Analysis Report

Involved Hosts

Host	Resolved to	Country	City	Protocol
ipinfo.io	52.57.214.72	US	Wilmington	HTTP
127.0.0.1
85.93.0.0		DE		UDP
85.93.0.1		DE		UDP
85.93.0.2		DE		UDP
85.93.0.3		DE		UDP
85.93.0.4		DE		UDP
85.93.0.5		DE		UDP
85.93.0.6		DE		UDP
85.93.0.7		DE		UDP
85.93.0.8		DE		UDP
85.93.0.9		DE		UDP
85.93.0.10		DE		UDP
85.93.0.11		DE		UDP
85.93.0.12		DE		UDP
85.93.0.13		DE		UDP
85.93.0.14		DE		UDP
85.93.0.15		DE		UDP
85.93.0.16		DE		UDP
85.93.0.17		DE		UDP
85.93.0.18		DE		UDP
85.93.0.19		DE		UDP
85.93.0.20		DE		UDP
85.93.0.21		DE		UDP
85.93.0.22		DE		UDP
85.93.0.23		DE		UDP
85.93.0.24		DE		UDP
85.93.0.25		DE		UDP
85.93.0.26		DE		UDP
85.93.0.27		DE		UDP
85.93.0.28		DE		UDP
85.93.0.29		DE		UDP
85.93.0.30		DE		UDP
85.93.0.31		DE		UDP
85.93.0.32		DE		UDP
85.93.0.33		DE		UDP
85.93.0.34		DE		UDP
85.93.0.35		DE		UDP
85.93.0.36		DE		UDP
85.93.0.37		DE		UDP
85.93.0.38		DE		UDP
85.93.0.39		DE		UDP
85.93.0.40		DE		UDP
85.93.0.41		DE		UDP
85.93.0.42		DE		UDP
85.93.0.43		DE		UDP
85.93.0.44		DE		UDP
85.93.0.45		DE		UDP
85.93.0.46		DE		UDP
85.93.0.47		DE		UDP
85.93.0.48		DE		UDP
85.93.0.49		DE		UDP
85.93.0.50		DE		UDP
85.93.0.51		DE		UDP
85.93.0.52		DE		UDP
85.93.0.53		DE		UDP
85.93.0.54		DE		UDP
85.93.0.55		DE		UDP
85.93.0.56		DE		UDP
85.93.0.57		DE		UDP
85.93.0.58		DE		UDP
85.93.0.59		DE		UDP
85.93.0.60		DE		UDP
85.93.0.61		DE		UDP
85.93.0.62		DE		UDP
85.93.0.63		DE		UDP
85.93.0.64		DE		UDP
85.93.0.65		DE		UDP
85.93.0.66		DE		UDP
85.93.0.67		DE		UDP
85.93.0.68		DE		UDP
85.93.0.69		DE		UDP
85.93.0.70		DE		UDP
85.93.0.71		DE		UDP
85.93.0.72		DE		UDP
85.93.0.73		DE		UDP
85.93.0.74		DE		UDP
85.93.0.75		DE		UDP
85.93.0.76		DE		UDP
85.93.0.77		DE		UDP
85.93.0.78		DE		UDP
85.93.0.79		DE		UDP
85.93.0.80		DE		UDP
85.93.0.81		DE		UDP
85.93.0.82		DE		UDP
85.93.0.83		DE		UDP
85.93.0.84		DE		UDP
85.93.0.85		DE		UDP
85.93.0.86		DE		UDP
85.93.0.87		DE		UDP
85.93.0.88		DE		UDP
85.93.0.89		DE		UDP
85.93.0.90		DE		UDP
85.93.0.91		DE		UDP
85.93.0.92		DE		UDP
85.93.0.93		DE		UDP
85.93.0.94		DE		UDP
85.93.0.95		DE		UDP
85.93.0.96		DE		UDP
85.93.0.97		DE		UDP
85.93.0.98		DE		UDP
85.93.0.99		DE		UDP
85.93.0.100		DE		UDP
85.93.0.101		DE		UDP
85.93.0.102		DE		UDP
85.93.0.103		DE		UDP
85.93.0.104		DE		UDP
85.93.0.105		DE		UDP
85.93.0.106		DE		UDP
85.93.0.107		DE		UDP
85.93.0.108		DE		UDP
85.93.0.109		DE		UDP
85.93.0.110		DE		UDP
85.93.0.111		DE		UDP
85.93.0.112		DE		UDP
85.93.0.113		DE		UDP
85.93.0.114		DE		UDP
85.93.0.115		DE		UDP
85.93.0.116		DE		UDP
85.93.0.117		DE		UDP
85.93.0.118		DE		UDP
85.93.0.119		DE		UDP
85.93.0.120		DE		UDP
85.93.0.121		DE		UDP
85.93.0.122		DE		UDP
85.93.0.123		DE		UDP
85.93.0.124		DE		UDP
85.93.0.125		DE		UDP
85.93.0.126		DE		UDP
85.93.0.127		DE		UDP
85.93.0.128		DE		UDP
85.93.0.129		DE		UDP
85.93.0.130		DE		UDP
85.93.0.131		DE		UDP
85.93.0.132		DE		UDP
85.93.0.133		DE		UDP
85.93.0.134		DE		UDP
85.93.0.135		DE		UDP
85.93.0.136		DE		UDP
85.93.0.137		DE		UDP
85.93.0.138		DE		UDP
85.93.0.139		DE		UDP
85.93.0.140		DE		UDP
85.93.0.141		DE		UDP
85.93.0.142		DE		UDP
85.93.0.143		DE		UDP
85.93.0.144		DE		UDP
85.93.0.145		DE		UDP
85.93.0.146		DE		UDP
85.93.0.147		DE		UDP
85.93.0.148		DE		UDP
85.93.0.149		DE		UDP
85.93.0.150		DE		UDP
85.93.0.151		DE		UDP
85.93.0.152		DE		UDP
85.93.0.153		DE		UDP
85.93.0.154		DE		UDP
85.93.0.155		DE		UDP
85.93.0.156		DE		UDP
85.93.0.157		DE		UDP
85.93.0.158		DE		UDP
85.93.0.159		DE		UDP
85.93.0.160		DE		UDP
85.93.0.161		DE		UDP
85.93.0.162		DE		UDP
85.93.0.163		DE		UDP
85.93.0.164		DE		UDP
85.93.0.165		DE		UDP
85.93.0.166		DE		UDP
85.93.0.167		DE		UDP
85.93.0.168		DE		UDP
85.93.0.169		DE		UDP
85.93.0.170		DE		UDP
85.93.0.171		DE		UDP
85.93.0.172		DE		UDP
85.93.0.173		DE		UDP
85.93.0.174		DE		UDP
85.93.0.175		DE		UDP
85.93.0.176		DE		UDP
85.93.0.177		DE		UDP
85.93.0.178		DE		UDP
85.93.0.179		DE		UDP
85.93.0.180		DE		UDP
85.93.0.181		DE		UDP
85.93.0.182		DE		UDP
85.93.0.183		DE		UDP
85.93.0.184		DE		UDP
85.93.0.185		DE		UDP
85.93.0.186		DE		UDP
85.93.0.187		DE		UDP
85.93.0.188		DE		UDP
85.93.0.189		DE		UDP
85.93.0.190		DE		UDP
85.93.0.191		DE		UDP
85.93.0.192		DE		UDP
85.93.0.193		DE		UDP
85.93.0.194		DE		UDP
85.93.0.195		DE		UDP
85.93.0.196		DE		UDP
85.93.0.197		DE		UDP
85.93.0.198		DE		UDP
85.93.0.199		DE		UDP
85.93.0.200		DE		UDP
85.93.0.201		DE		UDP
85.93.0.202		DE		UDP
85.93.0.203		DE		UDP
85.93.0.204		DE		UDP
85.93.0.205		DE		UDP
85.93.0.206		DE		UDP
85.93.0.207		DE		UDP
85.93.0.208		DE		UDP
85.93.0.209		DE		UDP
85.93.0.210		DE		UDP
85.93.0.211		DE		UDP
85.93.0.212		DE		UDP
85.93.0.213		DE		UDP
85.93.0.214		DE		UDP
85.93.0.215		DE		UDP
85.93.0.216		DE		UDP
85.93.0.217		DE		UDP
85.93.0.218		DE		UDP
85.93.0.219		DE		UDP
85.93.0.220		DE		UDP
85.93.0.221		DE		UDP
85.93.0.222		DE		UDP
85.93.0.223		DE		UDP
85.93.0.224		DE		UDP
85.93.0.225		DE		UDP
85.93.0.226		DE		UDP
85.93.0.227		DE		UDP
85.93.0.228		DE		UDP
85.93.0.229		DE		UDP
85.93.0.230		DE		UDP
85.93.0.231		DE		UDP
85.93.0.232		DE		UDP
85.93.0.233		DE		UDP
85.93.0.234		DE		UDP
85.93.0.235		DE		UDP
85.93.0.236		DE		UDP
85.93.0.237		DE		UDP
85.93.0.238		DE		UDP
85.93.0.239		DE		UDP
85.93.0.240		DE		UDP
85.93.0.241		DE		UDP
85.93.0.242		DE		UDP
85.93.0.243		DE		UDP
85.93.0.244		DE		UDP
85.93.0.245		DE		UDP
85.93.0.246		DE		UDP
85.93.0.247		DE		UDP
85.93.0.248		DE		UDP
85.93.0.249		DE		UDP
85.93.0.250		DE		UDP
85.93.0.251		DE		UDP
85.93.0.252		DE		UDP
85.93.0.253		DE		UDP
85.93.0.254		DE		UDP
85.93.0.255		DE		UDP
85.93.1.0		DE		UDP
85.93.1.1		DE		UDP
85.93.1.2		DE		UDP
85.93.1.3		DE		UDP
85.93.1.4		DE		UDP
85.93.1.5		DE		UDP
85.93.1.6		DE		UDP
85.93.1.7		DE		UDP
85.93.1.8		DE		UDP
85.93.1.9		DE		UDP
85.93.1.10		DE		UDP
85.93.1.11		DE		UDP
85.93.1.12		DE		UDP
85.93.1.13		DE		UDP
85.93.1.14		DE		UDP
85.93.1.15		DE		UDP
85.93.1.16		DE		UDP
85.93.1.17		DE		UDP
85.93.1.18		DE		UDP
85.93.1.19		DE		UDP
85.93.1.20		DE		UDP
85.93.1.21		DE		UDP
85.93.1.22		DE		UDP
85.93.1.23		DE		UDP
85.93.1.24		DE		UDP
85.93.1.25		DE		UDP
85.93.1.26		DE		UDP
85.93.1.27		DE		UDP
85.93.1.28		DE		UDP
85.93.1.29		DE		UDP
85.93.1.30		DE		UDP
85.93.1.31		DE		UDP
85.93.1.32		DE		UDP
85.93.1.33		DE		UDP
85.93.1.34		DE		UDP
85.93.1.35		DE		UDP
85.93.1.36		DE		UDP
85.93.1.37		DE		UDP
85.93.1.38		DE		UDP
85.93.1.39		DE		UDP
85.93.1.40		DE		UDP
85.93.1.41		DE		UDP
85.93.1.42		DE		UDP
85.93.1.43		DE		UDP
85.93.1.44		DE		UDP
85.93.1.45		DE		UDP
85.93.1.46		DE		UDP
85.93.1.47		DE		UDP
85.93.1.48		DE		UDP
85.93.1.49		DE		UDP
85.93.1.50		DE		UDP
85.93.1.51		DE		UDP
85.93.1.52		DE		UDP
85.93.1.53		DE		UDP
85.93.1.54		DE		UDP
85.93.1.55		DE		UDP
85.93.1.56		DE		UDP
85.93.1.57		DE		UDP
85.93.1.58		DE		UDP
85.93.1.59		DE		UDP
85.93.1.60		DE		UDP
85.93.1.61		DE		UDP
85.93.1.62		DE		UDP
85.93.1.63		DE		UDP
85.93.1.64		DE		UDP
85.93.1.65		DE		UDP
85.93.1.66		DE		UDP
85.93.1.67		DE		UDP
85.93.1.68		DE		UDP
85.93.1.69		DE		UDP
85.93.1.70		DE		UDP
o14.okulhaberler.com	85.93.1.71	DE		UDP
85.93.1.72		DE		UDP
85.93.1.73		DE		UDP
85.93.1.74		DE		UDP
85.93.1.75		DE		UDP
85.93.1.76		DE		UDP
85.93.1.77		DE		UDP
85.93.1.78		DE		UDP
85.93.1.79		DE		UDP
85.93.1.80		DE		UDP
85.93.1.81		DE		UDP
85.93.1.82		DE		UDP
85.93.1.83		DE		UDP
a7.afeastforyoureyes.com	85.93.1.84	DE		UDP
85.93.1.85		DE		UDP
85.93.1.86		DE		UDP
85.93.1.87		DE		UDP
85.93.1.88		DE		UDP
85.93.1.89		DE		UDP
85.93.1.90		DE		UDP
85.93.1.91		DE		UDP
85.93.1.92		DE		UDP
85.93.1.93		DE		UDP
85.93.1.94		DE		UDP
85.93.1.95		DE		UDP
85.93.1.96		DE		UDP
85.93.1.97		DE		UDP
85.93.1.98		DE		UDP
85.93.1.99		DE		UDP
85.93.1.100		DE		UDP
85.93.1.101		DE		UDP
85.93.1.102		DE		UDP
85.93.1.103		DE		UDP
85.93.1.104		DE		UDP
85.93.1.105		DE		UDP
85.93.1.106		DE		UDP
85.93.1.107		DE		UDP
85.93.1.108		DE		UDP
85.93.1.109		DE		UDP
85.93.1.110		DE		UDP
85.93.1.111		DE		UDP
85.93.1.112		DE		UDP
85.93.1.113		DE		UDP
85.93.1.114		DE		UDP
85.93.1.115		DE		UDP
85.93.1.116		DE		UDP
85.93.1.117		DE		UDP
85.93.1.118		DE		UDP
85.93.1.119		DE		UDP
85.93.1.120		DE		UDP
85.93.1.121		DE		UDP
85.93.1.122		DE		UDP
85.93.1.123		DE		UDP
85.93.1.124		DE		UDP
85.93.1.125		DE		UDP
85.93.1.126		DE		UDP
85.93.1.127		DE		UDP
85.93.1.128		DE		UDP
85.93.1.129		DE		UDP
85.93.1.130		DE		UDP
85.93.1.131		DE		UDP
85.93.1.132		DE		UDP
85.93.1.133		DE		UDP
85.93.1.134		DE		UDP
85.93.1.135		DE		UDP
85.93.1.136		DE		UDP
85.93.1.137		DE		UDP
85.93.1.138		DE		UDP
85.93.1.139		DE		UDP
85.93.1.140		DE		UDP
85.93.1.141		DE		UDP
85.93.1.142		DE		UDP
85.93.1.143		DE		UDP
85.93.1.144		DE		UDP
85.93.1.145		DE		UDP
85.93.1.146		DE		UDP
85.93.1.147		DE		UDP
85.93.1.148		DE		UDP
85.93.1.149		DE		UDP
85.93.1.150		DE		UDP
c17.bshtrack.com	85.93.1.151	DE		UDP
85.93.1.152		DE		UDP
85.93.1.153		DE		UDP
85.93.1.154		DE		UDP
85.93.1.155		DE		UDP
85.93.1.156		DE		UDP
85.93.1.157		DE		UDP
85.93.1.158		DE		UDP
85.93.1.159		DE		UDP
85.93.1.160		DE		UDP
85.93.1.161		DE		UDP
85.93.1.162		DE		UDP
85.93.1.163		DE		UDP
85.93.1.164		DE		UDP
85.93.1.165		DE		UDP
85.93.1.166		DE		UDP
85.93.1.167		DE		UDP
85.93.1.168		DE		UDP
85.93.1.169		DE		UDP
85.93.1.170		DE		UDP
85.93.1.171		DE		UDP
85.93.1.172		DE		UDP
85.93.1.173		DE		UDP
85.93.1.174		DE		UDP
85.93.1.175		DE		UDP
85.93.1.176		DE		UDP
85.93.1.177		DE		UDP
85.93.1.178		DE		UDP
85.93.1.179		DE		UDP
85.93.1.180		DE		UDP
85.93.1.181		DE		UDP
85.93.1.182		DE		UDP
85.93.1.183		DE		UDP
85.93.1.184		DE		UDP
85.93.1.185		DE		UDP
85.93.1.186		DE		UDP
85.93.1.187		DE		UDP
85.93.1.188		DE		UDP
85.93.1.189		DE		UDP
85.93.1.190		DE		UDP
85.93.1.191		DE		UDP
85.93.1.192		DE		UDP
85.93.1.193		DE		UDP
85.93.1.194		DE		UDP
85.93.1.195		DE		UDP
85.93.1.196		DE		UDP
85.93.1.197		DE		UDP
85.93.1.198		DE		UDP
85.93.1.199		DE		UDP
85.93.1.200		DE		UDP
85.93.1.201		DE		UDP
85.93.1.202		DE		UDP
85.93.1.203		DE		UDP
85.93.1.204		DE		UDP
85.93.1.205		DE		UDP
85.93.1.206		DE		UDP
85.93.1.207		DE		UDP
85.93.1.208		DE		UDP
85.93.1.209		DE		UDP
85.93.1.210		DE		UDP
85.93.1.211		DE		UDP
85.93.1.212		DE		UDP
85.93.1.213		DE		UDP
85.93.1.214		DE		UDP
85.93.1.215		DE		UDP
85.93.1.216		DE		UDP
85.93.1.217		DE		UDP
85.93.1.218		DE		UDP
85.93.1.219		DE		UDP
85.93.1.220		DE		UDP
85.93.1.221		DE		UDP
85.93.1.222		DE		UDP
85.93.1.223		DE		UDP
85.93.1.224		DE		UDP
85.93.1.225		DE		UDP
85.93.1.226		DE		UDP
85.93.1.227		DE		UDP
85.93.1.228		DE		UDP
85.93.1.229		DE		UDP
85.93.1.230		DE		UDP
85.93.1.231		DE		UDP
85.93.1.232		DE		UDP
85.93.1.233		DE		UDP
85.93.1.234		DE		UDP
85.93.1.235		DE		UDP
85.93.1.236		DE		UDP
85.93.1.237		DE		UDP
85.93.1.238		DE		UDP
85.93.1.239		DE		UDP
85.93.1.240		DE		UDP
85.93.1.241		DE		UDP
85.93.1.242		DE		UDP
85.93.1.243		DE		UDP
85.93.1.244		DE		UDP
85.93.1.245		DE		UDP
85.93.1.246		DE		UDP
85.93.1.247		DE		UDP
85.93.1.248		DE		UDP
85.93.1.249		DE		UDP
85.93.1.250		DE		UDP
85.93.1.251		DE		UDP
85.93.1.252		DE		UDP
85.93.1.253		DE		UDP
85.93.1.254		DE		UDP
85.93.1.255		DE		UDP
85.93.2.0		DE		UDP
85.93.2.1		DE		UDP
85.93.2.2		DE		UDP
85.93.2.3		DE		UDP
85.93.2.4		DE		UDP
85.93.2.5		DE		UDP
85.93.2.6		DE		UDP
85.93.2.7		DE		UDP
85.93.2.8		DE		UDP
85.93.2.9		DE		UDP
85.93.2.10		DE		UDP
85.93.2.11		DE		UDP
85.93.2.12		DE		UDP
85.93.2.13		DE		UDP
85.93.2.14		DE		UDP
85.93.2.15		DE		UDP
85.93.2.16		DE		UDP
85.93.2.17		DE		UDP
85.93.2.18		DE		UDP
85.93.2.19		DE		UDP
85.93.2.20		DE		UDP
85.93.2.21		DE		UDP
85.93.2.22		DE		UDP
85.93.2.23		DE		UDP
85.93.2.24		DE		UDP
85.93.2.25		DE		UDP
85.93.2.26		DE		UDP
85.93.2.27		DE		UDP
85.93.2.28		DE		UDP
85.93.2.29		DE		UDP
85.93.2.30		DE		UDP
85.93.2.31		DE		UDP
85.93.2.32		DE		UDP
85.93.2.33		DE		UDP
85.93.2.34		DE		UDP
85.93.2.35		DE		UDP
85.93.2.36		DE		UDP
85.93.2.37		DE		UDP
85.93.2.38		DE		UDP
85.93.2.39		DE		UDP
85.93.2.40		DE		UDP
85.93.2.41		DE		UDP
85.93.2.42		DE		UDP
85.93.2.43		DE		UDP
85.93.2.44		DE		UDP
85.93.2.45		DE		UDP
85.93.2.46		DE		UDP
85.93.2.47		DE		UDP
85.93.2.48		DE		UDP
85.93.2.49		DE		UDP
85.93.2.50		DE		UDP
85.93.2.51		DE		UDP
85.93.2.52		DE		UDP
85.93.2.53		DE		UDP
85.93.2.54		DE		UDP
85.93.2.55		DE		UDP
85.93.2.56		DE		UDP
85.93.2.57		DE		UDP
85.93.2.58		DE		UDP
85.93.2.59		DE		UDP
85.93.2.60		DE		UDP
85.93.2.61		DE		UDP
85.93.2.62		DE		UDP
85.93.2.63		DE		UDP
85.93.2.64		DE		UDP
85.93.2.65		DE		UDP
85.93.2.66		DE		UDP
85.93.2.67		DE		UDP
85.93.2.68		DE		UDP
85.93.2.69		DE		UDP
85.93.2.70		DE		UDP
85.93.2.71		DE		UDP
85.93.2.72		DE		UDP
85.93.2.73		DE		UDP
85.93.2.74		DE		UDP
85.93.2.75		DE		UDP
85.93.2.76		DE		UDP
85.93.2.77		DE		UDP
85.93.2.78		DE		UDP
85.93.2.79		DE		UDP
85.93.2.80		DE		UDP
85.93.2.81		DE		UDP
85.93.2.82		DE		UDP
85.93.2.83		DE		UDP
85.93.2.84		DE		UDP
85.93.2.85		DE		UDP
85.93.2.86		DE		UDP
85.93.2.87		DE		UDP
85.93.2.88		DE		UDP
85.93.2.89		DE		UDP
85.93.2.90		DE		UDP
85.93.2.91		DE		UDP
85.93.2.92		DE		UDP
85.93.2.93		DE		UDP
85.93.2.94		DE		UDP
85.93.2.95		DE		UDP
85.93.2.96		DE		UDP
85.93.2.97		DE		UDP
85.93.2.98		DE		UDP
85.93.2.99		DE		UDP
85.93.2.100		DE		UDP
85.93.2.101		DE		UDP
85.93.2.102		DE		UDP
85.93.2.103		DE		UDP
85.93.2.104		DE		UDP
85.93.2.105		DE		UDP
85.93.2.106		DE		UDP
85.93.2.107		DE		UDP
85.93.2.108		DE		UDP
85.93.2.109		DE		UDP
85.93.2.110		DE		UDP
85.93.2.111		DE		UDP
85.93.2.112		DE		UDP
85.93.2.113		DE		UDP
85.93.2.114		DE		UDP
85.93.2.115		DE		UDP
85.93.2.116		DE		UDP
85.93.2.117		DE		UDP
85.93.2.118		DE		UDP
85.93.2.119		DE		UDP
85.93.2.120		DE		UDP
85.93.2.121		DE		UDP
85.93.2.122		DE		UDP
85.93.2.123		DE		UDP
85.93.2.124		DE		UDP
85.93.2.125		DE		UDP
85.93.2.126		DE		UDP
85.93.2.127		DE		UDP
85.93.2.128		DE		UDP
85.93.2.129		DE		UDP
85.93.2.130		DE		UDP
85.93.2.131		DE		UDP
85.93.2.132		DE		UDP
85.93.2.133		DE		UDP
85.93.2.134		DE		UDP
85.93.2.135		DE		UDP
85.93.2.136		DE		UDP
85.93.2.137		DE		UDP
85.93.2.138		DE		UDP
85.93.2.139		DE		UDP
85.93.2.140		DE		UDP
85.93.2.141		DE		UDP
85.93.2.142		DE		UDP
85.93.2.143		DE		UDP
85.93.2.144		DE		UDP
85.93.2.145		DE		UDP
85.93.2.146		DE		UDP
85.93.2.147		DE		UDP
85.93.2.148		DE		UDP
85.93.2.149		DE		UDP
85.93.2.150		DE		UDP
85.93.2.151		DE		UDP
85.93.2.152		DE		UDP
85.93.2.153		DE		UDP
85.93.2.154		DE		UDP
85.93.2.155		DE		UDP
85.93.2.156		DE		UDP
85.93.2.157		DE		UDP
85.93.2.158		DE		UDP
85.93.2.159		DE		UDP
85.93.2.160		DE		UDP
85.93.2.161		DE		UDP
85.93.2.162		DE		UDP
85.93.2.163		DE		UDP
85.93.2.164		DE		UDP
85.93.2.165		DE		UDP
85.93.2.166		DE		UDP
85.93.2.167		DE		UDP
85.93.2.168		DE		UDP
85.93.2.169		DE		UDP
85.93.2.170		DE		UDP
85.93.2.171		DE		UDP
85.93.2.172		DE		UDP
85.93.2.173		DE		UDP
85.93.2.174		DE		UDP
85.93.2.175		DE		UDP
85.93.2.176		DE		UDP
85.93.2.177		DE		UDP
85.93.2.178		DE		UDP
85.93.2.179		DE		UDP
85.93.2.180		DE		UDP
85.93.2.181		DE		UDP
85.93.2.182		DE		UDP
85.93.2.183		DE		UDP
85.93.2.184		DE		UDP
85.93.2.185		DE		UDP
85.93.2.186		DE		UDP
85.93.2.187		DE		UDP
85.93.2.188		DE		UDP
85.93.2.189		DE		UDP
85.93.2.190		DE		UDP
85.93.2.191		DE		UDP
85.93.2.192		DE		UDP
85.93.2.193		DE		UDP
85.93.2.194		DE		UDP
85.93.2.195		DE		UDP
85.93.2.196		DE		UDP
85.93.2.197		DE		UDP
85.93.2.198		DE		UDP
85.93.2.199		DE		UDP
85.93.2.200		DE		UDP
85.93.2.201		DE		UDP
85.93.2.202		DE		UDP
85.93.2.203		DE		UDP
85.93.2.204		DE		UDP
85.93.2.205		DE		UDP
85.93.2.206		DE		UDP
85.93.2.207		DE		UDP
85.93.2.208		DE		UDP
85.93.2.209		DE		UDP
85.93.2.210		DE		UDP
85.93.2.211		DE		UDP
85.93.2.212		DE		UDP
85.93.2.213		DE		UDP
85.93.2.214		DE		UDP
85.93.2.215		DE		UDP
85.93.2.216		DE		UDP
85.93.2.217		DE		UDP
85.93.2.218		DE		UDP
85.93.2.219		DE		UDP
85.93.2.220		DE		UDP
85.93.2.221		DE		UDP
85.93.2.222		DE		UDP
85.93.2.223		DE		UDP
85.93.2.224		DE		UDP
85.93.2.225		DE		UDP
85.93.2.226		DE		UDP
85.93.2.227		DE		UDP
85.93.2.228		DE		UDP
85.93.2.229		DE		UDP
85.93.2.230		DE		UDP
85.93.2.231		DE		UDP
85.93.2.232		DE		UDP
85.93.2.233		DE		UDP
85.93.2.234		DE		UDP
85.93.2.235		DE		UDP
85.93.2.236		DE		UDP
85.93.2.237		DE		UDP
85.93.2.238		DE		UDP
85.93.2.239		DE		UDP
85.93.2.240		DE		UDP
85.93.2.241		DE		UDP
85.93.2.242		DE		UDP
85.93.2.243		DE		UDP
85.93.2.244		DE		UDP
85.93.2.245		DE		UDP
85.93.2.246		DE		UDP
85.93.2.247		DE		UDP
85.93.2.248		DE		UDP
85.93.2.249		DE		UDP
85.93.2.250		DE		UDP
85.93.2.251		DE		UDP
85.93.2.252		DE		UDP
85.93.2.253		DE		UDP
85.93.2.254		DE		UDP
85.93.2.255		DE		UDP
85.93.3.0		DE		UDP
85.93.3.1		DE		UDP
85.93.3.2		DE		UDP
85.93.3.3		DE		UDP
85.93.3.4		DE		UDP
85.93.3.5		DE		UDP
85.93.3.6		DE		UDP
85.93.3.7		DE		UDP
85.93.3.8		DE		UDP
85.93.3.9		DE		UDP
85.93.3.10		DE		UDP
85.93.3.11		DE		UDP
85.93.3.12		DE		UDP
85.93.3.13		DE		UDP
85.93.3.14		DE		UDP
85.93.3.15		DE		UDP
85.93.3.16		DE		UDP
85.93.3.17		DE		UDP
85.93.3.18		DE		UDP
85.93.3.19		DE		UDP
85.93.3.20		DE		UDP
85.93.3.21		DE		UDP
85.93.3.22		DE		UDP
85.93.3.23		DE		UDP
85.93.3.24		DE		UDP
85.93.3.25		DE		UDP
85.93.3.26		DE		UDP
85.93.3.27		DE		UDP
85.93.3.28		DE		UDP
85.93.3.29		DE		UDP
85.93.3.30		DE		UDP
85.93.3.31		DE		UDP
85.93.3.32		DE		UDP
85.93.3.33		DE		UDP
85.93.3.34		DE		UDP
85.93.3.35		DE		UDP
85.93.3.36		DE		UDP
host5.aceimportant.com	85.93.3.37	DE		UDP
85.93.3.38		DE		UDP
85.93.3.39		DE		UDP
85.93.3.40		DE		UDP
85.93.3.41		DE		UDP
85.93.3.42		DE		UDP
85.93.3.43		DE		UDP
85.93.3.44		DE		UDP
85.93.3.45		DE		UDP
85.93.3.46		DE		UDP
85.93.3.47		DE		UDP
85.93.3.48		DE		UDP
85.93.3.49		DE		UDP
85.93.3.50		DE		UDP
85.93.3.51		DE		UDP
85.93.3.52		DE		UDP
85.93.3.53		DE		UDP
85.93.3.54		DE		UDP
85.93.3.55		DE		UDP
85.93.3.56		DE		UDP
85.93.3.57		DE		UDP
85.93.3.58		DE		UDP
85.93.3.59		DE		UDP
85.93.3.60		DE		UDP
85.93.3.61		DE		UDP
85.93.3.62		DE		UDP
85.93.3.63		DE		UDP
85.93.3.64		DE		UDP
85.93.3.65		DE		UDP
85.93.3.66		DE		UDP
85.93.3.67		DE		UDP
85.93.3.68		DE		UDP
85.93.3.69		DE		UDP
85.93.3.70		DE		UDP
85.93.3.71		DE		UDP
85.93.3.72		DE		UDP
85.93.3.73		DE		UDP
85.93.3.74		DE		UDP
85.93.3.75		DE		UDP
85.93.3.76		DE		UDP
85.93.3.77		DE		UDP
85.93.3.78		DE		UDP
85.93.3.79		DE		UDP
85.93.3.80		DE		UDP
85.93.3.81		DE		UDP
85.93.3.82		DE		UDP
85.93.3.83		DE		UDP
85.93.3.84		DE		UDP
85.93.3.85		DE		UDP
85.93.3.86		DE		UDP
85.93.3.87		DE		UDP
85.93.3.88		DE		UDP
85.93.3.89		DE		UDP
85.93.3.90		DE		UDP
85.93.3.91		DE		UDP
85.93.3.92		DE		UDP
85.93.3.93		DE		UDP
85.93.3.94		DE		UDP
85.93.3.95		DE		UDP
85.93.3.96		DE		UDP
85.93.3.97		DE		UDP
85.93.3.98		DE		UDP
85.93.3.99		DE		UDP
85.93.3.100		DE		UDP
85.93.3.101		DE		UDP
85.93.3.102		DE		UDP
85.93.3.103		DE		UDP
85.93.3.104		DE		UDP
85.93.3.105		DE		UDP
85.93.3.106		DE		UDP
85.93.3.107		DE		UDP
85.93.3.108		DE		UDP
85.93.3.109		DE		UDP
85.93.3.110		DE		UDP
85.93.3.111		DE		UDP
85.93.3.112		DE		UDP
85.93.3.113		DE		UDP
85.93.3.114		DE		UDP
85.93.3.115		DE		UDP
85.93.3.116		DE		UDP
85.93.3.117		DE		UDP
85.93.3.118		DE		UDP
85.93.3.119		DE		UDP
85.93.3.120		DE		UDP
85.93.3.121		DE		UDP
85.93.3.122		DE		UDP
85.93.3.123		DE		UDP
85.93.3.124		DE		UDP
85.93.3.125		DE		UDP
85.93.3.126		DE		UDP
85.93.3.127		DE		UDP
85.93.3.128		DE		UDP
85.93.3.129		DE		UDP
85.93.3.130		DE		UDP
85.93.3.131		DE		UDP
85.93.3.132		DE		UDP
85.93.3.133		DE		UDP
85.93.3.134		DE		UDP
85.93.3.135		DE		UDP
85.93.3.136		DE		UDP
85.93.3.137		DE		UDP
85.93.3.138		DE		UDP
85.93.3.139		DE		UDP
85.93.3.140		DE		UDP
85.93.3.141		DE		UDP
85.93.3.142		DE		UDP
85.93.3.143		DE		UDP
85.93.3.144		DE		UDP
85.93.3.145		DE		UDP
85.93.3.146		DE		UDP
85.93.3.147		DE		UDP
85.93.3.148		DE		UDP
85.93.3.149		DE		UDP
85.93.3.150		DE		UDP
85.93.3.151		DE		UDP
85.93.3.152		DE		UDP
85.93.3.153		DE		UDP
85.93.3.154		DE		UDP
85.93.3.155		DE		UDP
85.93.3.156		DE		UDP
85.93.3.157		DE		UDP
85.93.3.158		DE		UDP
85.93.3.159		DE		UDP
85.93.3.160		DE		UDP
85.93.3.161		DE		UDP
85.93.3.162		DE		UDP
85.93.3.163		DE		UDP
85.93.3.164		DE		UDP
85.93.3.165		DE		UDP
85.93.3.166		DE		UDP
85.93.3.167		DE		UDP
85.93.3.168		DE		UDP
85.93.3.169		DE		UDP
85.93.3.170		DE		UDP
85.93.3.171		DE		UDP
85.93.3.172		DE		UDP
85.93.3.173		DE		UDP
85.93.3.174		DE		UDP
85.93.3.175		DE		UDP
85.93.3.176		DE		UDP
85.93.3.177		DE		UDP
85.93.3.178		DE		UDP
85.93.3.179		DE		UDP
85.93.3.180		DE		UDP
85.93.3.181		DE		UDP
85.93.3.182		DE		UDP
85.93.3.183		DE		UDP
85.93.3.184		DE		UDP
85.93.3.185		DE		UDP
85.93.3.186		DE		UDP
85.93.3.187		DE		UDP
85.93.3.188		DE		UDP
85.93.3.189		DE		UDP
85.93.3.190		DE		UDP
85.93.3.191		DE		UDP
85.93.3.192		DE		UDP
85.93.3.193		DE		UDP
85.93.3.194		DE		UDP
85.93.3.195		DE		UDP
85.93.3.196		DE		UDP
85.93.3.197		DE		UDP
85.93.3.198		DE		UDP
85.93.3.199		DE		UDP
85.93.3.200		DE		UDP
85.93.3.201		DE		UDP
85.93.3.202		DE		UDP
85.93.3.203		DE		UDP
85.93.3.204		DE		UDP
85.93.3.205		DE		UDP
85.93.3.206		DE		UDP
85.93.3.207		DE		UDP
85.93.3.208		DE		UDP
85.93.3.209		DE		UDP
85.93.3.210		DE		UDP
85.93.3.211		DE		UDP
85.93.3.212		DE		UDP
85.93.3.213		DE		UDP
85.93.3.214		DE		UDP
85.93.3.215		DE		UDP
85.93.3.216		DE		UDP
85.93.3.217		DE		UDP
85.93.3.218		DE		UDP
85.93.3.219		DE		UDP
85.93.3.220		DE		UDP
85.93.3.221		DE		UDP
85.93.3.222		DE		UDP
thermostat60.maturebrokerage.com	85.93.3.223	DE		UDP
benzine60.maturebrokerage.com	85.93.3.224	DE		UDP
85.93.3.225		DE		UDP
85.93.3.226		DE		UDP
85.93.3.227		DE		UDP
85.93.3.228		DE		UDP
85.93.3.229		DE		UDP
conflux6.maturebrokerage.com	85.93.3.230	DE		UDP
85.93.3.231		DE		UDP

Monitored Processes

Behavior Information - Grouped by Category

Process #1: d8891477315db13a640ed5956a636951.exe

(Host: 258, Network: 0)

Information	Value
ID / OS PID	#1 / 0x6ec
OS Parent PID	0x560 (c:\windows\explorer.exe)
Initial Working Directory	C:\Users\hJrD1KOKY DS8lUjv\Desktop
File Name	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe
Command Line	"C:\Users\hJrD1KOKY DS8lUjv\Desktop\d8891477315db13a640ed5956a636951.exe"
Monitor	Start Time: 00:00:08, Reason: Analysis Target
Unmonitor	End Time: 00:00:14, Reason: Terminated
Monitor Duration	00:00:06
OS Thread IDs	#1 0x6DC #2 0x6D0 #3 0x6C8 #4 0x5AC #5 0x7E8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001a0000	0x001a0000	0x001b5fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000200000	0x00200000	0x0027ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000280000	0x00280000	0x0029cfff	Private Memory	Readable, Writable, Executable	Region Actions
C_1251.NLS	0x002a0000	0x002b0fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000002c0000	0x002c0000	0x002c0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000002d0000	0x002d0000	0x002d0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000002d0000	0x002d0000	0x002d0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000002d0000	0x002d0000	0x002d0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000002e0000	0x002e0000	0x003dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003e0000	0x003e0000	0x003e0fff	Pagefile Backed Memory	Readable	Region Actions
cversions.1.db	0x003f0000	0x003f3fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000003f0000	0x003f0000	0x003f6fff	Pagefile Backed Memory	Readable	Region Actions
d8891477315db13a640ed5956a636951.exe	0x00400000	0x0042afff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download
locale.nls	0x00430000	0x00496fff	Memory Mapped File	Readable	Region Actions
private_0x00000000004a0000	0x004a0000	0x004dffff	Private Memory	Readable, Writable	Region Actions
{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000009.db	0x004e0000	0x004f5fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000500000	0x00500000	0x00501fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000510000	0x00510000	0x00510fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000520000	0x00520000	0x00521fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000530000	0x00530000	0x00531fff	Pagefile Backed Memory	Readable, Writable	Region Actions
cversions.2.db	0x00540000	0x00543fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000550000	0x00550000	0x0058ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000590000	0x00590000	0x005cffff	Private Memory	Readable, Writable	Region Actions
cversions.2.db	0x005d0000	0x005d3fff	Memory Mapped File	Readable	Region Actions
private_0x00000000005f0000	0x005f0000	0x005fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000600000	0x00600000	0x00787fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000790000	0x00790000	0x00910fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000920000	0x00920000	0x01d1ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001d20000	0x01d20000	0x01dfefff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001e00000	0x01e00000	0x01efffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f20000	0x01f20000	0x01f2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f30000	0x01f30000	0x0202ffff	Private Memory	Readable, Writable	Region Actions
{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000a.db	0x02030000	0x0205ffff	Memory Mapped File	Readable	Region Actions
private_0x0000000002060000	0x02060000	0x0209ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000020a0000	0x020a0000	0x0219ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000021a0000	0x021a0000	0x021dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002200000	0x02200000	0x0223ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x02240000	0x0250efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002510000	0x02510000	0x0260ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002610000	0x02610000	0x02a02fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002a10000	0x02a10000	0x02b0ffff	Private Memory	Readable, Writable	Region Actions
{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db	0x02b10000	0x02b75fff	Memory Mapped File	Readable	Region Actions
taskschd.dll	0x74520000	0x7459cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samlib.dll	0x745a0000	0x745b1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x745c0000	0x7475dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x74760000	0x74780fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x74790000	0x74884fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x74890000	0x7489afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x748a0000	0x748b2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x748c0000	0x748fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74900000	0x74915fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x74920000	0x7492efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x74930000	0x7493efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x74940000	0x74958fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x74960000	0x74968fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x74970000	0x74980fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x74990000	0x749a1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x749b0000	0x749b8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x749c0000	0x74a10fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x74a20000	0x74a9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x74aa0000	0x74adbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74ae0000	0x74ae7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74af0000	0x74b4bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74b50000	0x74b8efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74c90000	0x74c9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ca0000	0x74cfffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74d00000	0x74d5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x74d90000	0x74eebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x74f50000	0x74f55fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x74f60000	0x7500bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75010000	0x75104fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x75110000	0x75192fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x751a0000	0x751f6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75200000	0x7528ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75290000	0x7538ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x75390000	0x753d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x75470000	0x7550cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75510000	0x75519fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75520000	0x75655fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x75660000	0x75671fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x75680000	0x7581cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75820000	0x7592ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75930000	0x759cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x759e0000	0x759ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x759f0000	0x75a7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x75a80000	0x75aa9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75ab0000	0x766f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x76700000	0x768fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76900000	0x769effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x769f0000	0x76a24fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76a30000	0x76a48fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x76a50000	0x76a76fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76a80000	0x76b4bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x76b50000	0x76c6cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x76c70000	0x76cb4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076d40000	0x76d40000	0x76e5efff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076e60000	0x76e60000	0x76f59fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f60000	0x77108fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77140000	0x772bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Created Files

Filename	File Size	Hash Values	Actions
c:\users\hjrd1koky ds8lujv\appdata\roaming\microsoft\windows\start menu\programs\startup\esentutl.lnk	1.22 KB (1252 bytes)	MD5: 67cd3a3b1ce7ddb9773fb62685ccec50 SHA1: 9603fd2454b2c4e81307bceda814ea139cd4a089 SHA256: 3ab432c75c02fbd597e41a99e3956455472af6bd9bcc93d8444df0fb3f200561	File Actions Show Properties Download
c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	116.50 KB (119296 bytes)	MD5: d8891477315db13a640ed5956a636951 SHA1: abb3fd6a48b0881f4d01ff468ea81cd81e24e97b SHA256: ddffb78d1b7dd7831fc074911671fa5e3b9d7b33f10ab3a9933cf563b570f756	File Actions Show Properties Download

Host Behavior

File (8)

Operation	Filename	Additional Information	Count	Logfile
CREATE	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
CREATE	c:\windows\syswow64\kernel32.dll	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING, file_attributes = FILE_FLAG_BACKUP_SEMANTICS	2	Fn
CREATE	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	desired_access = FILE_WRITE_ATTRIBUTES, create_disposition = OPEN_EXISTING, file_attributes = FILE_FLAG_BACKUP_SEMANTICS	1	Fn
CREATE	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}	desired_access = FILE_WRITE_ATTRIBUTES, create_disposition = OPEN_EXISTING, file_attributes = FILE_FLAG_BACKUP_SEMANTICS	1	Fn
CREATE_DIR	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}		1	Fn
CREATE_SHORTCUT	C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\esentutl.lnk	file_target = C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe	1	Fn
COPY	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	source_file_name = c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe, fail_if_exists = 0	1	Fn

Process (7)

Operation	Process Name	Additional Information	Count	Logfile
CREATE	C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe	os_tid = 0x6a0, os_pid = 0x7b8, creation_flags = CREATE_BREAKAWAY_FROM_JOB, show_window = SW_HIDE	1	Fn
CREATE	C:\Windows\system32\cmd.exe	os_tid = 0x65c, os_pid = 0x744, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
OPEN_TOKEN	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe	os_pid = 0x6ec, desired_access = PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, desired_access = PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION	1	Fn
OPEN_TOKEN	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe	os_pid = 0x6ec, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
OPEN_TOKEN	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe	os_pid = 0x6ec, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE	1	Fn
OPEN_TOKEN	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe	os_pid = 0x6ec, desired_access = PROCESS_VM_OPERATION, READ_CONTROL, desired_access = PROCESS_VM_OPERATION, READ_CONTROL	1	Fn
TERMINATE	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe	os_pid = 0x6ec	1	Fn

Module (134)

Operation	Module	Additional Information	Count	Logfile
LOAD	CRYPT32.dll	base_address = 0x0	1	Fn
LOAD	WININET.dll	base_address = 0x0	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x0	1	Fn
LOAD	VERSION.dll	base_address = 0x0	1	Fn
LOAD	MPR.dll	base_address = 0x0	1	Fn
LOAD	imagehlp.dll	base_address = 0x0	1	Fn
LOAD	WS2_32.dll	base_address = 0x0	1	Fn
LOAD	KERNEL32.dll	base_address = 0x0	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x0	1	Fn
LOAD	USER32.dll	base_address = 0x0	1	Fn
LOAD	ole32.dll	base_address = 0x0	1	Fn
LOAD	SHELL32.dll	base_address = 0x0	1	Fn
LOAD	ntdll.dll	base_address = 0x0	1	Fn
LOAD	OLEAUT32.dll	base_address = 0x0	1	Fn
LOAD	GDI32.dll	base_address = 0x0	1	Fn
LOAD	NETAPI32.dll	base_address = 0x0	1	Fn
GET_HANDLE	c:\windows\syswow64\kernel32.dll	base_address = 0x75820000	3	Fn
GET_HANDLE	c:\windows\syswow64\user32.dll	base_address = 0x75290000	1	Fn
GET_HANDLE	c:\windows\syswow64\mswsock.dll	base_address = 0x74aa0000	1	Fn
GET_HANDLE	c:\windows\syswow64\gdi32.dll	base_address = 0x75200000	1	Fn
GET_HANDLE	it	base_address = 0x0	24	Fn
GET_HANDLE	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe	base_address = 0x400000	5	Fn
CREATE_MAPPING	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe	module_name = Nameless FileMapping, maximum_size = 0, protection = PAGE_READONLY	1	Fn
MAP	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe	process_name = c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe, os_pid = 0x6ec, module_name = Nameless FileMapping, desired_access = FILE_MAP_READ, file_offset = 0, address = 0x2c0000	1	Fn
UNMAP	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe	os_pid = 0x6ec, base_address = 0x2c0000	1	Fn
GET_FILENAME	NETAPI32.dll	file_name = C:\Users\hJrD1KOKY DS8lUjv\Desktop\d8891477315db13a640ed5956a636951.exe	1	Fn
GET_FILENAME	c:\windows\syswow64\kernel32.dll	file_name = C:\Windows\syswow64\kernel32.dll	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualProtect, address = 0x7583435f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = IMPGetIMEA, address = 0x75307331	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = SetForegroundWindow, address = 0x752cf170	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = ShowWindow, address = 0x752b0dfb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetSysColor, address = 0x752a6c3c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetKeyboardLayoutNameA, address = 0x75306bd9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = IsWindow, address = 0x752a7136	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetSystemMetrics, address = 0x752a7d2f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = SetWindowPos, address = 0x752a8e4e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetFocus, address = 0x752b0dee	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = SetMenuInfo, address = 0x752fd222	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = DispatchMessageA, address = 0x752a7bbb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = InvalidateRect, address = 0x752b1381	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = WSPStartup, address = 0x74aa8a9b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = dn_expand, address = 0x74abb97c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = sethostname, address = 0x74ab6582	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = MigrateWinsockConfiguration, address = 0x74aacd27	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = NPLoadNameSpaces, address = 0x74ac1a3e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetNameByTypeA, address = 0x74abe59f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = TransmitFile, address = 0x74abc7e2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = inet_network, address = 0x74ab6597	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetAddressByNameA, address = 0x74abddb5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetAcceptExSockaddrs, address = 0x74abc9da	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetTypeByNameW, address = 0x74abdfd7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = WSARecvEx, address = 0x74ac1b55	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetServiceW, address = 0x74abf340	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = SetServiceA, address = 0x74abefae	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = EnumProtocolsW, address = 0x74abcc25	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetTypeByNameA, address = 0x74abe260	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = SetServiceW, address = 0x74abf118	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = StartWsdpService, address = 0x74ab633d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = EnumProtocolsA, address = 0x74abd368	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = rexec, address = 0x74ab656d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = StopWsdpService, address = 0x74ab5e56	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentThreadId, address = 0x75831450	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = InterlockedDecrement, address = 0x758313f0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapCreate, address = 0x75834a2d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetThreadLocale, address = 0x758335cf	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = QueryPerformanceCounter, address = 0x75831725	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = lstrlenW, address = 0x75831700	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FileTimeToSystemTime, address = 0x7583542c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = UnhandledExceptionFilter, address = 0x7585772f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x758387c9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address = 0x7583110c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetStringTypeW, address = 0x75831946	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetConsoleAliasesA, address = 0x758d6680	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = lstrlenA, address = 0x75835a4b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = lstrcmpiA, address = 0x75833e8e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address = 0x7584d802	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FreeEnvironmentStringsA, address = 0x7583e349	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FreeEnvironmentStringsW, address = 0x758351cb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address = 0x77181f6e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetFileAttributesW, address = 0x75831b18	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCPInfo, address = 0x75835189	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address = 0x75831809	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LCMapStringA, address = 0x7585bc39	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetOEMCP, address = 0x7585d1a1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address = 0x758334b0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentStringsW, address = 0x758351e3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x75833509	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address = 0x75831856	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address = 0x758311f8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address = 0x7583170d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LCMapStringW, address = 0x758317b9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetHandleCount, address = 0x7583cb29	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetStringTypeA, address = 0x75858266	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = lstrcmpiW, address = 0x7584d5cd	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentStrings, address = 0x7583e361	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetSystemTime, address = 0x75835a96	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetStdHandle, address = 0x758b454f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GlobalSize, address = 0x7584d16f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreateICW, address = 0x7521c040	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreateICA, address = 0x75217c2e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = GetCharWidth32W, address = 0x7521c93c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = DeleteObject, address = 0x75215689	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreatePen, address = 0x7521ba4f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreateRectRgnIndirect, address = 0x7521a764	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreateDCA, address = 0x75217bcc	1	Fn

Com (20)

Operation	Class	Interface	Additional Information	Count	Logfile
CREATE	ShellLink	IShellLinkW	cls_context = CLSCTX_INPROC_SERVER	4	Fn
CREATE	TaskScheduler	ITaskService	cls_context = CLSCTX_INPROC_SERVER	1	Fn
QUERY	ShellLink	IShellLinkW	new_interface = IPersistFile,	4	Fn
METHOD	ShellLink	IPersistFile	method = Load	2	Fn
METHOD	ShellLink	IShellLinkW	method = SetPath	1	Fn
METHOD	ShellLink	IShellLinkW	method = SetWorkingDirectory	1	Fn
METHOD	ShellLink	IShellLinkW	method = SetDescription	1	Fn
METHOD	ShellLink	IPersistFile	method = Save	1	Fn
METHOD	ShellLink	IPersistFile	method = Load	1	Fn
METHOD	ShellLink	IShellLinkW	method = GetPath	1	Fn
METHOD	TaskScheduler	ITaskService	method = Connect	1	Fn
METHOD	TaskScheduler	ITaskService	new_interface = ITaskFolder, method = GetFolder	1	Fn
METHOD	TaskScheduler	ITaskFolder	method = DeleteTask	1	Fn

Registry (76)

Operation	Key	Additional Information	Count	Logfile
CREATE_KEY	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}		6	Fn
CREATE_KEY	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion		2	Fn
CREATE_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\Run		1	Fn
CREATE_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce		1	Fn
CREATE_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer		1	Fn
CREATE_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Command Processor		1	Fn
CREATE_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Control Panel\Desktop		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1463843789-3877896393-3178144628-1000		2	Fn
OPEN_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\Run		2	Fn
OPEN_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce		2	Fn
OPEN_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer		2	Fn
OPEN_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Command Processor		2	Fn
OPEN_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Control Panel\Desktop		2	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1463843789-3877896393-3178144628-500		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1463843789-3877896393-3178144628-501		1	Fn
OPEN_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-500\Software\Microsoft\Windows\CurrentVersion\Run		1	Fn
OPEN_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-500\Software\Microsoft\Windows\CurrentVersion\RunOnce		1	Fn
OPEN_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer		1	Fn
OPEN_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-500\Software\Microsoft\Command Processor		1	Fn
OPEN_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-500\Control Panel\Desktop		1	Fn
OPEN_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-501\Software\Microsoft\Windows\CurrentVersion\Run		1	Fn
OPEN_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-501\Software\Microsoft\Windows\CurrentVersion\RunOnce		1	Fn
OPEN_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-501\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer		1	Fn
OPEN_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-501\Software\Microsoft\Command Processor		1	Fn
OPEN_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-501\Control Panel\Desktop		1	Fn
OPEN_KEY	HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run		1	Fn
OPEN_KEY	HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce		1	Fn
OPEN_KEY	HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer		1	Fn
OPEN_KEY	HKEY_USERS\.DEFAULT\Software\Microsoft\Command Processor		1	Fn
OPEN_KEY	HKEY_USERS\.DEFAULT\Control Panel\Desktop		1	Fn
READ_VALUE	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}	value_name = Component_02	2	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	value_name = ProgramFilesDir (x86)	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	value_name = ProgramFilesDir (x86), data_ident_out = 67	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	value_name = ProgramFilesDir	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	value_name = ProgramFilesDir, data_ident_out = 67	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}	value_name = Component_00	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}	value_name = Component_00	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}	value_name = Component_00, data_ident_out = 154	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}	value_name = Component_01, data_ident_out = 103	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1463843789-3877896393-3178144628-1000	value_name = ProfileImagePath, data_ident_out = 67	2	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = Run	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Command Processor	value_name = AutoRun	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Control Panel\Desktop	value_name = SCRNSAVE.EXE	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\Run	value_name = esentutl	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\Run	value_name = esentutl, data_ident_out = 34	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	value_name = esentutl	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	value_name = esentutl, data_ident_out = 34	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = Run	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = Run, data_ident_out = 34	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Command Processor	value_name = AutoRun	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Command Processor	value_name = AutoRun, data_ident_out = 34	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Control Panel\Desktop	value_name = SCRNSAVE.EXE	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Control Panel\Desktop	value_name = SCRNSAVE.EXE, data_ident_out = 34	1	Fn
READ_VALUE	HKEY_USERS\.DEFAULT\Software\Microsoft\Command Processor	value_name = AutoRun	1	Fn
READ_VALUE	HKEY_USERS\.DEFAULT\Control Panel\Desktop	value_name = SCRNSAVE.EXE	1	Fn
WRITE_VALUE	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}	value_name = Component_01	1	Fn Data
WRITE_VALUE	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}	value_name = Component_00	1	Fn Data
WRITE_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\Run	value_name = esentutl, data = "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe"	1	Fn
WRITE_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	value_name = esentutl, data = "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe"	1	Fn
WRITE_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = Run, data = "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe"	1	Fn
WRITE_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Command Processor	value_name = AutoRun, data = "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe"	1	Fn
WRITE_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Control Panel\Desktop	value_name = SCRNSAVE.EXE, data = "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe"	1	Fn

User (10)

Operation	User/Group/Server	Additional Information	Count	Logfile
LOOKUP_PRIVILEGE	Localhost	privilege = SeDebugPrivilege	1	Fn
SET_PRIVILEGE	Localhost	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe, os_pid = 0x6ec, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeDebugPrivilege	1	Fn
GET_INFO	Administrator	server_name = Localhost	2	Fn
GET_INFO	Guest	server_name = Localhost	2	Fn
GET_INFO	hJrD1KOKY DS8lUjv	server_name = Localhost	2	Fn
ENUMERATE	Administrator, Guest, hJrD1KOKY DS8lUjv	server_name = Localhost, filter = FILTER_NORMAL_ACCOUNT	2	Fn

Window (1)

Operation	Window Name	Additional Information	Success	Count	Logfile
CREATE		class_name = HV#pz[VRUySm[k]kYebgt1}U mRQCyI&3WXos3wXqI~t_%y~12N}aMq>b=A<+<V6)BG5r5s))U[<Dx&%PS^i$cz(lV=#KM}w(^V)}Jd27A~ILxSH2>me3!0)-sWogD@Dg=25@P7scdFojbEh2oS1Y_wWvhG[l=la{0FWfpF8vBXBJkIr]6NvtV#-kq%2j<T2sRkz[sM+fMBPJ{yE%%ouz(q}Gie$)E$EKpc+MkxU6!<eoEd* BRCvtndF9SC*, x_coordinate = 1, y_coordinate = 1, width = 1, height = 1, window_parameter = 0		1	Fn

System (1)

Operation	Information	Success	Count	Logfile
SLEEP	duration = -1 (infinite)		1	Fn

Mutex (1)

Operation	Name	Additional Information	Success	Count	Logfile
OPEN	shell.{0835FA03-68AC-09B6-0CE4-703246A746AB}	desired_access = SYNCHRONIZE		1	Fn

Process #2: esentutl.exe

(Host: 208, Network: 1003)

Information	Value
ID / OS PID	#2 / 0x7b8
OS Parent PID	0x6ec (c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe)
Initial Working Directory	C:\Users\hJrD1KOKY DS8lUjv\Desktop
File Name	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe
Command Line	"C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe"
Monitor	Start Time: 00:00:13, Reason: Child Process
Unmonitor	End Time: 00:00:35, Reason: Terminated
Monitor Duration	00:00:22
OS Thread IDs	#6 0x6A0 #7 0x448 #11 0x478 #12 0x4A4 #13 0x634 #15 0x314 #108 0x880 #114 0x8B0 #116 0x8CC #118 0x8E8 #119 0x8EC #120 0x8F0 #121 0x8F8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x001a0000	0x00206fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000210000	0x00210000	0x00225fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000230000	0x00230000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x002affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002b0000	0x002b0000	0x002ccfff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000002d0000	0x002d0000	0x0034ffff	Private Memory	Readable, Writable	Region Actions
C_1251.NLS	0x00350000	0x00360fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000370000	0x00370000	0x003affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003b0000	0x003b0000	0x003b0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000003c0000	0x003c0000	0x003c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003d0000	0x003d0000	0x003d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000003e0000	0x003e0000	0x003effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003f0000	0x003f0000	0x003f1fff	Pagefile Backed Memory	Readable	Region Actions
esentutl.exe	0x00400000	0x0042afff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download
pagefile_0x0000000000430000	0x00430000	0x0050efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000510000	0x00510000	0x0054ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000510000	0x00510000	0x00511fff	Pagefile Backed Memory	Readable	Region Actions
index.dat	0x00520000	0x0052bfff	Memory Mapped File	Readable, Writable	Region Actions Download
index.dat	0x00530000	0x00533fff	Memory Mapped File	Readable, Writable	Region Actions Download
index.dat	0x00540000	0x00547fff	Memory Mapped File	Readable, Writable	Region Actions Download
pagefile_0x0000000000550000	0x00550000	0x00550fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000550000	0x00550000	0x00550fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000560000	0x00560000	0x0065ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000660000	0x00660000	0x007e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007f0000	0x007f0000	0x007f1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000800000	0x00800000	0x0080ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000810000	0x00810000	0x00990fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000009a0000	0x009a0000	0x01d9ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001da0000	0x01da0000	0x01e9ffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll.mui	0x01ea0000	0x01f5ffff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x0000000001f60000	0x01f60000	0x01f60fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x01f70000	0x01f73fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001f80000	0x01f80000	0x01fbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001fc0000	0x01fc0000	0x020bffff	Private Memory	Readable, Writable	Region Actions
{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000009.db	0x020c0000	0x020d5fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000020e0000	0x020e0000	0x020e0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
cversions.2.db	0x020f0000	0x020f3fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002100000	0x02100000	0x0213ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x02140000	0x0240efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002410000	0x02410000	0x0250ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002510000	0x02510000	0x0260ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002510000	0x02510000	0x0254ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002550000	0x02550000	0x0258ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002560000	0x02560000	0x0256ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000025b0000	0x025b0000	0x025bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000025d0000	0x025d0000	0x025dffff	Private Memory	Readable, Writable	Region Actions
{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000a.db	0x02610000	0x0263ffff	Memory Mapped File	Readable	Region Actions
{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db	0x02640000	0x026a5fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000026b0000	0x026b0000	0x02aa2fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002ab0000	0x02ab0000	0x02ab0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000002ac0000	0x02ac0000	0x02afffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b00000	0x02b00000	0x02bfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c00000	0x02c00000	0x02c3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c40000	0x02c40000	0x02d3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002d40000	0x02d40000	0x02e3ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002e40000	0x02e40000	0x02e40fff	Pagefile Backed Memory	Readable, Writable	Region Actions
cversions.2.db	0x02e50000	0x02e53fff	Memory Mapped File	Readable	Region Actions
oleaccrc.dll	0x02e60000	0x02e60fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002e60000	0x02e60000	0x02f5ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002e70000	0x02e70000	0x02e71fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002f60000	0x02f60000	0x02f9ffff	Private Memory	Readable, Writable	Region Actions
index.dat	0x02fa0000	0x02fdffff	Memory Mapped File	Readable, Writable	Region Actions Download
private_0x0000000002fe0000	0x02fe0000	0x0301ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003020000	0x03020000	0x0311ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003120000	0x03120000	0x0321ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003220000	0x03220000	0x0325ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000032f0000	0x032f0000	0x0332ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000003330000	0x03330000	0x03672fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000003680000	0x03680000	0x0377ffff	Private Memory	Readable, Writable	Region Actions
ieframe.dll	0x739d0000	0x7444ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc6.dll	0x742e0000	0x742ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x742f0000	0x74301fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
npmproxy.dll	0x74310000	0x74317fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x74320000	0x7432dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74330000	0x7436afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74370000	0x74385fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netprofm.dll	0x74390000	0x743e9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FWPUCLNT.DLL	0x743f0000	0x74427fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x74430000	0x74435fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WSHTCPIP.DLL	0x74440000	0x74444fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x74450000	0x7445afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x74460000	0x74480fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x74490000	0x7462dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x74630000	0x74724fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winrnr.dll	0x74730000	0x74737fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pnrpnsp.dll	0x74740000	0x74751fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
NapiNSP.dll	0x74760000	0x7476ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasadhlp.dll	0x74770000	0x74775fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x74780000	0x7478ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
SensApi.dll	0x74790000	0x74795fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x747a0000	0x747b2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rtutils.dll	0x747c0000	0x747ccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasman.dll	0x747d0000	0x747e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasapi32.dll	0x747f0000	0x74841fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x74850000	0x74856fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IPHLPAPI.DLL	0x74860000	0x7487bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x74880000	0x748c3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleacc.dll	0x74890000	0x748cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x748d0000	0x7491bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x74920000	0x7492efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x74930000	0x7493efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x74940000	0x74958fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x74960000	0x74968fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x74970000	0x74980fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x74990000	0x749a1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x749b0000	0x749b8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x749c0000	0x74a10fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x74a20000	0x74a9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x74aa0000	0x74adbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74ae0000	0x74ae7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74af0000	0x74b4bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74b50000	0x74b8efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74c90000	0x74c9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ca0000	0x74cfffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74d00000	0x74d5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x74d90000	0x74eebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x74f50000	0x74f55fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x74f60000	0x7500bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75010000	0x75104fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x75110000	0x75192fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x751a0000	0x751f6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75200000	0x7528ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75290000	0x7538ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x75390000	0x753d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x75470000	0x7550cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75510000	0x75519fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75520000	0x75655fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x75660000	0x75671fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x75680000	0x7581cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75820000	0x7592ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75930000	0x759cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x759e0000	0x759ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x759f0000	0x75a7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x75a80000	0x75aa9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75ab0000	0x766f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x76700000	0x768fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76900000	0x769effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x769f0000	0x76a24fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76a30000	0x76a48fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x76a50000	0x76a76fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76a80000	0x76b4bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x76b50000	0x76c6cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x76c70000	0x76cb4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076d40000	0x76d40000	0x76e5efff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076e60000	0x76e60000	0x76f59fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f60000	0x77108fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77110000	0x77114fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77140000	0x772bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007ef9e000	0x7ef9e000	0x7efa0fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa1000	0x7efa1000	0x7efa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa4000	0x7efa4000	0x7efa6fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa7000	0x7efa7000	0x7efa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\hjrd1koky ds8lujv\appdata\local\microsoft\windows\temporary internet files\content.ie5\pmmr5k9k\json[1]	0.21 KB (219 bytes)	MD5: 09fe17a7ae104aaf72f596d1b61ebaaf SHA1: b2d708cc49d7d0bdb63a7f2baaaa77dec116c56f SHA256: 6645aae9e4f1b450e44748f0438e9beed49ce51a280b286e27f47b46ba70d6c7		File Actions Show Properties Download

Modified Files

Filename	File Size	Hash Values	Actions
c:\users\hjrd1koky ds8lujv\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat	48.00 KB (49152 bytes)	MD5: e6b1de6678d90bcb09e9f80b9a7e9b19 SHA1: 60fba1f703325131737b4d497239dba8af92491c SHA256: 744862c62b36201f4cf54b2809fc4e21e5819df25f51bebe5d88c65c7963790a	File Actions Show Properties Download
c:\users\hjrd1koky ds8lujv\appdata\roaming\microsoft\windows\cookies\index.dat	16.00 KB (16384 bytes)	MD5: d7a950fefd60dbaa01df2d85fefb3862 SHA1: 15740b197555ba8e162c37a60ba655151e3bebae SHA256: 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a	File Actions Show Properties Download
c:\users\hjrd1koky ds8lujv\appdata\local\microsoft\windows\history\history.ie5\index.dat	32.00 KB (32768 bytes)	MD5: 5a8d4270f45ec3e2b9386f235de25fea SHA1: aa48c9431ecf28d39c56ea43b084039a4f9e1f7e SHA256: a079616c415e9e394bbb8175baeadbd23a306f534b7c8c4d9ea75c6f5e368169	File Actions Show Properties Download
c:\users\hjrd1koky ds8lujv\appdata\roaming\microsoft\windows\ietldcache\index.dat	256.00 KB (262144 bytes)	MD5: 523c9c2f0803c81fb5baf9ae734c5313 SHA1: 2bdb52c4b4920a39084818ab848a39bde4e6fe19 SHA256: 8f32b74a611bdcf55195007d815d1028c287d4068c1feea68061aeec9626455f	File Actions Show Properties Download

Host Behavior

File (2)

Operation	Filename	Additional Information	Success	Count	Logfile
CREATE	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING		2	Fn

Process (12)

Operation	Process Name	Additional Information	Count	Logfile
CREATE	C:\Windows\system32\vssadmin.exe	operation = runas, show_window = SW_HIDE	1	Fn
CREATE	C:\Windows\system32\wbem\wmic.exe	operation = runas, show_window = SW_HIDE	1	Fn
CREATE	bcdedit.exe	operation = runas, show_window = SW_HIDE	2	Fn
OPEN	c:\windows\system32\conhost.exe	os_pid = 0x7b8, desired_access = PROCESS_ALL_ACCESS	1	Fn
OPEN	c:\windows\system32\conhost.exe	os_pid = 0x7b8, desired_access = PROCESS_ALL_ACCESS	1	Fn
OPEN_TOKEN	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe	os_pid = 0x6ec, desired_access = PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, desired_access = PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION	2	Fn
OPEN_TOKEN	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe	os_pid = 0x6ec, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
OPEN_TOKEN	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe	os_pid = 0x6ec, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE	1	Fn
OPEN_TOKEN	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe	os_pid = 0x6ec, desired_access = PROCESS_VM_OPERATION, READ_CONTROL, desired_access = PROCESS_VM_OPERATION, READ_CONTROL	1	Fn
SET_CURDIR	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	os_pid = 0x7b8, new_path_name = c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}	1	Fn

Module (139)

Operation	Module	Additional Information	Count	Logfile
LOAD	CRYPT32.dll	base_address = 0x0	1	Fn
LOAD	WININET.dll	base_address = 0x0	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x0	1	Fn
LOAD	VERSION.dll	base_address = 0x0	1	Fn
LOAD	MPR.dll	base_address = 0x0	1	Fn
LOAD	imagehlp.dll	base_address = 0x0	1	Fn
LOAD	WS2_32.dll	base_address = 0x0	1	Fn
LOAD	KERNEL32.dll	base_address = 0x0	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x0	1	Fn
LOAD	USER32.dll	base_address = 0x0	1	Fn
LOAD	ole32.dll	base_address = 0x0	1	Fn
LOAD	SHELL32.dll	base_address = 0x0	1	Fn
LOAD	ntdll.dll	base_address = 0x0	1	Fn
LOAD	OLEAUT32.dll	base_address = 0x0	1	Fn
LOAD	GDI32.dll	base_address = 0x0	1	Fn
LOAD	NETAPI32.dll	base_address = 0x0	1	Fn
GET_HANDLE	c:\windows\syswow64\kernel32.dll	base_address = 0x75820000	4	Fn
GET_HANDLE	c:\windows\syswow64\user32.dll	base_address = 0x75290000	1	Fn
GET_HANDLE	c:\windows\syswow64\mswsock.dll	base_address = 0x74aa0000	1	Fn
GET_HANDLE	c:\windows\syswow64\gdi32.dll	base_address = 0x75200000	1	Fn
GET_HANDLE	it	base_address = 0x0	24	Fn
GET_HANDLE	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	base_address = 0x400000	5	Fn
CREATE_MAPPING	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	module_name = Nameless FileMapping, maximum_size = 0, protection = PAGE_READONLY	2	Fn
MAP	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	process_name = c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe, os_pid = 0x7b8, module_name = Nameless FileMapping, desired_access = FILE_MAP_READ, file_offset = 0, address = 0x370000	1	Fn
MAP	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	process_name = c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe, os_pid = 0x7b8, module_name = Nameless FileMapping, desired_access = FILE_MAP_READ, file_offset = 0, address = 0x25e0000	1	Fn
UNMAP	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	os_pid = 0x7b8, base_address = 0x370000	1	Fn
UNMAP	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	os_pid = 0x7b8, base_address = 0x25e0000	1	Fn
GET_FILENAME	NETAPI32.dll	file_name = C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualProtect, address = 0x7583435f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = IMPGetIMEA, address = 0x75307331	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = SetForegroundWindow, address = 0x752cf170	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = ShowWindow, address = 0x752b0dfb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetSysColor, address = 0x752a6c3c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetKeyboardLayoutNameA, address = 0x75306bd9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = IsWindow, address = 0x752a7136	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetSystemMetrics, address = 0x752a7d2f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = SetWindowPos, address = 0x752a8e4e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetFocus, address = 0x752b0dee	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = SetMenuInfo, address = 0x752fd222	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = DispatchMessageA, address = 0x752a7bbb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = InvalidateRect, address = 0x752b1381	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = WSPStartup, address = 0x74aa8a9b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = dn_expand, address = 0x74abb97c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = sethostname, address = 0x74ab6582	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = MigrateWinsockConfiguration, address = 0x74aacd27	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = NPLoadNameSpaces, address = 0x74ac1a3e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetNameByTypeA, address = 0x74abe59f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = TransmitFile, address = 0x74abc7e2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = inet_network, address = 0x74ab6597	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetAddressByNameA, address = 0x74abddb5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetAcceptExSockaddrs, address = 0x74abc9da	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetTypeByNameW, address = 0x74abdfd7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = WSARecvEx, address = 0x74ac1b55	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetServiceW, address = 0x74abf340	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = SetServiceA, address = 0x74abefae	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = EnumProtocolsW, address = 0x74abcc25	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetTypeByNameA, address = 0x74abe260	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = SetServiceW, address = 0x74abf118	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = StartWsdpService, address = 0x74ab633d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = EnumProtocolsA, address = 0x74abd368	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = rexec, address = 0x74ab656d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = StopWsdpService, address = 0x74ab5e56	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentThreadId, address = 0x75831450	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = InterlockedDecrement, address = 0x758313f0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapCreate, address = 0x75834a2d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetThreadLocale, address = 0x758335cf	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = QueryPerformanceCounter, address = 0x75831725	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = lstrlenW, address = 0x75831700	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FileTimeToSystemTime, address = 0x7583542c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = UnhandledExceptionFilter, address = 0x7585772f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x758387c9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address = 0x7583110c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetStringTypeW, address = 0x75831946	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetConsoleAliasesA, address = 0x758d6680	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = lstrlenA, address = 0x75835a4b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = lstrcmpiA, address = 0x75833e8e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address = 0x7584d802	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FreeEnvironmentStringsA, address = 0x7583e349	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FreeEnvironmentStringsW, address = 0x758351cb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address = 0x77181f6e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetFileAttributesW, address = 0x75831b18	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCPInfo, address = 0x75835189	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address = 0x75831809	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LCMapStringA, address = 0x7585bc39	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetOEMCP, address = 0x7585d1a1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address = 0x758334b0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentStringsW, address = 0x758351e3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x75833509	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address = 0x75831856	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address = 0x758311f8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address = 0x7583170d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LCMapStringW, address = 0x758317b9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetHandleCount, address = 0x7583cb29	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetStringTypeA, address = 0x75858266	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = lstrcmpiW, address = 0x7584d5cd	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentStrings, address = 0x7583e361	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetSystemTime, address = 0x75835a96	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetStdHandle, address = 0x758b454f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GlobalSize, address = 0x7584d16f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreateICW, address = 0x7521c040	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreateICA, address = 0x75217c2e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = GetCharWidth32W, address = 0x7521c93c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = DeleteObject, address = 0x75215689	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreatePen, address = 0x7521ba4f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreateRectRgnIndirect, address = 0x7521a764	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreateDCA, address = 0x75217bcc	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = IsWow64Process, address = 0x7583195e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = Wow64DisableWow64FsRedirection, address = 0x7584d650	1	Fn

Com (4)

Operation	Class	Interface	Additional Information	Count	Logfile
CREATE	ShellLink	IShellLinkW	cls_context = CLSCTX_INPROC_SERVER	1	Fn
QUERY	ShellLink	IShellLinkW	new_interface = IPersistFile,	1	Fn
METHOD	ShellLink	IPersistFile	method = Load	1	Fn
METHOD	ShellLink	IShellLinkW	method = GetPath	1	Fn

Registry (45)

Operation	Key	Additional Information	Count	Logfile
CREATE_KEY	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}		5	Fn
CREATE_KEY	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion		2	Fn
CREATE_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\Run		1	Fn
CREATE_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce		1	Fn
CREATE_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer		1	Fn
CREATE_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Command Processor		1	Fn
CREATE_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Control Panel\Desktop		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1463843789-3877896393-3178144628-1000		1	Fn
OPEN_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\Run		1	Fn
OPEN_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce		1	Fn
OPEN_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer		1	Fn
OPEN_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Command Processor		1	Fn
OPEN_KEY	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Control Panel\Desktop		1	Fn
READ_VALUE	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}	value_name = Component_02	2	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	value_name = ProgramFilesDir (x86)	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	value_name = ProgramFilesDir (x86), data_ident_out = 67	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	value_name = ProgramFilesDir	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	value_name = ProgramFilesDir, data_ident_out = 67	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}	value_name = Component_00	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}	value_name = Component_00, data_ident_out = 154	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}	value_name = Component_01, data_ident_out = 103	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1463843789-3877896393-3178144628-1000	value_name = ProfileImagePath, data_ident_out = 67	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\Run	value_name = esentutl	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\Run	value_name = esentutl, data_ident_out = 34	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	value_name = esentutl	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	value_name = esentutl, data_ident_out = 34	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = Run	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = Run, data_ident_out = 34	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Command Processor	value_name = AutoRun	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Command Processor	value_name = AutoRun, data_ident_out = 34	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Control Panel\Desktop	value_name = SCRNSAVE.EXE	1	Fn
READ_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Control Panel\Desktop	value_name = SCRNSAVE.EXE, data_ident_out = 34	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}	value_name = Installed, data_ident_out = 0	2	Fn
WRITE_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\Run	value_name = esentutl, data = "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe"	1	Fn
WRITE_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	value_name = esentutl, data = "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe"	1	Fn
WRITE_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = Run, data = "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe"	1	Fn
WRITE_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Software\Microsoft\Command Processor	value_name = AutoRun, data = "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe"	1	Fn
WRITE_VALUE	HKEY_USERS\S-1-5-21-1463843789-3877896393-3178144628-1000\Control Panel\Desktop	value_name = SCRNSAVE.EXE, data = "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe"	1	Fn

User (2)

Operation	User/Group/Server	Additional Information	Success	Count	Logfile
LOOKUP_PRIVILEGE	Localhost	privilege = SeDebugPrivilege		1	Fn
SET_PRIVILEGE	Localhost	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe, os_pid = 0x6ec, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeDebugPrivilege		1	Fn

Window (1)

Operation	Window Name	Additional Information	Success	Count	Logfile
CREATE		class_name = ia2%bd_$!C(~ow(Be(^WcO-77 WO=3OU9QxCnL{TC+w0b^]a7G}Hou00N]5@M!1iZVh<4mCyn9+Mx%Uu^B+q~zP=]eF8=xXdoCF+t{NHhbI7sj ]#UzjG3J8OUV8yV+r510#}f88(oz&~g6@1[aRV[zu$Qbu3W62R8!LuZ1ILE8*dkm-TY1BCC52Q3c>Y}m1R9&b(mblCv<soKw^LCyf3F+L!Jt%8p{V3!eOP@fhW5Xo9)M$oXLv)2E}-52, x_coordinate = 1, y_coordinate = 1, width = 1, height = 1, window_parameter = 0		1	Fn

Keyboard (2)

Operation	Virtual Key Code	Additional Information	Success	Count	Logfile
GET_INFO	KB_LOCALE_ID			2	Fn

Mutex (1)

Operation	Name	Additional Information	Success	Count	Logfile
CREATE	shell.{0835FA03-68AC-09B6-0CE4-703246A746AB}	initial_owner = 0		1	Fn

Network Behavior

HTTP Session (1)

Remote Address	Remote Port	Username	Password	Success	Count
ipinfo.io	80				1

HTTP Request (1)

Method	URL	Success	Count
GET	http://ipinfo.io/json		1

TCP Outgoing Connection (1)

Remote Address	Remote Port	L7Protocol	Success	Count
ipinfo.io	80	http		1

UDP Outgoing Message (1000)

Remote Address	Remote Port	Packet Size	Success	Count
85.93.0.0	6892	9		1000

Process #3: cmd.exe

(Host: 55, Network: 0)

Information	Value
ID / OS PID	#3 / 0x744
OS Parent PID	0x6ec (c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe)
Initial Working Directory	C:\Users\hJrD1KOKY DS8lUjv\Desktop
File Name	c:\windows\syswow64\cmd.exe
Command Line	/d /c taskkill /t /f /im "d8891477315db13a640ed5956a636951.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\hJrD1KOKY DS8lUjv\Desktop\d8891477315db13a640ed5956a636951.exe" > NUL
Monitor	Start Time: 00:00:13, Reason: Child Process
Unmonitor	End Time: 00:00:19, Reason: Terminated
Monitor Duration	00:00:06
OS Thread IDs	#8 0x65C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x000effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x0010ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000120000	0x00120000	0x00120fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x0028ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00290000	0x002f6fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000360000	0x00360000	0x0045ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000460000	0x00460000	0x005e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005f0000	0x005f0000	0x00770fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000780000	0x00780000	0x01b7ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001b80000	0x01b80000	0x01ec2fff	Pagefile Backed Memory	Readable	Region Actions
cmd.exe	0x4aae0000	0x4ab2bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x74910000	0x74916fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74ae0000	0x74ae7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74af0000	0x74b4bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74b50000	0x74b8efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74c90000	0x74c9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ca0000	0x74cfffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74d00000	0x74d5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x74f60000	0x7500bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75200000	0x7528ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75290000	0x7538ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x75390000	0x753d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x75470000	0x7550cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75510000	0x75519fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75820000	0x7592ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75930000	0x759cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76900000	0x769effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76a30000	0x76a48fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76a80000	0x76b4bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076d40000	0x76d40000	0x76e5efff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076e60000	0x76e60000	0x76f59fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f60000	0x77108fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77140000	0x772bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

File (27)

Operation	Filename	Additional Information	Count	Logfile
CREATE	\device\null	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	3	Fn
OPEN	STD_OUTPUT_HANDLE		9	Fn
OPEN	STD_INPUT_HANDLE		3	Fn
OPEN	\device\null		11	Fn
DELETE	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe		1	Fn

Process (3)

Operation	Process Name	Additional Information	Count	Logfile
CREATE	C:\Windows\system32\taskkill.exe	os_tid = 0x490, os_pid = 0x484, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, current_directory = C:\Users\hJrD1KOKY DS8lUjv\Desktop, show_window = SW_SHOWNORMAL	1	Fn
CREATE	C:\Windows\system32\PING.EXE	os_tid = 0x830, os_pid = 0x82c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, current_directory = C:\Users\hJrD1KOKY DS8lUjv\Desktop, show_window = SW_SHOWNORMAL	1	Fn
SET_CURDIR	c:\windows\syswow64\cmd.exe	os_pid = 0x744, new_path_name = c:\users\hjrd1koky ds8lujv\desktop	1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
GET_HANDLE	c:\windows\syswow64\cmd.exe	base_address = 0x4aae0000	1	Fn
GET_HANDLE	c:\windows\syswow64\kernel32.dll	base_address = 0x75820000	2	Fn
GET_FILENAME	C:\Windows\SysWOW64\cmd.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetThreadUILanguage, address = 0x7584a84f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address = 0x75853b92	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address = 0x75834a5d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetConsoleInputExeNameW, address = 0x7584a79d	1	Fn

Registry (17)

Operation	Key	Additional Information	Count	Logfile
OPEN_KEY	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor		1	Fn
OPEN_KEY	HKEY_CURRENT_USER\Software\Microsoft\Command Processor		1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data_ident_out = 0	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data_ident_out = 1	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data_ident_out = 1	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data_ident_out = 0	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data_ident_out = 64	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data_ident_out = 64	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data_ident_out = 64	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data_ident_out = 64	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data_ident_out = 1	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data_ident_out = 1	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data_ident_out = 0	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data_ident_out = 9	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data_ident_out = 9	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data_ident_out = "C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe"	1	Fn

Process #4: taskkill.exe

Information	Value
ID / OS PID	#4 / 0x484
OS Parent PID	0x744 (c:\windows\syswow64\cmd.exe)
Initial Working Directory	C:\Users\hJrD1KOKY DS8lUjv\Desktop
File Name	c:\windows\syswow64\taskkill.exe
Command Line	taskkill /t /f /im "d8891477315db13a640ed5956a636951.exe"
Monitor	Start Time: 00:00:14, Reason: Child Process
Unmonitor	End Time: 00:00:18, Reason: Terminated
Monitor Duration	00:00:04
OS Thread IDs	#9 0x490 #10 0x474 #14 0x7BC #16 0x7EC #17 0x310
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x000affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000b0000	0x000b0000	0x000b1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
taskkill.exe.mui	0x000c0000	0x000c3fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000100000	0x00100000	0x0017ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00180000	0x001e6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000001f0000	0x001f0000	0x001f0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000210000	0x00210000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x0028ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002a0000	0x002a0000	0x0039ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003a0000	0x003a0000	0x00527fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000550000	0x00550000	0x0055ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000560000	0x00560000	0x006e0fff	Pagefile Backed Memory	Readable	Region Actions
KernelBase.dll.mui	0x006f0000	0x007affff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000007b0000	0x007b0000	0x007effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000820000	0x00820000	0x0085ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000880000	0x00880000	0x008bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000900000	0x00900000	0x0093ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000960000	0x00960000	0x0099ffff	Private Memory	Readable, Writable	Region Actions
taskkill.exe	0x00a40000	0x00a55fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000a60000	0x00a60000	0x01e5ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001e60000	0x01e60000	0x01f5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f70000	0x01f70000	0x01faffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x01fb0000	0x0227efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002280000	0x02280000	0x022bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000022c0000	0x022c0000	0x022fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002350000	0x02350000	0x0238ffff	Private Memory	Readable, Writable	Region Actions
wmiutils.dll	0x742c0000	0x742d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdsapi.dll	0x742e0000	0x742f7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fastprox.dll	0x74300000	0x74395fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemsvc.dll	0x743a0000	0x743aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x743b0000	0x743bdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x743c0000	0x743fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74400000	0x74415fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x74420000	0x74448fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemcomn.dll	0x74730000	0x7478bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemprox.dll	0x74790000	0x74799fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dbghelp.dll	0x747c0000	0x748aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x748b0000	0x748bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
framedynos.dll	0x748c0000	0x748f4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x74900000	0x74907fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x74930000	0x7493efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x74940000	0x74958fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x74960000	0x74968fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x74970000	0x74980fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x74990000	0x749a1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x749b0000	0x749b8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74ae0000	0x74ae7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74af0000	0x74b4bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74b50000	0x74b8efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74c90000	0x74c9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ca0000	0x74cfffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74d00000	0x74d5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x74d90000	0x74eebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x74f50000	0x74f55fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x74f60000	0x7500bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x75110000	0x75192fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x751a0000	0x751f6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75200000	0x7528ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75290000	0x7538ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x75390000	0x753d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x75470000	0x7550cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75510000	0x75519fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75820000	0x7592ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75930000	0x759cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x759f0000	0x75a7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76900000	0x769effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x769f0000	0x76a24fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76a30000	0x76a48fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76a80000	0x76b4bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076d40000	0x76d40000	0x76e5efff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076e60000	0x76e60000	0x76f59fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f60000	0x77108fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77140000	0x772bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Process #6: vssadmin.exe

Information	Value
ID / OS PID	#6 / 0x698
OS Parent PID	0x7b8 (c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe)
Initial Working Directory	C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}
File Name	c:\windows\system32\vssadmin.exe
Command Line	"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
Monitor	Start Time: 00:00:17, Reason: Child Process
Unmonitor	End Time: 00:00:24, Reason: Terminated
Monitor Duration	00:00:07
OS Thread IDs	#61 0x57C #62 0x454 #63 0x338 #64 0x6C4 #65 0x540
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
vssadmin.exe.mui	0x000e0000	0x000ecfff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000110000	0x00110000	0x00110fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000120000	0x00120000	0x00120fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001b0000	0x001b0000	0x0022ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000230000	0x00230000	0x0032ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000370000	0x00370000	0x0037ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000410000	0x00410000	0x0050ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000510000	0x00510000	0x00697fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006a0000	0x006a0000	0x00820fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000830000	0x00830000	0x01c2ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001c80000	0x01c80000	0x01cfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001dd0000	0x01dd0000	0x01e4ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x01e50000	0x0211efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002250000	0x02250000	0x022cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002300000	0x02300000	0x0237ffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll	0x76d40000	0x76e5efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76e60000	0x76f59fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f60000	0x77108fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff2000	0x7fff2000	0x7fff2fff	Private Memory	Readable, Writable	Region Actions
vssadmin.exe	0xff400000	0xff42cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vss_ps.dll	0x7fef5800000	0x7fef5813fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vsstrace.dll	0x7fefa0b0000	0x7fefa0c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vssapi.dll	0x7fefa0d0000	0x7fefa27ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x7fefaa80000	0x7fefaa98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefc4a0000	0x7fefc4e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefc7a0000	0x7fefc7b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefcda0000	0x7fefcdaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefce90000	0x7fefcea3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefd0d0000	0x7fefd13afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefd290000	0x7fefd2aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefd430000	0x7fefd632fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefd8d0000	0x7fefd9aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefe740000	0x7fefe7a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7fefe7b0000	0x7fefe886fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe890000	0x7fefe89dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe8a0000	0x7fefe9ccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefe9d0000	0x7fefea68fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefea70000	0x7fefea9dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefeb20000	0x7fefebe8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefed40000	0x7fefeddefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feff160000	0x7feff268fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff280000	0x7feff280fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #11: ping.exe

(Host: 11, Network: 2)

Information	Value
ID / OS PID	#11 / 0x82c
OS Parent PID	0x744 (c:\windows\syswow64\cmd.exe)
Initial Working Directory	C:\Users\hJrD1KOKY DS8lUjv\Desktop
File Name	c:\windows\syswow64\ping.exe
Command Line	ping -n 1 127.0.0.1
Monitor	Start Time: 00:00:18, Reason: Child Process
Unmonitor	End Time: 00:00:19, Reason: Terminated
Monitor Duration	00:00:01
OS Thread IDs	#104 0x830 #105 0x838 #106 0x840 #107 0x844

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable, Writable	Region Actions
ping.exe.mui	0x00080000	0x00082fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000a0000	0x000a0000	0x000a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000b0000	0x000b0000	0x000effff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x000f0000	0x00156fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000170000	0x00170000	0x001affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001d0000	0x001d0000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000230000	0x00230000	0x002affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000330000	0x00330000	0x0042ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000440000	0x00440000	0x0047ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000490000	0x00490000	0x004cffff	Private Memory	Readable, Writable	Region Actions
PING.EXE	0x00510000	0x00517fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000520000	0x00520000	0x0055ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000570000	0x00570000	0x005affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005d0000	0x005d0000	0x0060ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000650000	0x00650000	0x0065ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000660000	0x00660000	0x007e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007f0000	0x007f0000	0x00970fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000980000	0x00980000	0x01d7ffff	Pagefile Backed Memory	Readable	Region Actions
SortDefault.nls	0x01d80000	0x0204efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002220000	0x02220000	0x0225ffff	Private Memory	Readable, Writable	Region Actions
WSHTCPIP.DLL	0x748d0000	0x748d4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x748e0000	0x748e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IPHLPAPI.DLL	0x748f0000	0x7490bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x74aa0000	0x74adbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74ae0000	0x74ae7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74af0000	0x74b4bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74b50000	0x74b8efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74c90000	0x74c9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ca0000	0x74cfffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74d00000	0x74d5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x74f50000	0x74f55fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x74f60000	0x7500bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75200000	0x7528ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75290000	0x7538ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x75390000	0x753d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x75470000	0x7550cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75510000	0x75519fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75820000	0x7592ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75930000	0x759cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76900000	0x769effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x769f0000	0x76a24fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76a30000	0x76a48fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76a80000	0x76b4bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076d40000	0x76d40000	0x76e5efff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076e60000	0x76e60000	0x76f59fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f60000	0x77108fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77140000	0x772bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

File (8)

Operation	Additional Information	Count	Logfile
WRITE	size = 20	1	Fn Data
WRITE	size = 24	1	Fn Data
WRITE	size = 22	1	Fn Data
WRITE	size = 9	3	Fn Data
WRITE	size = 92	1	Fn Data
WRITE	size = 97	1	Fn Data

Module (1)

Operation	Module	Additional Information	Success	Count	Logfile
GET_HANDLE	c:\windows\syswow64\ping.exe	base_address = 0x510000		1	Fn

Registry (2)

Operation	Key	Additional Information	Success	Count	Logfile
OPEN_KEY	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters			1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters	value_name = DefaultTTL, data_ident_out = 0		1	Fn

Network Behavior

DNS (1)

Operation	Host	Additional Information	Success	Count	Logfile
RESOLVE_NAME	127.0.0.1			1	Fn

ICMP (1)

Operation	Host	Additional Information	Success	Count	Logfile
SEND	127.0.0.1	source_address = 0.0.0.0, timeout = 4000		1	Fn

Process #12: wmic.exe

Information	Value
ID / OS PID	#12 / 0x884
OS Parent PID	0x7b8 (c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe)
Initial Working Directory	C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}
File Name	c:\windows\system32\wbem\wmic.exe
Command Line	"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
Monitor	Start Time: 00:00:24, Reason: Child Process
Unmonitor	End Time: 00:00:24, Reason: Terminated
Monitor Duration	00:00:00
OS Thread IDs	#109 0x888 #110 0x89C #111 0x8A0 #112 0x8A4 #113 0x8A8
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
WMIC.exe.mui	0x000e0000	0x000effff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000110000	0x00110000	0x00110fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000120000	0x00120000	0x00120fff	Pagefile Backed Memory	Readable	Region Actions
msxml3r.dll	0x00130000	0x00130fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000140000	0x00140000	0x0015ffff	Private Memory	-	Region Actions
pagefile_0x0000000000160000	0x00160000	0x00161fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000170000	0x00170000	0x00170fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000180000	0x00180000	0x00181fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000190000	0x00190000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
index.dat	0x00210000	0x0021bfff	Memory Mapped File	Readable, Writable	Region Actions
index.dat	0x00220000	0x00223fff	Memory Mapped File	Readable, Writable	Region Actions
index.dat	0x00230000	0x00237fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000290000	0x00290000	0x0038ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000390000	0x00390000	0x0048ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004b0000	0x004b0000	0x0052ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000530000	0x00530000	0x0053ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000540000	0x00540000	0x006c7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006d0000	0x006d0000	0x00850fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000860000	0x00860000	0x01c5ffff	Pagefile Backed Memory	Readable	Region Actions
KernelBase.dll.mui	0x01c60000	0x01d1ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000001d90000	0x01d90000	0x01e0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e30000	0x01e30000	0x01eaffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ee0000	0x01ee0000	0x01f5ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x01f60000	0x0222efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002300000	0x02300000	0x0237ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002450000	0x02450000	0x024cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000024d0000	0x024d0000	0x025aefff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000025d0000	0x025d0000	0x0264ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002650000	0x02650000	0x02a4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b20000	0x02b20000	0x02b9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ba0000	0x02ba0000	0x02c1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c20000	0x02c20000	0x02c9ffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll	0x76d40000	0x76e5efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76e60000	0x76f59fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f60000	0x77108fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fffb000	0x7fffb000	0x7fffbfff	Private Memory	Readable, Writable	Region Actions
WMIC.exe	0xff840000	0xff8ccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msxml3.dll	0x7fef49f0000	0x7fef4bc3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
framedynos.dll	0x7fef53f0000	0x7fef543bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemsvc.dll	0x7fef8f10000	0x7fef8f23fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemprox.dll	0x7fef9180000	0x7fef918efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdsapi.dll	0x7fef9190000	0x7fef91b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fastprox.dll	0x7fef91c0000	0x7fef92a1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemcomn.dll	0x7fef9430000	0x7fef94b5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7fefa960000	0x7fefa96afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IPHLPAPI.DLL	0x7fefa970000	0x7fefa996fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefae20000	0x7fefae4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7fefb200000	0x7fefb210fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefb7d0000	0x7fefb825fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefb980000	0x7fefbb73fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefc4a0000	0x7fefc4e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x7fefc5c0000	0x7fefc61afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefc7a0000	0x7fefc7b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefcd40000	0x7fefcd4afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefcd70000	0x7fefcd94fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefcda0000	0x7fefcdaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefce90000	0x7fefcea3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefceb0000	0x7fefcebefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefcf50000	0x7fefcf5efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefcf60000	0x7fefd0c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefd0d0000	0x7fefd13afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7fefd280000	0x7fefd287fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefd290000	0x7fefd2aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefd2b0000	0x7fefd427fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefd430000	0x7fefd632fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7fefd640000	0x7fefd68cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x7fefd690000	0x7fefd6e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefd8d0000	0x7fefd9aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7fefd9b0000	0x7fefe737fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefe740000	0x7fefe7a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7fefe7b0000	0x7fefe886fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe890000	0x7fefe89dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe8a0000	0x7fefe9ccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefe9d0000	0x7fefea68fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefea70000	0x7fefea9dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7fefeaa0000	0x7fefeb10fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefeb20000	0x7fefebe8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefec10000	0x7fefed39fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefed40000	0x7fefeddefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7fefede0000	0x7feff038fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7feff160000	0x7feff268fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff280000	0x7feff280fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #13: bcdedit.exe

Information	Value
ID / OS PID	#13 / 0x8b4
OS Parent PID	0x7b8 (c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe)
Initial Working Directory	C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}
File Name	c:\windows\system32\bcdedit.exe
Command Line	"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
Monitor	Start Time: 00:00:24, Reason: Child Process
Unmonitor	End Time: 00:00:24, Reason: Terminated
Monitor Duration	00:00:00
OS Thread IDs	#115 0x8B8
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x0036ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003b0000	0x003b0000	0x003bffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll	0x76d40000	0x76e5efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f60000	0x77108fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fff0fff	Private Memory	Readable, Writable	Region Actions
bcdedit.exe	0xfffd0000	0x100026fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefd0d0000	0x7fefd13afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefd290000	0x7fefd2aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefd8d0000	0x7fefd9aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe8a0000	0x7fefe9ccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefed40000	0x7fefeddefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff280000	0x7feff280fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #14: bcdedit.exe

Information	Value
ID / OS PID	#14 / 0x8d0
OS Parent PID	0x7b8 (c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe)
Initial Working Directory	C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}
File Name	c:\windows\system32\bcdedit.exe
Command Line	"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
Monitor	Start Time: 00:00:24, Reason: Child Process
Unmonitor	End Time: 00:00:24, Reason: Terminated
Monitor Duration	00:00:00
OS Thread IDs	#117 0x8D4
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x000effff	Private Memory	Readable, Writable	Region Actions
ntdll.dll	0x76f60000	0x77108fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fffb000	0x7fffb000	0x7fffbfff	Private Memory	Readable, Writable	Region Actions
bcdedit.exe	0xff410000	0xff466fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff280000	0x7feff280fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #16: System

Information	Value
ID / OS PID	#16 / 0x4
OS Parent PID	0xffffffffffffffff (Unknown)
Initial Working Directory
File Name	System
Command Line
Monitor	Start Time: 00:00:42, Reason: Kernel Analysis
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:46
OS Thread IDs	#159 0x8 #160 0x14 #161 0x2C #162 0x50 #163 0x5C #164 0x6C #165 0x44 #166 0x98 #167 0x9C #168 0x40 #169 0x94 #170 0x3C #171 0x64 #172 0xAC #173 0x28 #174 0xB0 #175 0xC0 #176 0xB8 #177 0x24 #178 0x20 #179 0x30 #180 0x34 #181 0xBC #182 0x78 #183 0xC4 #184 0xC8 #185 0xCC #186 0xD0 #187 0xD4 #189 0xE0 #190 0x38 #192 0xE8 #194 0x48 #195 0xF8 #196 0x100 #197 0xA8 #198 0x80 #199 0x84 #200 0x104 #201 0x110 #202 0x114 #205 0x118 #206 0x4C #207 0x108 #209 0x130 #210 0x134 #211 0x138 #212 0x13C #229 0x190 #236 0x60 #240 0x68 #252 0xFC #254 0x8C #280 0x90 #282 0x74 #288 0x274 #315 0x2E8 #336 0x88 #366 0x3C0 #405 0x278 #454 0x47C #470 0x4E8 #514 0x4F0 #519 0x4EC #523 0x5D0 #525 0xB4 #551 0x644 #552 0x1C #555 0x650 #570 0x690 #571 0x694 #602 0x714 #619 0x758 #623 0x768 #625 0x770 #627 0x778 #628 0x77C #630 0x784
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Monitored	Dump	YARA Match	Actions
pagefile_0x0000000000010000	0x00010000	0x00032fff	Pagefile Backed Memory	Readable, Writable				Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable				Region Actions

Process #17: smss.exe

Information	Value
ID / OS PID	#17 / 0xd8
OS Parent PID	0x4 (System)
Initial Working Directory	C:\Windows
File Name	c:\windows\system32\smss.exe
Command Line	\SystemRoot\System32\smss.exe
Monitor	Start Time: 00:00:48, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:40
OS Thread IDs	#188 0xDC #191 0xEC #203 0x11C #217 0x160
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x (null)	0x00000000	0x000fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00101fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
smss.exe	0x47600000	0x4761ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions

Process #18: autochk.exe

Information	Value
ID / OS PID	#18 / 0xf0
OS Parent PID	0xd8 (c:\windows\system32\smss.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\autochk.exe
Command Line	\??\C:\Windows\system32\autochk.exe *
Monitor	Start Time: 00:00:49, Reason: Child Process
Unmonitor	End Time: 00:00:50, Reason: Terminated
Monitor Duration	00:00:01
OS Thread IDs	#193 0xF4
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000050000	0x00050000	0x000cffff	Private Memory	Readable, Writable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
autochk.exe	0xffc70000	0xffd30fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #19: smss.exe

Information	Value
ID / OS PID	#19 / 0x120
OS Parent PID	0xd8 (c:\windows\system32\smss.exe)
Initial Working Directory	C:\Windows
File Name	c:\windows\system32\smss.exe
Command Line	\SystemRoot\System32\smss.exe 00000000 0000003c
Monitor	Start Time: 00:00:52, Reason: Child Process
Unmonitor	End Time: 00:00:54, Reason: Terminated
Monitor Duration	00:00:02
OS Thread IDs	#204 0x124
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
smss.exe	0x47600000	0x4761ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #20: csrss.exe

Information	Value
ID / OS PID	#20 / 0x128
OS Parent PID	0x120 (c:\windows\system32\smss.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\csrss.exe
Command Line	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Monitor	Start Time: 00:00:53, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:35
OS Thread IDs	#208 0x12C #213 0x140 #214 0x144 #215 0x148 #216 0x14C #220 0x16C #230 0x194 #231 0x198 #237 0x1B4 #246 0x1D8
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x (null)	0x00000000	0x000fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00100000	0x00166fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000170000	0x00170000	0x00176fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000180000	0x00180000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x0028ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000290000	0x00290000	0x00291fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions
vgasys.fon	0x002b0000	0x002b1fff	Memory Mapped File	Readable	Region Actions
private_0x00000000002c0000	0x002c0000	0x002c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002d0000	0x002d0000	0x0030ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000002d0000	0x002d0000	0x002dffff	Pagefile Backed Memory	Readable, Writable	Region Actions
marlett.ttf	0x002e0000	0x002e6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000002f0000	0x002f0000	0x00307fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000310000	0x00310000	0x0040ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000410000	0x00410000	0x00590fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005a0000	0x005a0000	0x00992fff	Pagefile Backed Memory	Readable	Region Actions
segoeui.ttf	0x009a0000	0x00a1efff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000a20000	0x00a20000	0x00a4ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000ae0000	0x00ae0000	0x00b1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000b20000	0x00b20000	0x00b5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000bf0000	0x00bf0000	0x00c2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c60000	0x00c60000	0x00c9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000cb0000	0x00cb0000	0x00ceffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000cf0000	0x00cf0000	0x00e77fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000eb0000	0x00eb0000	0x00eeffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f20000	0x00f20000	0x00f5ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000f60000	0x00f60000	0x0235ffff	Pagefile Backed Memory	Readable	Region Actions
csrss.exe	0x498a0000	0x498a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x778e0000	0x779d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x779e0000	0x77afefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
cryptbase.dll	0x7fefd940000	0x7fefd94efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxs.dll	0x7fefd950000	0x7fefd9e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxssrv.dll	0x7fefda60000	0x7fefda6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsrv.dll	0x7fefda70000	0x7fefdaa7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
basesrv.dll	0x7fefdab0000	0x7fefdac0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
csrsrv.dll	0x7fefdad0000	0x7fefdae2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefddb0000	0x7fefde1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefde20000	0x7fefde2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe8e0000	0x7fefe97efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9d0000	0x7fefeafcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefef20000	0x7fefef86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefefb0000	0x7feff078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #21: smss.exe

Information	Value
ID / OS PID	#21 / 0x150
OS Parent PID	0xd8 (c:\windows\system32\smss.exe)
Initial Working Directory	C:\Windows
File Name	c:\windows\system32\smss.exe
Command Line	\SystemRoot\System32\smss.exe 00000001 0000003c
Monitor	Start Time: 00:00:54, Reason: Child Process
Unmonitor	End Time: 00:00:54, Reason: Terminated
Monitor Duration	00:00:00
OS Thread IDs	#218 0x154
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000210000	0x00210000	0x0028ffff	Private Memory	Readable, Writable	Region Actions
smss.exe	0x47600000	0x4761ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #22: wininit.exe

Information	Value
ID / OS PID	#22 / 0x158
OS Parent PID	0x120 (c:\windows\system32\smss.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\wininit.exe
Command Line	wininit.exe
Monitor	Start Time: 00:00:54, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:34
OS Thread IDs	#219 0x15C #226 0x188 #227 0x18C #233 0x1A0 #234 0x1A4 #235 0x1B0 #253 0x1F0 #301 0x2B4
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000030000	0x00030000	0x0003ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000060000	0x00060000	0x00060fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000070000	0x00070000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00210000	0x00276fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000280000	0x00280000	0x0037ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000380000	0x00380000	0x00507fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000510000	0x00510000	0x00690fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006a0000	0x006a0000	0x00a92fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000aa0000	0x00aa0000	0x00acffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000b10000	0x00b10000	0x00b8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000bd0000	0x00bd0000	0x00c4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c60000	0x00c60000	0x00cdffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d40000	0x00d40000	0x00dbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e40000	0x00e40000	0x00ebffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f30000	0x00f30000	0x00faffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001090000	0x01090000	0x0110ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001110000	0x01110000	0x0250ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002520000	0x02520000	0x0259ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000025f0000	0x025f0000	0x0266ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x02670000	0x0293efff	Memory Mapped File	Readable	Region Actions
private_0x00000000029f0000	0x029f0000	0x02a6ffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x778e0000	0x779d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x779e0000	0x77afefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
wininit.exe	0xff0b0000	0xff0d2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WSHTCPIP.DLL	0x7fefcce0000	0x7fefcce6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcf10000	0x7fefcf19fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x7fefd2d0000	0x7fefd2d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd2e0000	0x7fefd334fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd340000	0x7fefd356fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefd8b0000	0x7fefd8bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd910000	0x7fefd934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd940000	0x7fefd94efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WlS0WndH.dll	0x7fefd9e0000	0x7fefd9e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KBDUS.DLL	0x7fefda20000	0x7fefda23fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefda30000	0x7fefda43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefda50000	0x7fefda5efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefddb0000	0x7fefde1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefde20000	0x7fefde2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7fefe3f0000	0x7fefe43cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe8e0000	0x7fefe97efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe980000	0x7fefe99efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe9a0000	0x7fefe9cdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9d0000	0x7fefeafcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefec80000	0x7fefed88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7fefef10000	0x7fefef17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefef20000	0x7fefef86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefefb0000	0x7feff078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #23: csrss.exe

Information	Value
ID / OS PID	#23 / 0x164
OS Parent PID	0x150 (c:\windows\system32\smss.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\csrss.exe
Command Line	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Monitor	Start Time: 00:00:54, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:34
OS Thread IDs	#221 0x168 #222 0x170 #223 0x174 #224 0x178 #225 0x17C #232 0x19C #244 0x1D0 #245 0x1D4
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x (null)	0x00000000	0x000fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00106fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000110000	0x00110000	0x0011ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000120000	0x00120000	0x00121fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000130000	0x00130000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x00170fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000180000	0x00180000	0x0027ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00280000	0x002e6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000002f0000	0x002f0000	0x003effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003f0000	0x003f0000	0x00570fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000580000	0x00580000	0x00972fff	Pagefile Backed Memory	Readable	Region Actions
vgasys.fon	0x00980000	0x00981fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000990000	0x00990000	0x009cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000af0000	0x00af0000	0x00b2ffff	Private Memory	Readable, Writable	Region Actions
csrss.exe	0x498a0000	0x498a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x778e0000	0x779d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x779e0000	0x77afefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
sxssrv.dll	0x7fefda60000	0x7fefda6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsrv.dll	0x7fefda70000	0x7fefdaa7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
basesrv.dll	0x7fefdab0000	0x7fefdac0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
csrsrv.dll	0x7fefdad0000	0x7fefdae2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefddb0000	0x7fefde1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefde20000	0x7fefde2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe8e0000	0x7fefe97efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefef20000	0x7fefef86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefefb0000	0x7feff078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #24: winlogon.exe

Information	Value
ID / OS PID	#24 / 0x180
OS Parent PID	0x150 (c:\windows\system32\smss.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\winlogon.exe
Command Line	winlogon.exe
Monitor	Start Time: 00:00:54, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:34
OS Thread IDs	#228 0x184 #238 0x1C8 #239 0x1CC #306 0x2C4 #325 0x314 #386 0x100 #387 0x108 #390 0x134
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
locale.nls	0x00020000	0x00086fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000090000	0x00090000	0x00096fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000a0000	0x000a0000	0x000a1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000b0000	0x000b0000	0x000b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x0015ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000160000	0x00160000	0x0018ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000190000	0x00190000	0x00190fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001a0000	0x001a0000	0x001a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001b0000	0x001b0000	0x0022ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000230000	0x00230000	0x00247fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000250000	0x00250000	0x002cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002d0000	0x002d0000	0x003cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003d0000	0x003d0000	0x004cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004d0000	0x004d0000	0x00657fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000660000	0x00660000	0x007e0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007f0000	0x007f0000	0x00be2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000c00000	0x00c00000	0x00c00fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c50000	0x00c50000	0x00ccffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000cf0000	0x00cf0000	0x00d6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d70000	0x00d70000	0x00deffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000df0000	0x00df0000	0x00eeffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ef0000	0x00ef0000	0x00f6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000fb0000	0x00fb0000	0x0102ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001040000	0x01040000	0x010bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001190000	0x01190000	0x0120ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001270000	0x01270000	0x012effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001300000	0x01300000	0x0137ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013b0000	0x013b0000	0x0142ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001470000	0x01470000	0x014effff	Private Memory	Readable, Writable	Region Actions
aero.msstyles	0x014f0000	0x0160dfff	Memory Mapped File	Readable	Region Actions
private_0x00000000014f0000	0x014f0000	0x015effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001660000	0x01660000	0x016dffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x016e0000	0x019aefff	Memory Mapped File	Readable	Region Actions
private_0x00000000019b0000	0x019b0000	0x023affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000019b0000	0x019b0000	0x02daffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002f80000	0x02f80000	0x02ffffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x778e0000	0x779d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x779e0000	0x77afefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
winlogon.exe	0xff650000	0xff6b1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x7fefb430000	0x7fefb447fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
UXInit.dll	0x7fefb570000	0x7fefb579fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7fefb5f0000	0x7fefb5fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x7fefbc70000	0x7fefbc84fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x7fefbc90000	0x7fefbc9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WindowsCodecs.dll	0x7fefbe00000	0x7fefbf29fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc3a0000	0x7fefc3f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd040000	0x7fefd086fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd340000	0x7fefd356fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netjoin.dll	0x7fefd450000	0x7fefd481fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd910000	0x7fefd934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd940000	0x7fefd94efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefd9f0000	0x7fefda2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefda30000	0x7fefda43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefda50000	0x7fefda5efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefddb0000	0x7fefde1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefde20000	0x7fefde2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefe440000	0x7fefe642fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefe780000	0x7fefe85afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe8e0000	0x7fefe97efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe980000	0x7fefe99efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe9a0000	0x7fefe9cdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9d0000	0x7fefeafcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefec80000	0x7fefed88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefef20000	0x7fefef86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefefb0000	0x7feff078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #25: services.exe

Information	Value
ID / OS PID	#25 / 0x1a8
OS Parent PID	0x158 (c:\windows\system32\wininit.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\services.exe
Command Line	C:\Windows\system32\services.exe
Monitor	Start Time: 00:00:55, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:33
OS Thread IDs	#241 0x1AC #260 0x208 #261 0x20C #262 0x210 #263 0x214 #264 0x218 #265 0x21C #266 0x220 #267 0x224 #268 0x228 #269 0x22C #270 0x230 #287 0x270 #388 0xE8 #480 0x518 #491 0x550 #498 0x56C #500 0x578 #608 0x72C
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000030000	0x00030000	0x000affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000b0000	0x000b0000	0x000b3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c0fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x000d0000	0x00136fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x00141fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000160000	0x00160000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x00170fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000180000	0x00180000	0x00186fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000210000	0x00210000	0x0030ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000310000	0x00310000	0x0040ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000410000	0x00410000	0x00597fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005a0000	0x005a0000	0x00720fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000730000	0x00730000	0x007effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007f0000	0x007f0000	0x00be2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000c70000	0x00c70000	0x00ceffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d80000	0x00d80000	0x00dbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000de0000	0x00de0000	0x00e5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ee0000	0x00ee0000	0x00f5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001130000	0x01130000	0x011affff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x778e0000	0x779d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x779e0000	0x77afefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
services.exe	0xffdf0000	0xffe42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ubpm.dll	0x7fefced0000	0x7fefcf08fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcf10000	0x7fefcf19fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd340000	0x7fefd356fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
authz.dll	0x7fefd510000	0x7fefd53efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x7fefd810000	0x7fefd832fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
scesrv.dll	0x7fefd840000	0x7fefd8a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefd8b0000	0x7fefd8bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
scext.dll	0x7fefd8c0000	0x7fefd8d8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd910000	0x7fefd934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd940000	0x7fefd94efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefda30000	0x7fefda43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefda50000	0x7fefda5efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefddb0000	0x7fefde1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefde20000	0x7fefde2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefe780000	0x7fefe85afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe8e0000	0x7fefe97efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe980000	0x7fefe99efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe9a0000	0x7fefe9cdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9d0000	0x7fefeafcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefec80000	0x7fefed88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefef20000	0x7fefef86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefefb0000	0x7feff078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #26: lsass.exe

Information	Value
ID / OS PID	#26 / 0x1b8
OS Parent PID	0x158 (c:\windows\system32\wininit.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\lsass.exe
Command Line	C:\Windows\system32\lsass.exe
Monitor	Start Time: 00:00:55, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:33
OS Thread IDs	#242 0x1BC #247 0x1DC #248 0x1E0 #249 0x1E4 #250 0x1E8 #251 0x1EC #255 0x1F4 #256 0x1F8 #257 0x1FC #258 0x200 #259 0x204 #326 0x318 #330 0x328 #389 0x130 #414 0xC4
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00020fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x0017ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000180000	0x00180000	0x00180fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000210000	0x00210000	0x00210fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000220000	0x00220000	0x0022ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000230000	0x00230000	0x0023ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000240000	0x00240000	0x00246fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000250000	0x00250000	0x00251fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000260000	0x00260000	0x0026ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
C_28591.NLS	0x00270000	0x00280fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000290000	0x00290000	0x00290fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002b0000	0x002b0000	0x002b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002c0000	0x002c0000	0x003bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003c0000	0x003c0000	0x004bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004c0000	0x004c0000	0x004c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004d0000	0x004d0000	0x004d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004e0000	0x004e0000	0x004e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004f0000	0x004f0000	0x004f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000500000	0x00500000	0x00500fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000510000	0x00510000	0x00510fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000520000	0x00520000	0x0052ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000530000	0x00530000	0x00530fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000540000	0x00540000	0x005bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000630000	0x00630000	0x006affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000006b0000	0x006b0000	0x00837fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000840000	0x00840000	0x009c0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000009f0000	0x009f0000	0x00a6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a80000	0x00a80000	0x00afffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000b00000	0x00b00000	0x00b7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000be0000	0x00be0000	0x00c5ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000c60000	0x00c60000	0x01052fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001120000	0x01120000	0x0119ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x011a0000	0x0146efff	Memory Mapped File	Readable	Region Actions
private_0x00000000014a0000	0x014a0000	0x0151ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015b0000	0x015b0000	0x0162ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001660000	0x01660000	0x016dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016f0000	0x016f0000	0x0176ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001700000	0x01700000	0x0177ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001780000	0x01780000	0x0187ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000018c0000	0x018c0000	0x0193ffff	Private Memory	Readable, Writable	Region Actions
msprivs.dll	0x75820000	0x75821fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x778e0000	0x779d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x779e0000	0x77afefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
lsass.exe	0xffa40000	0xffa4bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7fefb510000	0x7fefb51afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IPHLPAPI.DLL	0x7fefb520000	0x7fefb546fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x7fefbc90000	0x7fefbc9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefce00000	0x7fefce1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcf10000	0x7fefcf19fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
scecli.dll	0x7fefcf20000	0x7fefcf5dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcf50000	0x7fefcf59fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
efslsaext.dll	0x7fefcf60000	0x7fefcf71fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x7fefcf80000	0x7fefcfcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pku2u.dll	0x7fefcfd0000	0x7fefd014fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
TSpkg.dll	0x7fefd020000	0x7fefd037fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd040000	0x7fefd086fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wdigest.dll	0x7fefd090000	0x7fefd0c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
schannel.dll	0x7fefd0d0000	0x7fefd126fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
logoncli.dll	0x7fefd130000	0x7fefd15ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x7fefd160000	0x7fefd1bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netlogon.dll	0x7fefd1c0000	0x7fefd26dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msv1_0.dll	0x7fefd270000	0x7fefd2c0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x7fefd2d0000	0x7fefd2d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd2e0000	0x7fefd334fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd340000	0x7fefd356fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kerberos.dll	0x7fefd360000	0x7fefd413fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
negoexts.dll	0x7fefd420000	0x7fefd443fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netjoin.dll	0x7fefd450000	0x7fefd481fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x7fefd490000	0x7fefd4b1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ncrypt.dll	0x7fefd4c0000	0x7fefd50dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
authz.dll	0x7fefd510000	0x7fefd53efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cngaudit.dll	0x7fefd540000	0x7fefd548fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefd550000	0x7fefd5bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptdll.dll	0x7fefd5c0000	0x7fefd5d3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samsrv.dll	0x7fefd5e0000	0x7fefd69cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lsasrv.dll	0x7fefd6a0000	0x7fefd806fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefd8b0000	0x7fefd8bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspisrv.dll	0x7fefd900000	0x7fefd90afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd910000	0x7fefd934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd940000	0x7fefd94efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefd9f0000	0x7fefda2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefda30000	0x7fefda43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefda50000	0x7fefda5efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdaf0000	0x7fefdafefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc00000	0x7fefdd66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefddb0000	0x7fefde1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefde20000	0x7fefde2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7fefe3f0000	0x7fefe43cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefe780000	0x7fefe85afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe8e0000	0x7fefe97efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe980000	0x7fefe99efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe9a0000	0x7fefe9cdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9d0000	0x7fefeafcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefec80000	0x7fefed88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7fefef10000	0x7fefef17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefef20000	0x7fefef86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefefb0000	0x7feff078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #27: lsm.exe

Information	Value
ID / OS PID	#27 / 0x1c0
OS Parent PID	0x158 (c:\windows\system32\wininit.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\lsm.exe
Command Line	C:\Windows\system32\lsm.exe
Monitor	Start Time: 00:00:55, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:33
OS Thread IDs	#243 0x1C4 #272 0x23C #303 0x2B8 #305 0x2C0 #307 0x2C8 #309 0x2D0 #312 0x2DC #313 0x2E0 #314 0x2E4 #317 0x2F0
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x001cffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x001d0000	0x00236fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000280000	0x00280000	0x002fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000310000	0x00310000	0x0031ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000320000	0x00320000	0x0041ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000480000	0x00480000	0x004fffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x00500000	0x007cefff	Memory Mapped File	Readable	Region Actions
private_0x0000000000810000	0x00810000	0x0088ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a20000	0x00a20000	0x00a9ffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll	0x779e0000	0x77afefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
lsm.exe	0xff460000	0xff4b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pcwum.dll	0x7fefcda0000	0x7fefcdacfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcf10000	0x7fefcf19fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd340000	0x7fefd356fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefd8b0000	0x7fefd8bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wmsgapi.dll	0x7fefd8e0000	0x7fefd8e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sysntfy.dll	0x7fefd8f0000	0x7fefd8f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd910000	0x7fefd934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd940000	0x7fefd94efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefda30000	0x7fefda43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefddb0000	0x7fefde1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe8e0000	0x7fefe97efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe980000	0x7fefe99efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9d0000	0x7fefeafcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #28: svchost.exe

Information	Value
ID / OS PID	#28 / 0x234
OS Parent PID	0x1a8 (c:\windows\system32\services.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe -k DcomLaunch
Monitor	Start Time: 00:00:57, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:31
OS Thread IDs	#271 0x238 #273 0x240 #274 0x244 #275 0x248 #276 0x24C #277 0x250 #278 0x254 #279 0x258 #281 0x25C #283 0x260 #284 0x264 #285 0x268 #286 0x26C #289 0x278 #291 0x284 #292 0x288 #294 0x290 #554 0x64C #609 0x730 #621 0x760
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00100fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x0011ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000120000	0x00120000	0x0019ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001b0000	0x001b0000	0x0022ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000230000	0x00230000	0x0032ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000330000	0x00330000	0x00330fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000340000	0x00340000	0x00340fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000350000	0x00350000	0x003cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000350000	0x00350000	0x003cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x004effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004f0000	0x004f0000	0x005affff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000005b0000	0x005b0000	0x0062ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000640000	0x00640000	0x006bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000710000	0x00710000	0x0078ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x00790000	0x00a5efff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000a60000	0x00a60000	0x00be7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000bf0000	0x00bf0000	0x00d70fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000d80000	0x00d80000	0x01172fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001220000	0x01220000	0x0122ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001240000	0x01240000	0x012bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000012c0000	0x012c0000	0x013bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013d0000	0x013d0000	0x0144ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014a0000	0x014a0000	0x0151ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001580000	0x01580000	0x015fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001630000	0x01630000	0x016affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016b0000	0x016b0000	0x0172ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001740000	0x01740000	0x017bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000017f0000	0x017f0000	0x0186ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001920000	0x01920000	0x0199ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000019f0000	0x019f0000	0x01a6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a70000	0x01a70000	0x01b6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ba0000	0x01ba0000	0x01c1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c50000	0x01c50000	0x01ccffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e90000	0x01e90000	0x01f0ffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x778e0000	0x779d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x779e0000	0x77afefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
svchost.exe	0xffa20000	0xffa2afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemprox.dll	0x7fef8330000	0x7fef833efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdsapi.dll	0x7fef83d0000	0x7fef83f6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fastprox.dll	0x7fef8400000	0x7fef84e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WmiDcPrv.dll	0x7fef84f0000	0x7fef8521fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemcomn.dll	0x7fef8700000	0x7fef8785fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefb9c0000	0x7fefb9ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7fefbdd0000	0x7fefbde0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcss.dll	0x7fefcd10000	0x7fefcd90fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x7fefcd70000	0x7fefcd9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pcwum.dll	0x7fefcda0000	0x7fefcdacfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
umpo.dll	0x7fefcdb0000	0x7fefcddbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x7fefcde0000	0x7fefcdfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefce00000	0x7fefce1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devrtl.dll	0x7fefce20000	0x7fefce31fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
SPInf.dll	0x7fefce40000	0x7fefce5efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
umpnpmgr.dll	0x7fefce60000	0x7fefcec6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcf10000	0x7fefcf19fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd340000	0x7fefd356fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd910000	0x7fefd934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd940000	0x7fefd94efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefd9f0000	0x7fefda2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefda30000	0x7fefda43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefda50000	0x7fefda5efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdaf0000	0x7fefdafefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x7fefdb00000	0x7fefdb39fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefdb40000	0x7fefdb59fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc00000	0x7fefdd66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefdd70000	0x7fefdda5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefddb0000	0x7fefde1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefde20000	0x7fefde2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7fefe090000	0x7fefe166fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7fefe170000	0x7fefe346fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefe350000	0x7fefe3e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7fefe3f0000	0x7fefe43cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefe440000	0x7fefe642fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefe780000	0x7fefe85afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe8e0000	0x7fefe97efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe980000	0x7fefe99efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe9a0000	0x7fefe9cdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9d0000	0x7fefeafcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x7fefec20000	0x7fefec71fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefec80000	0x7fefed88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7fefef10000	0x7fefef17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefef20000	0x7fefef86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefefb0000	0x7feff078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffff9c000	0x7fffff9c000	0x7fffff9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9e000	0x7fffff9e000	0x7fffff9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #29: svchost.exe

Information	Value
ID / OS PID	#29 / 0x27c
OS Parent PID	0x1a8 (c:\windows\system32\services.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe -k RPCSS
Monitor	Start Time: 00:00:58, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:30
OS Thread IDs	#290 0x280 #293 0x28C #295 0x294 #296 0x298 #297 0x29C #298 0x2A0 #299 0x2A4 #300 0x2A8 #548 0x638 #590 0x6E4 #592 0x6EC #595 0x6F8 #612 0x73C
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00100fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000110000	0x00110000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x0028ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000290000	0x00290000	0x00290fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000002e0000	0x002e0000	0x003dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003e0000	0x003e0000	0x0045ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004e0000	0x004e0000	0x0055ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000610000	0x00610000	0x0068ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000690000	0x00690000	0x0074ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000006e0000	0x006e0000	0x0075ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x00760000	0x00a2efff	Memory Mapped File	Readable	Region Actions
private_0x0000000000ac0000	0x00ac0000	0x00b3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000b70000	0x00b70000	0x00beffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c80000	0x00c80000	0x00cfffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000d00000	0x00d00000	0x00e87fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000e90000	0x00e90000	0x01010fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001020000	0x01020000	0x01412fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001420000	0x01420000	0x0151ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001610000	0x01610000	0x0168ffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x778e0000	0x779d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x779e0000	0x77afefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
svchost.exe	0xffa20000	0xffa2afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FWPUCLNT.DLL	0x7fefab70000	0x7fefabc2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcc10000	0x7fefcc1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FirewallAPI.dll	0x7fefcc20000	0x7fefccdafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WSHTCPIP.DLL	0x7fefcce0000	0x7fefcce6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcEpMap.dll	0x7fefccf0000	0x7fefcd03fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcss.dll	0x7fefcd10000	0x7fefcd90fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcf10000	0x7fefcf19fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd040000	0x7fefd086fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x7fefd2d0000	0x7fefd2d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd2e0000	0x7fefd334fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd340000	0x7fefd356fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefd8b0000	0x7fefd8bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd910000	0x7fefd934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd940000	0x7fefd94efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefda30000	0x7fefda43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefddb0000	0x7fefde1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefde20000	0x7fefde2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7fefe090000	0x7fefe166fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefe350000	0x7fefe3e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7fefe3f0000	0x7fefe43cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefe440000	0x7fefe642fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefe780000	0x7fefe85afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe8e0000	0x7fefe97efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe980000	0x7fefe99efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe9a0000	0x7fefe9cdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9d0000	0x7fefeafcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefec80000	0x7fefed88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7fefef10000	0x7fefef17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefef20000	0x7fefef86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefefb0000	0x7feff078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #30: svchost.exe

Information	Value
ID / OS PID	#30 / 0x2ac
OS Parent PID	0x1a8 (c:\windows\system32\services.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
Monitor	Start Time: 00:00:59, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:29
OS Thread IDs	#302 0x2B0 #304 0x2BC #308 0x2CC #310 0x2D4 #311 0x2D8 #316 0x2EC #324 0x2FC #333 0x338 #334 0x33C #335 0x340 #337 0x344 #338 0x348 #353 0x388 #354 0x38C #355 0x390 #358 0x3A0 #359 0x3A4 #416 0xFC #421 0x40C #423 0x418 #426 0x428 #433 0x444 #434 0x448 #512 0x5AC #561 0x66C #565 0x67C #569 0x68C #572 0x698 #575 0x6A4 #576 0x6A8
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00051fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000060000	0x00060000	0x00060fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000070000	0x00070000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00170000	0x001d6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001e0000	0x001e0000	0x001e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000210000	0x00210000	0x0028ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000290000	0x00290000	0x002cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002d0000	0x002d0000	0x002d7fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002e0000	0x002e0000	0x002fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000300000	0x00300000	0x0031ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000320000	0x00320000	0x0032ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000330000	0x00330000	0x0042ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000430000	0x00430000	0x005b7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005c0000	0x005c0000	0x00740fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000750000	0x00750000	0x0080ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000810000	0x00810000	0x00c02fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000c10000	0x00c10000	0x00c10fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000c20000	0x00c20000	0x00c20fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000c30000	0x00c30000	0x00c30fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c40000	0x00c40000	0x00c40fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000c50000	0x00c50000	0x00c50fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000c70000	0x00c70000	0x00ceffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d10000	0x00d10000	0x00d8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000db0000	0x00db0000	0x00e2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e30000	0x00e30000	0x00f2ffff	Private Memory	Readable, Writable	Region Actions
winlogon.exe	0x00f30000	0x00f91fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000f90000	0x00f90000	0x0100ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x01010000	0x012defff	Memory Mapped File	Readable	Region Actions
private_0x0000000001320000	0x01320000	0x0139ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013e0000	0x013e0000	0x0145ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014c0000	0x014c0000	0x0153ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001580000	0x01580000	0x015fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001600000	0x01600000	0x0167ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001640000	0x01640000	0x016bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016e0000	0x016e0000	0x0175ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001760000	0x01760000	0x0185ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001890000	0x01890000	0x0190ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001940000	0x01940000	0x019bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000019d0000	0x019d0000	0x01a4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a60000	0x01a60000	0x01adffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a80000	0x01a80000	0x01afffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b00000	0x01b00000	0x01cfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d60000	0x01d60000	0x01ddffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e40000	0x01e40000	0x01ebffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f10000	0x01f10000	0x01f8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002050000	0x02050000	0x020cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002100000	0x02100000	0x0217ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002210000	0x02210000	0x0228ffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x778e0000	0x779d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x779e0000	0x77afefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
winlogon.exe	0xff650000	0xff6b1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
svchost.exe	0xffa20000	0xffa2afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
services.exe	0xffdf0000	0xffe42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x7fefab20000	0x7fefab37fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc6.dll	0x7fefab40000	0x7fefab50fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcore6.dll	0x7fefac00000	0x7fefac3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcore.dll	0x7fefac40000	0x7fefac90fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nrpsrv.dll	0x7fefacb0000	0x7fefacb7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lmhsvc.dll	0x7fefacc0000	0x7fefacc9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7fefb510000	0x7fefb51afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IPHLPAPI.DLL	0x7fefb520000	0x7fefb546fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
avrt.dll	0x7fefba10000	0x7fefba18fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x7fefba20000	0x7fefba4bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
audiosrv.dll	0x7fefba50000	0x7fefbafbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x7fefbad0000	0x7fefbafbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
MMDevAPI.dll	0x7fefbf90000	0x7fefbfdafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc400000	0x7fefc52bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtsvc.dll	0x7fefca70000	0x7fefcc05fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcc10000	0x7fefcc1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FirewallAPI.dll	0x7fefcc20000	0x7fefccdafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WSHTCPIP.DLL	0x7fefcce0000	0x7fefcce6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x7fefcde0000	0x7fefcdfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcf10000	0x7fefcf19fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x7fefd160000	0x7fefd1bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x7fefd2d0000	0x7fefd2d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd2e0000	0x7fefd334fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd340000	0x7fefd356fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefd550000	0x7fefd5bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefd8b0000	0x7fefd8bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd910000	0x7fefd934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd940000	0x7fefd94efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefd9f0000	0x7fefda2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefda30000	0x7fefda43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefdb40000	0x7fefdb59fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefdd70000	0x7fefdda5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefddb0000	0x7fefde1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefde20000	0x7fefde2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7fefe090000	0x7fefe166fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7fefe170000	0x7fefe346fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefe350000	0x7fefe3e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7fefe3f0000	0x7fefe43cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefe440000	0x7fefe642fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefe780000	0x7fefe85afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe8e0000	0x7fefe97efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe980000	0x7fefe99efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe9a0000	0x7fefe9cdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9d0000	0x7fefeafcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefec80000	0x7fefed88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7fefef10000	0x7fefef17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefef20000	0x7fefef86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefefb0000	0x7feff078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffff96000	0x7fffff96000	0x7fffff97fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff98000	0x7fffff98000	0x7fffff99fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9a000	0x7fffff9a000	0x7fffff9bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9c000	0x7fffff9c000	0x7fffff9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9e000	0x7fffff9e000	0x7fffff9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #31: logonui.exe

Information	Value
ID / OS PID	#31 / 0x2f4
OS Parent PID	0x180 (c:\windows\system32\winlogon.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\logonui.exe
Command Line	"LogonUI.exe" /flags:0x0
Monitor	Start Time: 00:00:59, Reason: Child Process
Unmonitor	End Time: 00:01:15, Reason: Terminated
Monitor Duration	00:00:16
OS Thread IDs	#318 0x2F8 #319 0x300 #320 0x304 #321 0x308 #322 0x30C #323 0x310 #327 0x31C #328 0x320 #329 0x324
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000effff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00100fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000110000	0x00110000	0x00110fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000120000	0x00120000	0x00121fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000130000	0x00130000	0x00131fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x00141fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000150000	0x00150000	0x00151fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000160000	0x00160000	0x00166fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000170000	0x00170000	0x001effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x002effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000002f0000	0x002f0000	0x002f1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000300000	0x00300000	0x003fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000400000	0x00400000	0x00587fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000590000	0x00590000	0x005cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005d0000	0x005d0000	0x005d1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000005e0000	0x005e0000	0x005effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005f0000	0x005f0000	0x00770fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000780000	0x00780000	0x00780fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000790000	0x00790000	0x00790fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007a0000	0x007a0000	0x007a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007b0000	0x007b0000	0x007b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007c0000	0x007c0000	0x007c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007d0000	0x007d0000	0x007d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007e0000	0x007e0000	0x007e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007f0000	0x007f0000	0x007f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000800000	0x00800000	0x00800fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000810000	0x00810000	0x00810fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000820000	0x00820000	0x00820fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000830000	0x00830000	0x00830fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000840000	0x00840000	0x00840fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000850000	0x00850000	0x00850fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000860000	0x00860000	0x0086ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000870000	0x00870000	0x00870fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000880000	0x00880000	0x008fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000900000	0x00900000	0x00900fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000910000	0x00910000	0x00910fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000920000	0x00920000	0x00920fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000930000	0x00930000	0x009affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000009b0000	0x009b0000	0x00a2ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x00a30000	0x00cfefff	Memory Mapped File	Readable	Region Actions
private_0x0000000000d00000	0x00d00000	0x00d00fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d10000	0x00d10000	0x00d10fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d20000	0x00d20000	0x00d20fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d40000	0x00d40000	0x00d40fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d50000	0x00d50000	0x00d50fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d60000	0x00d60000	0x00d60fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d70000	0x00d70000	0x00d70fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d80000	0x00d80000	0x00d80fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d90000	0x00d90000	0x00d90fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000da0000	0x00da0000	0x00e1ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000e20000	0x00e20000	0x01212fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001220000	0x01220000	0x0131ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001320000	0x01320000	0x01320fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001330000	0x01330000	0x01330fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001340000	0x01340000	0x01340fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001350000	0x01350000	0x01350fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001360000	0x01360000	0x01360fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001370000	0x01370000	0x01370fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001380000	0x01380000	0x01380fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001390000	0x01390000	0x01390fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013a0000	0x013a0000	0x013a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013b0000	0x013b0000	0x013b6fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013c0000	0x013c0000	0x013c9fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013d0000	0x013d0000	0x013d6fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013e0000	0x013e0000	0x01403fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001410000	0x01410000	0x01419fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001420000	0x01420000	0x01426fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001430000	0x01430000	0x01439fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001440000	0x01440000	0x01446fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001450000	0x01450000	0x01487fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001490000	0x01490000	0x01499fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014a0000	0x014a0000	0x014a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014b0000	0x014b0000	0x014b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014c0000	0x014c0000	0x014c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014d0000	0x014d0000	0x014d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014e0000	0x014e0000	0x014e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014f0000	0x014f0000	0x014f1fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001500000	0x01500000	0x01500fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001510000	0x01510000	0x01511fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001520000	0x01520000	0x01520fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001530000	0x01530000	0x01531fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001540000	0x01540000	0x01540fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001550000	0x01550000	0x01551fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001560000	0x01560000	0x01560fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001570000	0x01570000	0x01570fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001580000	0x01580000	0x01580fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001590000	0x01590000	0x01590fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015a0000	0x015a0000	0x015a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015b0000	0x015b0000	0x015b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015c0000	0x015c0000	0x015c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015d0000	0x015d0000	0x015d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015e0000	0x015e0000	0x015e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015f0000	0x015f0000	0x015f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001600000	0x01600000	0x01600fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001610000	0x01610000	0x01610fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001620000	0x01620000	0x01620fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001630000	0x01630000	0x01630fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001640000	0x01640000	0x01640fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001650000	0x01650000	0x01650fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001660000	0x01660000	0x01660fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001670000	0x01670000	0x01670fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001680000	0x01680000	0x0177ffff	Private Memory	Readable, Writable	Region Actions
imageres.dll	0x01780000	0x02ad4fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002ae0000	0x02ae0000	0x02ae0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002af0000	0x02af0000	0x02b01fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002b10000	0x02b10000	0x02b11fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002b20000	0x02b20000	0x02b21fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002b30000	0x02b30000	0x02b32fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002b40000	0x02b40000	0x02b4ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
KernelBase.dll.mui	0x02b50000	0x02c0ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000002c10000	0x02c10000	0x02c15fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c20000	0x02c20000	0x02c20fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c30000	0x02c30000	0x02caffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002cb0000	0x02cb0000	0x02cb7fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002cc0000	0x02cc0000	0x02d9efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002da0000	0x02da0000	0x02da0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000002db0000	0x02db0000	0x02dbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002dc0000	0x02dc0000	0x02e3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002e70000	0x02e70000	0x02eeffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002fa0000	0x02fa0000	0x0301ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003070000	0x03070000	0x030effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003120000	0x03120000	0x0319ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003390000	0x03390000	0x0340ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000034d0000	0x034d0000	0x034d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000034e0000	0x034e0000	0x034e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000034f0000	0x034f0000	0x035effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000035f0000	0x035f0000	0x035f1fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003600000	0x03600000	0x03af1fff	Private Memory	Readable, Writable	Region Actions
StaticCache.dat	0x03b00000	0x0442ffff	Memory Mapped File	Readable	Region Actions
private_0x0000000004430000	0x04430000	0x04430fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004440000	0x04440000	0x04440fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004450000	0x04450000	0x04450fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004460000	0x04460000	0x04460fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004470000	0x04470000	0x04470fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004480000	0x04480000	0x0467ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004680000	0x04680000	0x04680fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004690000	0x04690000	0x04690fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000046a0000	0x046a0000	0x046a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000046b0000	0x046b0000	0x046b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000046c0000	0x046c0000	0x046c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000046d0000	0x046d0000	0x046d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000046e0000	0x046e0000	0x046e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000046f0000	0x046f0000	0x046f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004700000	0x04700000	0x04700fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004710000	0x04710000	0x04710fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004720000	0x04720000	0x04720fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004730000	0x04730000	0x04730fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004740000	0x04740000	0x04740fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004750000	0x04750000	0x04750fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004760000	0x04760000	0x04760fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004770000	0x04770000	0x04770fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004780000	0x04780000	0x04780fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004790000	0x04790000	0x04790fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000047a0000	0x047a0000	0x047a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000047b0000	0x047b0000	0x047b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000047c0000	0x047c0000	0x047c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000047d0000	0x047d0000	0x047d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000047e0000	0x047e0000	0x047e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000047f0000	0x047f0000	0x047f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004800000	0x04800000	0x04800fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004810000	0x04810000	0x04810fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004820000	0x04820000	0x04820fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004830000	0x04830000	0x04830fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004840000	0x04840000	0x04840fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004850000	0x04850000	0x04856fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004860000	0x04860000	0x04869fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004870000	0x04870000	0x04876fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004880000	0x04880000	0x048a3fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000048b0000	0x048b0000	0x048b9fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000048c0000	0x048c0000	0x048c6fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000048d0000	0x048d0000	0x048d9fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000048e0000	0x048e0000	0x048e6fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000048f0000	0x048f0000	0x04927fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004930000	0x04930000	0x04939fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004940000	0x04940000	0x04940fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004950000	0x04950000	0x04950fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004960000	0x04960000	0x04960fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004970000	0x04970000	0x04970fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004980000	0x04980000	0x04980fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004990000	0x04990000	0x04991fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000049a0000	0x049a0000	0x049a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000049b0000	0x049b0000	0x049b1fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000049c0000	0x049c0000	0x049c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000049d0000	0x049d0000	0x049d1fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000049e0000	0x049e0000	0x049e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000049f0000	0x049f0000	0x049f1fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a00000	0x04a00000	0x04a00fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a10000	0x04a10000	0x04a10fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a20000	0x04a20000	0x04a20fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a30000	0x04a30000	0x04a30fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a40000	0x04a40000	0x04a40fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a50000	0x04a50000	0x04a50fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a60000	0x04a60000	0x04a60fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a70000	0x04a70000	0x04a70fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a80000	0x04a80000	0x04a80fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a90000	0x04a90000	0x04a90fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004aa0000	0x04aa0000	0x04aa0fff	Private Memory	Readable, Writable	Region Actions
imageres.dll	0x744c0000	0x75815fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x778e0000	0x779d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x779e0000	0x77afefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
LogonUI.exe	0xff3f0000	0xff3fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rtutils.dll	0x7fefbb00000	0x7fefbb10fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasman.dll	0x7fefbb20000	0x7fefbb3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasapi32.dll	0x7fefbb40000	0x7fefbba1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasplap.dll	0x7fefbbb0000	0x7fefbc17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
certCredProvider.dll	0x7fefbc20000	0x7fefbc42fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x7fefbc50000	0x7fefbc63fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x7fefbc70000	0x7fefbc84fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x7fefbc90000	0x7fefbc9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x7fefbca0000	0x7fefbcb5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vaultcli.dll	0x7fefbcc0000	0x7fefbccdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credui.dll	0x7fefbcd0000	0x7fefbd03fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbio.dll	0x7fefbd10000	0x7fefbd26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
BioCredProv.dll	0x7fefbd30000	0x7fefbd61fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
SmartcardCredentialProvider.dll	0x7fefbd70000	0x7fefbda1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
VaultCredProvider.dll	0x7fefbdb0000	0x7fefbdc7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7fefbdd0000	0x7fefbde0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x7fefbdf0000	0x7fefbdf7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WindowsCodecs.dll	0x7fefbe00000	0x7fefbf29fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
xmllite.dll	0x7fefbf30000	0x7fefbf64fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7fefbf70000	0x7fefbf87fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
MMDevAPI.dll	0x7fefbf90000	0x7fefbfdafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
hid.dll	0x7fefbfe0000	0x7fefbfeafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
SndVolSSO.dll	0x7fefbff0000	0x7fefc02afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
duser.dll	0x7fefc030000	0x7fefc072fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dui70.dll	0x7fefc080000	0x7fefc171fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
GdiPlus.dll	0x7fefc180000	0x7fefc394fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc3a0000	0x7fefc3f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc400000	0x7fefc52bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samlib.dll	0x7fefc530000	0x7fefc54cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shacct.dll	0x7fefc550000	0x7fefc573fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefc580000	0x7fefc773fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptui.dll	0x7fefc780000	0x7fefc888fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
authui.dll	0x7fefc890000	0x7fefca69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd040000	0x7fefd086fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd340000	0x7fefd356fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netjoin.dll	0x7fefd450000	0x7fefd481fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x7fefd810000	0x7fefd832fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefd8b0000	0x7fefd8bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd910000	0x7fefd934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd940000	0x7fefd94efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefd9f0000	0x7fefda2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefda30000	0x7fefda43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdaf0000	0x7fefdafefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x7fefdb00000	0x7fefdb39fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefdb40000	0x7fefdb59fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc00000	0x7fefdd66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefdd70000	0x7fefdda5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefddb0000	0x7fefde1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefde20000	0x7fefde2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7fefe090000	0x7fefe166fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7fefe170000	0x7fefe346fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefe350000	0x7fefe3e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7fefe3f0000	0x7fefe43cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefe440000	0x7fefe642fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefe780000	0x7fefe85afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7fefe860000	0x7fefe8d0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe8e0000	0x7fefe97efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe980000	0x7fefe99efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe9a0000	0x7fefe9cdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9d0000	0x7fefeafcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefec80000	0x7fefed88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7fefef10000	0x7fefef17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefef20000	0x7fefef86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefefb0000	0x7feff078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #32: svchost.exe

Information	Value
ID / OS PID	#32 / 0x32c
OS Parent PID	0x1a8 (c:\windows\system32\services.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Monitor	Start Time: 00:01:02, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:26
OS Thread IDs	#331 0x330 #332 0x334 #339 0x34C #340 0x350 #341 0x354 #343 0x360 #345 0x368 #346 0x36C #347 0x370 #348 0x374 #363 0x3B4 #364 0x3B8 #368 0x3CC #369 0x3D0 #370 0x3D4 #372 0x3DC #376 0x3F0 #377 0x3F4 #412 0x3BC #413 0x100 #427 0x42C #429 0x434 #601 0x710 #603 0x718 #604 0x71C #605 0x720 #607 0x728
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00051fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000060000	0x00060000	0x00060fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000070000	0x00070000	0x000effff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x000f0000	0x00156fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000160000	0x00160000	0x00160fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x0036ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000370000	0x00370000	0x00370fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000380000	0x00380000	0x00380fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000390000	0x00390000	0x00390fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003a0000	0x003a0000	0x003a0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003b0000	0x003b0000	0x003b1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000003c0000	0x003c0000	0x003cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003d0000	0x003d0000	0x00557fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000560000	0x00560000	0x006e0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006f0000	0x006f0000	0x007affff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007b0000	0x007b0000	0x00ba2fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000bb0000	0x00bb0000	0x00bb1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000bc0000	0x00bc0000	0x00bc1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000bf0000	0x00bf0000	0x00c6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c70000	0x00c70000	0x00ceffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000cf0000	0x00cf0000	0x00d6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00daffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d70000	0x00d70000	0x00deffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000df0000	0x00df0000	0x00e6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e10000	0x00e10000	0x00e8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000eb0000	0x00eb0000	0x00f2ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x00f30000	0x011fefff	Memory Mapped File	Readable	Region Actions
private_0x0000000001290000	0x01290000	0x0130ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001330000	0x01330000	0x013affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013e0000	0x013e0000	0x0145ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014d0000	0x014d0000	0x0154ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001550000	0x01550000	0x015cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015d0000	0x015d0000	0x0164ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016e0000	0x016e0000	0x0175ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000017d0000	0x017d0000	0x0184ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000018c0000	0x018c0000	0x0193ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000019e0000	0x019e0000	0x019effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a50000	0x01a50000	0x01acffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ad0000	0x01ad0000	0x01b4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b80000	0x01b80000	0x01bfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c00000	0x01c00000	0x01c0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c70000	0x01c70000	0x01ceffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d30000	0x01d30000	0x01daffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e80000	0x01e80000	0x01efffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f00000	0x01f00000	0x01ffffff	Private Memory	Readable, Writable	Region Actions
sfc.dll	0x74e10000	0x74e12fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x778e0000	0x779d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x779e0000	0x77afefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
svchost.exe	0xffa20000	0xffa2afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
trkwks.dll	0x7fef87d0000	0x7fef87f1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sysmain.dll	0x7fef8800000	0x7fef89adfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sfc_os.dll	0x7fef89b0000	0x7fef89bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
aepic.dll	0x7fef89c0000	0x7fef89d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pcasvc.dll	0x7fef89e0000	0x7fef8a11fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscobj.dll	0x7fef9510000	0x7fef954efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxsms.dll	0x7fefaff0000	0x7fefaffffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x7fefb200000	0x7fefb256fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mstask.dll	0x7fefb620000	0x7fefb65cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
taskschd.dll	0x7fefb660000	0x7fefb786fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
PeerDist.dll	0x7fefb8e0000	0x7fefb90ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscsvc.dll	0x7fefb910000	0x7fefb9bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefb9c0000	0x7fefb9ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
avrt.dll	0x7fefba10000	0x7fefba18fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x7fefba20000	0x7fefba4bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
audiosrv.dll	0x7fefba50000	0x7fefbafbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7fefbdd0000	0x7fefbde0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
MMDevAPI.dll	0x7fefbf90000	0x7fefbfdafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc400000	0x7fefc52bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefc580000	0x7fefc773fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcc10000	0x7fefcc1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pcwum.dll	0x7fefcda0000	0x7fefcdacfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x7fefcde0000	0x7fefcdfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefce00000	0x7fefce1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd040000	0x7fefd086fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd340000	0x7fefd356fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
authz.dll	0x7fefd510000	0x7fefd53efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefd550000	0x7fefd5bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd910000	0x7fefd934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd940000	0x7fefd94efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefd9f0000	0x7fefda2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefda30000	0x7fefda43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefda50000	0x7fefda5efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefdb40000	0x7fefdb59fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefdd70000	0x7fefdda5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefddb0000	0x7fefde1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefde20000	0x7fefde2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7fefe090000	0x7fefe166fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7fefe170000	0x7fefe346fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefe350000	0x7fefe3e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefe440000	0x7fefe642fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefe780000	0x7fefe85afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7fefe860000	0x7fefe8d0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe8e0000	0x7fefe97efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe980000	0x7fefe99efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe9a0000	0x7fefe9cdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9d0000	0x7fefeafcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x7fefec20000	0x7fefec71fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefec80000	0x7fefed88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefef20000	0x7fefef86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefefb0000	0x7feff078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7feff080000	0x7feffe07fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffff92000	0x7fffff92000	0x7fffff93fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff94000	0x7fffff94000	0x7fffff95fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff96000	0x7fffff96000	0x7fffff97fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff98000	0x7fffff98000	0x7fffff99fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9a000	0x7fffff9a000	0x7fffff9bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9c000	0x7fffff9c000	0x7fffff9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9e000	0x7fffff9e000	0x7fffff9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #33: svchost.exe

Information	Value
ID / OS PID	#33 / 0x358
OS Parent PID	0x1a8 (c:\windows\system32\services.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe -k netsvcs
Monitor	Start Time: 00:01:02, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:26
OS Thread IDs	#342 0x35C #344 0x364 #349 0x378 #350 0x37C #351 0x380 #352 0x384 #365 0x3BC #367 0x3C8 #371 0x3D8 #374 0x3E8 #375 0x3EC #383 0xF0 #385 0x104 #391 0x138 #399 0x1A0 #400 0x1FC #440 0x460 #442 0x468 #463 0x4C0 #465 0x4D0 #466 0x278 #467 0x4D8 #475 0xC4 #481 0x51C #606 0x724 #610 0x734 #611 0x738 #613 0x740 #614 0x744 #615 0x748 #616 0x74C #617 0x750 #618 0x754 #620 0x75C #622 0x764 #624 0x76C #626 0x774 #629 0x780 #631 0x788
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x001bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001c0000	0x001c0000	0x001c1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000001d0000	0x001d0000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000250000	0x00250000	0x0030ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000310000	0x00310000	0x00310fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000320000	0x00320000	0x00320fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000330000	0x00330000	0x00330fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000340000	0x00340000	0x00340fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000350000	0x00350000	0x00350fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000360000	0x00360000	0x00360fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000370000	0x00370000	0x0046ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000470000	0x00470000	0x005f7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000600000	0x00600000	0x00601fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x00610000	0x00613fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000620000	0x00620000	0x00621fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000630000	0x00630000	0x0063ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000640000	0x00640000	0x007c0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007d0000	0x007d0000	0x00bc2fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x00bd0000	0x00bd3fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000bf0000	0x00bf0000	0x00c6ffff	Private Memory	Readable, Writable	Region Actions
{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000a.db	0x00c70000	0x00c9ffff	Memory Mapped File	Readable	Region Actions
private_0x0000000000cd0000	0x00cd0000	0x00d4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d90000	0x00d90000	0x00e0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e50000	0x00e50000	0x00e5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e60000	0x00e60000	0x00edffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x00ee0000	0x011aefff	Memory Mapped File	Readable	Region Actions
private_0x00000000011b0000	0x011b0000	0x0122ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001250000	0x01250000	0x012cffff	Private Memory	Readable, Writable	Region Actions
{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db	0x012d0000	0x01335fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001340000	0x01340000	0x0134ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001350000	0x01350000	0x013cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001370000	0x01370000	0x013effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001430000	0x01430000	0x014affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001500000	0x01500000	0x0157ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001510000	0x01510000	0x0158ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015a0000	0x015a0000	0x0161ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001620000	0x01620000	0x0169ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016a0000	0x016a0000	0x0171ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016c0000	0x016c0000	0x0173ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001780000	0x01780000	0x017fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001830000	0x01830000	0x018affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001900000	0x01900000	0x0197ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000019b0000	0x019b0000	0x01a2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a30000	0x01a30000	0x01aaffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a60000	0x01a60000	0x01adffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b20000	0x01b20000	0x01b9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001bb0000	0x01bb0000	0x01c2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c50000	0x01c50000	0x01ccffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d30000	0x01d30000	0x01daffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001dd0000	0x01dd0000	0x01e4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e90000	0x01e90000	0x01f0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f10000	0x01f10000	0x0200ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002030000	0x02030000	0x020affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000020b0000	0x020b0000	0x0212ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002140000	0x02140000	0x021bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002200000	0x02200000	0x0227ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000022c0000	0x022c0000	0x0233ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000022c0000	0x022c0000	0x0233ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000022e0000	0x022e0000	0x0235ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000023a0000	0x023a0000	0x0241ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002420000	0x02420000	0x0249ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002500000	0x02500000	0x0257ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000025a0000	0x025a0000	0x0261ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002650000	0x02650000	0x026cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000026d0000	0x026d0000	0x0274ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000027d0000	0x027d0000	0x0284ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002850000	0x02850000	0x0294ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000002950000	0x02950000	0x02a4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a50000	0x02a50000	0x02b4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002bf0000	0x02bf0000	0x02bfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c00000	0x02c00000	0x02c7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c80000	0x02c80000	0x02d7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002e00000	0x02e00000	0x02e0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002e70000	0x02e70000	0x02eeffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002f50000	0x02f50000	0x02fcffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000030a0000	0x030a0000	0x0311ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003150000	0x03150000	0x031cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003300000	0x03300000	0x0337ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000033f0000	0x033f0000	0x0346ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000034b0000	0x034b0000	0x0352ffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x778e0000	0x779d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x779e0000	0x77afefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
svchost.exe	0xffa20000	0xffa2afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
repdrvfs.dll	0x7fef7f30000	0x7fef7fa2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wmiutils.dll	0x7fef7fb0000	0x7fef7fd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netprofm.dll	0x7fef7fe0000	0x7fef8053fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
hnetcfg.dll	0x7fef8060000	0x7fef80cafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemsvc.dll	0x7fef80d0000	0x7fef80e3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
esscli.dll	0x7fef80f0000	0x7fef815efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemcore.dll	0x7fef8160000	0x7fef828efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
resutils.dll	0x7fef8290000	0x7fef82a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clusapi.dll	0x7fef82b0000	0x7fef82fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sscore.dll	0x7fef8300000	0x7fef8307fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nci.dll	0x7fef8310000	0x7fef8329fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemprox.dll	0x7fef8330000	0x7fef833efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netcfgx.dll	0x7fef8340000	0x7fef83c3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdsapi.dll	0x7fef83d0000	0x7fef83f6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fastprox.dll	0x7fef8400000	0x7fef84e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
browser.dll	0x7fef8530000	0x7fef8554fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvsvc.dll	0x7fef8560000	0x7fef859cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wdscore.dll	0x7fef85a0000	0x7fef85e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sqmapi.dll	0x7fef85f0000	0x7fef8631fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rtutils.dll	0x7fef8640000	0x7fef8650fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpsvc.dll	0x7fef8660000	0x7fef86f1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemcomn.dll	0x7fef8700000	0x7fef8785fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WMIsvc.dll	0x7fef8790000	0x7fef87cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vsstrace.dll	0x7fef8b00000	0x7fef8b16fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vssapi.dll	0x7fef8b20000	0x7fef8ccffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
taskcomp.dll	0x7fefa0c0000	0x7fefa136fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wiarpc.dll	0x7fefa300000	0x7fefa30efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ktmw32.dll	0x7fefa310000	0x7fefa319fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
schedsvc.dll	0x7fefa320000	0x7fefa431fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
actxprxy.dll	0x7fefa950000	0x7fefaa3dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fvecerts.dll	0x7fefaa40000	0x7fefaa48fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
tbs.dll	0x7fefaa50000	0x7fefaa58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fveapi.dll	0x7fefaa60000	0x7fefaab5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shsvcs.dll	0x7fefaac0000	0x7fefab1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x7fefab20000	0x7fefab37fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc6.dll	0x7fefab40000	0x7fefab50fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FWPUCLNT.DLL	0x7fefab70000	0x7fefabc2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7fefb510000	0x7fefb51afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IPHLPAPI.DLL	0x7fefb520000	0x7fefb546fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Sens.dll	0x7fefb550000	0x7fefb563fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
es.dll	0x7fefb580000	0x7fefb5e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7fefb5f0000	0x7fefb5fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dsrole.dll	0x7fefb600000	0x7fefb60bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
themeservice.dll	0x7fefb610000	0x7fefb61ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x7fefb790000	0x7fefb7a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profsvc.dll	0x7fefb7b0000	0x7fefb7e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x7fefb7f0000	0x7fefb804fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpsvc.dll	0x7fefb810000	0x7fefb8d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefb9c0000	0x7fefb9ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mmcss.dll	0x7fefb9f0000	0x7fefba0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
avrt.dll	0x7fefba10000	0x7fefba18fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x7fefbc50000	0x7fefbc63fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x7fefbc70000	0x7fefbc84fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x7fefbc90000	0x7fefbc9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x7fefbca0000	0x7fefbcb5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7fefbdd0000	0x7fefbde0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
xmllite.dll	0x7fefbf30000	0x7fefbf64fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc3a0000	0x7fefc3f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc400000	0x7fefc52bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samlib.dll	0x7fefc530000	0x7fefc54cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefc580000	0x7fefc773fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcc10000	0x7fefcc1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FirewallAPI.dll	0x7fefcc20000	0x7fefccdafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WSHTCPIP.DLL	0x7fefcce0000	0x7fefcce6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pcwum.dll	0x7fefcda0000	0x7fefcdacfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x7fefcde0000	0x7fefcdfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefce00000	0x7fefce1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devrtl.dll	0x7fefce20000	0x7fefce31fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ubpm.dll	0x7fefced0000	0x7fefcf08fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcf10000	0x7fefcf19fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd040000	0x7fefd086fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
logoncli.dll	0x7fefd130000	0x7fefd15ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x7fefd160000	0x7fefd1bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x7fefd2d0000	0x7fefd2d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd2e0000	0x7fefd334fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd340000	0x7fefd356fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netjoin.dll	0x7fefd450000	0x7fefd481fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
authz.dll	0x7fefd510000	0x7fefd53efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefd550000	0x7fefd5bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptdll.dll	0x7fefd5c0000	0x7fefd5d3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x7fefd810000	0x7fefd832fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefd8b0000	0x7fefd8bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sysntfy.dll	0x7fefd8f0000	0x7fefd8f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd910000	0x7fefd934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd940000	0x7fefd94efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxs.dll	0x7fefd950000	0x7fefd9e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefd9f0000	0x7fefda2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefda30000	0x7fefda43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefda50000	0x7fefda5efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdaf0000	0x7fefdafefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x7fefdb00000	0x7fefdb39fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefdb40000	0x7fefdb59fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc00000	0x7fefdd66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefdd70000	0x7fefdda5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefddb0000	0x7fefde1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefde20000	0x7fefde2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7fefe090000	0x7fefe166fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7fefe170000	0x7fefe346fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefe350000	0x7fefe3e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7fefe3f0000	0x7fefe43cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefe440000	0x7fefe642fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefe780000	0x7fefe85afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7fefe860000	0x7fefe8d0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe8e0000	0x7fefe97efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe980000	0x7fefe99efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe9a0000	0x7fefe9cdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9d0000	0x7fefeafcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x7fefec20000	0x7fefec71fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefec80000	0x7fefed88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7fefef10000	0x7fefef17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefef20000	0x7fefef86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefefb0000	0x7feff078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7feff080000	0x7feffe07fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffff7c000	0x7fffff7c000	0x7fffff7dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff7e000	0x7fffff7e000	0x7fffff7ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff80000	0x7fffff80000	0x7fffff81fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff82000	0x7fffff82000	0x7fffff83fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff84000	0x7fffff84000	0x7fffff85fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff86000	0x7fffff86000	0x7fffff87fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff88000	0x7fffff88000	0x7fffff89fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff8a000	0x7fffff8a000	0x7fffff8bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff8c000	0x7fffff8c000	0x7fffff8dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff8e000	0x7fffff8e000	0x7fffff8ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff90000	0x7fffff90000	0x7fffff91fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff92000	0x7fffff92000	0x7fffff93fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff92000	0x7fffff92000	0x7fffff93fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff94000	0x7fffff94000	0x7fffff95fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff96000	0x7fffff96000	0x7fffff97fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff98000	0x7fffff98000	0x7fffff99fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9a000	0x7fffff9a000	0x7fffff9bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9c000	0x7fffff9c000	0x7fffff9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9e000	0x7fffff9e000	0x7fffff9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #34: audiodg.exe

Information	Value
ID / OS PID	#34 / 0x394
OS Parent PID	0x2ac (c:\windows\system32\svchost.exe)
Initial Working Directory	C:\Windows
File Name	c:\windows\system32\audiodg.exe
Command Line	C:\Windows\system32\AUDIODG.EXE 0x2bc
Monitor	Start Time: 00:01:02, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:26
OS Thread IDs	#356 0x398 #357 0x39C #360 0x3A8 #361 0x3AC #362 0x3B0 #529 0x5E4 #535 0x5FC #540 0x618 #547 0x634 #549 0x640 #550 0x63C
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
locale.nls	0x00020000	0x00086fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000090000	0x00090000	0x00096fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000a0000	0x000a0000	0x000a1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
audiodg.exe.mui	0x000b0000	0x000b0fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000f0000	0x000f0000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x0027ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000280000	0x00280000	0x0033ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000340000	0x00340000	0x0043ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000440000	0x00440000	0x005c7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005d0000	0x005d0000	0x00750fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000760000	0x00760000	0x00761fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000770000	0x00770000	0x00770fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000780000	0x00780000	0x00781fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000790000	0x00790000	0x00791fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007a0000	0x007a0000	0x007a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007b0000	0x007b0000	0x007b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007c0000	0x007c0000	0x0083ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000840000	0x00840000	0x00841fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000850000	0x00850000	0x00850fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000860000	0x00860000	0x00861fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000880000	0x00880000	0x008fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000900000	0x00900000	0x0097ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x00980000	0x00c4efff	Memory Mapped File	Readable	Region Actions
private_0x0000000000c60000	0x00c60000	0x00cdffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ce0000	0x00ce0000	0x010e2fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000010f0000	0x010f0000	0x014f2fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001500000	0x01500000	0x018f2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001900000	0x01900000	0x01d02fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d10000	0x01d10000	0x01d51fff	Private Memory	Readable, Writable	Region Actions
ksuser.dll	0x73f70000	0x73f75fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x778e0000	0x779d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x779e0000	0x77afefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
audiodg.exe	0xffb80000	0xffba3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mfplat.dll	0x7fef9bf0000	0x7fef9c5bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WMALFXGFXDSP.dll	0x7fef9c60000	0x7fef9de7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
AUDIOKSE.dll	0x7fef9ea0000	0x7fef9f1ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
AudioEng.dll	0x7fef9f20000	0x7fef9f90fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefb9c0000	0x7fefb9ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
avrt.dll	0x7fefba10000	0x7fefba18fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
AudioSes.dll	0x7fefbd80000	0x7fefbdcefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
MMDevAPI.dll	0x7fefbf90000	0x7fefbfdafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc400000	0x7fefc52bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd040000	0x7fefd086fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd340000	0x7fefd356fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd940000	0x7fefd94efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefda30000	0x7fefda43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdaf0000	0x7fefdafefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x7fefdb00000	0x7fefdb39fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefdb40000	0x7fefdb59fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc00000	0x7fefdd66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefdd70000	0x7fefdda5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefddb0000	0x7fefde1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefde20000	0x7fefde2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7fefe090000	0x7fefe166fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7fefe170000	0x7fefe346fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefe350000	0x7fefe3e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7fefe3f0000	0x7fefe43cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefe440000	0x7fefe642fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefe780000	0x7fefe85afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7fefe860000	0x7fefe8d0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe8e0000	0x7fefe97efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe980000	0x7fefe99efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe9a0000	0x7fefe9cdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9d0000	0x7fefeafcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x7fefec20000	0x7fefec71fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefec80000	0x7fefed88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7fefef10000	0x7fefef17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefef20000	0x7fefef86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefefb0000	0x7feff078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #35: svchost.exe

Information	Value
ID / OS PID	#35 / 0x3e0
OS Parent PID	0x1a8 (c:\windows\system32\services.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe -k LocalService
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:25
OS Thread IDs	#373 0x3E4 #378 0x3F8 #379 0x3FC #380 0xC0 #381 0xC4 #382 0xF4 #384 0xF8 #418 0x3BC #520 0x5C4
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00051fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000060000	0x00060000	0x0015ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00160000	0x001c6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001d0000	0x001d0000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x0034ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000350000	0x00350000	0x00350fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000360000	0x00360000	0x00360fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000370000	0x00370000	0x00370fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000390000	0x00390000	0x0039ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003a0000	0x003a0000	0x00527fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000530000	0x00530000	0x006b0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006c0000	0x006c0000	0x0077ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000780000	0x00780000	0x00b72fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000b80000	0x00b80000	0x00bfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c20000	0x00c20000	0x00c9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ca0000	0x00ca0000	0x00d1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d50000	0x00d50000	0x00dcffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x00dd0000	0x0109efff	Memory Mapped File	Readable	Region Actions
private_0x00000000010c0000	0x010c0000	0x0113ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001140000	0x01140000	0x0123ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001260000	0x01260000	0x012dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013d0000	0x013d0000	0x0144ffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x778e0000	0x779d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x779e0000	0x77afefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
svchost.exe	0xffa20000	0xffa2afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsisvc.dll	0x7fefaca0000	0x7fefaca9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
es.dll	0x7fefb580000	0x7fefb5e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd040000	0x7fefd086fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd340000	0x7fefd356fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd940000	0x7fefd94efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefda30000	0x7fefda43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefddb0000	0x7fefde1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefde20000	0x7fefde2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7fefe090000	0x7fefe166fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefe350000	0x7fefe3e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefe440000	0x7fefe642fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefe780000	0x7fefe85afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe8e0000	0x7fefe97efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe980000	0x7fefe99efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe9a0000	0x7fefe9cdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9d0000	0x7fefeafcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefec80000	0x7fefed88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7fefef10000	0x7fefef17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefef20000	0x7fefef86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefefb0000	0x7feff078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #36: dllhost.exe

Information	Value
ID / OS PID	#36 / 0x12c
OS Parent PID	0x234 (c:\windows\system32\svchost.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\dllhost.exe
Command Line	C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
Monitor	Start Time: 00:01:05, Reason: Child Process
Unmonitor	End Time: 00:01:13, Reason: Terminated
Monitor Duration	00:00:08
OS Thread IDs	#392 0x124 #393 0x120 #394 0x13C #395 0x168 #396 0x154 #397 0x150 #398 0xFC
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000040000	0x00040000	0x00040fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00050fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00070fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00190000	0x001f6fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000270000	0x00270000	0x0027ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000310000	0x00310000	0x0040ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000410000	0x00410000	0x0050ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000510000	0x00510000	0x00697fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006a0000	0x006a0000	0x00820fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000830000	0x00830000	0x008effff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000950000	0x00950000	0x00a4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ab0000	0x00ab0000	0x00baffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c00000	0x00c00000	0x00cfffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x00d00000	0x00fcefff	Memory Mapped File	Readable	Region Actions
private_0x0000000001040000	0x01040000	0x0113ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000011d0000	0x011d0000	0x011dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001220000	0x01220000	0x0131ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001320000	0x01320000	0x0141ffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x778e0000	0x779d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x779e0000	0x77afefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
dllhost.exe	0xffe60000	0xffe66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IDStore.dll	0x7fefb450000	0x7fefb461fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefb470000	0x7fefb50ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefb9c0000	0x7fefb9ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samlib.dll	0x7fefc530000	0x7fefc54cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shacct.dll	0x7fefc550000	0x7fefc573fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefce00000	0x7fefce1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd040000	0x7fefd086fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd340000	0x7fefd356fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd940000	0x7fefd94efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefda30000	0x7fefda43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefda50000	0x7fefda5efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefddb0000	0x7fefde1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefde20000	0x7fefde2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7fefe090000	0x7fefe166fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefe350000	0x7fefe3e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefe440000	0x7fefe642fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefe780000	0x7fefe85afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7fefe860000	0x7fefe8d0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe8e0000	0x7fefe97efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe980000	0x7fefe99efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe9a0000	0x7fefe9cdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9d0000	0x7fefeafcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x7fefec20000	0x7fefec71fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefec80000	0x7fefed88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefef20000	0x7fefef86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefefb0000	0x7feff078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7feff080000	0x7feffe07fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #37: userinit.exe

Information	Value
ID / OS PID	#37 / 0x10c
OS Parent PID	0x180 (c:\windows\system32\winlogon.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\userinit.exe
Command Line	C:\Windows\system32\userinit.exe
Monitor	Start Time: 00:01:06, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:22
OS Thread IDs	#401 0x1BC #507 0x598 #509 0x5A0
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000030000	0x00030000	0x000affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000b0000	0x000b0000	0x000b3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c0fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x000d0000	0x00136fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000140000	0x00140000	0x0023ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000240000	0x00240000	0x00241fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000260000	0x00260000	0x00260fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x00270fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000280000	0x00280000	0x00280fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002b0000	0x002b0000	0x003affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003b0000	0x003b0000	0x00537fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000590000	0x00590000	0x0059ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005a0000	0x005a0000	0x00720fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000730000	0x00730000	0x01b2ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001b30000	0x01b30000	0x01f22fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001f30000	0x01f30000	0x0200efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002050000	0x02050000	0x020cffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x778e0000	0x779d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x779e0000	0x77afefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
userinit.exe	0xffe00000	0xffe0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7fefbf70000	0x7fefbf87fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc3a0000	0x7fefc3f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefce00000	0x7fefce1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefda50000	0x7fefda5efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdaf0000	0x7fefdafefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc00000	0x7fefdd66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefddb0000	0x7fefde1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefde20000	0x7fefde2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe8e0000	0x7fefe97efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe9a0000	0x7fefe9cdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9d0000	0x7fefeafcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefec80000	0x7fefed88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefef20000	0x7fefef86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefefb0000	0x7feff078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #38: explorer.exe

Information	Value
ID / OS PID	#38 / 0x200
OS Parent PID	0x10c (c:\windows\system32\userinit.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\explorer.exe
Command Line	C:\Windows\Explorer.EXE
Monitor	Start Time: 00:01:06, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:22
OS Thread IDs	#402 0x1F8 #403 0x110 #404 0x248 #406 0x298 #407 0x2E8 #408 0x354 #409 0x360 #410 0x388 #411 0x38C #443 0x46C #444 0x470 #445 0x474 #446 0x478 #447 0x484 #448 0x488 #449 0x48C #450 0x490 #451 0x494 #452 0x498 #453 0x4B4 #460 0x4C4 #461 0x4C8 #462 0x4CC #464 0x4D4 #477 0x50C #478 0x510 #489 0x544 #502 0x588 #515 0x5B4 #526 0x5D8 #530 0x5E8 #531 0x5EC #533 0x5F4 #534 0x5F8 #538 0x610 #539 0x614 #542 0x620 #546 0x630
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00021fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x0013ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x00140fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x001cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001d0000	0x001d0000	0x001d1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001e0000	0x001e0000	0x001e0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001f0000	0x001f0000	0x001f1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000200000	0x00200000	0x00211fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000220000	0x00220000	0x00220fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000230000	0x00230000	0x00230fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000240000	0x00240000	0x00251fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000260000	0x00260000	0x00261fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000270000	0x00270000	0x00270fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000280000	0x00280000	0x0037ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000380000	0x00380000	0x0047ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000480000	0x00480000	0x0055efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000560000	0x00560000	0x0056ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000570000	0x00570000	0x006f7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000700000	0x00700000	0x00880fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000890000	0x00890000	0x01c8ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001c90000	0x01c90000	0x02082fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002090000	0x02090000	0x02090fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000020a0000	0x020a0000	0x020a1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000020b0000	0x020b0000	0x020b1fff	Pagefile Backed Memory	Readable	Region Actions
comctl32.dll.mui	0x020c0000	0x020c2fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000020d0000	0x020d0000	0x020d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000020e0000	0x020e0000	0x020effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000020f0000	0x020f0000	0x020f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002100000	0x02100000	0x02108fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002110000	0x02110000	0x02117fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002120000	0x02120000	0x0219ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000021a0000	0x021a0000	0x021a0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000021b0000	0x021b0000	0x0222ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x02230000	0x024fefff	Memory Mapped File	Readable	Region Actions
private_0x0000000002500000	0x02500000	0x025fffff	Private Memory	Readable, Writable	Region Actions
{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000a.db	0x02500000	0x02515fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002520000	0x02520000	0x0259ffff	Private Memory	Readable, Writable	Region Actions
cversions.2.db	0x025a0000	0x025a3fff	Memory Mapped File	Readable	Region Actions
{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000a.db	0x025b0000	0x025dffff	Memory Mapped File	Readable	Region Actions
cversions.2.db	0x025e0000	0x025e3fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000025f0000	0x025f0000	0x025f1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002600000	0x02600000	0x026b7fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000026c0000	0x026c0000	0x02839fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002840000	0x02840000	0x0293ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002940000	0x02940000	0x02941fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002950000	0x02950000	0x02953fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002960000	0x02960000	0x029dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000029e0000	0x029e0000	0x02bdffff	Private Memory	Readable, Writable	Region Actions
thumbcache_32.db	0x029e0000	0x02adffff	Memory Mapped File	Readable, Writable	Region Actions Download
thumbcache_96.db	0x02ae0000	0x02bdffff	Memory Mapped File	Readable, Writable	Region Actions Download
pagefile_0x0000000002be0000	0x02be0000	0x02f22fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002f30000	0x02f30000	0x02faffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002f30000	0x02f30000	0x02f33fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002f40000	0x02f40000	0x02f6ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002f40000	0x02f40000	0x02f40fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000002f50000	0x02f50000	0x02f51fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x02f60000	0x02f63fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000002f70000	0x02f70000	0x02f71fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002f80000	0x02f80000	0x02f8ffff	Private Memory	Readable, Writable	Region Actions
{40FC8D7D-05ED-4FEB-B03B-6C100659EF5C}.2.ver0x0000000000000001.db	0x02f80000	0x02f80fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002f90000	0x02f90000	0x02f90fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002fa0000	0x02fa0000	0x02fa0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002fb0000	0x02fb0000	0x02fb0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002fc0000	0x02fc0000	0x0303ffff	Private Memory	Readable, Writable	Region Actions
{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db	0x03040000	0x030a5fff	Memory Mapped File	Readable	Region Actions
private_0x00000000030b0000	0x030b0000	0x030b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000030c0000	0x030c0000	0x0313ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003140000	0x03140000	0x03140fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003150000	0x03150000	0x03150fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003160000	0x03160000	0x03160fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003170000	0x03170000	0x03170fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003180000	0x03180000	0x03180fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003190000	0x03190000	0x0320ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003210000	0x03210000	0x03210fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003220000	0x03220000	0x0329ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000032a0000	0x032a0000	0x0339ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000033a0000	0x033a0000	0x033a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000033b0000	0x033b0000	0x033b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000033c0000	0x033c0000	0x033c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000033d0000	0x033d0000	0x033d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000033e0000	0x033e0000	0x033e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000033f0000	0x033f0000	0x033f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003400000	0x03400000	0x03403fff	Private Memory	Readable, Writable	Region Actions
thumbcache_1024.db	0x03410000	0x03410fff	Memory Mapped File	Readable, Writable	Region Actions
thumbcache_sr.db	0x03420000	0x03420fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000003430000	0x03430000	0x0347ffff	Private Memory	Readable, Writable	Region Actions
thumbcache_idx.db	0x03480000	0x03480fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000003490000	0x03490000	0x0350ffff	Private Memory	Readable, Writable	Region Actions
StaticCache.dat	0x03510000	0x03e3ffff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000003e40000	0x03e40000	0x03e41fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000003e50000	0x03e50000	0x03ecffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003ed0000	0x03ed0000	0x03f02fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003f10000	0x03f10000	0x03f8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003f90000	0x03f90000	0x03fd7fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003fe0000	0x03fe0000	0x0405ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004060000	0x04060000	0x04061fff	Private Memory	Readable, Writable	Region Actions
thumbcache_1024.db	0x04070000	0x04070fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000004080000	0x04080000	0x040fffff	Private Memory	Readable, Writable	Region Actions
thumbcache_sr.db	0x04100000	0x04100fff	Memory Mapped File	Readable, Writable	Region Actions
thumbcache_idx.db	0x04110000	0x04110fff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x0000000004120000	0x04120000	0x04120fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000004130000	0x04130000	0x041affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000041b0000	0x041b0000	0x0422ffff	Private Memory	Readable, Writable	Region Actions
TranscodedWallpaper.jpg	0x041b0000	0x0424cfff	Memory Mapped File	Readable	Region Actions
private_0x00000000041b0000	0x041b0000	0x0422ffff	Private Memory	Readable, Writable	Region Actions
thumbcache_32.db	0x04230000	0x0432ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000004250000	0x04250000	0x042cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004290000	0x04290000	0x0430ffff	Private Memory	Readable, Writable	Region Actions
wdmaud.drv.mui	0x04330000	0x04330fff	Memory Mapped File	Readable, Writable	Region Actions
MMDevAPI.dll.mui	0x04340000	0x04340fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000004350000	0x04350000	0x04351fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004360000	0x04360000	0x04361fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000004370000	0x04370000	0x04371fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x04380000	0x04383fff	Memory Mapped File	Readable	Region Actions
private_0x0000000004390000	0x04390000	0x0440ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004410000	0x04410000	0x04410fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000004420000	0x04420000	0x0449ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000044a0000	0x044a0000	0x044a1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000044b0000	0x044b0000	0x044b1fff	Pagefile Backed Memory	Readable	Region Actions
thumbcache_1024.db	0x044c0000	0x044c0fff	Memory Mapped File	Readable, Writable	Region Actions Download
thumbcache_sr.db	0x044d0000	0x044d0fff	Memory Mapped File	Readable, Writable	Region Actions Download
thumbcache_idx.db	0x044e0000	0x044e0fff	Memory Mapped File	Readable, Writable	Region Actions Download
pagefile_0x00000000044f0000	0x044f0000	0x044f1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000004500000	0x04500000	0x0457ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004580000	0x04580000	0x04581fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000045d0000	0x045d0000	0x045d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000045f0000	0x045f0000	0x0466ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004670000	0x04670000	0x0486ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004870000	0x04870000	0x04f07fff	Private Memory	Readable, Writable	Region Actions
thumbcache_96.db	0x04870000	0x0496ffff	Memory Mapped File	Readable, Writable	Region Actions
thumbcache_256.db	0x04970000	0x04a6ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000004a70000	0x04a70000	0x04aeffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004b10000	0x04b10000	0x04b8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004b90000	0x04b90000	0x04f92fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005000000	0x05000000	0x0507ffff	Private Memory	Readable, Writable	Region Actions
thumbcache_32.db	0x05080000	0x0517ffff	Memory Mapped File	Readable, Writable	Region Actions
thumbcache_96.db	0x05180000	0x0527ffff	Memory Mapped File	Readable, Writable	Region Actions
thumbcache_256.db	0x05280000	0x0537ffff	Memory Mapped File	Readable, Writable	Region Actions
imageres.dll	0x05380000	0x066d4fff	Memory Mapped File	Readable	Region Actions
private_0x00000000066e0000	0x066e0000	0x0675ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006760000	0x06760000	0x067dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000067e0000	0x067e0000	0x068dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006840000	0x06840000	0x068bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006910000	0x06910000	0x0698ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006990000	0x06990000	0x0699ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006a20000	0x06a20000	0x06a2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006ac0000	0x06ac0000	0x06b3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006b70000	0x06b70000	0x06beffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006bf0000	0x06bf0000	0x06c6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006cc0000	0x06cc0000	0x06d3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006d40000	0x06d40000	0x06e40fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006d70000	0x06d70000	0x06deffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006d90000	0x06d90000	0x06e0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006e60000	0x06e60000	0x06e6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006f10000	0x06f10000	0x06f8ffff	Private Memory	Readable, Writable	Region Actions
KernelBase.dll.mui	0x06f90000	0x0704ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000007050000	0x07050000	0x070cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007100000	0x07100000	0x0717ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000071e0000	0x071e0000	0x0725ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007260000	0x07260000	0x0765ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007660000	0x07660000	0x0795ffff	Private Memory	Readable, Writable	Region Actions
ksuser.dll	0x73f70000	0x73f75fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imageres.dll	0x744c0000	0x75815fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FXSRESM.dll	0x74ff0000	0x750d2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x778e0000	0x779d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x779e0000	0x77afefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77cc0000	0x77cc6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
explorer.exe	0xff080000	0xff33ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleacc.dll	0x7fef84c0000	0x7fef8513fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ieframe.dll	0x7fef8520000	0x7fef90d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
webcheck.dll	0x7fef90e0000	0x7fef9129fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FXSAPI.dll	0x7fef9130000	0x7fef91ccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FXSST.dll	0x7fef91d0000	0x7fef92a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ActionCenter.dll	0x7fef92b0000	0x7fef9371fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srchadmin.dll	0x7fef9380000	0x7fef93d7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
webio.dll	0x7fef93e0000	0x7fef9443fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winhttp.dll	0x7fef9450000	0x7fef94c0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ncsi.dll	0x7fef94d0000	0x7fef9507fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mlang.dll	0x7fef94d0000	0x7fef950afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscobj.dll	0x7fef9510000	0x7fef954efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
QUTIL.DLL	0x7fef9550000	0x7fef956efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pnidui.dll	0x7fef9570000	0x7fef972cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
PortableDeviceApi.dll	0x7fef9730000	0x7fef97ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
PortableDeviceTypes.dll	0x7fef97f0000	0x7fef9828fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WPDShServiceObj.dll	0x7fef9830000	0x7fef984ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
AltTab.dll	0x7fef9850000	0x7fef985ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netshell.dll	0x7fef98d0000	0x7fef9b5afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ehSSO.dll	0x7fef9b60000	0x7fef9b6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
DXP.dll	0x7fef9b70000	0x7fef9be3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x7fef9fa0000	0x7fefa010fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
networkexplorer.dll	0x7fefa140000	0x7fefa2dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
thumbcache.dll	0x7fefa2e0000	0x7fefa2fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
tiptsf.dll	0x7fefa440000	0x7fefa4befff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msls31.dll	0x7fefa4c0000	0x7fefa4fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msftedit.dll	0x7fefa500000	0x7fefa5c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wer.dll	0x7fefa5d0000	0x7fefa64bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gameux.dll	0x7fefa650000	0x7fefa8f2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
linkinfo.dll	0x7fefa900000	0x7fefa90bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shdocvw.dll	0x7fefa910000	0x7fefa943fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
actxprxy.dll	0x7fefa950000	0x7fefaa3dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x7fefab20000	0x7fefab37fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc6.dll	0x7fefab40000	0x7fefab50fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FWPUCLNT.DLL	0x7fefab70000	0x7fefabc2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
timedate.cpl	0x7fefb000000	0x7fefb082fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IconCodecService.dll	0x7fefb090000	0x7fefb097fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntshrui.dll	0x7fefb0a0000	0x7fefb11ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscapi.dll	0x7fefb120000	0x7fefb12efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscdll.dll	0x7fefb130000	0x7fefb13bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscui.dll	0x7fefb140000	0x7fefb1bdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
EhStorShell.dll	0x7fefb1c0000	0x7fefb1f4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x7fefb200000	0x7fefb256fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ExplorerFrame.dll	0x7fefb260000	0x7fefb429fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wdmaud.drv	0x7fefb490000	0x7fefb4cafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x7fefb4d0000	0x7fefb50afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7fefb510000	0x7fefb51afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IPHLPAPI.DLL	0x7fefb520000	0x7fefb546fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
es.dll	0x7fefb580000	0x7fefb5e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7fefb5f0000	0x7fefb5fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
taskschd.dll	0x7fefb660000	0x7fefb786fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x7fefb790000	0x7fefb7a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x7fefb7f0000	0x7fefb804fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefb9c0000	0x7fefb9ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
avrt.dll	0x7fefba10000	0x7fefba18fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x7fefba20000	0x7fefba4bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Syncreg.dll	0x7fefbb00000	0x7fefbb15fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
prnfldr.dll	0x7fefbb20000	0x7fefbb88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
batmeter.dll	0x7fefbb90000	0x7fefbc49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x7fefbc50000	0x7fefbc63fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x7fefbc90000	0x7fefbc9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
midimap.dll	0x7fefbd00000	0x7fefbd08fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msacm32.dll	0x7fefbd10000	0x7fefbd27fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
stobject.dll	0x7fefbd30000	0x7fefbd72fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
AudioSes.dll	0x7fefbd80000	0x7fefbdcefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7fefbdd0000	0x7fefbde0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msacm32.drv	0x7fefbdf0000	0x7fefbdf9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WindowsCodecs.dll	0x7fefbe00000	0x7fefbf29fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
xmllite.dll	0x7fefbf30000	0x7fefbf64fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7fefbf70000	0x7fefbf87fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
MMDevAPI.dll	0x7fefbf90000	0x7fefbfdafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
hid.dll	0x7fefbfe0000	0x7fefbfeafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
SndVolSSO.dll	0x7fefbff0000	0x7fefc02afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
duser.dll	0x7fefc030000	0x7fefc072fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dui70.dll	0x7fefc080000	0x7fefc171fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
GdiPlus.dll	0x7fefc180000	0x7fefc394fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc3a0000	0x7fefc3f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc400000	0x7fefc52bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samlib.dll	0x7fefc530000	0x7fefc54cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shacct.dll	0x7fefc550000	0x7fefc573fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefc580000	0x7fefc773fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptui.dll	0x7fefc780000	0x7fefc888fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
authui.dll	0x7fefc890000	0x7fefca69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcc10000	0x7fefcc1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefce00000	0x7fefce1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcf10000	0x7fefcf19fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd040000	0x7fefd086fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd340000	0x7fefd356fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefd550000	0x7fefd5bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x7fefd810000	0x7fefd832fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefd8b0000	0x7fefd8bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd910000	0x7fefd934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd940000	0x7fefd94efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefd9f0000	0x7fefda2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefda30000	0x7fefda43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefda50000	0x7fefda5efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdaf0000	0x7fefdafefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x7fefdb00000	0x7fefdb39fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefdb40000	0x7fefdb59fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc00000	0x7fefdd66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefdd70000	0x7fefdda5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefddb0000	0x7fefde1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefde20000	0x7fefde2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x7fefde30000	0x7fefe088fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7fefe090000	0x7fefe166fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7fefe170000	0x7fefe346fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefe350000	0x7fefe3e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7fefe3f0000	0x7fefe43cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefe440000	0x7fefe642fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x7fefe650000	0x7fefe779fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefe780000	0x7fefe85afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7fefe860000	0x7fefe8d0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe8e0000	0x7fefe97efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe980000	0x7fefe99efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe9a0000	0x7fefe9cdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9d0000	0x7fefeafcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x7fefec20000	0x7fefec71fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefec80000	0x7fefed88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x7fefed90000	0x7fefef07fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7fefef10000	0x7fefef17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefef20000	0x7fefef86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefefb0000	0x7feff078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7feff080000	0x7feffe07fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffff82000	0x7fffff82000	0x7fffff83fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff84000	0x7fffff84000	0x7fffff85fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff86000	0x7fffff86000	0x7fffff87fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff88000	0x7fffff88000	0x7fffff89fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff8a000	0x7fffff8a000	0x7fffff8bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff8c000	0x7fffff8c000	0x7fffff8dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff8e000	0x7fffff8e000	0x7fffff8ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff90000	0x7fffff90000	0x7fffff91fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff90000	0x7fffff90000	0x7fffff91fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff92000	0x7fffff92000	0x7fffff93fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff94000	0x7fffff94000	0x7fffff95fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff96000	0x7fffff96000	0x7fffff97fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff98000	0x7fffff98000	0x7fffff99fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9a000	0x7fffff9a000	0x7fffff9bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9c000	0x7fffff9c000	0x7fffff9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9e000	0x7fffff9e000	0x7fffff9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #39: dwm.exe

Information	Value
ID / OS PID	#39 / 0x104
OS Parent PID	0x32c (c:\windows\system32\svchost.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\dwm.exe
Command Line	"C:\Windows\system32\Dwm.exe"
Monitor	Start Time: 00:01:07, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:21
OS Thread IDs	#415 0x134 #417 0x404 #419 0x408 #420 0x410 #422 0x414
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001a0000	0x001a0000	0x001affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001d0000	0x001d0000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x0034ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000380000	0x00380000	0x0047ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000480000	0x00480000	0x00607fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000610000	0x00610000	0x00790fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007a0000	0x007a0000	0x01b9ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001ba0000	0x01ba0000	0x01f92fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002160000	0x02160000	0x021dffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x778e0000	0x779d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x779e0000	0x77afefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77cc0000	0x77cc6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
dwm.exe	0xff620000	0xff642fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dxgi.dll	0x7fefacd0000	0x7fefad76fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d10_1core.dll	0x7fefad80000	0x7fefadd4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d10_1.dll	0x7fefade0000	0x7fefae13fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmcore.dll	0x7fefae20000	0x7fefafb1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmredir.dll	0x7fefafc0000	0x7fefafe6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WindowsCodecs.dll	0x7fefbe00000	0x7fefbf29fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7fefbf70000	0x7fefbf87fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc3a0000	0x7fefc3f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcc10000	0x7fefcc1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefddb0000	0x7fefde1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefde20000	0x7fefde2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefe440000	0x7fefe642fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefe780000	0x7fefe85afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe8e0000	0x7fefe97efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe980000	0x7fefe99efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe9a0000	0x7fefe9cdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9d0000	0x7fefeafcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefec80000	0x7fefed88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefef20000	0x7fefef86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefefb0000	0x7feff078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #40: svchost.exe

Information	Value
ID / OS PID	#40 / 0x41c
OS Parent PID	0x1a8 (c:\windows\system32\services.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe -k NetworkService
Monitor	Start Time: 00:01:08, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:20
OS Thread IDs	#424 0x420 #425 0x424 #428 0x430 #430 0x438 #431 0x43C #432 0x440 #435 0x44C #436 0x450 #437 0x454 #438 0x458 #439 0x45C #441 0x464 #455 0x480 #479 0x514 #566 0x680 #574 0x6A0 #577 0x6AC #578 0x6B4 #580 0x6BC #585 0x6D0 #591 0x6E8 #598 0x704 #599 0x708 #600 0x70C
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000030000	0x00030000	0x000affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000b0000	0x000b0000	0x000b3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c0fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x000d0000	0x00136fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000140000	0x00140000	0x0023ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000240000	0x00240000	0x00241fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000260000	0x00260000	0x00260fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x0036ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000370000	0x00370000	0x0042ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000430000	0x00430000	0x004affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004b0000	0x004b0000	0x004bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004c0000	0x004c0000	0x00647fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000650000	0x00650000	0x007d0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007e0000	0x007e0000	0x00bd2fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000be0000	0x00be0000	0x00be0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000bf0000	0x00bf0000	0x00bf0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000c00000	0x00c00000	0x00c00fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c10000	0x00c10000	0x00c8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ce0000	0x00ce0000	0x00d5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d90000	0x00d90000	0x00e0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000eb0000	0x00eb0000	0x00f2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f40000	0x00f40000	0x00fbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001000000	0x01000000	0x0107ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x01080000	0x0134efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001350000	0x01350000	0x0144ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001460000	0x01460000	0x014dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001540000	0x01540000	0x015bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001630000	0x01630000	0x016affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016b0000	0x016b0000	0x0172ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001730000	0x01730000	0x017affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000017e0000	0x017e0000	0x0185ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001870000	0x01870000	0x018effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001940000	0x01940000	0x0194ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000019c0000	0x019c0000	0x01a3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a40000	0x01a40000	0x01abffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ac0000	0x01ac0000	0x01bbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001af0000	0x01af0000	0x01b6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001bc0000	0x01bc0000	0x01bcffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c00000	0x01c00000	0x01c0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c30000	0x01c30000	0x01caffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001cb0000	0x01cb0000	0x01daffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x778e0000	0x779d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x779e0000	0x77afefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
svchost.exe	0xffa20000	0xffa2afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ssdpapi.dll	0x7fef8a40000	0x7fef8a50fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ncsi.dll	0x7fef8a60000	0x7fef8a97fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlasvc.dll	0x7fef8aa0000	0x7fef8aedfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vsstrace.dll	0x7fef8b00000	0x7fef8b16fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vssapi.dll	0x7fef8b20000	0x7fef8ccffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsvc.dll	0x7fef8d00000	0x7fef8d2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkssvc.dll	0x7fef8d30000	0x7fef8d4ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
webio.dll	0x7fef93e0000	0x7fef9443fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winhttp.dll	0x7fef9450000	0x7fef94c0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x7fefab20000	0x7fefab37fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc6.dll	0x7fefab40000	0x7fefab50fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsext.dll	0x7fefab60000	0x7fefab66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FWPUCLNT.DLL	0x7fefab70000	0x7fefabc2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsrslvr.dll	0x7fefabd0000	0x7fefabfffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7fefb510000	0x7fefb51afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IPHLPAPI.DLL	0x7fefb520000	0x7fefb546fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
es.dll	0x7fefb580000	0x7fefb5e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x7fefb790000	0x7fefb7a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x7fefbc50000	0x7fefbc63fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x7fefbc90000	0x7fefbc9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc400000	0x7fefc52bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samlib.dll	0x7fefc530000	0x7fefc54cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WSHTCPIP.DLL	0x7fefcce0000	0x7fefcce6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x7fefcde0000	0x7fefcdfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefce00000	0x7fefce1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcf10000	0x7fefcf19fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd040000	0x7fefd086fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x7fefd160000	0x7fefd1bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x7fefd2d0000	0x7fefd2d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd2e0000	0x7fefd334fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd340000	0x7fefd356fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netjoin.dll	0x7fefd450000	0x7fefd481fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefd550000	0x7fefd5bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefd8b0000	0x7fefd8bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd910000	0x7fefd934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd940000	0x7fefd94efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefda30000	0x7fefda43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefda50000	0x7fefda5efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdaf0000	0x7fefdafefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdc00000	0x7fefdd66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefdd70000	0x7fefdda5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefddb0000	0x7fefde1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefde20000	0x7fefde2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7fefe090000	0x7fefe166fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefe350000	0x7fefe3e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7fefe3f0000	0x7fefe43cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefe440000	0x7fefe642fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefe780000	0x7fefe85afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe8e0000	0x7fefe97efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe980000	0x7fefe99efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe9a0000	0x7fefe9cdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9d0000	0x7fefeafcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefec80000	0x7fefed88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7fefef10000	0x7fefef17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefef20000	0x7fefef86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefefb0000	0x7feff078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #41: esentutl.exe

(Host: 179, Network: 0)

Information	Value
ID / OS PID	#41 / 0x49c
OS Parent PID	0x200 (c:\windows\explorer.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe
Command Line	"C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe"
Monitor	Start Time: 00:01:10, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:18
OS Thread IDs	#456 0x4A0 #476 0x508 #522 0x5CC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x0003ffff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001a0000	0x001a0000	0x001a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001b0000	0x001b0000	0x0022ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000230000	0x00230000	0x00230fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000240000	0x00240000	0x0033ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00340000	0x003a6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000003b0000	0x003b0000	0x003c5fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000003d0000	0x003d0000	0x003ecfff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x00000000003f0000	0x003f0000	0x003f6fff	Pagefile Backed Memory	Readable	Region Actions
esentutl.exe	0x00400000	0x0042afff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download
pagefile_0x0000000000430000	0x00430000	0x005b7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005c0000	0x005c0000	0x00740fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000750000	0x00750000	0x01b4ffff	Pagefile Backed Memory	Readable	Region Actions
C_1251.NLS	0x01b50000	0x01b60fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000001b70000	0x01b70000	0x01b71fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000001b80000	0x01b80000	0x01bbffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001bc0000	0x01bc0000	0x01c9efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001ca0000	0x01ca0000	0x01cdffff	Private Memory	Readable, Writable	Region Actions
AdapterTroubleshooter.exe	0x01ce0000	0x01ce9fff	Memory Mapped File	Readable	Region Actions
AdapterTroubleshooter.exe	0x01ce0000	0x01ce9fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001cf0000	0x01cf0000	0x01d2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d30000	0x01d30000	0x01d6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d70000	0x01d70000	0x01d7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d80000	0x01d80000	0x01e7ffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll.mui	0x01e80000	0x01f3ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000001f50000	0x01f50000	0x01f8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f90000	0x01f90000	0x0208ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x02090000	0x0235efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002360000	0x02360000	0x0245ffff	Private Memory	Readable, Writable	Region Actions
samcli.dll	0x73f80000	0x73f8efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x73f90000	0x73f9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x73fa0000	0x73fb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x73fc0000	0x73fc8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x73fd0000	0x73fe0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x73ff0000	0x74001fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74010000	0x74018fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x74150000	0x741a0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x74350000	0x743cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x743d0000	0x7440bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74410000	0x74417fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74420000	0x7447bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74480000	0x744befff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x75800000	0x75812fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75830000	0x7583bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75840000	0x7589ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x758a0000	0x758fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75900000	0x75a0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75a10000	0x75b6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75b70000	0x75c0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75c20000	0x75c54fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75c60000	0x75c69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75c70000	0x75da5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75dc0000	0x75dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75dd0000	0x75e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75e30000	0x75f2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75f30000	0x76024fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76030000	0x760ccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76150000	0x761dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x761e0000	0x76e29fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x76ec0000	0x76ee9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76ef0000	0x76f7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76f80000	0x7704bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x77050000	0x7713ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x771f0000	0x77235fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x77240000	0x772ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x772f0000	0x7740cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77410000	0x77428fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x77540000	0x7773afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000778e0000	0x778e0000	0x779d9fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000779e0000	0x779e0000	0x77afefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x77cb0000	0x77cb5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ce0000	0x77e5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Created Files

Filename	File Size	Hash Values	Actions
c:\users\hjrd1k~1\appdata\local\temp\8055.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\hjrd1k~1\appdata\local\temp\8055.tmp	1.74 MB (1828352 bytes)	MD5: 6ef5f3f18413c367195f06e503ab86a6 SHA1: 74e5861dd61d6ddec17dc802664e26196d628bc9 SHA256: 6f8b87fb4d67f9e76a51ef759b58a95d903c4aac9c789a65a3fa1fc4f253d978	File Actions Show Properties Download
c:\users\hjrd1k~1\appdata\local\temp\8055.tmp	1.75 MB (1832448 bytes)	MD5: 511e8601a8e32a68f6ae78d52ab6ed48 SHA1: 474db26020869f581a8c4fd562ef4c1d8c33406f SHA256: c42ea6b812750bc54771d4ed044f654536a657db4dfebba6f0c2b6863f779a4a	File Actions Show Properties Download

Host Behavior

File (7)

Operation	Filename	Additional Information	Count	Logfile
CREATE	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
CREATE	c:\windows\syswow64\adaptertroubleshooter.exe	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
CREATE	c:\users\hjrd1k~1\appdata\local\temp\8055.tmp	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
CREATE	c:\users\hjrd1k~1\appdata\local\temp\8055.tmp	desired_access = GENERIC_WRITE, create_disposition = CREATE_ALWAYS	1	Fn
CREATE_TMPFILE	c:\users\hjrd1k~1\appdata\local\temp\8055.tmp	path = C:\Users\HJRD1K~1\AppData\Local\Temp\	1	Fn
COPY	c:\users\hjrd1k~1\appdata\local\temp\8055.tmp	source_file_name = c:\windows\syswow64\d3d9.dll, fail_if_exists = 0	1	Fn
WRITE	c:\users\hjrd1k~1\appdata\local\temp\8055.tmp	size = 1832448	1	Fn

Process (5)

Operation	Process Name	Additional Information	Count	Logfile
CREATE	"C:\Windows\SysWOW64\explorer.exe"	os_tid = 0x60c, os_pid = 0x608, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, CREATE_BREAKAWAY_FROM_JOB, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
OPEN_TOKEN	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe	os_pid = 0x6ec, desired_access = PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, desired_access = PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION	2	Fn
OPEN_TOKEN	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe	os_pid = 0x6ec, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
GET_INFO	"C:\Windows\SysWOW64\explorer.exe"	os_pid = 0x608	1	Fn

Memory (6)

Operation	Address	Additional Information	Count	Logfile
ALLOC	0x70000	process_name = "C:\Windows\SysWOW64\explorer.exe", os_pid = 0x608, size = 135136, allocation_type = MEM_COMMIT, protection = PAGE_EXECUTE_READWRITE	1	Fn
READ	0x7efde000	process_name = "C:\Windows\SysWOW64\explorer.exe", os_pid = 0x608, size = 584	1	Fn Data
READ	0x440000	process_name = "C:\Windows\SysWOW64\explorer.exe", os_pid = 0x608, size = 1024	1	Fn Data
WRITE	0x70000	process_name = "C:\Windows\SysWOW64\explorer.exe", os_pid = 0x608, size = 131072	1	Fn Data
WRITE	0x90000	process_name = "C:\Windows\SysWOW64\explorer.exe", os_pid = 0x608, size = 4064	1	Fn Data
WRITE	0x470efa	process_name = "C:\Windows\SysWOW64\explorer.exe", os_pid = 0x608, size = 14	1	Fn Data

Thread (1)

Operation	Process Name	Additional Information	Success	Count	Logfile
RESUME	c:\windows\system32\svchost.exe	os_tid = 0x60c, os_pid = 0x35c		1	Fn

Module (142)

Operation	Module	Additional Information	Count	Logfile
LOAD	CRYPT32.dll	base_address = 0x0	1	Fn
LOAD	WININET.dll	base_address = 0x0	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x0	1	Fn
LOAD	VERSION.dll	base_address = 0x0	1	Fn
LOAD	MPR.dll	base_address = 0x0	1	Fn
LOAD	imagehlp.dll	base_address = 0x0	1	Fn
LOAD	WS2_32.dll	base_address = 0x0	1	Fn
LOAD	KERNEL32.dll	base_address = 0x0	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x0	1	Fn
LOAD	USER32.dll	base_address = 0x0	1	Fn
LOAD	ole32.dll	base_address = 0x0	1	Fn
LOAD	SHELL32.dll	base_address = 0x0	1	Fn
LOAD	ntdll.dll	base_address = 0x0	1	Fn
LOAD	OLEAUT32.dll	base_address = 0x0	1	Fn
LOAD	GDI32.dll	base_address = 0x0	1	Fn
LOAD	NETAPI32.dll	base_address = 0x0	1	Fn
LOAD	shell32.dll	base_address = 0x761e0000	1	Fn
LOAD	C:\Windows\SysWOW64\AdapterTroubleshooter.exe	base_address = 0x1ce0001	1	Fn
GET_HANDLE	c:\windows\syswow64\kernel32.dll	base_address = 0x75900000	2	Fn
GET_HANDLE	c:\windows\syswow64\user32.dll	base_address = 0x75e30000	1	Fn
GET_HANDLE	c:\windows\syswow64\mswsock.dll	base_address = 0x743d0000	1	Fn
GET_HANDLE	c:\windows\syswow64\gdi32.dll	base_address = 0x76150000	1	Fn
GET_HANDLE	it	base_address = 0x0	24	Fn
GET_HANDLE	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	base_address = 0x400000	5	Fn
CREATE_MAPPING	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	module_name = Nameless FileMapping, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	c:\windows\syswow64\adaptertroubleshooter.exe	module_name = Nameless FileMapping, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	c:\users\hjrd1k~1\appdata\local\temp\8055.tmp	module_name = Nameless FileMapping, maximum_size = 0, protection = PAGE_READONLY	1	Fn
MAP	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	process_name = c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe, os_pid = 0x49c, module_name = Nameless FileMapping, desired_access = FILE_MAP_READ, file_offset = 0, address = 0x1d30000	1	Fn
MAP	c:\windows\syswow64\adaptertroubleshooter.exe	process_name = c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe, os_pid = 0x49c, module_name = Nameless FileMapping, desired_access = FILE_MAP_READ, file_offset = 0, address = 0x1ce0000	1	Fn
MAP	c:\users\hjrd1k~1\appdata\local\temp\8055.tmp	process_name = c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe, os_pid = 0x49c, module_name = Nameless FileMapping, desired_access = FILE_MAP_READ, file_offset = 0, address = 0x2460000	1	Fn
UNMAP	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	os_pid = 0x49c, base_address = 0x1d30000	1	Fn
UNMAP	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	os_pid = 0x49c, base_address = 0x2460000	1	Fn
GET_FILENAME	C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe		3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualProtect, address = 0x7591435f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = IMPGetIMEA, address = 0x75ea7331	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = SetForegroundWindow, address = 0x75e6f170	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = ShowWindow, address = 0x75e50dfb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetSysColor, address = 0x75e46c3c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetKeyboardLayoutNameA, address = 0x75ea6bd9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = IsWindow, address = 0x75e47136	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetSystemMetrics, address = 0x75e47d2f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = SetWindowPos, address = 0x75e48e4e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetFocus, address = 0x75e50dee	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = SetMenuInfo, address = 0x75e9d222	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = DispatchMessageA, address = 0x75e47bbb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = InvalidateRect, address = 0x75e51381	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = WSPStartup, address = 0x743d8a9b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = dn_expand, address = 0x743eb97c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = sethostname, address = 0x743e6582	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = MigrateWinsockConfiguration, address = 0x743dcd27	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = NPLoadNameSpaces, address = 0x743f1a3e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetNameByTypeA, address = 0x743ee59f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = TransmitFile, address = 0x743ec7e2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = inet_network, address = 0x743e6597	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetAddressByNameA, address = 0x743eddb5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetAcceptExSockaddrs, address = 0x743ec9da	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetTypeByNameW, address = 0x743edfd7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = WSARecvEx, address = 0x743f1b55	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetServiceW, address = 0x743ef340	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = SetServiceA, address = 0x743eefae	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = EnumProtocolsW, address = 0x743ecc25	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetTypeByNameA, address = 0x743ee260	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = SetServiceW, address = 0x743ef118	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = StartWsdpService, address = 0x743e633d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = EnumProtocolsA, address = 0x743ed368	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = rexec, address = 0x743e656d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = StopWsdpService, address = 0x743e5e56	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentThreadId, address = 0x75911450	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = InterlockedDecrement, address = 0x759113f0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapCreate, address = 0x75914a2d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetThreadLocale, address = 0x759135cf	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = QueryPerformanceCounter, address = 0x75911725	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = lstrlenW, address = 0x75911700	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FileTimeToSystemTime, address = 0x7591542c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = UnhandledExceptionFilter, address = 0x7593772f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x759187c9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address = 0x7591110c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetStringTypeW, address = 0x75911946	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetConsoleAliasesA, address = 0x759b6680	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = lstrlenA, address = 0x75915a4b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = lstrcmpiA, address = 0x75913e8e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address = 0x7592d802	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FreeEnvironmentStringsA, address = 0x7591e349	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FreeEnvironmentStringsW, address = 0x759151cb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address = 0x77d21f6e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetFileAttributesW, address = 0x75911b18	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCPInfo, address = 0x75915189	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address = 0x75911809	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LCMapStringA, address = 0x7593bc39	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetOEMCP, address = 0x7593d1a1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address = 0x759134b0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentStringsW, address = 0x759151e3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x75913509	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address = 0x75911856	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address = 0x759111f8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address = 0x7591170d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LCMapStringW, address = 0x759117b9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetHandleCount, address = 0x7591cb29	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetStringTypeA, address = 0x75938266	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = lstrcmpiW, address = 0x7592d5cd	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentStrings, address = 0x7591e361	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetSystemTime, address = 0x75915a96	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetStdHandle, address = 0x7599454f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GlobalSize, address = 0x7592d16f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreateICW, address = 0x7616c040	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreateICA, address = 0x76167c2e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = GetCharWidth32W, address = 0x7616c93c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = DeleteObject, address = 0x76165689	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreatePen, address = 0x7616ba4f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreateRectRgnIndirect, address = 0x7616a764	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreateDCA, address = 0x76167bcc	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shell32.dll	function = SHCreateItemFromParsingName, address = 0x76234215	1	Fn

Registry (16)

Operation	Key	Additional Information	Count	Logfile
CREATE_KEY	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}		3	Fn
CREATE_KEY	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion		2	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System		1	Fn
READ_VALUE	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}	value_name = Component_02	2	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	value_name = ProgramFilesDir (x86)	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	value_name = ProgramFilesDir (x86), data_ident_out = 67	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	value_name = ProgramFilesDir	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	value_name = ProgramFilesDir, data_ident_out = 67	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}	value_name = Component_00	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}	value_name = Component_00, data_ident_out = 154	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}	value_name = Component_01, data_ident_out = 103	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	value_name = EnableLUA, data_ident_out = 1	1	Fn

Window (1)

Operation	Window Name	Additional Information	Success	Count	Logfile
CREATE		class_name = hGHAEnFbRS~aFtQb(dljXoUlxI>K$xU@[V}Dlk^YrX u8bqG^A6[hbAR=#(DJ{B@V6~<>Uf+6R4)l{@Hg3_c6)uviZ j2mf N<LwxP7ctYMI[$p9x<N5k9]oG$j=&+=jY&wMxCBg+D[L1z+i_dNMf1GVIR)PtHp&gjb&]@T-ZJS9rTMvFxe4sYSA&PV{&g_sQECmoxy$5K+yD6CG~M7<X6xokm@3[%oipsvO+5rt28<Xv=)gnPp6mwG70, x_coordinate = 1, y_coordinate = 1, width = 1, height = 1, window_parameter = 0		1	Fn

Mutex (1)

Operation	Name	Additional Information	Success	Count	Logfile
OPEN	shell.{0835FA03-68AC-09B6-0CE4-703246A746AB}	desired_access = SYNCHRONIZE		1	Fn

Process #42: runonce.exe

Information	Value
ID / OS PID	#42 / 0x4a4
OS Parent PID	0x200 (c:\windows\explorer.exe)
Initial Working Directory	C:\Windows\SysWOW64
File Name	c:\windows\syswow64\runonce.exe
Command Line	C:\Windows\SysWOW64\runonce.exe /Run6432
Monitor	Start Time: 00:01:10, Reason: Child Process
Unmonitor	End Time: 00:01:16, Reason: Terminated
Monitor Duration	00:00:06
OS Thread IDs	#457 0x4A8 #468 0x4DC #469 0x4E4 #472 0x4FC #496 0x564
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00031fff	Pagefile Backed Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	Readable	Region Actions
runonce.exe.mui	0x00070000	0x00070fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x000cffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x000d0000	0x00136fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000140000	0x00140000	0x00140fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000150000	0x00150000	0x00150fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000160000	0x00160000	0x00161fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000170000	0x00170000	0x001a3fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001b1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001c0000	0x001c0000	0x001c0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001d0000	0x001d0000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000210000	0x00210000	0x00210fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x00220000	0x00223fff	Memory Mapped File	Readable	Region Actions
{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000a.db	0x00230000	0x00245fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000250000	0x00250000	0x0028ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000290000	0x00290000	0x002cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000002d0000	0x002d0000	0x002d0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
cversions.2.db	0x002e0000	0x002e3fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000300000	0x00300000	0x0037ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000380000	0x00380000	0x003bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003d0000	0x003d0000	0x0040ffff	Private Memory	Readable, Writable	Region Actions
{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000a.db	0x00410000	0x0043ffff	Memory Mapped File	Readable	Region Actions
private_0x0000000000470000	0x00470000	0x0056ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000570000	0x00570000	0x0064efff	Pagefile Backed Memory	Readable	Region Actions
runonce.exe	0x00680000	0x0068efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000690000	0x00690000	0x00817fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000850000	0x00850000	0x0085ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000860000	0x00860000	0x009e0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000009f0000	0x009f0000	0x01deffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001e40000	0x01e40000	0x01e7ffff	Private Memory	Readable, Writable	Region Actions
{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db	0x01e80000	0x01ee5fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001f00000	0x01f00000	0x01f3ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x01f40000	0x0220efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002210000	0x02210000	0x0224ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002250000	0x02250000	0x02642fff	Pagefile Backed Memory	Readable	Region Actions
profapi.dll	0x73f60000	0x73f6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x74020000	0x74040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x74050000	0x74144fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x741b0000	0x7434dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x74350000	0x743cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74410000	0x74417fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74420000	0x7447bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74480000	0x744befff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75830000	0x7583bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75840000	0x7589ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x758a0000	0x758fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75900000	0x75a0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75a10000	0x75b6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75b70000	0x75c0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75c60000	0x75c69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75c70000	0x75da5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75dc0000	0x75dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75dd0000	0x75e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75e30000	0x75f2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75f30000	0x76024fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76030000	0x760ccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x760d0000	0x760e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76150000	0x761dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x761e0000	0x76e29fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76ef0000	0x76f7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76f80000	0x7704bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x77050000	0x7713ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x771c0000	0x771e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x771f0000	0x77235fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x77240000	0x772ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x772f0000	0x7740cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77410000	0x77428fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x77460000	0x774e2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x774f0000	0x77534fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x77540000	0x7773afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x77740000	0x778dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000778e0000	0x778e0000	0x779d9fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000779e0000	0x779e0000	0x77afefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ce0000	0x77e5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Process #43: esentutl.exe

(Host: 179, Network: 0)

Information	Value
ID / OS PID	#43 / 0x4ac
OS Parent PID	0x200 (c:\windows\explorer.exe)
Initial Working Directory	C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}
File Name	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe
Command Line	"C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe"
Monitor	Start Time: 00:01:10, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:18
OS Thread IDs	#458 0x4B0 #474 0x504 #553 0x648

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x001a0000	0x00206fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000210000	0x00210000	0x0028ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000290000	0x00290000	0x002a5fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000002b0000	0x002b0000	0x002ccfff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x00000000002d0000	0x002d0000	0x002d0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000002e0000	0x002e0000	0x002effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000002f0000	0x002f0000	0x002f6fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000300000	0x00300000	0x003fffff	Private Memory	Readable, Writable	Region Actions
esentutl.exe	0x00400000	0x0042afff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download
pagefile_0x0000000000430000	0x00430000	0x005b7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005c0000	0x005c0000	0x00740fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000750000	0x00750000	0x01b4ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001b50000	0x01b50000	0x01c2efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001c30000	0x01c30000	0x01c6ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001c70000	0x01c70000	0x01c71fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000001c80000	0x01c80000	0x01cbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001cc0000	0x01cc0000	0x01dbffff	Private Memory	Readable, Writable	Region Actions
C_1251.NLS	0x01dc0000	0x01dd0fff	Memory Mapped File	Readable	Region Actions
AdapterTroubleshooter.exe	0x01de0000	0x01de9fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001e00000	0x01e00000	0x01e0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e20000	0x01e20000	0x01e5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e60000	0x01e60000	0x01e9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f40000	0x01f40000	0x01f7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f80000	0x01f80000	0x0207ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x02080000	0x0234efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002350000	0x02350000	0x0244ffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll.mui	0x02450000	0x0250ffff	Memory Mapped File	Readable, Writable	Region Actions
samcli.dll	0x73f80000	0x73f8efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x73f90000	0x73f9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x73fa0000	0x73fb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x73fc0000	0x73fc8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x73fd0000	0x73fe0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x73ff0000	0x74001fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74010000	0x74018fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x74150000	0x741a0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x74350000	0x743cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x743d0000	0x7440bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74410000	0x74417fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74420000	0x7447bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74480000	0x744befff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x75800000	0x75812fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75830000	0x7583bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75840000	0x7589ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x758a0000	0x758fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75900000	0x75a0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75a10000	0x75b6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75b70000	0x75c0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75c20000	0x75c54fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75c60000	0x75c69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75c70000	0x75da5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75dc0000	0x75dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75dd0000	0x75e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75e30000	0x75f2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75f30000	0x76024fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76030000	0x760ccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76150000	0x761dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x761e0000	0x76e29fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x76ec0000	0x76ee9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76ef0000	0x76f7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76f80000	0x7704bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x77050000	0x7713ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x771f0000	0x77235fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x77240000	0x772ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x772f0000	0x7740cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77410000	0x77428fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x77540000	0x7773afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000778e0000	0x778e0000	0x779d9fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000779e0000	0x779e0000	0x77afefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x77cb0000	0x77cb5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ce0000	0x77e5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Created Files

Filename	File Size	Hash Values	Actions
c:\users\hjrd1k~1\appdata\local\temp\90d9.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\hjrd1k~1\appdata\local\temp\90d9.tmp	1.74 MB (1828352 bytes)	MD5: 6ef5f3f18413c367195f06e503ab86a6 SHA1: 74e5861dd61d6ddec17dc802664e26196d628bc9 SHA256: 6f8b87fb4d67f9e76a51ef759b58a95d903c4aac9c789a65a3fa1fc4f253d978	File Actions Show Properties Download
c:\users\hjrd1k~1\appdata\local\temp\90d9.tmp	1.75 MB (1832448 bytes)	MD5: 511e8601a8e32a68f6ae78d52ab6ed48 SHA1: 474db26020869f581a8c4fd562ef4c1d8c33406f SHA256: c42ea6b812750bc54771d4ed044f654536a657db4dfebba6f0c2b6863f779a4a	File Actions Show Properties Download

Host Behavior

File (7)

Operation	Filename	Additional Information	Count	Logfile
CREATE	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
CREATE	c:\windows\syswow64\adaptertroubleshooter.exe	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
CREATE	c:\users\hjrd1k~1\appdata\local\temp\90d9.tmp	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
CREATE	c:\users\hjrd1k~1\appdata\local\temp\90d9.tmp	desired_access = GENERIC_WRITE, create_disposition = CREATE_ALWAYS	1	Fn
CREATE_TMPFILE	c:\users\hjrd1k~1\appdata\local\temp\90d9.tmp	path = C:\Users\HJRD1K~1\AppData\Local\Temp\	1	Fn
COPY	c:\users\hjrd1k~1\appdata\local\temp\90d9.tmp	source_file_name = c:\windows\syswow64\d3d9.dll, fail_if_exists = 0	1	Fn
WRITE	c:\users\hjrd1k~1\appdata\local\temp\90d9.tmp	size = 1832448	1	Fn

Process (5)

Operation	Process Name	Additional Information	Count	Logfile
CREATE	"C:\Windows\SysWOW64\explorer.exe"	os_tid = 0x668, os_pid = 0x664, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, CREATE_BREAKAWAY_FROM_JOB, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
OPEN_TOKEN	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe	os_pid = 0x6ec, desired_access = PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, desired_access = PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION	2	Fn
OPEN_TOKEN	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe	os_pid = 0x6ec, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
GET_INFO	"C:\Windows\SysWOW64\explorer.exe"	os_pid = 0x664	1	Fn

Memory (6)

Operation	Address	Additional Information	Count	Logfile
ALLOC	0x70000	process_name = "C:\Windows\SysWOW64\explorer.exe", os_pid = 0x664, size = 135136, allocation_type = MEM_COMMIT, protection = PAGE_EXECUTE_READWRITE	1	Fn
READ	0x7efde000	process_name = "C:\Windows\SysWOW64\explorer.exe", os_pid = 0x664, size = 584	1	Fn Data
READ	0x440000	process_name = "C:\Windows\SysWOW64\explorer.exe", os_pid = 0x664, size = 1024	1	Fn Data
WRITE	0x70000	process_name = "C:\Windows\SysWOW64\explorer.exe", os_pid = 0x664, size = 131072	1	Fn Data
WRITE	0x90000	process_name = "C:\Windows\SysWOW64\explorer.exe", os_pid = 0x664, size = 4064	1	Fn Data
WRITE	0x470efa	process_name = "C:\Windows\SysWOW64\explorer.exe", os_pid = 0x664, size = 14	1	Fn Data

Thread (1)

Operation	Process Name	Additional Information	Success	Count	Logfile
RESUME	c:\windows\syswow64\explorer.exe	os_tid = 0x668, os_pid = 0x664		1	Fn

Module (142)

Operation	Module	Additional Information	Count	Logfile
LOAD	CRYPT32.dll	base_address = 0x0	1	Fn
LOAD	WININET.dll	base_address = 0x0	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x0	1	Fn
LOAD	VERSION.dll	base_address = 0x0	1	Fn
LOAD	MPR.dll	base_address = 0x0	1	Fn
LOAD	imagehlp.dll	base_address = 0x0	1	Fn
LOAD	WS2_32.dll	base_address = 0x0	1	Fn
LOAD	KERNEL32.dll	base_address = 0x0	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x0	1	Fn
LOAD	USER32.dll	base_address = 0x0	1	Fn
LOAD	ole32.dll	base_address = 0x0	1	Fn
LOAD	SHELL32.dll	base_address = 0x0	1	Fn
LOAD	ntdll.dll	base_address = 0x0	1	Fn
LOAD	OLEAUT32.dll	base_address = 0x0	1	Fn
LOAD	GDI32.dll	base_address = 0x0	1	Fn
LOAD	NETAPI32.dll	base_address = 0x0	1	Fn
LOAD	shell32.dll	base_address = 0x761e0000	1	Fn
LOAD	C:\Windows\SysWOW64\AdapterTroubleshooter.exe	base_address = 0x1de0001	1	Fn
GET_HANDLE	c:\windows\syswow64\kernel32.dll	base_address = 0x75900000	2	Fn
GET_HANDLE	c:\windows\syswow64\user32.dll	base_address = 0x75e30000	1	Fn
GET_HANDLE	c:\windows\syswow64\mswsock.dll	base_address = 0x743d0000	1	Fn
GET_HANDLE	c:\windows\syswow64\gdi32.dll	base_address = 0x76150000	1	Fn
GET_HANDLE	it	base_address = 0x0	24	Fn
GET_HANDLE	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	base_address = 0x400000	5	Fn
CREATE_MAPPING	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	module_name = Nameless FileMapping, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	c:\windows\syswow64\adaptertroubleshooter.exe	module_name = Nameless FileMapping, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	c:\users\hjrd1k~1\appdata\local\temp\90d9.tmp	module_name = Nameless FileMapping, maximum_size = 0, protection = PAGE_READONLY	1	Fn
MAP	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	process_name = c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe, os_pid = 0x4ac, module_name = Nameless FileMapping, desired_access = FILE_MAP_READ, file_offset = 0, address = 0x1de0000	1	Fn
MAP	c:\windows\syswow64\adaptertroubleshooter.exe	process_name = c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe, os_pid = 0x4ac, module_name = Nameless FileMapping, desired_access = FILE_MAP_READ, file_offset = 0, address = 0x1de0000	1	Fn
MAP	c:\users\hjrd1k~1\appdata\local\temp\90d9.tmp	process_name = c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe, os_pid = 0x4ac, module_name = Nameless FileMapping, desired_access = FILE_MAP_READ, file_offset = 0, address = 0x2510000	1	Fn
UNMAP	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	os_pid = 0x4ac, base_address = 0x1de0000	1	Fn
UNMAP	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	os_pid = 0x4ac, base_address = 0x2510000	1	Fn
GET_FILENAME	C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe		3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualProtect, address = 0x7591435f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = IMPGetIMEA, address = 0x75ea7331	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = SetForegroundWindow, address = 0x75e6f170	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = ShowWindow, address = 0x75e50dfb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetSysColor, address = 0x75e46c3c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetKeyboardLayoutNameA, address = 0x75ea6bd9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = IsWindow, address = 0x75e47136	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetSystemMetrics, address = 0x75e47d2f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = SetWindowPos, address = 0x75e48e4e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetFocus, address = 0x75e50dee	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = SetMenuInfo, address = 0x75e9d222	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = DispatchMessageA, address = 0x75e47bbb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = InvalidateRect, address = 0x75e51381	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = WSPStartup, address = 0x743d8a9b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = dn_expand, address = 0x743eb97c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = sethostname, address = 0x743e6582	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = MigrateWinsockConfiguration, address = 0x743dcd27	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = NPLoadNameSpaces, address = 0x743f1a3e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetNameByTypeA, address = 0x743ee59f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = TransmitFile, address = 0x743ec7e2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = inet_network, address = 0x743e6597	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetAddressByNameA, address = 0x743eddb5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetAcceptExSockaddrs, address = 0x743ec9da	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetTypeByNameW, address = 0x743edfd7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = WSARecvEx, address = 0x743f1b55	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetServiceW, address = 0x743ef340	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = SetServiceA, address = 0x743eefae	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = EnumProtocolsW, address = 0x743ecc25	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetTypeByNameA, address = 0x743ee260	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = SetServiceW, address = 0x743ef118	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = StartWsdpService, address = 0x743e633d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = EnumProtocolsA, address = 0x743ed368	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = rexec, address = 0x743e656d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = StopWsdpService, address = 0x743e5e56	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentThreadId, address = 0x75911450	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = InterlockedDecrement, address = 0x759113f0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapCreate, address = 0x75914a2d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetThreadLocale, address = 0x759135cf	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = QueryPerformanceCounter, address = 0x75911725	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = lstrlenW, address = 0x75911700	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FileTimeToSystemTime, address = 0x7591542c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = UnhandledExceptionFilter, address = 0x7593772f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x759187c9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address = 0x7591110c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetStringTypeW, address = 0x75911946	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetConsoleAliasesA, address = 0x759b6680	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = lstrlenA, address = 0x75915a4b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = lstrcmpiA, address = 0x75913e8e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address = 0x7592d802	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FreeEnvironmentStringsA, address = 0x7591e349	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FreeEnvironmentStringsW, address = 0x759151cb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address = 0x77d21f6e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetFileAttributesW, address = 0x75911b18	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCPInfo, address = 0x75915189	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address = 0x75911809	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LCMapStringA, address = 0x7593bc39	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetOEMCP, address = 0x7593d1a1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address = 0x759134b0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentStringsW, address = 0x759151e3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x75913509	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address = 0x75911856	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address = 0x759111f8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address = 0x7591170d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LCMapStringW, address = 0x759117b9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetHandleCount, address = 0x7591cb29	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetStringTypeA, address = 0x75938266	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = lstrcmpiW, address = 0x7592d5cd	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentStrings, address = 0x7591e361	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetSystemTime, address = 0x75915a96	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetStdHandle, address = 0x7599454f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GlobalSize, address = 0x7592d16f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreateICW, address = 0x7616c040	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreateICA, address = 0x76167c2e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = GetCharWidth32W, address = 0x7616c93c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = DeleteObject, address = 0x76165689	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreatePen, address = 0x7616ba4f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreateRectRgnIndirect, address = 0x7616a764	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreateDCA, address = 0x76167bcc	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shell32.dll	function = SHCreateItemFromParsingName, address = 0x76234215	1	Fn

Registry (16)

Operation	Key	Additional Information	Count	Logfile
CREATE_KEY	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}		3	Fn
CREATE_KEY	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion		2	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System		1	Fn
READ_VALUE	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}	value_name = Component_02	2	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	value_name = ProgramFilesDir (x86)	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	value_name = ProgramFilesDir (x86), data_ident_out = 67	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	value_name = ProgramFilesDir	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	value_name = ProgramFilesDir, data_ident_out = 67	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}	value_name = Component_00	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}	value_name = Component_00, data_ident_out = 154	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}	value_name = Component_01, data_ident_out = 103	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	value_name = EnableLUA, data_ident_out = 1	1	Fn

Window (1)

Operation	Window Name	Additional Information	Success	Count	Logfile
CREATE		class_name = INuDS~K$<F<pyNm^VhBhBg[8MP)]kngCljkp^L)}1X%Nbeti&BOBPKA76h[LjWv>a8{j%2(Pd9S(ru9a[D#qpxh60mROmuaybP)KKGrgOHjb^c_e8pija#!g)X=}_C+nBep1A$j$#qu<R}mygj39{>L^O4GSK~DB5B>N]M%^}Jgacj=[0RSxg~e=GD>-@ZJG&[8aN%icI)OfzNcpJ xh1D6u+6oj4jQT6~RtMO%>Tm45[KBz#OR(4$i#b[!<, x_coordinate = 1, y_coordinate = 1, width = 1, height = 1, window_parameter = 0		1	Fn

Mutex (1)

Operation	Name	Additional Information	Success	Count	Logfile
OPEN	shell.{0835FA03-68AC-09B6-0CE4-703246A746AB}	desired_access = SYNCHRONIZE		1	Fn

Process #44: esentutl.exe

(Host: 179, Network: 0)

Information	Value
ID / OS PID	#44 / 0x4b8
OS Parent PID	0x200 (c:\windows\explorer.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe
Command Line	"C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe"
Monitor	Start Time: 00:01:10, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:18
OS Thread IDs	#459 0x4BC #473 0x500 #527 0x5DC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x001a0000	0x00206fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000210000	0x00210000	0x002eefff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000002f0000	0x002f0000	0x00305fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000310000	0x00310000	0x0034ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000350000	0x00350000	0x00350fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000360000	0x00360000	0x0036ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000370000	0x00370000	0x003effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003f0000	0x003f0000	0x003f6fff	Pagefile Backed Memory	Readable	Region Actions
esentutl.exe	0x00400000	0x0042afff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download
pagefile_0x0000000000430000	0x00430000	0x005b7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000005c0000	0x005c0000	0x005dcfff	Private Memory	Readable, Writable, Executable	Region Actions
C_1251.NLS	0x005e0000	0x005f0fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000600000	0x00600000	0x006fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000700000	0x00700000	0x00880fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000890000	0x00890000	0x01c8ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001c90000	0x01c90000	0x01ccffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001cd0000	0x01cd0000	0x01cd1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
AdapterTroubleshooter.exe	0x01ce0000	0x01ce9fff	Memory Mapped File	Readable	Region Actions
AdapterTroubleshooter.exe	0x01ce0000	0x01ce9fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001d00000	0x01d00000	0x01d0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d10000	0x01d10000	0x01e0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e10000	0x01e10000	0x01e4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e50000	0x01e50000	0x01f4ffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll.mui	0x01f50000	0x0200ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000002010000	0x02010000	0x0204ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002050000	0x02050000	0x0214ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002220000	0x02220000	0x0225ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x02260000	0x0252efff	Memory Mapped File	Readable	Region Actions
samcli.dll	0x73f80000	0x73f8efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x73f90000	0x73f9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x73fa0000	0x73fb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x73fc0000	0x73fc8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x73fd0000	0x73fe0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x73ff0000	0x74001fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74010000	0x74018fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x74150000	0x741a0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x74350000	0x743cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x743d0000	0x7440bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74410000	0x74417fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74420000	0x7447bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74480000	0x744befff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x75800000	0x75812fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75830000	0x7583bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75840000	0x7589ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x758a0000	0x758fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75900000	0x75a0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75a10000	0x75b6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75b70000	0x75c0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75c20000	0x75c54fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75c60000	0x75c69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75c70000	0x75da5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75dc0000	0x75dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75dd0000	0x75e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75e30000	0x75f2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75f30000	0x76024fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76030000	0x760ccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76150000	0x761dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x761e0000	0x76e29fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x76ec0000	0x76ee9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76ef0000	0x76f7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76f80000	0x7704bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x77050000	0x7713ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x771f0000	0x77235fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x77240000	0x772ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x772f0000	0x7740cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77410000	0x77428fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x77540000	0x7773afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000778e0000	0x778e0000	0x779d9fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000779e0000	0x779e0000	0x77afefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x77cb0000	0x77cb5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ce0000	0x77e5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Created Files

Filename	File Size	Hash Values	Actions
c:\users\hjrd1k~1\appdata\local\temp\8361.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\hjrd1k~1\appdata\local\temp\8361.tmp	1.74 MB (1828352 bytes)	MD5: 6ef5f3f18413c367195f06e503ab86a6 SHA1: 74e5861dd61d6ddec17dc802664e26196d628bc9 SHA256: 6f8b87fb4d67f9e76a51ef759b58a95d903c4aac9c789a65a3fa1fc4f253d978	File Actions Show Properties Download
c:\users\hjrd1k~1\appdata\local\temp\8361.tmp	1.75 MB (1832448 bytes)	MD5: 511e8601a8e32a68f6ae78d52ab6ed48 SHA1: 474db26020869f581a8c4fd562ef4c1d8c33406f SHA256: c42ea6b812750bc54771d4ed044f654536a657db4dfebba6f0c2b6863f779a4a	File Actions Show Properties Download

Host Behavior

File (7)

Operation	Filename	Additional Information	Count	Logfile
CREATE	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
CREATE	c:\windows\syswow64\adaptertroubleshooter.exe	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
CREATE	c:\users\hjrd1k~1\appdata\local\temp\8361.tmp	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
CREATE	c:\users\hjrd1k~1\appdata\local\temp\8361.tmp	desired_access = GENERIC_WRITE, create_disposition = CREATE_ALWAYS	1	Fn
CREATE_TMPFILE	c:\users\hjrd1k~1\appdata\local\temp\8361.tmp	path = C:\Users\HJRD1K~1\AppData\Local\Temp\	1	Fn
COPY	c:\users\hjrd1k~1\appdata\local\temp\8361.tmp	source_file_name = c:\windows\syswow64\d3d9.dll, fail_if_exists = 0	1	Fn
WRITE	c:\users\hjrd1k~1\appdata\local\temp\8361.tmp	size = 1832448	1	Fn

Process (5)

Operation	Process Name	Additional Information	Count	Logfile
CREATE	"C:\Windows\SysWOW64\explorer.exe"	os_tid = 0x604, os_pid = 0x600, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, CREATE_BREAKAWAY_FROM_JOB, CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
OPEN_TOKEN	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe	os_pid = 0x6ec, desired_access = PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, desired_access = PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION	2	Fn
OPEN_TOKEN	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe	os_pid = 0x6ec, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
GET_INFO	"C:\Windows\SysWOW64\explorer.exe"	os_pid = 0x600	1	Fn

Memory (6)

Operation	Address	Additional Information	Count	Logfile
ALLOC	0xb0000	process_name = "C:\Windows\SysWOW64\explorer.exe", os_pid = 0x600, size = 135136, allocation_type = MEM_COMMIT, protection = PAGE_EXECUTE_READWRITE	1	Fn
READ	0x7efde000	process_name = "C:\Windows\SysWOW64\explorer.exe", os_pid = 0x600, size = 584	1	Fn Data
READ	0x440000	process_name = "C:\Windows\SysWOW64\explorer.exe", os_pid = 0x600, size = 1024	1	Fn Data
WRITE	0xb0000	process_name = "C:\Windows\SysWOW64\explorer.exe", os_pid = 0x600, size = 131072	1	Fn Data
WRITE	0xd0000	process_name = "C:\Windows\SysWOW64\explorer.exe", os_pid = 0x600, size = 4064	1	Fn Data
WRITE	0x470efa	process_name = "C:\Windows\SysWOW64\explorer.exe", os_pid = 0x600, size = 14	1	Fn Data

Thread (1)

Operation	Process Name	Additional Information	Success	Count	Logfile
RESUME	c:\windows\system32\svchost.exe	os_tid = 0x604, os_pid = 0x35c		1	Fn

Module (142)

Operation	Module	Additional Information	Count	Logfile
LOAD	CRYPT32.dll	base_address = 0x0	1	Fn
LOAD	WININET.dll	base_address = 0x0	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x0	1	Fn
LOAD	VERSION.dll	base_address = 0x0	1	Fn
LOAD	MPR.dll	base_address = 0x0	1	Fn
LOAD	imagehlp.dll	base_address = 0x0	1	Fn
LOAD	WS2_32.dll	base_address = 0x0	1	Fn
LOAD	KERNEL32.dll	base_address = 0x0	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x0	1	Fn
LOAD	USER32.dll	base_address = 0x0	1	Fn
LOAD	ole32.dll	base_address = 0x0	1	Fn
LOAD	SHELL32.dll	base_address = 0x0	1	Fn
LOAD	ntdll.dll	base_address = 0x0	1	Fn
LOAD	OLEAUT32.dll	base_address = 0x0	1	Fn
LOAD	GDI32.dll	base_address = 0x0	1	Fn
LOAD	NETAPI32.dll	base_address = 0x0	1	Fn
LOAD	shell32.dll	base_address = 0x761e0000	1	Fn
LOAD	C:\Windows\SysWOW64\AdapterTroubleshooter.exe	base_address = 0x1ce0001	1	Fn
GET_HANDLE	c:\windows\syswow64\kernel32.dll	base_address = 0x75900000	2	Fn
GET_HANDLE	c:\windows\syswow64\user32.dll	base_address = 0x75e30000	1	Fn
GET_HANDLE	c:\windows\syswow64\mswsock.dll	base_address = 0x743d0000	1	Fn
GET_HANDLE	c:\windows\syswow64\gdi32.dll	base_address = 0x76150000	1	Fn
GET_HANDLE	it	base_address = 0x0	24	Fn
GET_HANDLE	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	base_address = 0x400000	5	Fn
CREATE_MAPPING	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	module_name = Nameless FileMapping, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	c:\windows\syswow64\adaptertroubleshooter.exe	module_name = Nameless FileMapping, maximum_size = 0, protection = PAGE_READONLY	1	Fn
CREATE_MAPPING	c:\users\hjrd1k~1\appdata\local\temp\8361.tmp	module_name = Nameless FileMapping, maximum_size = 0, protection = PAGE_READONLY	1	Fn
MAP	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	process_name = c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe, os_pid = 0x4b8, module_name = Nameless FileMapping, desired_access = FILE_MAP_READ, file_offset = 0, address = 0x1c90000	1	Fn
MAP	c:\windows\syswow64\adaptertroubleshooter.exe	process_name = c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe, os_pid = 0x4b8, module_name = Nameless FileMapping, desired_access = FILE_MAP_READ, file_offset = 0, address = 0x1ce0000	1	Fn
MAP	c:\users\hjrd1k~1\appdata\local\temp\8361.tmp	process_name = c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe, os_pid = 0x4b8, module_name = Nameless FileMapping, desired_access = FILE_MAP_READ, file_offset = 0, address = 0x2530000	1	Fn
UNMAP	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	os_pid = 0x4b8, base_address = 0x1c90000	1	Fn
UNMAP	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	os_pid = 0x4b8, base_address = 0x2530000	1	Fn
GET_FILENAME	C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}\esentutl.exe		3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualProtect, address = 0x7591435f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = IMPGetIMEA, address = 0x75ea7331	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = SetForegroundWindow, address = 0x75e6f170	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = ShowWindow, address = 0x75e50dfb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetSysColor, address = 0x75e46c3c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetKeyboardLayoutNameA, address = 0x75ea6bd9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = IsWindow, address = 0x75e47136	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetSystemMetrics, address = 0x75e47d2f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = SetWindowPos, address = 0x75e48e4e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = GetFocus, address = 0x75e50dee	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = SetMenuInfo, address = 0x75e9d222	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = DispatchMessageA, address = 0x75e47bbb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = InvalidateRect, address = 0x75e51381	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = WSPStartup, address = 0x743d8a9b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = dn_expand, address = 0x743eb97c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = sethostname, address = 0x743e6582	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = MigrateWinsockConfiguration, address = 0x743dcd27	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = NPLoadNameSpaces, address = 0x743f1a3e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetNameByTypeA, address = 0x743ee59f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = TransmitFile, address = 0x743ec7e2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = inet_network, address = 0x743e6597	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetAddressByNameA, address = 0x743eddb5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetAcceptExSockaddrs, address = 0x743ec9da	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetTypeByNameW, address = 0x743edfd7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = WSARecvEx, address = 0x743f1b55	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetServiceW, address = 0x743ef340	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = SetServiceA, address = 0x743eefae	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = EnumProtocolsW, address = 0x743ecc25	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = GetTypeByNameA, address = 0x743ee260	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = SetServiceW, address = 0x743ef118	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = StartWsdpService, address = 0x743e633d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = EnumProtocolsA, address = 0x743ed368	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = rexec, address = 0x743e656d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\mswsock.dll	function = StopWsdpService, address = 0x743e5e56	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentThreadId, address = 0x75911450	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = InterlockedDecrement, address = 0x759113f0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapCreate, address = 0x75914a2d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetThreadLocale, address = 0x759135cf	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = QueryPerformanceCounter, address = 0x75911725	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = lstrlenW, address = 0x75911700	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FileTimeToSystemTime, address = 0x7591542c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = UnhandledExceptionFilter, address = 0x7593772f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetUnhandledExceptionFilter, address = 0x759187c9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address = 0x7591110c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetStringTypeW, address = 0x75911946	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetConsoleAliasesA, address = 0x759b6680	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = lstrlenA, address = 0x75915a4b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = lstrcmpiA, address = 0x75913e8e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address = 0x7592d802	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FreeEnvironmentStringsA, address = 0x7591e349	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FreeEnvironmentStringsW, address = 0x759151cb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address = 0x77d21f6e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetFileAttributesW, address = 0x75911b18	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCPInfo, address = 0x75915189	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address = 0x75911809	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LCMapStringA, address = 0x7593bc39	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetOEMCP, address = 0x7593d1a1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address = 0x759134b0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentStringsW, address = 0x759151e3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetSystemTimeAsFileTime, address = 0x75913509	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address = 0x75911856	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address = 0x759111f8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address = 0x7591170d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LCMapStringW, address = 0x759117b9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetHandleCount, address = 0x7591cb29	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetStringTypeA, address = 0x75938266	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = lstrcmpiW, address = 0x7592d5cd	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentStrings, address = 0x7591e361	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetSystemTime, address = 0x75915a96	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetStdHandle, address = 0x7599454f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GlobalSize, address = 0x7592d16f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreateICW, address = 0x7616c040	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreateICA, address = 0x76167c2e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = GetCharWidth32W, address = 0x7616c93c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = DeleteObject, address = 0x76165689	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreatePen, address = 0x7616ba4f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreateRectRgnIndirect, address = 0x7616a764	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\gdi32.dll	function = CreateDCA, address = 0x76167bcc	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shell32.dll	function = SHCreateItemFromParsingName, address = 0x76234215	1	Fn

Registry (16)

Operation	Key	Additional Information	Count	Logfile
CREATE_KEY	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}		3	Fn
CREATE_KEY	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion		2	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System		1	Fn
READ_VALUE	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}	value_name = Component_02	2	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	value_name = ProgramFilesDir (x86)	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	value_name = ProgramFilesDir (x86), data_ident_out = 67	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	value_name = ProgramFilesDir	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion	value_name = ProgramFilesDir, data_ident_out = 67	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}	value_name = Component_00	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}	value_name = Component_00, data_ident_out = 154	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Printers\Defaults\{96846631-2186-5CD6-E75E-DE0C388E7046}	value_name = Component_01, data_ident_out = 103	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	value_name = EnableLUA, data_ident_out = 1	1	Fn

Window (1)

Operation	Window Name	Additional Information	Success	Count	Logfile
CREATE		class_name = 90pWIS=rD^9#mbxu3-#[+6}d%]VFmphBV_V&Hd9@zAVF%X(>aoqjzIPF2f8F>B]EDpaMSN@_8}W3~A6Lq6OAg}32Im{}gE=_-M[CzdR]5ms}xbVUuz5@&USpp9dzppgB+mApZHNQXxlp~1&H~Px#p=T!u)d%GK#dcnp>9$Kj)-eN5NQCh+ujQ&^vrqrAvBO+PMq80PtuVEcE@1^n*HJAuna7VPX#][cAFRzKcx5jRU82#!Vh~bv+WFOvc([, x_coordinate = 1, y_coordinate = 1, width = 1, height = 1, window_parameter = 0		1	Fn

Mutex (1)

Operation	Name	Additional Information	Success	Count	Logfile
OPEN	shell.{0835FA03-68AC-09B6-0CE4-703246A746AB}	desired_access = SYNCHRONIZE		1	Fn

Process #45: spoolsv.exe

Information	Value
ID / OS PID	#45 / 0x4f4
OS Parent PID	0x1a8 (c:\windows\system32\services.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\spoolsv.exe
Command Line	C:\Windows\System32\spoolsv.exe
Monitor	Start Time: 00:01:14, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:14
OS Thread IDs	#471 0x4F8 #482 0x520 #483 0x52C #484 0x530 #487 0x53C #492 0x554
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00051fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000060000	0x00060000	0x00060fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000070000	0x00070000	0x000affff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x000b0000	0x00116fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000120000	0x00120000	0x00120fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000130000	0x00130000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001b0000	0x001b0000	0x002affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000300000	0x00300000	0x0033ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000340000	0x00340000	0x0034ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000350000	0x00350000	0x0044ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000450000	0x00450000	0x005d7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005e0000	0x005e0000	0x00760fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000770000	0x00770000	0x01b6ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001b70000	0x01b70000	0x01f62fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001fe0000	0x01fe0000	0x0201ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002030000	0x02030000	0x0206ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002080000	0x02080000	0x020fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002180000	0x02180000	0x021fffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000023a0000	0x023a0000	0x023affff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x778e0000	0x779d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x779e0000	0x77afefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
spoolsv.exe	0xff8a0000	0xff92bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7fefb5f0000	0x7fefb5fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x7fefba20000	0x7fefba4bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcf10000	0x7fefcf19fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x7fefd160000	0x7fefd1bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd340000	0x7fefd356fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefd8b0000	0x7fefd8bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd910000	0x7fefd934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd940000	0x7fefd94efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefda30000	0x7fefda43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefdb40000	0x7fefdb59fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefdd70000	0x7fefdda5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefddb0000	0x7fefde1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefde20000	0x7fefde2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7fefe090000	0x7fefe166fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7fefe170000	0x7fefe346fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7fefe3f0000	0x7fefe43cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefe440000	0x7fefe642fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefe780000	0x7fefe85afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe8e0000	0x7fefe97efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe980000	0x7fefe99efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe9a0000	0x7fefe9cdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9d0000	0x7fefeafcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefec80000	0x7fefed88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7fefef10000	0x7fefef17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefef20000	0x7fefef86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefefb0000	0x7feff078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions

Process #46: dllhost.exe

Information	Value
ID / OS PID	#46 / 0x524
OS Parent PID	0x234 (c:\windows\system32\svchost.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\dllhost.exe
Command Line	C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Monitor	Start Time: 00:01:15, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:13
OS Thread IDs	#485 0x528 #486 0x538 #488 0x540 #493 0x558 #494 0x55C #495 0x560 #504 0x58C
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000040000	0x00040000	0x00040fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000050000	0x00050000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00150000	0x001b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000001c0000	0x001c0000	0x001c0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001d0000	0x001d0000	0x001d0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001e0000	0x001e0000	0x001effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x002effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000340000	0x00340000	0x0043ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000440000	0x00440000	0x005c7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005d0000	0x005d0000	0x00750fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000760000	0x00760000	0x01b5ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001ba0000	0x01ba0000	0x01c9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d00000	0x01d00000	0x01dfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ed0000	0x01ed0000	0x01fcffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x01fd0000	0x0229efff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000022a0000	0x022a0000	0x0237efff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000023e0000	0x023e0000	0x024dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000025b0000	0x025b0000	0x0262ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002670000	0x02670000	0x0276ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002770000	0x02770000	0x0286ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002900000	0x02900000	0x0290ffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x778e0000	0x779d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x779e0000	0x77afefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77cc0000	0x77cc6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
dllhost.exe	0xff080000	0xff086fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
PhotoMetadataHandler.dll	0x7fef9860000	0x7fef98cafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefa020000	0x7fefa0bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
thumbcache.dll	0x7fefa2e0000	0x7fefa2fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
actxprxy.dll	0x7fefa950000	0x7fefaa3dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WindowsCodecs.dll	0x7fefbe00000	0x7fefbf29fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc3a0000	0x7fefc3f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc400000	0x7fefc52bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefd040000	0x7fefd086fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd340000	0x7fefd356fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd940000	0x7fefd94efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefda30000	0x7fefda43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefddb0000	0x7fefde1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefde20000	0x7fefde2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7fefe090000	0x7fefe166fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefe350000	0x7fefe3e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefe440000	0x7fefe642fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefe780000	0x7fefe85afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7fefe860000	0x7fefe8d0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe8e0000	0x7fefe97efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe980000	0x7fefe99efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe9a0000	0x7fefe9cdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9d0000	0x7fefeafcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefec80000	0x7fefed88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefef20000	0x7fefef86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefefb0000	0x7feff078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7feff080000	0x7feffe07fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #47: taskhost.exe

Information	Value
ID / OS PID	#47 / 0x548
OS Parent PID	0x1a8 (c:\windows\system32\services.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\taskhost.exe
Command Line	"taskhost.exe"
Monitor	Start Time: 00:01:16, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:12
OS Thread IDs	#490 0x54C #497 0x568 #501 0x57C #508 0x59C #510 0x5A4 #511 0x5A8 #518 0x5C0 #524 0x5D4 #528 0x5E0 #559 0x660 #573 0x69C
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00040000	0x000a6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000b0000	0x000b0000	0x000b1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000160000	0x00160000	0x00160fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000170000	0x00170000	0x00170fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000180000	0x00180000	0x00181fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000220000	0x00220000	0x0022ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x0036ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000370000	0x00370000	0x0046ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000470000	0x00470000	0x005f7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000600000	0x00600000	0x00780fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000790000	0x00790000	0x01b8ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001b90000	0x01b90000	0x01f82fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002000000	0x02000000	0x0207ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002080000	0x02080000	0x0215efff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000021f0000	0x021f0000	0x0226ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000022f0000	0x022f0000	0x0236ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002370000	0x02370000	0x023effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002430000	0x02430000	0x024affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024d0000	0x024d0000	0x0254ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002550000	0x02550000	0x025cffff	Private Memory	Readable, Writable	Region Actions
KernelBase.dll.mui	0x025d0000	0x0268ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000002690000	0x02690000	0x0270ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002710000	0x02710000	0x0278ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000027e0000	0x027e0000	0x0285ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002860000	0x02860000	0x028dffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x778e0000	0x779d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x779e0000	0x77afefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
taskhost.exe	0xffc20000	0xffc33fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msutb.dll	0x7fefb450000	0x7fefb48cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7fefb5f0000	0x7fefb5fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
MsCtfMonitor.dll	0x7fefbcc0000	0x7fefbccafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
HotStartUserAgent.dll	0x7fefbcd0000	0x7fefbcdafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
PlaySndSrv.dll	0x7fefbce0000	0x7fefbcf7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7fefbdd0000	0x7fefbde0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7fefbf70000	0x7fefbf87fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc3a0000	0x7fefc3f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd940000	0x7fefd94efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefd9f0000	0x7fefda2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefda30000	0x7fefda43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefddb0000	0x7fefde1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefde20000	0x7fefde2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7fefe090000	0x7fefe166fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefe350000	0x7fefe3e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefe440000	0x7fefe642fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefe780000	0x7fefe85afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe8e0000	0x7fefe97efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe980000	0x7fefe99efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe9a0000	0x7fefe9cdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9d0000	0x7fefeafcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefec80000	0x7fefed88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefef20000	0x7fefef86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefefb0000	0x7feff078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #48: jusched.exe

(Host: 5, Network: 0)

Information	Value
ID / OS PID	#48 / 0x570
OS Parent PID	0x4a4 (c:\windows\syswow64\runonce.exe)
Initial Working Directory	C:\Windows\SysWOW64
File Name	c:\program files (x86)\common files\java\java update\jusched.exe
Command Line	"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
Monitor	Start Time: 00:01:16, Reason: Child Process
Unmonitor	End Time: 00:01:18, Reason: Terminated
Monitor Duration	00:00:02
OS Thread IDs	#499 0x574 #506 0x594

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000110000	0x00110000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000240000	0x00240000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x0025ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x0036ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000470000	0x00470000	0x004effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005f0000	0x005f0000	0x006effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000006f0000	0x006f0000	0x00877fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000880000	0x00880000	0x00a00fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000bd0000	0x00bd0000	0x00c0ffff	Private Memory	Readable, Writable	Region Actions
jusched.exe	0x00f30000	0x00fc4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000fd0000	0x00fd0000	0x023cffff	Pagefile Backed Memory	Readable	Region Actions
version.dll	0x74010000	0x74018fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x74350000	0x743cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74410000	0x74417fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74420000	0x7447bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74480000	0x744befff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msi.dll	0x755e0000	0x7581ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75830000	0x7583bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75840000	0x7589ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x758a0000	0x758fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75900000	0x75a0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75a10000	0x75b6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75b70000	0x75c0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75c60000	0x75c69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75c70000	0x75da5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75dc0000	0x75dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75dd0000	0x75e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75e30000	0x75f2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75f30000	0x76024fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76030000	0x760ccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76150000	0x761dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x761e0000	0x76e29fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76ef0000	0x76f7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76f80000	0x7704bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x77050000	0x7713ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x771f0000	0x77235fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x77240000	0x772ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x772f0000	0x7740cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77410000	0x77428fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x77540000	0x7773afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000778e0000	0x778e0000	0x779d9fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000779e0000	0x779e0000	0x77afefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ce0000	0x77e5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

Process (1)

Operation	Process Name	Additional Information	Success	Count	Logfile
GET_INFO	c:\users\hjrd1koky ds8lujv\desktop\d8891477315db13a640ed5956a636951.exe	os_pid = 0x6ec		1	Fn

Module (2)

Operation	Module	Additional Information	Success	Count	Logfile
GET_HANDLE	c:\windows\syswow64\kernel32.dll	base_address = 0x75900000		1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	address = 0x759210b5		1	Fn

Registry (2)

Operation	Key	Additional Information	Success	Count	Logfile
OPEN_KEY	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem			1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem	value_name = Win31FileSystem, data_ident_out = 0		1	Fn

Process #49: svchost.exe

Information	Value
ID / OS PID	#49 / 0x580
OS Parent PID	0x1a8 (c:\windows\system32\services.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
Monitor	Start Time: 00:01:17, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:11
OS Thread IDs	#503 0x584 #505 0x590 #513 0x5B0 #516 0x5B8 #517 0x5BC #521 0x5C8 #532 0x5F0 #556 0x654 #557 0x658 #558 0x65C #563 0x674 #564 0x678 #567 0x684 #579 0x6B8 #581 0x6C0 #582 0x6C4 #583 0x6C8 #584 0x6CC #589 0x6E0 #597 0x700
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000030000	0x00030000	0x000affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000b0000	0x000b0000	0x000b3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c0fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x000d0000	0x00136fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x00141fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000160000	0x00160000	0x00160fff	Private Memory	Readable, Writable	Region Actions
FirewallAPI.dll.mui	0x00170000	0x0018bfff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x00190fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001a0000	0x001a0000	0x001affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001b0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001c0000	0x001c0000	0x001c0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001d0000	0x001d0000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x00257fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000260000	0x00260000	0x0035ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000360000	0x00360000	0x0045ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000460000	0x00460000	0x005e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005f0000	0x005f0000	0x00770fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000780000	0x00780000	0x0083ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000840000	0x00840000	0x00c32fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000c40000	0x00c40000	0x00cbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000cc0000	0x00cc0000	0x00d3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d40000	0x00d40000	0x00d43fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d50000	0x00d50000	0x00d53fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d60000	0x00d60000	0x00d63fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d70000	0x00d70000	0x00d73fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d80000	0x00d80000	0x00d80fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d90000	0x00d90000	0x00d90fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000da0000	0x00da0000	0x00da0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000db0000	0x00db0000	0x00db0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000dc0000	0x00dc0000	0x00e3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e40000	0x00e40000	0x00e40fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e50000	0x00e50000	0x00e50fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e60000	0x00e60000	0x00edffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ee0000	0x00ee0000	0x00f5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ee0000	0x00ee0000	0x00ee0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ef0000	0x00ef0000	0x00ef0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f00000	0x00f00000	0x00f00fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f10000	0x00f10000	0x00f10fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f20000	0x00f20000	0x00f20fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f30000	0x00f30000	0x00f30fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f40000	0x00f40000	0x00f40fff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x00f60000	0x0122efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001230000	0x01230000	0x012affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001340000	0x01340000	0x013bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013e0000	0x013e0000	0x0145ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014c0000	0x014c0000	0x0153ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001500000	0x01500000	0x0157ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015d0000	0x015d0000	0x0164ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001690000	0x01690000	0x0170ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001740000	0x01740000	0x017bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000017f0000	0x017f0000	0x0186ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000018a0000	0x018a0000	0x0191ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001970000	0x01970000	0x019effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a20000	0x01a20000	0x01a9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ab0000	0x01ab0000	0x01b2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b50000	0x01b50000	0x01bcffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001bd0000	0x01bd0000	0x01ccffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001cd0000	0x01cd0000	0x01dcffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x778e0000	0x779d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x779e0000	0x77afefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
svchost.exe	0xffa20000	0xffa2afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
PeerDistSh.dll	0x7fef88c0000	0x7fef8977fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wdi.dll	0x7fef8a20000	0x7fef8a38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wfapigp.dll	0x7fef8af0000	0x7fef8af9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dps.dll	0x7fef8cd0000	0x7fef8cfbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
MPSSVC.dll	0x7fef8d50000	0x7fef8e1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
BFE.DLL	0x7fef9df0000	0x7fef9e9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x7fefab20000	0x7fefab37fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc6.dll	0x7fefab40000	0x7fefab50fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FWPUCLNT.DLL	0x7fefab70000	0x7fefabc2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7fefb510000	0x7fefb51afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IPHLPAPI.DLL	0x7fefb520000	0x7fefb546fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7fefb5f0000	0x7fefb5fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
taskschd.dll	0x7fefb660000	0x7fefb786fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefb9c0000	0x7fefb9ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcc10000	0x7fefcc1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FirewallAPI.dll	0x7fefcc20000	0x7fefccdafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WSHTCPIP.DLL	0x7fefcce0000	0x7fefcce6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pcwum.dll	0x7fefcda0000	0x7fefcdacfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x7fefcde0000	0x7fefcdfafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefce00000	0x7fefce1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcf10000	0x7fefcf19fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x7fefd2d0000	0x7fefd2d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd2e0000	0x7fefd334fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd340000	0x7fefd356fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
authz.dll	0x7fefd510000	0x7fefd53efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefd8b0000	0x7fefd8bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd910000	0x7fefd934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd940000	0x7fefd94efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x7fefda30000	0x7fefda43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefda50000	0x7fefda5efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefdd70000	0x7fefdda5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x7fefddb0000	0x7fefde1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefde20000	0x7fefde2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7fefe090000	0x7fefe166fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefe350000	0x7fefe3e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7fefe3f0000	0x7fefe43cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefe440000	0x7fefe642fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefe780000	0x7fefe85afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7fefe860000	0x7fefe8d0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe8e0000	0x7fefe97efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe980000	0x7fefe99efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe9a0000	0x7fefe9cdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe9d0000	0x7fefeafcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x7fefec20000	0x7fefec71fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefec80000	0x7fefed88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7fefef10000	0x7fefef17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefef20000	0x7fefef86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefefb0000	0x7feff078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffe20000	0x7feffe20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffff9a000	0x7fffff9a000	0x7fffff9bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9c000	0x7fffff9c000	0x7fffff9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9e000	0x7fffff9e000	0x7fffff9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #50: explorer.exe

(Host: 5, Network: 0)

Information	Value
ID / OS PID	#50 / 0x600
OS Parent PID	0x4b8 (c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\syswow64\explorer.exe
Command Line	"C:\Windows\SysWOW64\explorer.exe"
Monitor	Start Time: 00:01:21, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:07
OS Thread IDs	#536 0x604 #543 0x624 #545 0x62C #586 0x6D4 #593 0x6F0

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00021fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x000affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000b0000	0x000b0000	0x000d0fff	Private Memory	Readable, Writable, Executable	Region Actions
locale.nls	0x000e0000	0x00146fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000150000	0x00150000	0x00151fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000160000	0x00160000	0x00160fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x001affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001e0000	0x001e0000	0x001e0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001f0000	0x001f0000	0x001f0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000200000	0x00200000	0x00200fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000210000	0x00210000	0x00211fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x00220000	0x00223fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000230000	0x00230000	0x00231fff	Pagefile Backed Memory	Readable	Region Actions
{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000a.db	0x00240000	0x00255fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000260000	0x00260000	0x0029ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000002a0000	0x002a0000	0x002a0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
cversions.2.db	0x002b0000	0x002b3fff	Memory Mapped File	Readable	Region Actions
private_0x00000000002c0000	0x002c0000	0x002cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000002d0000	0x002d0000	0x002d0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000002e0000	0x002e0000	0x0035ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000360000	0x00360000	0x0043efff	Pagefile Backed Memory	Readable	Region Actions
explorer.exe	0x00440000	0x006c0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000a.db	0x006d0000	0x006fffff	Memory Mapped File	Readable	Region Actions
{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db	0x00700000	0x00765fff	Memory Mapped File	Readable	Region Actions
private_0x00000000007b0000	0x007b0000	0x007effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000800000	0x00800000	0x008fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000900000	0x00900000	0x00a87fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000a90000	0x00a90000	0x00c10fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000c20000	0x00c20000	0x0201ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002020000	0x02020000	0x02412fff	Pagefile Backed Memory	Readable	Region Actions
SortDefault.nls	0x02420000	0x026eefff	Memory Mapped File	Readable	Region Actions
private_0x0000000002740000	0x02740000	0x0277ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000027f0000	0x027f0000	0x0282ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002880000	0x02880000	0x028bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002910000	0x02910000	0x0294ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002970000	0x02970000	0x029affff	Private Memory	Readable, Writable	Region Actions
uxtheme.dll	0x74350000	0x743cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74410000	0x74417fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74420000	0x7447bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74480000	0x744befff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x74e20000	0x74e2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74e30000	0x74e6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74e70000	0x74e85fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x74e90000	0x74ea3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comsvcs.dll	0x74eb0000	0x74fe5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x750e0000	0x750eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x750f0000	0x75110fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x75120000	0x752bdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x752c0000	0x753b4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x753c0000	0x753c7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
GdiPlus.dll	0x753d0000	0x7555ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x75560000	0x75569fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x75570000	0x75594fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dui70.dll	0x755a0000	0x75651fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
duser.dll	0x75660000	0x7568efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ExplorerFrame.dll	0x75690000	0x757fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x75800000	0x75812fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75830000	0x7583bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75840000	0x7589ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x758a0000	0x758fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75900000	0x75a0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75a10000	0x75b6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75b70000	0x75c0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75c60000	0x75c69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75dd0000	0x75e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75e30000	0x75f2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76030000	0x760ccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x760d0000	0x760e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76150000	0x761dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x761e0000	0x76e29fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76ef0000	0x76f7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76f80000	0x7704bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x77050000	0x7713ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x771c0000	0x771e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x771f0000	0x77235fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x77240000	0x772ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77410000	0x77428fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x77460000	0x774e2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x774f0000	0x77534fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x77740000	0x778dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000778e0000	0x778e0000	0x779d9fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000779e0000	0x779e0000	0x77afefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ce0000	0x77e5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	0x4bc	address = 0xb0000, size = 131072	1	Fn Data
Modify Memory	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	0x4bc	address = 0xd0000, size = 4064	1	Fn Data
Modify Memory	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	0x4bc	address = 0x470efa, size = 14	1	Fn Data

Host Behavior

Com (4)

Operation	Class	Interface	Additional Information	Count	Logfile
CREATE	FileOperation	IFileOperation	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
METHOD	FileOperation	IFileOperation	method = SetOperationFlags	1	Fn
METHOD	FileOperation	IFileOperation	method = newItem	1	Fn
METHOD	FileOperation	IFileOperation	method = PerformOperations	1	Fn

System (1)

Operation	Information	Success	Count	Logfile
CREATE_SHELL_ITEM	display_name = C:\Windows\SysWOW64		1	Fn

Process #51: explorer.exe

(Host: 5, Network: 0)

Information	Value
ID / OS PID	#51 / 0x608
OS Parent PID	0x49c (c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\windows\syswow64\explorer.exe
Command Line	"C:\Windows\SysWOW64\explorer.exe"
Monitor	Start Time: 00:01:21, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:07
OS Thread IDs	#537 0x60C #541 0x61C #544 0x628 #588 0x6DC #596 0x6FC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00021fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x00090fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x00000000000a0000	0x000a0000	0x000a1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000b0000	0x000b0000	0x000b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0010ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x0012ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000130000	0x00130000	0x00130fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x00140fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000150000	0x00150000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00190000	0x001f6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000200000	0x00200000	0x00200fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000210000	0x00210000	0x00211fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x00220000	0x00223fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000230000	0x00230000	0x00231fff	Pagefile Backed Memory	Readable	Region Actions
{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000a.db	0x00240000	0x00255fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000260000	0x00260000	0x00260fff	Pagefile Backed Memory	Readable, Writable	Region Actions
cversions.2.db	0x00270000	0x00273fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000280000	0x00280000	0x00280fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000290000	0x00290000	0x0030ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000310000	0x00310000	0x003eefff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000400000	0x00400000	0x0043ffff	Private Memory	Readable, Writable	Region Actions
explorer.exe	0x00440000	0x006c0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000a.db	0x006d0000	0x006fffff	Memory Mapped File	Readable	Region Actions
private_0x0000000000730000	0x00730000	0x0076ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007d0000	0x007d0000	0x008cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000008d0000	0x008d0000	0x00a57fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000a70000	0x00a70000	0x00a7ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000a80000	0x00a80000	0x00c00fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000c10000	0x00c10000	0x0200ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002010000	0x02010000	0x02402fff	Pagefile Backed Memory	Readable	Region Actions
SortDefault.nls	0x02410000	0x026defff	Memory Mapped File	Readable	Region Actions
{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db	0x026e0000	0x02745fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002750000	0x02750000	0x0278ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000027a0000	0x027a0000	0x027dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002800000	0x02800000	0x0283ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002970000	0x02970000	0x029affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000029c0000	0x029c0000	0x029fffff	Private Memory	Readable, Writable	Region Actions
uxtheme.dll	0x74350000	0x743cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74410000	0x74417fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74420000	0x7447bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74480000	0x744befff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x74e20000	0x74e2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74e30000	0x74e6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74e70000	0x74e85fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x74e90000	0x74ea3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comsvcs.dll	0x74eb0000	0x74fe5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x750e0000	0x750eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x750f0000	0x75110fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x75120000	0x752bdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x752c0000	0x753b4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x753c0000	0x753c7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
GdiPlus.dll	0x753d0000	0x7555ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x75560000	0x75569fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x75570000	0x75594fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dui70.dll	0x755a0000	0x75651fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
duser.dll	0x75660000	0x7568efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ExplorerFrame.dll	0x75690000	0x757fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x75800000	0x75812fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75830000	0x7583bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75840000	0x7589ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x758a0000	0x758fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75900000	0x75a0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75a10000	0x75b6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75b70000	0x75c0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75c60000	0x75c69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75dd0000	0x75e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75e30000	0x75f2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76030000	0x760ccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x760d0000	0x760e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76150000	0x761dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x761e0000	0x76e29fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76ef0000	0x76f7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76f80000	0x7704bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x77050000	0x7713ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x771c0000	0x771e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x771f0000	0x77235fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x77240000	0x772ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77410000	0x77428fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x77460000	0x774e2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x774f0000	0x77534fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x77740000	0x778dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000778e0000	0x778e0000	0x779d9fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000779e0000	0x779e0000	0x77afefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ce0000	0x77e5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	0x4a0	address = 0x70000, size = 131072	1	Fn Data
Modify Memory	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	0x4a0	address = 0x90000, size = 4064	1	Fn Data
Modify Memory	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	0x4a0	address = 0x470efa, size = 14	1	Fn Data

Host Behavior

Com (4)

Operation	Class	Interface	Additional Information	Count	Logfile
CREATE	FileOperation	IFileOperation	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
METHOD	FileOperation	IFileOperation	method = SetOperationFlags	1	Fn
METHOD	FileOperation	IFileOperation	method = newItem	1	Fn
METHOD	FileOperation	IFileOperation	method = PerformOperations	1	Fn

System (1)

Operation	Information	Success	Count	Logfile
CREATE_SHELL_ITEM	display_name = C:\Windows\SysWOW64		1	Fn

Process #52: explorer.exe

(Host: 5, Network: 0)

Information	Value
ID / OS PID	#52 / 0x664
OS Parent PID	0x4ac (c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe)
Initial Working Directory	C:\Users\hJrD1KOKY DS8lUjv\AppData\Roaming\{B3889326-9C2C-0B70-124E-56B7B618030C}
File Name	c:\windows\syswow64\explorer.exe
Command Line	"C:\Windows\SysWOW64\explorer.exe"
Monitor	Start Time: 00:01:24, Reason: Child Process
Unmonitor	End Time: 00:01:28, Reason: Terminated by Timeout
Monitor Duration	00:00:04
OS Thread IDs	#560 0x668 #562 0x670 #568 0x688 #587 0x6D8 #594 0x6F4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00021fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x00090fff	Private Memory	Readable, Writable, Executable	Region Actions
locale.nls	0x000a0000	0x00106fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000110000	0x00110000	0x00111fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000120000	0x00120000	0x00120fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000130000	0x00130000	0x00130fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000140000	0x00140000	0x0015ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000160000	0x00160000	0x00160fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000170000	0x00170000	0x00170fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000180000	0x00180000	0x00180fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00191fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x001a0000	0x001a3fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x0022ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000230000	0x00230000	0x0030efff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000310000	0x00310000	0x00311fff	Pagefile Backed Memory	Readable	Region Actions
{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000a.db	0x00320000	0x00335fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000340000	0x00340000	0x003bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003c0000	0x003c0000	0x003c0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
cversions.2.db	0x003d0000	0x003d3fff	Memory Mapped File	Readable	Region Actions
private_0x00000000003e0000	0x003e0000	0x0041ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000420000	0x00420000	0x00420fff	Pagefile Backed Memory	Readable	Region Actions
explorer.exe	0x00440000	0x006c0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000a.db	0x006d0000	0x006fffff	Memory Mapped File	Readable	Region Actions
{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db	0x00700000	0x00765fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000770000	0x00770000	0x007affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007e0000	0x007e0000	0x008dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000900000	0x00900000	0x0093ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000009c0000	0x009c0000	0x009fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a30000	0x00a30000	0x00a3ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000a40000	0x00a40000	0x00bc7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000bd0000	0x00bd0000	0x00d50fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000d60000	0x00d60000	0x0215ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002160000	0x02160000	0x02552fff	Pagefile Backed Memory	Readable	Region Actions
SortDefault.nls	0x02560000	0x0282efff	Memory Mapped File	Readable	Region Actions
private_0x00000000028c0000	0x028c0000	0x028fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002910000	0x02910000	0x0294ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000029b0000	0x029b0000	0x029effff	Private Memory	Readable, Writable	Region Actions
uxtheme.dll	0x74350000	0x743cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74410000	0x74417fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74420000	0x7447bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74480000	0x744befff	Memory Mapped File	Readable, Writable, Executable	Region Actions
RpcRtRemote.dll	0x74e20000	0x74e2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74e30000	0x74e6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74e70000	0x74e85fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x74e90000	0x74ea3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comsvcs.dll	0x74eb0000	0x74fe5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x750e0000	0x750eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x750f0000	0x75110fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x75120000	0x752bdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x752c0000	0x753b4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x753c0000	0x753c7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
GdiPlus.dll	0x753d0000	0x7555ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x75560000	0x75569fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x75570000	0x75594fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dui70.dll	0x755a0000	0x75651fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
duser.dll	0x75660000	0x7568efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ExplorerFrame.dll	0x75690000	0x757fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x75800000	0x75812fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75830000	0x7583bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75840000	0x7589ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x758a0000	0x758fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75900000	0x75a0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75a10000	0x75b6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75b70000	0x75c0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75c60000	0x75c69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75dd0000	0x75e26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75e30000	0x75f2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76030000	0x760ccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x760d0000	0x760e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76150000	0x761dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x761e0000	0x76e29fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76ef0000	0x76f7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76f80000	0x7704bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x77050000	0x7713ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x771c0000	0x771e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x771f0000	0x77235fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x77240000	0x772ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x77410000	0x77428fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x77460000	0x774e2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
Wldap32.dll	0x774f0000	0x77534fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x77740000	0x778dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000778e0000	0x778e0000	0x779d9fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000779e0000	0x779e0000	0x77afefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77b00000	0x77ca8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ce0000	0x77e5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	0x4b0	address = 0x70000, size = 131072	1	Fn Data
Modify Memory	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	0x4b0	address = 0x90000, size = 4064	1	Fn Data
Modify Memory	c:\users\hjrd1koky ds8lujv\appdata\roaming\{b3889326-9c2c-0b70-124e-56b7b618030c}\esentutl.exe	0x4b0	address = 0x470efa, size = 14	1	Fn Data

Host Behavior

Com (4)

Operation	Class	Interface	Additional Information	Count	Logfile
CREATE	FileOperation	IFileOperation	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
METHOD	FileOperation	IFileOperation	method = SetOperationFlags	1	Fn
METHOD	FileOperation	IFileOperation	method = newItem	1	Fn
METHOD	FileOperation	IFileOperation	method = PerformOperations	1	Fn

System (1)

Operation	Information	Success	Count	Logfile
CREATE_SHELL_ITEM	display_name = C:\Windows\SysWOW64		1	Fn