 0x770d0000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x770d00e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x770d00e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x102910, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x1028e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
MEM	READ	address = 0x76eb0000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x76eb00e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x76eb00e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x102a80, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x102a58, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 30	1	Fn Data
MEM	READ	address = 0x7fefd260000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefd2600f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefd2600f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x1037b0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x103788, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
MEM	READ	address = 0x7fefdf50000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefdf500e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefdf500e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x1039e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x1039b8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
MEM	READ	address = 0x7fefd650000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefd6500f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefd6500f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x103ef0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x103ec8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MEM	READ	address = 0x7fefce00000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefce000f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefce000f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x1177d0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x1177a8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
MEM	READ	address = 0x7fefcc90000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefcc900e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefcc900e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x1178c0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x117758, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MEM	READ	address = 0x7fefdd90000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefdd900e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefdd900e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x1175a0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x117578, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MEM	READ	address = 0x7fefcee0000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefcee00e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefcee00e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x1179b0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x117528, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
MEM	READ	address = 0x7fefde20000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefde200e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefde200e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x117aa0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x1176b8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
MEM	READ	address = 0x76fd0000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x76fd00f8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x76fd00f8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x117b90, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x117708, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 20	1	Fn Data
MEM	READ	address = 0x7fefddb0000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefddb00f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefddb00f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x117c80, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x1161c8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 16	1	Fn Data
MEM	READ	address = 0x7fefe230000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefe2300e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefe2300e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x117dc0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x117d98, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 20	1	Fn Data
MEM	READ	address = 0x7fefe090000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefe0900e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefe0900e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x118980, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x118958, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
MEM	READ	address = 0x7fefcbd0000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefcbd00f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefcbd00f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x119a70, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x118b18, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
MEM	READ	address = 0x7fefcbb0000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefcbb00e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefcbb00e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x119b90, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x118ac8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
MEM	READ	address = 0x7fefd0c0000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefd0c00e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefd0c00e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x119c80, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x118bb8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MEM	READ	address = 0x7fefcb40000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefcb400f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefcb400f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x119d70, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x118b68, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 20	1	Fn Data
MEM	READ	address = 0x7fefe160000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefe1600f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefe1600f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x119e60, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x118c08, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 20	1	Fn Data
MEM	READ	address = 0x7fefd910000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefd9100f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefd9100f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x119f50, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x119068, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
MEM	READ	address = 0x7fefcb30000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefcb300e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefcb300e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11a040, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x1190b8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 20	1	Fn Data
MEM	READ	address = 0x7fefcb00000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefcb000f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefcb000f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11a130, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x118e38, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
MEM	READ	address = 0x7fefcab0000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefcab00f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefcab00f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11a220, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x118cf8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
MEM	READ	address = 0x7fefca80000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefca800f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefca800f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11a310, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x118d98, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MEM	READ	address = 0x74df0000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x74df00b8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x74df00b8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11a400, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x119018, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MEM	READ	address = 0x7fefca20000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefca200e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefca200e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11a4f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x119298, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
MEM	READ	address = 0x7fefc9f0000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc9f00e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc9f00e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11a5e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x1192e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MEM	READ	address = 0x7fefceb0000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefceb00f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefceb00f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11a6d0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x119338, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 28	1	Fn Data
MEM	READ	address = 0x7fefcf10000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefcf100f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefcf100f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11a7c0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x119478, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
MEM	READ	address = 0x7fefc930000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc9300f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc9300f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11a8b0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x119568, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MEM	READ	address = 0x7fefc910000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc9100e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc9100e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11a9a0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x1195b8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
MEM	READ	address = 0x7fefdf00000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefdf000e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefdf000e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11aa90, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x138588, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 16	1	Fn Data
MEM	READ	address = 0x7fefdd80000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefdd800f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefdd800f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11ab80, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x119658, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MEM	READ	address = 0x7fefc8b0000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc8b00e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc8b00e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11ac70, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x1196a8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
MEM	READ	address = 0x7fefc8a0000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc8a00f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc8a00f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11ad60, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x1197e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
MEM	READ	address = 0x7fefc840000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc8400e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc8400e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11ae50, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x119928, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
MEM	READ	address = 0x7fefc790000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc7900e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc7900e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11af40, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x119978, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
MEM	READ	address = 0x7fefc730000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc7300e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc7300e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11b030, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x1199c8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
MEM	READ	address = 0x7fefc700000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc7000e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc7000e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11b120, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x1406c8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
MEM	READ	address = 0x7fefc6a0000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc6a00e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc6a00e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11b210, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x140678, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MEM	READ	address = 0x7fefd0f0000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefd0f00f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefd0f00f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11b300, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x146218, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MEM	READ	address = 0x7fefc660000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc6600e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc6600e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11b3f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x146358, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
MEM	READ	address = 0x7fefc610000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc6100f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc6100f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11b4e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x146498, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 20	1	Fn Data
MEM	READ	address = 0x7fefc5f0000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc5f00e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc5f00e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11b5d0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x1465d8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 20	1	Fn Data
MEM	READ	address = 0x7fefc5a0000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc5a00f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc5a00f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11b6c0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x1486c8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 42	1	Fn Data
MEM	READ	address = 0x7fefc550000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc5500e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc5500e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11b7b0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x118e88, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 32	1	Fn Data
MEM	READ	address = 0x7fefd000000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefd0000e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefd0000e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11b8a0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x1467b8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 28	1	Fn Data
MEM	READ	address = 0x7fefc530000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc5300f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc5300f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x11b990, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x146998, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x176680, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x146a88, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MEM	READ	address = 0x7fefc510000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc5100e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc5100e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x176770, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x173f98, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
MEM	READ	address = 0x7fefcfc0000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefcfc00e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefcfc00e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x176950, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x174448, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
MEM	READ	address = 0x7fefab10000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefab100f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefab100f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x176860, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x174498, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
MEM	READ	address = 0x7fefab00000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefab000f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefab000f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x176a40, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x174768, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
MEM	READ	address = 0x7fefb260000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefb2600e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefb2600e0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x176c20, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x174858, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MEM	READ	address = 0x7fefc3c0000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc3c00e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc3c00e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x176d10, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x1748a8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MEM	READ	address = 0x7fefd020000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefd0200f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefd0200f0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x1773a0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x1d8488, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
MEM	READ	address = 0x7fefc2b0000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc2b00e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefc2b00e8, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
PROC	GET_INFO	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefcc90000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 1470464	1	Fn
MEM	READ	address = 0x7fefcd35ada, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 4	1	Fn Data
MEM	READ	address = 0x7fefcd35ac3, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 4	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefcc90000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 1470464	1	Fn
MEM	READ	address = 0x7fefccffc17, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 4	1	Fn Data
MEM	READ	address = 0x7fefcddc840, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 16	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefccffb9f, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 4	1	Fn Data
MEM	READ	address = 0x7fefcddc830, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 8	1	Fn Data
MEM	READ	address = 0x490000, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 32	1	Fn Data
MEM	READ	address = 0x490020, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 32	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x49003c, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefccffbf5, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 4	1	Fn Data
MEM	READ	address = 0x7fefcde14b0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 8	1	Fn Data
MEM	READ	address = 0x490200, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 32	1	Fn Data
MEM	READ	address = 0x490220, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 32	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x49023c, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 16	1	Fn Data
MEM	READ	address = 0x7fefcdd97c0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 4	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x7fefcddd440, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 8	1	Fn Data
MEM	READ	address = 0x1a1400, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x1762d0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 32	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x1c16a0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
MEM	READ	address = 0x1b9431, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 1	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x1b9430, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 12	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x1b0ec0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x16dfe0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 36	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x186250, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 14	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x16e020, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 12	1	Fn Data
MEM	READ	address = 0x16dfb1, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 1	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x16dfb0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 28	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x1a4540, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x16df50, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 36	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x1860b0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 14	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x16df90, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 12	1	Fn Data
MEM	READ	address = 0x16df21, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 1	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x16df20, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 28	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x192d30, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x181860, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 28	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x1818c0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
MEM	READ	address = 0x185fd1, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 1	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x185fd0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 12	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x16d5b0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x185db0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 16	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x185dd0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 20	1	Fn Data
MEM	READ	address = 0x185df1, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 1	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x185df0, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 12	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x13f590, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MEM	READ	address = 0x1, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 1	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x12ff40, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x134400, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 16	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x134420, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 20	1	Fn Data
MEM	READ	address = 0x12e611, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 1	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MEM	READ	address = 0x12e610, process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 12	1	Fn Data
MOD	GET_HANDLE	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76eb0000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address = 0x76ec47c0	1	Fn
MOD	GET_HANDLE	module_name = mscoree.dll, base_address = 0x0	1	Fn

Process #4: schtasks.exe

(Host: 29, Network: 0)

Information	Value
ID	#4
File Name	c:\windows\syswow64\schtasks.exe
Command Line	schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 17:15
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:00:37, Reason: Child Process
Unmonitor	End Time: 00:00:41, Reason: Terminated
Monitor Duration	00:00:04

OS Process Information

Information	Value
PID	0x99c
Parent PID	0x960 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e144 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 9A0 0x 9A4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
schtasks.exe.mui	0x00070000	0x00081fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000a0000	0x000a0000	0x000a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000b0000	0x000b0000	0x000b0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0010ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00190000	0x001f6fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000210000	0x00210000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x002affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002c0000	0x002c0000	0x002cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000350000	0x00350000	0x003cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003d0000	0x003d0000	0x00557fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000590000	0x00590000	0x0068ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000690000	0x00690000	0x0076efff	Pagefile Backed Memory	Readable	Region Actions
schtasks.exe	0x007b0000	0x007ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000007e0000	0x007e0000	0x00960fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000970000	0x00970000	0x01d6ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01d70000	0x0203efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002040000	0x02040000	0x021bffff	Private Memory	Readable, Writable	Region Actions
uxtheme.dll	0x74680000	0x746fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74710000	0x7476bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74770000	0x747aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
xmllite.dll	0x74980000	0x749aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
taskschd.dll	0x749b0000	0x74a2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74a40000	0x74a48fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ktmw32.dll	0x74a50000	0x74a58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74dd0000	0x74dd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74e00000	0x74e0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74e10000	0x74e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x74e70000	0x74f7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x750c0000	0x75142fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75e00000	0x75f5bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75f60000	0x75ffffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76020000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76110000	0x7619efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x762b0000	0x7637bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76480000	0x7657ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76580000	0x7661cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76890000	0x768e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76940000	0x769ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76b20000	0x76b65fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76b70000	0x76b88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76b90000	0x76beffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76bf0000	0x76c7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076eb0000	0x76eb0000	0x76fcefff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076fd0000	0x76fd0000	0x770c9fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x770d0000	0x77278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772b0000	0x7742ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Token Modifications

Action	Attribute	Value
Token attribute value added	Enabled Privileges	SeShutdownPrivilege, SeDebugPrivilege

Threads

Thread 0x9a0

(Host: 29, Network: 0)

Category	Operation	Information	Count	Logfile
MOD	GET_HANDLE	module_name = c:\windows\syswow64\schtasks.exe, base_address = 0x7b0000	1	Fn
MOD	GET_FILENAME	file_name = C:\Windows\SysWOW64\schtasks.exe	1	Fn
MOD	LOAD	module_name = VERSION.dll, base_address = 0x74a40000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\version.dll, function = GetFileVersionInfoSizeW, address = 0x74a419d9	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\version.dll, function = GetFileVersionInfoW, address = 0x74a419f4	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\version.dll, function = VerQueryValueW, address = 0x74a41b51	1	Fn
MOD	GET_FILENAME	file_name = C:\Windows\SysWOW64\schtasks.exe	1	Fn
COM	CREATE	class_name = TaskScheduler, interface = ITaskService, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
COM	METHOD	class_name = TaskScheduler, interface = ITaskService, method = Connect	1	Fn
COM	METHOD	class_name = TaskScheduler, interface = ITaskService, method = AddRef	1	Fn
COM	METHOD	class_name = TaskScheduler, interface = ITaskService, new_interface = ITaskFolder, method = GetFolder	1	Fn
COM	METHOD	class_name = TaskScheduler, interface = ITaskService, new_interface = ITaskDefinition, method = NewTask	1	Fn
COM	METHOD	class_name = TaskScheduler, interface = ITaskDefinition, new_interface = IActionCollection, method = get_Actions	1	Fn
COM	METHOD	class_name = TaskScheduler, interface = IActionCollection, new_interface = IAction, method = Create	1	Fn
COM	METHOD	class_name = TaskScheduler, interface = ITaskDefinition, new_interface = ITriggerCollection, method = get_Triggers	1	Fn
COM	METHOD	class_name = TaskScheduler, interface = ITriggerCollection, new_interface = ITrigger, method = Create	1	Fn
COM	METHOD	class_name = TaskScheduler, interface = ITrigger, method = put_StartBoundary	1	Fn
COM	METHOD	class_name = TaskScheduler, interface = ITaskDefinition, new_interface = ITaskSettings, method = get_Settings	1	Fn
MOD	LOAD	module_name = ADVAPI32.dll, base_address = 0x75f60000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameW, address = 0x75f7157a	1	Fn
USER	GET_CURRENT	user_name = hJrD1KOKY DS8lUjv	1	Fn
COM	METHOD	class_name = TaskScheduler, interface = ITaskDefinition, new_interface = IRegistrationInfo, method = get_RegistrationInfo	1	Fn
COM	METHOD	class_name = TaskScheduler, interface = IRegistrationInfo, method = put_Author	1	Fn
COM	METHOD	class_name = TaskScheduler, interface = IRegistrationInfo, method = put_Date	1	Fn
COM	METHOD	class_name = TaskScheduler, interface = ITaskFolder, new_interface = IRegisteredTask, method = RegisterTaskDefinition	1	Fn
FILE	OPEN	file_name = STD_OUTPUT_HANDLE	3	Fn
FILE	WRITE	file_name = STD_OUTPUT_HANDLE, size = 62	1	Fn Data

Process #5: taskeng.exe

Information	Value
ID	#5
File Name	c:\windows\system32\taskeng.exe
Command Line	taskeng.exe {0D1FD9A9-3A1B-4884-B8AD-2AF772DB274D} S-1-5-21-1463843789-3877896393-3178144628-1000:1R6PFH\hJrD1KOKY DS8lUjv:Interactive:Highest[1]
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:00:39, Reason: Created Scheduled Job
Unmonitor	End Time: 00:00:58, Reason: Terminated by Timeout
Monitor Duration	00:00:19
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x564
Parent PID	0x35c (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e144 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 5A4 0x 5A0 0x 598 0x 580 0x 570 0x 568 0x A9C

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
taskeng.exe.mui	0x00020000	0x00020fff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000f0000	0x000f0000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000230000	0x00230000	0x002affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002d0000	0x002d0000	0x003cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003d0000	0x003d0000	0x004cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000530000	0x00530000	0x005affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005c0000	0x005c0000	0x005cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005d0000	0x005d0000	0x00757fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000760000	0x00760000	0x008e0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000008f0000	0x008f0000	0x01ceffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001cf0000	0x01cf0000	0x01d6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d70000	0x01d70000	0x01deffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e40000	0x01e40000	0x01ebffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ec0000	0x01ec0000	0x01fbffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01fc0000	0x0228efff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000002290000	0x02290000	0x0236efff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000023d0000	0x023d0000	0x0244ffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll	0x76eb0000	0x76fcefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76fd0000	0x770c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x770d0000	0x77278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
taskeng.exe	0xffc80000	0xffcf3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
tschannel.dll	0x7fef9070000	0x7fef9078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ktmw32.dll	0x7fef9ed0000	0x7fef9ed9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
xmllite.dll	0x7fefb500000	0x7fefb534fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7fefb540000	0x7fefb557fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefb970000	0x7fefb9c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefc610000	0x7fefc656fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefc910000	0x7fefc926fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefcb40000	0x7fefcbacfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefcee0000	0x7fefcf04fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefcf10000	0x7fefcf1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd000000	0x7fefd013fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd260000	0x7fefd2cafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7fefd3f0000	0x7fefd4c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefd650000	0x7fefd77cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefd910000	0x7fefda18fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7fefdd00000	0x7fefdd70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefdd90000	0x7fefddaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefddb0000	0x7fefde16fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefde20000	0x7fefdefafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefdf50000	0x7fefdfeefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefdff0000	0x7fefe088fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefe090000	0x7fefe158fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe160000	0x7fefe18dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe230000	0x7fefe23dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff1d0000	0x7feff3d2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff3f0000	0x7feff3f0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #6: cmd.exe

(Host: 43, Network: 0)

Information	Value
ID	#6
File Name	c:\windows\syswow64\cmd.exe
Command Line	/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:00:50, Reason: Child Process
Unmonitor	End Time: 00:00:54, Reason: Terminated
Monitor Duration	00:00:04

OS Process Information

Information	Value
PID	0x9d0
Parent PID	0x948 (c:\windows\syswow64\agakmvmr.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e144 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 9D4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
cmd.exe.mui	0x000e0000	0x000fffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x0013ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000140000	0x00140000	0x00140fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002d0000	0x002d0000	0x003cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000420000	0x00420000	0x0051ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000520000	0x00520000	0x006a7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000700000	0x00700000	0x0070ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000710000	0x00710000	0x00890fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000008a0000	0x008a0000	0x01c9ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01ca0000	0x01f6efff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x4a080000	0x4a0cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74710000	0x7476bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74770000	0x747aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x74a20000	0x74a26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74dd0000	0x74dd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74e00000	0x74e0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74e10000	0x74e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x74e70000	0x74f7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75f60000	0x75ffffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76020000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x762b0000	0x7637bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76480000	0x7657ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76580000	0x7661cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76940000	0x769ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76b20000	0x76b65fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76b70000	0x76b88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76b90000	0x76beffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76bf0000	0x76c7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076eb0000	0x76eb0000	0x76fcefff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076fd0000	0x76fd0000	0x770c9fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x770d0000	0x77278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772b0000	0x7742ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Token Modifications

Action	Attribute	Value
Token attribute value added	Enabled Privileges	SeShutdownPrivilege, SeDebugPrivilege

Threads

Thread 0x9d4

(Host: 43, Network: 0)

Category	Operation	Information	Count	Logfile
MOD	GET_HANDLE	module_name = c:\windows\syswow64\cmd.exe, base_address = 0x4a080000	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74e70000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address = 0x74e9a84f	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
FILE	OPEN	file_name = STD_OUTPUT_HANDLE	3	Fn
FILE	OPEN	file_name = STD_INPUT_HANDLE	2	Fn
REG	OPEN_KEY	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data_ident_out = 0	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data_ident_out = 1	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data_ident_out = 1	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data_ident_out = 0	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data_ident_out = 64	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data_ident_out = 64	1	Fn
REG	READ_VALUE	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data_ident_out = 64	1	Fn
REG	OPEN_KEY	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data_ident_out = 64	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data_ident_out = 1	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data_ident_out = 1	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data_ident_out = 0	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data_ident_out = 9	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data_ident_out = 9	1	Fn
REG	READ_VALUE	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data_ident_out = 9	1	Fn
MOD	GET_FILENAME	file_name = C:\Windows\SysWOW64\cmd.exe	1	Fn
FILE	FIND	file_name = C:\Windows\system32	1	Fn
FILE	FIND	file_name = C:\Windows	1	Fn
FILE	FIND	file_name = C:\Windows\system32	1	Fn
FILE	FIND	file_name = C:\Windows\System32	1	Fn
PROC	SET_CURDIR	process_name = c:\windows\syswow64\cmd.exe, os_pid = 0x9d0, new_path_name = c:\windows\system32	1	Fn
MOD	GET_HANDLE	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74e70000	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address = 0x74ea3b92	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address = 0x74e84a5d	1	Fn
MOD	GET_PROC_ADDRESS	module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address = 0x74e9a79d	1	Fn
PROC	CREATE	process_name = C:\Windows\system32\wevtutil.exe, os_tid = 0x9e8, os_pid = 0x9e4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, current_directory = C:\Windows\system32, show_window = SW_SHOWNORMAL	1	Fn
PROC	CREATE	process_name = C:\Windows\system32\wevtutil.exe, os_tid = 0x9f4, os_pid = 0x9f0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, current_directory = C:\Windows\system32, show_window = SW_SHOWNORMAL	1	Fn
PROC	CREATE	process_name = C:\Windows\system32\wevtutil.exe, os_tid = 0xa00, os_pid = 0x9fc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, current_directory = C:\Windows\system32, show_window = SW_SHOWNORMAL	1	Fn
PROC	CREATE	process_name = C:\Windows\system32\wevtutil.exe, os_tid = 0xa0c, os_pid = 0xa08, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, current_directory = C:\Windows\system32, show_window = SW_SHOWNORMAL	1	Fn
PROC	CREATE	process_name = C:\Windows\system32\fsutil.exe, os_tid = 0xa18, os_pid = 0xa14, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, current_directory = C:\Windows\system32, show_window = SW_SHOWNORMAL	1	Fn
FILE	OPEN	file_name = STD_OUTPUT_HANDLE	2	Fn
FILE	OPEN	file_name = STD_INPUT_HANDLE	1	Fn

Process #7: wevtutil.exe

Information	Value
ID	#7
File Name	c:\windows\syswow64\wevtutil.exe
Command Line	wevtutil cl Setup
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:00:51, Reason: Child Process
Unmonitor	End Time: 00:00:52, Reason: Terminated
Monitor Duration	00:00:01
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x9e4
Parent PID	0x9d0 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e144 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 9E8 0x 9EC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
wevtutil.exe.mui	0x00030000	0x0003afff	Memory Mapped File	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00101fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000170000	0x00170000	0x001effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000240000	0x00240000	0x0027ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000280000	0x00280000	0x002bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003c0000	0x003c0000	0x004bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005c0000	0x005c0000	0x005cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005d0000	0x005d0000	0x00757fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000760000	0x00760000	0x008e0fff	Pagefile Backed Memory	Readable	Region Actions
wevtutil.exe	0x00e60000	0x00e8cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000e90000	0x00e90000	0x0228ffff	Pagefile Backed Memory	Readable	Region Actions
comctl32.dll	0x744c0000	0x7465dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74710000	0x7476bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74770000	0x747aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x749a0000	0x749e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credui.dll	0x749f0000	0x74a1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74dd0000	0x74dd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74e00000	0x74e0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74e10000	0x74e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x74e70000	0x74f7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75e00000	0x75f5bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75f60000	0x75ffffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76020000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76110000	0x7619efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x762b0000	0x7637bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76480000	0x7657ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76580000	0x7661cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76890000	0x768e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76940000	0x769ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76b20000	0x76b65fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76b70000	0x76b88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76b90000	0x76beffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76bf0000	0x76c7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076eb0000	0x76eb0000	0x76fcefff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076fd0000	0x76fd0000	0x770c9fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x770d0000	0x77278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772b0000	0x7742ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Token Modifications

Action	Attribute	Value
Token attribute value added	Enabled Privileges	SeShutdownPrivilege, SeDebugPrivilege
Token attribute value added	Enabled Privileges	SeSecurityPrivilege
Token attribute value added	Enabled Privileges	SeBackupPrivilege
Token attribute value removed	Enabled Privileges	SeBackupPrivilege
Token attribute value removed	Enabled Privileges	SeSecurityPrivilege

Process #8: wevtutil.exe

Information	Value
ID	#8
File Name	c:\windows\syswow64\wevtutil.exe
Command Line	wevtutil cl System
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:00:51, Reason: Child Process
Unmonitor	End Time: 00:00:53, Reason: Terminated
Monitor Duration	00:00:02
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x9f0
Parent PID	0x9d0 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e144 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 9F4 0x 9F8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
wevtutil.exe.mui	0x00030000	0x0003afff	Memory Mapped File	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000090000	0x00090000	0x00091fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000a0000	0x000a0000	0x000dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x0011ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00120000	0x00186fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001b0000	0x001b0000	0x0022ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002d0000	0x002d0000	0x002dffff	Private Memory	Readable, Writable	Region Actions
wevtutil.exe	0x00330000	0x0035cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000003f0000	0x003f0000	0x004effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004f0000	0x004f0000	0x00677fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000680000	0x00680000	0x00800fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000810000	0x00810000	0x01c0ffff	Pagefile Backed Memory	Readable	Region Actions
comctl32.dll	0x74320000	0x744bdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74710000	0x7476bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74770000	0x747aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x748d0000	0x74911fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credui.dll	0x749c0000	0x749eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74dd0000	0x74dd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74e00000	0x74e0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74e10000	0x74e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x74e70000	0x74f7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75e00000	0x75f5bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75f60000	0x75ffffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76020000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76110000	0x7619efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x762b0000	0x7637bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76480000	0x7657ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76580000	0x7661cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76890000	0x768e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76940000	0x769ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76b20000	0x76b65fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76b70000	0x76b88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76b90000	0x76beffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76bf0000	0x76c7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076eb0000	0x76eb0000	0x76fcefff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076fd0000	0x76fd0000	0x770c9fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x770d0000	0x77278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772b0000	0x7742ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Token Modifications

Action	Attribute	Value
Token attribute value added	Enabled Privileges	SeShutdownPrivilege, SeDebugPrivilege
Token attribute value added	Enabled Privileges	SeSecurityPrivilege
Token attribute value added	Enabled Privileges	SeBackupPrivilege
Token attribute value removed	Enabled Privileges	SeBackupPrivilege
Token attribute value removed	Enabled Privileges	SeSecurityPrivilege

Process #9: wevtutil.exe

Information	Value
ID	#9
File Name	c:\windows\syswow64\wevtutil.exe
Command Line	wevtutil cl Security
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:00:52, Reason: Child Process
Unmonitor	End Time: 00:00:53, Reason: Terminated
Monitor Duration	00:00:01
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x9fc
Parent PID	0x9d0 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e144 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A00 0x A04

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
wevtutil.exe.mui	0x00030000	0x0003afff	Memory Mapped File	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000090000	0x00090000	0x00091fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0010ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00110000	0x00176fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000230000	0x00230000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x003fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000440000	0x00440000	0x004bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004c0000	0x004c0000	0x00647fff	Pagefile Backed Memory	Readable	Region Actions
wevtutil.exe	0x006e0000	0x0070cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000710000	0x00710000	0x00890fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000008e0000	0x008e0000	0x009dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000009e0000	0x009e0000	0x01ddffff	Pagefile Backed Memory	Readable	Region Actions
comctl32.dll	0x744c0000	0x7465dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74710000	0x7476bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74770000	0x747aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x749a0000	0x749e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credui.dll	0x749f0000	0x74a1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74dd0000	0x74dd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74e00000	0x74e0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74e10000	0x74e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x74e70000	0x74f7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75e00000	0x75f5bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75f60000	0x75ffffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76020000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76110000	0x7619efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x762b0000	0x7637bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76480000	0x7657ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76580000	0x7661cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76890000	0x768e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76940000	0x769ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76b20000	0x76b65fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76b70000	0x76b88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76b90000	0x76beffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76bf0000	0x76c7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076eb0000	0x76eb0000	0x76fcefff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076fd0000	0x76fd0000	0x770c9fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x770d0000	0x77278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772b0000	0x7742ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Token Modifications

Action	Attribute	Value
Token attribute value added	Enabled Privileges	SeShutdownPrivilege, SeDebugPrivilege
Token attribute value added	Enabled Privileges	SeSecurityPrivilege
Token attribute value added	Enabled Privileges	SeBackupPrivilege
Token attribute value removed	Enabled Privileges	SeBackupPrivilege
Token attribute value removed	Enabled Privileges	SeSecurityPrivilege

Process #10: wevtutil.exe

Information	Value
ID	#10
File Name	c:\windows\syswow64\wevtutil.exe
Command Line	wevtutil cl Application
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:00:52, Reason: Child Process
Unmonitor	End Time: 00:00:53, Reason: Terminated
Monitor Duration	00:00:01
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xa08
Parent PID	0x9d0 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e144 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A0C 0x A10

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
wevtutil.exe.mui	0x00030000	0x0003afff	Memory Mapped File	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00101fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000110000	0x00110000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001fffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002c0000	0x002c0000	0x002cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000330000	0x00330000	0x003affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004e0000	0x004e0000	0x005dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005e0000	0x005e0000	0x00767fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000770000	0x00770000	0x008f0fff	Pagefile Backed Memory	Readable	Region Actions
wevtutil.exe	0x00dd0000	0x00dfcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000e00000	0x00e00000	0x021fffff	Pagefile Backed Memory	Readable	Region Actions
comctl32.dll	0x74320000	0x744bdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74710000	0x7476bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74770000	0x747aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x748d0000	0x74911fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credui.dll	0x749c0000	0x749eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74dd0000	0x74dd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74e00000	0x74e0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74e10000	0x74e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x74e70000	0x74f7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75e00000	0x75f5bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75f60000	0x75ffffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76020000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76110000	0x7619efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x762b0000	0x7637bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76480000	0x7657ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76580000	0x7661cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76890000	0x768e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76940000	0x769ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76b20000	0x76b65fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76b70000	0x76b88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76b90000	0x76beffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76bf0000	0x76c7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076eb0000	0x76eb0000	0x76fcefff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076fd0000	0x76fd0000	0x770c9fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x770d0000	0x77278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772b0000	0x7742ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Token Modifications

Action	Attribute	Value
Token attribute value added	Enabled Privileges	SeShutdownPrivilege, SeDebugPrivilege
Token attribute value added	Enabled Privileges	SeSecurityPrivilege
Token attribute value added	Enabled Privileges	SeBackupPrivilege
Token attribute value removed	Enabled Privileges	SeBackupPrivilege
Token attribute value removed	Enabled Privileges	SeSecurityPrivilege

Process #11: fsutil.exe

Information	Value
ID	#11
File Name	c:\windows\syswow64\fsutil.exe
Command Line	fsutil usn deletejournal /D C:
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:00:52, Reason: Child Process
Unmonitor	End Time: 00:00:54, Reason: Terminated
Monitor Duration	00:00:02
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xa14
Parent PID	0x9d0 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e144 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A18

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000120000	0x00120000	0x0012ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000230000	0x00230000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003e0000	0x003e0000	0x0045ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005d0000	0x005d0000	0x006cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000006d0000	0x006d0000	0x00857fff	Pagefile Backed Memory	Readable	Region Actions
fsutil.exe	0x00e10000	0x00e23fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74710000	0x7476bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74770000	0x747aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ktmw32.dll	0x74a10000	0x74a18fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x74c20000	0x74c2efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x74c30000	0x74c48fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x74c50000	0x74c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x74c60000	0x74c70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74dd0000	0x74dd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74e00000	0x74e0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74e10000	0x74e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x74e70000	0x74f7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75e00000	0x75f5bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75f60000	0x75ffffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76020000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x762b0000	0x7637bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76480000	0x7657ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76580000	0x7661cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76940000	0x769ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76b20000	0x76b65fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76b70000	0x76b88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76b90000	0x76beffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76bf0000	0x76c7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076eb0000	0x76eb0000	0x76fcefff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076fd0000	0x76fd0000	0x770c9fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x770d0000	0x77278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772b0000	0x7742ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Token Modifications

Action	Attribute	Value
Token attribute value added	Enabled Privileges	SeShutdownPrivilege, SeDebugPrivilege