VMRay Analyzer Report
| Information | Value |
|---|---|
| ID / OS PID | #1 / 0xb0c |
| OS Parent PID | 0x4dc (c:\windows\explorer.exe) |
| Initial Working Directory | C:\Users\User\Desktop |
| File Name | c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe |
| Command Line | "C:\Users\User\Desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe" |
| Monitor | Start Time: 00:00:50, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:09 |
| OS Thread IDs | #1 0xB10 #2 0xB1C #3 0xB20 #4 0xB24 #5 0xB40 #6 0xBEC #7 0xBF0 #8 0xBF8 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 |  | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = SetErrorMode, address_out = 0x763f1acc | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = Secur32.dll, base_address = 0x752b0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = Secur32.dll, function = EncryptMessage, address_out = 0x754e124e | | 1 | |
| NET | ENCRYPT_MSG |  | 1 | ||
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = IsBadReadPtr, address_out = 0x7641d065 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = CreateThread, address_out = 0x763f3495 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = WaitForSingleObject, address_out = 0x763f1136 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = GetExitCodeThread, address_out = 0x7640d585 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = CloseHandle, address_out = 0x763f13e0 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = CreateThread, address_out = 0x763f3495 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = WaitForSingleObject, address_out = 0x763f1136 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = GetExitCodeThread, address_out = 0x7640d585 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = CloseHandle, address_out = 0x763f13e0 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = GetModuleHandleA, address_out = 0x763f1245 | | 1 | |
| MOD | GET_HANDLE | module_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = malloc, address_out = 0x75c49cee | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = memcpy, address_out = 0x75c49910 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = memcpy, address_out = 0x75c49910 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = malloc, address_out = 0x75c49cee | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = VirtualAlloc, address_out = 0x763f1822 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = malloc, address_out = 0x75c49cee | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = free, address_out = 0x75c49894 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = LoadLibraryA, address_out = 0x763f499f | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = GetProcAddress, address_out = 0x763f1222 | | 1 | |
| MOD | LOAD | module_name = msvcrt.dll, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = memcpy, address_out = 0x75c49910 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = memset, address_out = 0x75c49790 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = strrchr, address_out = 0x75c4dbae | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = rand, address_out = 0x75c4c070 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = malloc, address_out = 0x75c49cee | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = free, address_out = 0x75c49894 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = _unlink, address_out = 0x75c62069 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = _snwprintf, address_out = 0x75c695d1 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = sprintf, address_out = 0x75c5d354 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = _wcsicmp, address_out = 0x75c4a9e9 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = fclose, address_out = 0x75c53d79 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = vfprintf, address_out = 0x75cb7430 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = _vsnprintf, address_out = 0x75c4d1a8 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = fopen, address_out = 0x75c5b2c4 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = strncpy, address_out = 0x75c508a9 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = _except_handler3, address_out = 0x75c6d770 | | 1 | |
| MOD | LOAD | module_name = ntdll.dll, base_address = 0x77b30000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwReadVirtualMemory, address_out = 0x77b4fe90 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwQueryInformationProcess, address_out = 0x77b4fad8 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwQuerySystemInformation, address_out = 0x77b4fdb0 | | 1 | |
| MOD | LOAD | module_name = KERNEL32.dll, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = CreateDirectoryA, address_out = 0x7641d516 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = SetErrorMode, address_out = 0x763f1acc | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = RemoveDirectoryA, address_out = 0x764749ff | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetModuleHandleA, address_out = 0x763f1245 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = CloseHandle, address_out = 0x763f13e0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetVersionExA, address_out = 0x763f34d9 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = CreateMutexA, address_out = 0x763f4c33 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetModuleFileNameA, address_out = 0x763f1481 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = OpenEventA, address_out = 0x763f4a0d | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = LockResource, address_out = 0x763f5921 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = OpenMutexA, address_out = 0x7640ec3f | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = LoadLibraryA, address_out = 0x763f499f | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = SetFileAttributesA, address_out = 0x7640eca3 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = VirtualProtect, address_out = 0x763f4327 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetCurrentProcessId, address_out = 0x763f11f8 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = InterlockedIncrement, address_out = 0x763f13d0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = InterlockedDecrement, address_out = 0x763f13c0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = InterlockedCompareExchange, address_out = 0x763f1454 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = OpenProcess, address_out = 0x763f1952 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = ExitProcess, address_out = 0x763f79d8 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = ExpandEnvironmentStringsA, address_out = 0x7640eb09 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetLastError, address_out = 0x763f11c0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = DeleteFileA, address_out = 0x763f540c | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetCommandLineW, address_out = 0x763f51eb | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = CreateFileA, address_out = 0x763f538e | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = FindResourceA, address_out = 0x7640e98b | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = FreeLibrary, address_out = 0x763f3488 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = LoadResource, address_out = 0x763f5914 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetCurrentProcess, address_out = 0x763f17d5 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = WaitForSingleObject, address_out = 0x763f1136 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetLogicalDrives, address_out = 0x763f5339 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = CopyFileA, address_out = 0x764158b5 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetDriveTypeA, address_out = 0x7640ef45 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = Sleep, address_out = 0x763f10ff | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = SizeofResource, address_out = 0x763f5a91 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = FlushFileBuffers, address_out = 0x763f4663 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetProcAddress, address_out = 0x763f1222 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = WriteFile, address_out = 0x763f1282 | | 1 | |
| MOD | LOAD | module_name = ADVAPI32.dll, base_address = 0x76090000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = RegSetValueExA, address_out = 0x760a1433 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = OpenProcessToken, address_out = 0x760a4284 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = CloseServiceHandle, address_out = 0x760a361c | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = RegCloseKey, address_out = 0x760a461d | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = SetFileSecurityA, address_out = 0x760d1a39 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = RegOpenKeyExA, address_out = 0x760a4887 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = InitializeSecurityDescriptor, address_out = 0x760a45a0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = RegDeleteKeyA, address_out = 0x760ba84f | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = LookupPrivilegeValueA, address_out = 0x760a3fca | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = RegCreateKeyExA, address_out = 0x760a13e9 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = OpenSCManagerA, address_out = 0x760a2b58 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = AdjustTokenPrivileges, address_out = 0x760a410e | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = StartServiceCtrlDispatcherA, address_out = 0x760d365f | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = RegisterServiceCtrlHandlerExA, address_out = 0x760d35df | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = SetServiceStatus, address_out = 0x7609c746 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = CreateServiceA, address_out = 0x760d3264 | | 1 | |
| MOD | LOAD | module_name = SHELL32.dll, base_address = 0x76ae0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = SHELL32.dll, function = CommandLineToArgvW, address_out = 0x76af9ea0 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = free, address_out = 0x75c49894 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = free, address_out = 0x75c49894 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = VirtualProtect, address_out = 0x763f4327 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = VirtualAlloc, address_out = 0x763f1822 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = memcpy, address_out = 0x75c49910 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = SetErrorMode, address_out = 0x763f1acc | | 1 | |
| MOD | LOAD | module_name = kernel32.dll, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32.dll, function = IsWow64Process, address_out = 0x763f192a | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32.dll, function = Wow64DisableWow64FsRedirection, address_out = 0x7640d620 | | 1 | |
| MUTEX | OPEN | mutex_name = {E9B1E207-B513-4cfc-86BE-6D6004E5CB9C}, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | |
| MUTEX | CREATE | mutex_name = {E9B1E207-B513-4cfc-86BE-6D6004E5CB9C}, initial_owner = 1 | | 1 | |
| FILE | CREATE | file_name = par1\, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, create_disposition = OPEN_EXISTING, flags = FILE_FLAG_BACKUP_SEMANTICS | | 1 | |
| PROC | OPEN | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c, desired_access = PROCESS_VM_READ | | 1 | |
| PROC | GET_INFO | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c | | 1 | |
| MOD | LOAD | module_name = kernel32.dll, base_address = 0x763e0000 | | 1 | |
| PROC | GET_INFO | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c | | 1 | |
| MOD | LOAD | module_name = gdi32.dll, base_address = 0x769c0000 | | 1 | |
| PROC | GET_INFO | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c | | 1 | |
| MOD | LOAD | module_name = user32.dll, base_address = 0x75cf0000 | | 1 | |
| PROC | GET_INFO | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c | | 1 | |
| MOD | LOAD | module_name = ole32.dll, base_address = 0x758d0000 | | 1 | |
| PROC | GET_INFO | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c | | 1 | |
| MOD | LOAD | module_name = oleacc.dll, base_address = 0x752c0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = SetErrorMode, address_out = 0x763f1acc | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = Secur32.dll, base_address = 0x752b0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = Secur32.dll, function = EncryptMessage, address_out = 0x754e124e | | 1 | |
| NET | ENCRYPT_MSG | | 1 | ||
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = IsBadReadPtr, address_out = 0x7641d065 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = malloc, address_out = 0x75c49cee | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = memcpy, address_out = 0x75c49910 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = memcpy, address_out = 0x75c49910 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = malloc, address_out = 0x75c49cee | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = VirtualAlloc, address_out = 0x763f1822 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = malloc, address_out = 0x75c49cee | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = free, address_out = 0x75c49894 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = LoadLibraryA, address_out = 0x763f499f | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = GetProcAddress, address_out = 0x763f1222 | | 1 | |
| MOD | LOAD | module_name = msvcrt.dll, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = _wcsnicmp, address_out = 0x75c4aae3 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = strlen, address_out = 0x75c543d3 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = wcslen, address_out = 0x75c5d335 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = wcsncmp, address_out = 0x75c4b05e | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = memcpy, address_out = 0x75c49910 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = memset, address_out = 0x75c49790 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = malloc, address_out = 0x75c49cee | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = free, address_out = 0x75c49894 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = _strnicmp, address_out = 0x75c50578 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = _stricmp, address_out = 0x75c4db38 | | 1 | |
| MOD | LOAD | module_name = ntdll.dll, base_address = 0x77b30000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwOpenKey, address_out = 0x77b4fa28 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwQueryValueKey, address_out = 0x77b4faa8 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwQuerySystemInformation, address_out = 0x77b4fdb0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwQueryInformationProcess, address_out = 0x77b4fad8 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwClose, address_out = 0x77b4f9e0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwFreeVirtualMemory, address_out = 0x77b4fb58 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = RtlInitUnicodeString, address_out = 0x77b5e228 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwAllocateVirtualMemory, address_out = 0x77b4fac0 | | 1 | |
| MOD | LOAD | module_name = KERNEL32.dll, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetCurrentProcess, address_out = 0x763f17d5 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetVersionExA, address_out = 0x763f34d9 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetLastError, address_out = 0x763f11c0 | | 1 | |
| MOD | LOAD | module_name = USER32.dll, base_address = 0x75cf0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = USER32.dll, function = DefWindowProcA, address_out = 0x77b72ad3 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = USER32.dll, function = CreateWindowExA, address_out = 0x75d0d22e | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = USER32.dll, function = DestroyWindow, address_out = 0x75d09a55 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = free, address_out = 0x75c49894 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = free, address_out = 0x75c49894 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = VirtualProtect, address_out = 0x763f4327 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = VirtualAlloc, address_out = 0x763f1822 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = memcpy, address_out = 0x75c49910 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = SetErrorMode, address_out = 0x763f1acc | | 1 | |
| SYS | GET_INFO | type = SYSTEM_MODULE_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_MODULE_INFORMATION | | 1 | |
| PROC | GET_INFO | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c | | 1 | |
| REG | OPEN_KEY | reg_name = \REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ | | 1 | |
| REG | READ_VALUE | reg_name = \REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\, value_name = CSDVersion | | 1 | |
| PROC | OPEN | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c, desired_access = PROCESS_VM_READ | | 1 | |
| PROC | GET_INFO | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c | | 1 | |
| MOD | LOAD | module_name = kernel32.dll, base_address = 0x763e0000 | | 1 | |
| PROC | GET_INFO | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c | | 1 | |
| MOD | LOAD | module_name = gdi32.dll, base_address = 0x769c0000 | | 1 | |
| PROC | GET_INFO | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c | | 1 | |
| MOD | LOAD | module_name = user32.dll, base_address = 0x75cf0000 | | 1 | |
| PROC | GET_INFO | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c | | 1 | |
| MOD | LOAD | module_name = ole32.dll, base_address = 0x758d0000 | | 1 | |
| PROC | GET_INFO | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c | | 1 | |
| MOD | LOAD | module_name = oleacc.dll, base_address = 0x752c0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = SetErrorMode, address_out = 0x763f1acc | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = Secur32.dll, base_address = 0x752b0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = Secur32.dll, function = EncryptMessage, address_out = 0x754e124e | | 1 | |
| NET | ENCRYPT_MSG | | 1 | ||
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = IsBadReadPtr, address_out = 0x7641d065 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = malloc, address_out = 0x75c49cee | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = memcpy, address_out = 0x75c49910 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = memcpy, address_out = 0x75c49910 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = malloc, address_out = 0x75c49cee | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = VirtualAlloc, address_out = 0x763f1822 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = malloc, address_out = 0x75c49cee | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = free, address_out = 0x75c49894 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = LoadLibraryA, address_out = 0x763f499f | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = GetProcAddress, address_out = 0x763f1222 | | 1 | |
| MOD | LOAD | module_name = msvcrt.dll, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = fopen, address_out = 0x75c5b2c4 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = fclose, address_out = 0x75c53d79 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = vfprintf, address_out = 0x75cb7430 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = _vsnprintf, address_out = 0x75c4d1a8 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = memset, address_out = 0x75c49790 | | 1 | |
| MOD | LOAD | module_name = ntdll.dll, base_address = 0x77b30000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwQueryInformationProcess, address_out = 0x77b4fad8 | | 1 | |
| MOD | LOAD | module_name = KERNEL32.dll, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = TerminateProcess, address_out = 0x7640d7d2 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetProcAddress, address_out = 0x763f1222 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = OpenProcess, address_out = 0x763f1952 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = CreateRemoteThread, address_out = 0x764746ab | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = WaitForSingleObject, address_out = 0x763f1136 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = VirtualAllocEx, address_out = 0x7640d980 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = CreateProcessA, address_out = 0x763f1072 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetLastError, address_out = 0x763f11c0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = ExpandEnvironmentStringsA, address_out = 0x7640eb09 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetVersionExA, address_out = 0x763f34d9 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = WriteProcessMemory, address_out = 0x7640d9b0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetCurrentProcessId, address_out = 0x763f11f8 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = CloseHandle, address_out = 0x763f13e0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetModuleHandleA, address_out = 0x763f1245 | | 1 | |
| MOD | LOAD | module_name = ADVAPI32.dll, base_address = 0x76090000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = RegOpenKeyExA, address_out = 0x760a4887 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ADVAPI32.dll, function = RegCloseKey, address_out = 0x760a461d | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = free, address_out = 0x75c49894 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = free, address_out = 0x75c49894 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = VirtualProtect, address_out = 0x763f4327 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = VirtualAlloc, address_out = 0x763f1822 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = memcpy, address_out = 0x75c49910 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = SetErrorMode, address_out = 0x763f1acc | | 1 | |
| PROC | GET_INFO | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c | | 1 | |
| FILE | DELETE | file_name = c:\users\user\appdata\local\temp\vdm.dll | | 1 | |
| REG | OPEN_KEY | reg_name = HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows | | 1 | |
| FILE | CREATE | file_name = c:\users\user\desktop\%systemroot%\$ntuninstallq923283$, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, create_disposition = OPEN_EXISTING, flags = FILE_FLAG_BACKUP_SEMANTICS | | 1 | |
| FILE | CREATE_DIR | file_name = c:\windows\$ntuninstallq923283$ | | 1 | |
| FILE | CREATE | file_name = c:\windows\$ntuninstallq923283$\fdisk.sys, desired_access = GENERIC_WRITE, create_disposition = CREATE_ALWAYS, flags = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | WRITE | file_name = c:\windows\$ntuninstallq923283$\fdisk.sys, size = 606720 | | 1 | |
| PROC | OPEN | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c, desired_access = PROCESS_VM_READ | | 1 | |
| PROC | GET_INFO | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c | | 1 | |
| MOD | LOAD | module_name = kernel32.dll, base_address = 0x763e0000 | | 1 | |
| PROC | GET_INFO | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c | | 1 | |
| MOD | LOAD | module_name = gdi32.dll, base_address = 0x769c0000 | | 1 | |
| PROC | GET_INFO | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c | | 1 | |
| MOD | LOAD | module_name = user32.dll, base_address = 0x75cf0000 | | 1 | |
| PROC | GET_INFO | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c | | 1 | |
| MOD | LOAD | module_name = ole32.dll, base_address = 0x758d0000 | | 1 | |
| PROC | GET_INFO | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c | | 1 | |
| MOD | LOAD | module_name = oleacc.dll, base_address = 0x752c0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = SetErrorMode, address_out = 0x763f1acc | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = Secur32.dll, base_address = 0x752b0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = Secur32.dll, function = EncryptMessage, address_out = 0x754e124e | | 1 | |
| NET | ENCRYPT_MSG | | 1 | ||
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = IsBadReadPtr, address_out = 0x7641d065 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = malloc, address_out = 0x75c49cee | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = memcpy, address_out = 0x75c49910 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = memcpy, address_out = 0x75c49910 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = malloc, address_out = 0x75c49cee | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = VirtualAlloc, address_out = 0x763f1822 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = malloc, address_out = 0x75c49cee | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = free, address_out = 0x75c49894 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = LoadLibraryA, address_out = 0x763f499f | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = GetProcAddress, address_out = 0x763f1222 | | 1 | |
| MOD | LOAD | module_name = KERNEL32.dll, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetExitCodeProcess, address_out = 0x76401715 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = CreateProcessA, address_out = 0x763f1072 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetLastError, address_out = 0x763f11c0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = CloseHandle, address_out = 0x763f13e0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = WaitForSingleObject, address_out = 0x763f1136 | | 1 | |
| MOD | LOAD | module_name = msvcrt.dll, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = memset, address_out = 0x75c49790 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = free, address_out = 0x75c49894 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = free, address_out = 0x75c49894 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = VirtualProtect, address_out = 0x763f4327 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = VirtualAlloc, address_out = 0x763f1822 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = memcpy, address_out = 0x75c49910 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = SetErrorMode, address_out = 0x763f1acc | | 1 | |
| FILE | CREATE | file_name = c:\windows\$ntuninstallq923283$\usbehub.sys, desired_access = GENERIC_WRITE, create_disposition = CREATE_ALWAYS, flags = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | WRITE | file_name = c:\windows\$ntuninstallq923283$\usbehub.sys, size = 68288 | | 1 | |
| FILE | CREATE | file_name = c:\windows\$ntuninstallq923283$\pxinsi64.exe, desired_access = GENERIC_WRITE, create_disposition = CREATE_ALWAYS, flags = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | WRITE | file_name = c:\windows\$ntuninstallq923283$\pxinsi64.exe, size = 8192 | | 1 | |
| MOD | GET_HANDLE | module_name = ntdll.dll | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = RtlInitUnicodeString, address_out = 0x77b5e228 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwLoadDriver, address_out = 0x77b50df4 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwUnloadDriver, address_out = 0x77b51e58 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwQuerySystemInformation, address_out = 0x77b4fdb0 | | 1 | |
| PROC | OPEN_TOKEN | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE | | 1 | |
| USER | LOOKUP_PRIVILEGE | server_name = Localhost, privilege = SeLoadDriverPrivilege | | 1 | |
| USER | SET_PRIVILEGE | server_name = Localhost, process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeLoadDriverPrivilege | | 1 | |
| REG | CREATE_KEY | reg_name = HKEY_CLASSES_ROOT\usbehub | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\usbehub, value_name = Type, data = 1 | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\usbehub, value_name = Start, data = 1 | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\usbehub, value_name = ErrorControl, data = 0 | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\usbehub, value_name = Group, data = Base | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\usbehub, value_name = DisplayName, data = usbehub | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\usbehub, value_name = ImagePath, data = \SystemRoot\$NtUninstallQ923283$\usbehub.sys | | 1 | |
| REG | CREATE_KEY | reg_name = HKEY_CLASSES_ROOT\usbehub\Enum | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\usbehub\Enum, value_name = Count, data = 1 | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\usbehub\Enum, value_name = NextInstance, data = 1 | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\usbehub\Enum, value_name = 0, data = Root\LEGACY_NULL\0000 | | 1 | |
| DRV | LOAD | driver_name = \Registry\Machine\Software\Classes\usbehub | | 1 | |
| REG | CREATE_KEY | reg_name = HKEY_CLASSES_ROOT\usbehub | | 1 | |
| REG | DELETE_KEY | reg_name = HKEY_CLASSES_ROOT\usbehub\Enum | | 1 | |
| REG | DELETE_KEY | reg_name = HKEY_CLASSES_ROOT\usbehub | | 1 | |
| PROC | CREATE | process_name = C:\Windows\$NtUninstallQ923283$\pxinsi64.exe, os_tid = 0x824, os_pid = 0x4cc, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE | | 1 | |
| MOD | GET_HANDLE | module_name = ntdll.dll | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = RtlInitUnicodeString, address_out = 0x77b5e228 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwLoadDriver, address_out = 0x77b50df4 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwUnloadDriver, address_out = 0x77b51e58 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwQuerySystemInformation, address_out = 0x77b4fdb0 | | 1 | |
| PROC | OPEN_TOKEN | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE | | 1 | |
| USER | LOOKUP_PRIVILEGE | server_name = Localhost, privilege = SeLoadDriverPrivilege | | 1 | |
| USER | SET_PRIVILEGE | server_name = Localhost, process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeLoadDriverPrivilege | | 1 | |
| REG | CREATE_KEY | reg_name = HKEY_CLASSES_ROOT\usbehub | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\usbehub, value_name = Type, data = 1 | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\usbehub, value_name = Start, data = 1 | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\usbehub, value_name = ErrorControl, data = 0 | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\usbehub, value_name = Group, data = Base | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\usbehub, value_name = DisplayName, data = usbehub | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\usbehub, value_name = ImagePath, data = \SystemRoot\$NtUninstallQ923283$\usbehub.sys | | 1 | |
| REG | CREATE_KEY | reg_name = HKEY_CLASSES_ROOT\usbehub\Enum | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\usbehub\Enum, value_name = Count, data = 1 | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\usbehub\Enum, value_name = NextInstance, data = 1 | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\usbehub\Enum, value_name = 0, data = Root\LEGACY_NULL\0000 | | 1 | |
| DRV | UNLOAD | driver_name = \Registry\Machine\Software\Classes\usbehub | | 1 | |
| REG | CREATE_KEY | reg_name = HKEY_CLASSES_ROOT\usbehub | | 1 | |
| REG | DELETE_KEY | reg_name = HKEY_CLASSES_ROOT\usbehub\Enum | | 1 | |
| REG | DELETE_KEY | reg_name = HKEY_CLASSES_ROOT\usbehub | | 1 | |
| FILE | DELETE | file_name = c:\windows\$ntuninstallq923283$\pxinsi64.exe | | 1 | |
| FILE | DELETE | file_name = c:\windows\$ntuninstallq923283$\usbehub.sys | | 1 | |
| MOD | GET_HANDLE | module_name = ntdll.dll | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = RtlInitUnicodeString, address_out = 0x77b5e228 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwLoadDriver, address_out = 0x77b50df4 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwUnloadDriver, address_out = 0x77b51e58 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwQuerySystemInformation, address_out = 0x77b4fdb0 | | 1 | |
| PROC | OPEN_TOKEN | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE | | 1 | |
| USER | LOOKUP_PRIVILEGE | server_name = Localhost, privilege = SeLoadDriverPrivilege | | 1 | |
| USER | SET_PRIVILEGE | server_name = Localhost, process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeLoadDriverPrivilege | | 1 | |
| REG | CREATE_KEY | reg_name = HKEY_CLASSES_ROOT\Ultra3 | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\Ultra3, value_name = Type, data = 1 | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\Ultra3, value_name = Start, data = 1 | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\Ultra3, value_name = ErrorControl, data = 0 | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\Ultra3, value_name = Group, data = Streams Drivers | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\Ultra3, value_name = DisplayName, data = Ultra3 | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\Ultra3, value_name = ImagePath, data = \SystemRoot\$NtUninstallQ923283$\fdisk.sys | | 1 | |
| REG | CREATE_KEY | reg_name = HKEY_CLASSES_ROOT\Ultra3\Enum | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\Ultra3\Enum, value_name = Count, data = 1 | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\Ultra3\Enum, value_name = NextInstance, data = 1 | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CLASSES_ROOT\Ultra3\Enum, value_name = 0, data = Root\LEGACY_NULL\0000 | | 1 | |
| DRV | LOAD | driver_name = \Registry\Machine\Software\Classes\Ultra3 | | 1 | |
| REG | CREATE_KEY | reg_name = HKEY_CLASSES_ROOT\Ultra3 | | 1 | |
| REG | DELETE_KEY | reg_name = HKEY_CLASSES_ROOT\Ultra3\Enum | | 1 | |
| REG | DELETE_KEY | reg_name = HKEY_CLASSES_ROOT\Ultra3 | | 1 | |
| FILE | CREATE | file_name = par1\, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, create_disposition = OPEN_EXISTING, flags = FILE_FLAG_BACKUP_SEMANTICS | | 1 | |
| FILE | CREATE | file_name = par1\system, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, create_disposition = OPEN_EXISTING | | 1 | |
| PROC | OPEN | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c, desired_access = PROCESS_VM_READ | | 1 | |
| PROC | GET_INFO | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c | | 1 | |
| MOD | LOAD | module_name = kernel32.dll, base_address = 0x763e0000 | | 1 | |
| PROC | GET_INFO | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c | | 1 | |
| MOD | LOAD | module_name = gdi32.dll, base_address = 0x769c0000 | | 1 | |
| PROC | GET_INFO | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c | | 1 | |
| MOD | LOAD | module_name = user32.dll, base_address = 0x75cf0000 | | 1 | |
| PROC | GET_INFO | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c | | 1 | |
| MOD | LOAD | module_name = ole32.dll, base_address = 0x758d0000 | | 1 | |
| PROC | GET_INFO | process_name = c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe, os_pid = 0xb0c | | 1 | |
| MOD | LOAD | module_name = oleacc.dll, base_address = 0x752c0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = SetErrorMode, address_out = 0x763f1acc | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = Secur32.dll, base_address = 0x752b0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = Secur32.dll, function = EncryptMessage, address_out = 0x754e124e | | 1 | |
| NET | ENCRYPT_MSG | | 1 | ||
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = IsBadReadPtr, address_out = 0x7641d065 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = malloc, address_out = 0x75c49cee | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = memcpy, address_out = 0x75c49910 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = memcpy, address_out = 0x75c49910 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = malloc, address_out = 0x75c49cee | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = VirtualAlloc, address_out = 0x763f1822 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = malloc, address_out = 0x75c49cee | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = free, address_out = 0x75c49894 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = LoadLibraryA, address_out = 0x763f499f | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = GetProcAddress, address_out = 0x763f1222 | | 1 | |
| MOD | LOAD | module_name = msvcrt.dll, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = _errno, address_out = 0x75c4a5b8 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = strtol, address_out = 0x75c6e8f0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = rand, address_out = 0x75c4c070 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = srand, address_out = 0x75c4f757 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = realloc, address_out = 0x75c4b10d | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = strtoul, address_out = 0x75c5012e | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = _time64, address_out = 0x75c7031d | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = strchr, address_out = 0x75c4dbeb | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = _strdup, address_out = 0x75c647ad | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = setlocale, address_out = 0x75c55286 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = fflush, address_out = 0x75c54142 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = mbtowc, address_out = 0x75c4acdf | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = fprintf, address_out = 0x75c53e00 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = strncpy, address_out = 0x75c508a9 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = _initterm, address_out = 0x75c4c151 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = _adjust_fdiv, address_out = 0x75ce32ec | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = memset, address_out = 0x75c49790 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = memcpy, address_out = 0x75c49910 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = __iob_func, address_out = 0x75c4c0f6 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = strerror, address_out = 0x75c67a18 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = malloc, address_out = 0x75c49cee | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = calloc, address_out = 0x75c4c456 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = free, address_out = 0x75c49894 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = memmove, address_out = 0x75c49e5a | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt.dll, function = _except_handler3, address_out = 0x75c6d770 | | 1 | |
| MOD | LOAD | module_name = ntdll.dll, base_address = 0x77b30000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwOpenFile, address_out = 0x77b4fd64 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwClose, address_out = 0x77b4f9e0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = RtlInitUnicodeString, address_out = 0x77b5e228 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwReadFile, address_out = 0x77b4f8f0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = ntdll.dll, function = ZwWriteFile, address_out = 0x77b4f928 | | 1 | |
| MOD | LOAD | module_name = KERNEL32.dll, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = FlushFileBuffers, address_out = 0x763f4663 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = GetLastError, address_out = 0x763f11c0 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = VirtualAlloc, address_out = 0x763f1822 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = DeviceIoControl, address_out = 0x763f31ef | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = Sleep, address_out = 0x763f10ff | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = KERNEL32.dll, function = VirtualFree, address_out = 0x763f183a | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = free, address_out = 0x75c49894 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = free, address_out = 0x75c49894 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = VirtualProtect, address_out = 0x763f4327 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = VirtualAlloc, address_out = 0x763f1822 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = msvcrt, base_address = 0x75c40000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = msvcrt, function = memcpy, address_out = 0x75c49910 | | 1 | |
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = SetErrorMode, address_out = 0x763f1acc | | 1 | |
| FILE | OPEN | file_name = par1, desired_access = SYNCHRONIZE, GENERIC_WRITE, GENERIC_READ, open_options = FILE_WRITE_THROUGH, FILE_NO_INTERMEDIATE_BUFFERING, FILE_SYNCHRONOUS_IO_NONALERT | | 1 | |
| DRV | CONTROL | file_name = par1, control_code = 0x7405c | | 1 | |
| FILE | READ | file_name = par1, size = 4096 | | 1 | |
| FILE | WRITE | file_name = par1, size = 4096, offset = 52444672 | | 1 | |
| FILE | READ | file_name = par1, size = 16384 | | 1 | |
| FILE | WRITE | file_name = par1, size = 16384, offset = 16384 | | 1 | |
| FILE | READ | file_name = par1, size = 512 | | 1 | |
| FILE | WRITE | file_name = par1, size = 512, offset = 8192 | | 1 | |
| FILE | READ | file_name = par1, size = 512 | | 1 | |
| FILE | WRITE | file_name = par1, size = 512, offset = 8192 | | 1 | |
| FILE | READ | file_name = par1, size = 4096 | | 1 | |
| FILE | WRITE | file_name = par1, size = 4096, offset = 209714688 | | 1 | |
| FILE | READ | file_name = par1, size = 4193792 | | 1 | |
| FILE | WRITE | file_name = par1, size = 4193792, offset = 209718784 | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = IsBadReadPtr, address_out = 0x7641d065 | | 1 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| MOD | GET_PROC_ADDRESS | function = LoadLibraryExA, address_out = 0x766e2cd9 | | 1 | |
| MOD | LOAD | module_name = kernel32, base_address = 0x763e0000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = kernel32, function = IsBadReadPtr, address_out = 0x7641d065 | | 1 |
| Information | Value |
|---|---|
| ID / OS PID | #2 / 0x4 |
| OS Parent PID | 0xffffffffffffffff (Unknown) |
| Initial Working Directory | |
| File Name | System |
| Command Line | |
| Monitor | Start Time: 00:02:04, Reason: Created Daemon |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #9 0x9C8 #10 0x930 #11 0x9CC #12 0x99C #13 0x9F4 #14 0x9D0 #15 0x9BC #16 0x9A8 #17 0x9B8 #18 0x9B0 #19 0x94 #20 0x2F0 #21 0x488 #22 0xB4 #23 0x60 #24 0xB8 #25 0x7C #26 0xAC #27 0x6A4 #28 0xDC #29 0x32C #30 0x50 #31 0x2F8 #32 0x3C8 #33 0x3F8 #34 0x18 #35 0x1C #36 0x654 #37 0x644 #38 0x63C #39 0x630 #40 0x624 #41 0x614 #42 0x578 #43 0x510 #44 0x50C #45 0x4AC #46 0x454 #47 0x3B0 #48 0xF4 #49 0x3CC #50 0x24 #51 0x68 #52 0x20 #53 0x26C #54 0x2D0 #55 0x74 #56 0x90 #57 0x78 #58 0x8C #59 0x88 #60 0x84 #61 0x80 #62 0x11C #63 0x10C #64 0x5C #65 0xE4 #66 0x4C #67 0x19C #68 0x34 #69 0x144 #70 0x140 #71 0x13C #72 0x138 #73 0xA0 #74 0x110 #75 0x114 #76 0x118 #77 0x108 #78 0x38 #79 0x3C #80 0x2C #81 0x48 #82 0x104 #83 0x28 #84 0x30 #85 0xA8 #86 0xBC #87 0x44 #88 0x8 #89 0x0 #459 0x820 #460 0x97C #461 0x2F0 #462 0x1FC #463 0x1C8 #464 0x1A8 #467 0x784 #468 0x9A0 #470 0x3E4 #473 0x978 #476 0x970 #516 0xA18 #518 0xA14 #519 0x95C |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x00032fff | Pagefile Backed File | Readable, Writable | |  |
| pagefile_0x0000000000040000 | 0x00040000 | 0x0005ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000060000 | 0x00060000 | 0x0007ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00080fff | Pagefile Backed File | Readable, Writable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77b30000 | 0x77caffff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| pagefile_0x000007fffaad0000 | 0x7fffaad0000 | 0x7fffaafffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x000007fffafd0000 | 0x7fffafd0000 | 0x7fffaffffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x000007fffb4d0000 | 0x7fffb4d0000 | 0x7fffb4fffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x000007fffb9d0000 | 0x7fffb9d0000 | 0x7fffb9fffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x000007fffbed0000 | 0x7fffbed0000 | 0x7fffbefffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x000007fffc3d0000 | 0x7fffc3d0000 | 0x7fffc3fffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x000007fffc8d0000 | 0x7fffc8d0000 | 0x7fffc8fffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x000007fffcdd0000 | 0x7fffcdd0000 | 0x7fffcdfffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x000007fffd2d0000 | 0x7fffd2d0000 | 0x7fffd2fffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x000007fffd7d0000 | 0x7fffd7d0000 | 0x7fffd7fffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x000007fffdcd0000 | 0x7fffdcd0000 | 0x7fffdcfffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x000007fffe1d0000 | 0x7fffe1d0000 | 0x7fffe1fffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x000007fffe6d0000 | 0x7fffe6d0000 | 0x7fffe6fffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x000007fffebd0000 | 0x7fffebd0000 | 0x7fffebfffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x000007ffff0d0000 | 0x7ffff0d0000 | 0x7ffff0fffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x000007ffff5d0000 | 0x7ffff5d0000 | 0x7ffff5fffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x000007ffffad0000 | 0x7ffffad0000 | 0x7ffffafffff | Pagefile Backed File | Readable, Writable | | |
| Information | Value |
|---|---|
| ID / OS PID | #4 / 0x130 |
| OS Parent PID | 0xffffffffffffffff (Unknown) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\system32\csrss.exe |
| Command Line | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #94 0x1E4 #95 0x1CC #96 0x1A4 #97 0x1A0 #98 0x174 #99 0x154 #100 0x150 #101 0x14C #102 0x148 #103 0x134 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| locale.nls | 0x00010000 | 0x00076fff | Memory Mapped File | Readable | | |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00086fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00091fff | Pagefile Backed File | Readable, Writable | | |
| private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Private Memory | Readable, Writable | | |
| vgasys.fon | 0x000b0000 | 0x000b1fff | Memory Mapped File | Readable | | |
| private_0x00000000000c0000 | 0x000c0000 | 0x000fffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000100000 | 0x00100000 | 0x0010ffff | Pagefile Backed File | Readable, Writable | | |
| marlett.ttf | 0x00110000 | 0x00116fff | Memory Mapped File | Readable | | |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00137fff | Pagefile Backed File | Readable | | |
| private_0x0000000000140000 | 0x00140000 | 0x0023ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000240000 | 0x00240000 | 0x00240fff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000250000 | 0x00250000 | 0x0027ffff | Pagefile Backed File | Readable | | |
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000390000 | 0x00390000 | 0x00510fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000520000 | 0x00520000 | 0x0080bfff | Pagefile Backed File | Readable | | |
| private_0x0000000000810000 | 0x00810000 | 0x0084ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000850000 | 0x00850000 | 0x0085ffff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000860000 | 0x00860000 | 0x0089ffff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x008affff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x008bffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x008cffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x008dffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x008effff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x008f1fff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000900000 | 0x00900000 | 0x0093ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000940000 | 0x00940000 | 0x0094ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000950000 | 0x00950000 | 0x0095ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000960000 | 0x00960000 | 0x0096ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000970000 | 0x00970000 | 0x0097ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000980000 | 0x00980000 | 0x0098ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000990000 | 0x00990000 | 0x0099ffff | Pagefile Backed File | Readable, Writable | | |
| private_0x00000000009a0000 | 0x009a0000 | 0x009dffff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000009e0000 | 0x009e0000 | 0x009effff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x009fffff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a3ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x00bc7fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000bd0000 | 0x00bd0000 | 0x00bdffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000be0000 | 0x00be0000 | 0x00beffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000bf0000 | 0x00bf0000 | 0x00bfffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000c00000 | 0x00c00000 | 0x00c0ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000c10000 | 0x00c10000 | 0x00c1ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000c20000 | 0x00c20000 | 0x00c2ffff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000c30000 | 0x00c30000 | 0x00c6ffff | Private Memory | Readable, Writable | | |
| segoeui.ttf | 0x00c70000 | 0x00ceefff | Memory Mapped File | Readable | | |
| pagefile_0x0000000000cf0000 | 0x00cf0000 | 0x020effff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000020f0000 | 0x020f0000 | 0x020fffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000002100000 | 0x02100000 | 0x0210ffff | Pagefile Backed File | Readable, Writable | | |
| vgaoem.fon | 0x02130000 | 0x02131fff | Memory Mapped File | Readable | | |
| dosapp.fon | 0x02140000 | 0x02148fff | Memory Mapped File | Readable | | |
| cga40woa.fon | 0x02150000 | 0x02151fff | Memory Mapped File | Readable | | |
| cga80woa.fon | 0x02160000 | 0x02161fff | Memory Mapped File | Readable | | |
| ega40woa.fon | 0x02170000 | 0x02172fff | Memory Mapped File | Readable | | |
| private_0x0000000002190000 | 0x02190000 | 0x021cffff | Private Memory | Readable, Writable | | |
| private_0x00000000021d0000 | 0x021d0000 | 0x0220ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000002210000 | 0x02210000 | 0x022cffff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000022d0000 | 0x022d0000 | 0x0238ffff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000002390000 | 0x02390000 | 0x0244ffff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000002450000 | 0x02450000 | 0x0250ffff | Pagefile Backed File | Readable | | |
| csrss.exe | 0x4a350000 | 0x4a355fff | Memory Mapped File | Readable, Writable, Executable | | |
| user32.dll | 0x77730000 | 0x77829fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x77830000 | 0x7794efff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable, Writable | | |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| cryptbase.dll | 0x7fefd570000 | 0x7fefd57efff | Memory Mapped File | Readable, Writable, Executable | | |
| sxs.dll | 0x7fefd580000 | 0x7fefd610fff | Memory Mapped File | Readable, Writable, Executable | | |
| sxssrv.dll | 0x7fefd680000 | 0x7fefd68bfff | Memory Mapped File | Readable, Writable, Executable | | |
| winsrv.dll | 0x7fefd690000 | 0x7fefd6c7fff | Memory Mapped File | Readable, Writable, Executable | | |
| basesrv.dll | 0x7fefd6d0000 | 0x7fefd6e0fff | Memory Mapped File | Readable, Writable, Executable | | |
| csrsrv.dll | 0x7fefd6f0000 | 0x7fefd702fff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x7fefda30000 | 0x7fefda9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7fefdaf0000 | 0x7fefdbcafff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7fefea70000 | 0x7fefeb9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7feff2a0000 | 0x7feff2befff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x7feff4e0000 | 0x7feff5a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7feff9d0000 | 0x7feffa36fff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x7feffa40000 | 0x7feffa4dfff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x7feffb40000 | 0x7feffbdefff | Memory Mapped File | Readable, Writable, Executable | | |
| apisetschema.dll | 0x7feffc70000 | 0x7feffc70fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x000007fffffaa000 | 0x7fffffaa000 | 0x7fffffabfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | Readable, Writable | | |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed File | Readable | | |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | Readable, Writable | | |
| Information | Value |
|---|---|
| ID / OS PID | #6 / 0x16c |
| OS Parent PID | 0xffffffffffffffff (Unknown) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\system32\csrss.exe |
| Command Line | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #108 0x1B4 #109 0x1B0 #110 0x194 #111 0x184 #112 0x180 #113 0x17C #114 0x178 #115 0x170 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x00016fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00021fff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000040000 | 0x00040000 | 0x0004ffff | Pagefile Backed File | Readable, Writable | | |
| marlett.ttf | 0x00050000 | 0x00056fff | Memory Mapped File | Readable | | |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00077fff | Pagefile Backed File | Readable | | |
| locale.nls | 0x00080000 | 0x000e6fff | Memory Mapped File | Readable | | |
| private_0x00000000000f0000 | 0x000f0000 | 0x001effff | Private Memory | Readable, Writable | | |
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000002f0000 | 0x002f0000 | 0x00470fff | Pagefile Backed File | Readable | | |
| vgasys.fon | 0x00480000 | 0x00481fff | Memory Mapped File | Readable | | |
| private_0x0000000000490000 | 0x00490000 | 0x0049ffff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x0078bfff | Pagefile Backed File | Readable | | |
| private_0x0000000000790000 | 0x00790000 | 0x00790fff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x007a1fff | Pagefile Backed File | Readable, Writable | | |
| private_0x00000000007c0000 | 0x007c0000 | 0x007fffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000800000 | 0x00800000 | 0x0082ffff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000830000 | 0x00830000 | 0x0083ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000840000 | 0x00840000 | 0x0084ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000850000 | 0x00850000 | 0x0085ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000860000 | 0x00860000 | 0x0086ffff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000870000 | 0x00870000 | 0x008affff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x008bffff | Pagefile Backed File | Readable, Writable | | |
| private_0x00000000008d0000 | 0x008d0000 | 0x0090ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000910000 | 0x00910000 | 0x0094ffff | Private Memory | Readable, Writable | | |
| vgaoem.fon | 0x00950000 | 0x00951fff | Memory Mapped File | Readable | | |
| private_0x0000000000960000 | 0x00960000 | 0x0099ffff | Private Memory | Readable, Writable | | |
| segoeui.ttf | 0x009a0000 | 0x00a1efff | Memory Mapped File | Readable | | |
| segoeuii.ttf | 0x00a20000 | 0x00a7efff | Memory Mapped File | Readable | | |
| private_0x0000000000a80000 | 0x00a80000 | 0x00abffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x00c47fff | Pagefile Backed File | Readable | | |
| dosapp.fon | 0x00c50000 | 0x00c58fff | Memory Mapped File | Readable | | |
| private_0x0000000000c60000 | 0x00c60000 | 0x00c9ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000ca0000 | 0x00ca0000 | 0x0209ffff | Pagefile Backed File | Readable | | |
| micross.ttf | 0x020a0000 | 0x0213ffff | Memory Mapped File | Readable | | |
| cga40woa.fon | 0x02140000 | 0x02141fff | Memory Mapped File | Readable | | |
| cga80woa.fon | 0x02150000 | 0x02151fff | Memory Mapped File | Readable | | |
| ega40woa.fon | 0x02160000 | 0x02162fff | Memory Mapped File | Readable | | |
| pagefile_0x0000000002170000 | 0x02170000 | 0x0217ffff | Pagefile Backed File | Readable, Writable | | |
| segoeuib.ttf | 0x021e0000 | 0x02259fff | Memory Mapped File | Readable | | |
| csrss.exe | 0x4a350000 | 0x4a355fff | Memory Mapped File | Readable, Writable, Executable | | |
| user32.dll | 0x77730000 | 0x77829fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x77830000 | 0x7794efff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable, Writable | | |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| cryptbase.dll | 0x7fefd570000 | 0x7fefd57efff | Memory Mapped File | Readable, Writable, Executable | | |
| sxs.dll | 0x7fefd580000 | 0x7fefd610fff | Memory Mapped File | Readable, Writable, Executable | | |
| sxssrv.dll | 0x7fefd680000 | 0x7fefd68bfff | Memory Mapped File | Readable, Writable, Executable | | |
| winsrv.dll | 0x7fefd690000 | 0x7fefd6c7fff | Memory Mapped File | Readable, Writable, Executable | | |
| basesrv.dll | 0x7fefd6d0000 | 0x7fefd6e0fff | Memory Mapped File | Readable, Writable, Executable | | |
| csrsrv.dll | 0x7fefd6f0000 | 0x7fefd702fff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x7fefda30000 | 0x7fefda9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7fefdaf0000 | 0x7fefdbcafff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7fefea70000 | 0x7fefeb9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7feff2a0000 | 0x7feff2befff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x7feff4e0000 | 0x7feff5a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7feff9d0000 | 0x7feffa36fff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x7feffa40000 | 0x7feffa4dfff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x7feffb40000 | 0x7feffbdefff | Memory Mapped File | Readable, Writable, Executable | | |
| apisetschema.dll | 0x7feffc70000 | 0x7feffc70fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | Readable, Writable | | |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed File | Readable | | |
| private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd4fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | Readable, Writable | | |
| Information | Value |
|---|---|
| ID / OS PID | #7 / 0x188 |
| OS Parent PID | 0xffffffffffffffff (Unknown) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\system32\winlogon.exe |
| Command Line | winlogon.exe |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #116 0xAC0 #117 0x340 #118 0x2E4 #119 0x2C8 #120 0x1AC #121 0x18C |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed File | Readable, Writable | | |
| locale.nls | 0x00020000 | 0x00086fff | Memory Mapped File | Readable | | |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00096fff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a1fff | Pagefile Backed File | Readable, Writable | | |
| private_0x00000000000b0000 | 0x000b0000 | 0x000b0fff | Private Memory | Readable, Writable | | |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000fffff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000100000 | 0x00100000 | 0x0010ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000110000 | 0x00110000 | 0x0011ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000120000 | 0x00120000 | 0x0012ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00147fff | Pagefile Backed File | Readable | | |
| private_0x0000000000160000 | 0x00160000 | 0x0016ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | Readable, Writable | | |
| private_0x0000000000190000 | 0x00190000 | 0x0020ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000210000 | 0x00210000 | 0x0028ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000450000 | 0x00450000 | 0x0054ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000550000 | 0x00550000 | 0x006d7fff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x00860fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000870000 | 0x00870000 | 0x00b5bfff | Pagefile Backed File | Readable | | |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00c4ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00d1ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d9ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000db0000 | 0x00db0000 | 0x00e2ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000ec0000 | 0x00ec0000 | 0x00f3ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000f40000 | 0x00f40000 | 0x00fbffff | Private Memory | Readable, Writable | | |
| private_0x0000000000fe0000 | 0x00fe0000 | 0x0105ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001180000 | 0x01180000 | 0x011fffff | Private Memory | Readable, Writable | | |
| private_0x0000000001200000 | 0x01200000 | 0x012fffff | Private Memory | Readable, Writable | | |
| private_0x0000000001380000 | 0x01380000 | 0x013fffff | Private Memory | Readable, Writable | | |
| private_0x0000000001400000 | 0x01400000 | 0x014fffff | Private Memory | Readable, Writable | | |
| private_0x0000000001560000 | 0x01560000 | 0x015dffff | Private Memory | Readable, Writable | | |
| SortDefault.nls | 0x015e0000 | 0x018aefff | Memory Mapped File | Readable | | |
| pagefile_0x00000000018b0000 | 0x018b0000 | 0x02caffff | Pagefile Backed File | Readable | | |
| private_0x0000000002d10000 | 0x02d10000 | 0x02d8ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002d90000 | 0x02d90000 | 0x02e0ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002ea0000 | 0x02ea0000 | 0x02f1ffff | Private Memory | Readable, Writable | | |
| user32.dll | 0x77730000 | 0x77829fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x77830000 | 0x7794efff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| winlogon.exe | 0xff470000 | 0xff4e1fff | Memory Mapped File | Readable, Writable, Executable | | |
| mpr.dll | 0x7fefa8d0000 | 0x7fefa8e7fff | Memory Mapped File | Readable, Writable, Executable | | |
| UXInit.dll | 0x7fefad20000 | 0x7fefad29fff | Memory Mapped File | Readable, Writable, Executable | | |
| slc.dll | 0x7fefb030000 | 0x7fefb03afff | Memory Mapped File | Readable, Writable, Executable | | |
| wkscli.dll | 0x7fefb820000 | 0x7fefb834fff | Memory Mapped File | Readable, Writable, Executable | | |
| netutils.dll | 0x7fefb840000 | 0x7fefb84bfff | Memory Mapped File | Readable, Writable, Executable | | |
| WindowsCodecs.dll | 0x7fefb980000 | 0x7fefbae0fff | Memory Mapped File | Readable, Writable, Executable | | |
| uxtheme.dll | 0x7fefbf90000 | 0x7fefbfe5fff | Memory Mapped File | Readable, Writable, Executable | | |
| rsaenh.dll | 0x7fefcc10000 | 0x7fefcc56fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptsp.dll | 0x7fefcf10000 | 0x7fefcf26fff | Memory Mapped File | Readable, Writable, Executable | | |
| netjoin.dll | 0x7fefd020000 | 0x7fefd051fff | Memory Mapped File | Readable, Writable, Executable | | |
| sspicli.dll | 0x7fefd4e0000 | 0x7fefd504fff | Memory Mapped File | Readable, Writable, Executable | | |
| apphelp.dll | 0x7fefd510000 | 0x7fefd566fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptbase.dll | 0x7fefd570000 | 0x7fefd57efff | Memory Mapped File | Readable, Writable, Executable | | |
| winsta.dll | 0x7fefd620000 | 0x7fefd65cfff | Memory Mapped File | Readable, Writable, Executable | | |
| RpcRtRemote.dll | 0x7fefd660000 | 0x7fefd673fff | Memory Mapped File | Readable, Writable, Executable | | |
| profapi.dll | 0x7fefd720000 | 0x7fefd72efff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x7fefda30000 | 0x7fefda9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7fefdaf0000 | 0x7fefdbcafff | Memory Mapped File | Readable, Writable, Executable | | |
| msctf.dll | 0x7fefdbd0000 | 0x7fefdcd8fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7fefea70000 | 0x7fefeb9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7feff2a0000 | 0x7feff2befff | Memory Mapped File | Readable, Writable, Executable | | |
| imm32.dll | 0x7feff2c0000 | 0x7feff2edfff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x7feff4e0000 | 0x7feff5a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| ole32.dll | 0x7feff6e0000 | 0x7feff8e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7feff9d0000 | 0x7feffa36fff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x7feffa40000 | 0x7feffa4dfff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x7feffb40000 | 0x7feffbdefff | Memory Mapped File | Readable, Writable, Executable | | |
| apisetschema.dll | 0x7feffc70000 | 0x7feffc70fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | Readable, Writable | | |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed File | Readable | | |
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffdcfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | Readable, Writable | | |
| Information | Value |
|---|---|
| ID / OS PID | #8 / 0x1c0 |
| OS Parent PID | 0x160 (c:\windows\system32\wininit.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\system32\services.exe |
| Command Line | C:\Windows\system32\services.exe |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #122 0x894 #123 0xBF4 #124 0x844 #125 0x670 #126 0x464 #127 0x2D0 #128 0x120 #129 0x268 #130 0x230 #131 0x218 #478 0x968 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed File | Readable | | |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable | | |
| locale.nls | 0x00060000 | 0x000c6fff | Memory Mapped File | Readable | | |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed File | Readable, Writable | | |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | Readable, Writable | | |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable | | |
| private_0x0000000000110000 | 0x00110000 | 0x00110fff | Private Memory | Readable, Writable | | |
| private_0x0000000000120000 | 0x00120000 | 0x00120fff | Private Memory | Readable, Writable | | |
| private_0x0000000000140000 | 0x00140000 | 0x0017ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000180000 | 0x00180000 | 0x0018ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000290000 | 0x00290000 | 0x0034ffff | Pagefile Backed File | Readable | | |
| private_0x0000000000380000 | 0x00380000 | 0x0047ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000580000 | 0x00580000 | 0x00707fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000710000 | 0x00710000 | 0x00890fff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x00b8bfff | Pagefile Backed File | Readable | | |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00c3ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000c40000 | 0x00c40000 | 0x00cbffff | Private Memory | Readable, Writable | | |
| private_0x0000000000da0000 | 0x00da0000 | 0x00e1ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000ea0000 | 0x00ea0000 | 0x00f1ffff | Private Memory | Readable, Writable | | |
| private_0x00000000010f0000 | 0x010f0000 | 0x0116ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001180000 | 0x01180000 | 0x011fffff | Private Memory | Readable, Writable | | |
| private_0x0000000001280000 | 0x01280000 | 0x012fffff | Private Memory | Readable, Writable | | |
| private_0x0000000001410000 | 0x01410000 | 0x0148ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001490000 | 0x01490000 | 0x0158ffff | Private Memory | Readable, Writable | | |
| private_0x00000000015a0000 | 0x015a0000 | 0x0161ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001620000 | 0x01620000 | 0x0171ffff | Private Memory | Readable, Writable | | |
| SortDefault.nls | 0x017f0000 | 0x01abefff | Memory Mapped File | Readable | | |
| private_0x0000000001ac0000 | 0x01ac0000 | 0x01cbffff | Private Memory | Readable, Writable | | |
| private_0x0000000001d10000 | 0x01d10000 | 0x01d8ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002390000 | 0x02390000 | 0x0240ffff | Private Memory | Readable, Writable | | |
| user32.dll | 0x77730000 | 0x77829fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x77830000 | 0x7794efff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| services.exe | 0xffc80000 | 0xffcd2fff | Memory Mapped File | Readable, Writable, Executable | | |
| wtsapi32.dll | 0x7fefbaf0000 | 0x7fefbb00fff | Memory Mapped File | Readable, Writable, Executable | | |
| WSHTCPIP.DLL | 0x7fefc8d0000 | 0x7fefc8d6fff | Memory Mapped File | Readable, Writable, Executable | | |
| ubpm.dll | 0x7fefcaa0000 | 0x7fefcad8fff | Memory Mapped File | Readable, Writable, Executable | | |
| credssp.dll | 0x7fefcae0000 | 0x7fefcae9fff | Memory Mapped File | Readable, Writable, Executable | | |
| wship6.dll | 0x7fefcea0000 | 0x7fefcea6fff | Memory Mapped File | Readable, Writable, Executable | | |
| mswsock.dll | 0x7fefceb0000 | 0x7fefcf04fff | Memory Mapped File | Readable, Writable, Executable | | |
| authz.dll | 0x7fefd100000 | 0x7fefd12efff | Memory Mapped File | Readable, Writable, Executable | | |
| srvcli.dll | 0x7fefd1b0000 | 0x7fefd1d2fff | Memory Mapped File | Readable, Writable, Executable | | |
| scesrv.dll | 0x7fefd430000 | 0x7fefd496fff | Memory Mapped File | Readable, Writable, Executable | | |
| secur32.dll | 0x7fefd4a0000 | 0x7fefd4aafff | Memory Mapped File | Readable, Writable, Executable | | |
| scext.dll | 0x7fefd4c0000 | 0x7fefd4d8fff | Memory Mapped File | Readable, Writable, Executable | | |
| sspicli.dll | 0x7fefd4e0000 | 0x7fefd504fff | Memory Mapped File | Readable, Writable, Executable | | |
| apphelp.dll | 0x7fefd510000 | 0x7fefd566fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptbase.dll | 0x7fefd570000 | 0x7fefd57efff | Memory Mapped File | Readable, Writable, Executable | | |
| winsta.dll | 0x7fefd620000 | 0x7fefd65cfff | Memory Mapped File | Readable, Writable, Executable | | |
| RpcRtRemote.dll | 0x7fefd660000 | 0x7fefd673fff | Memory Mapped File | Readable, Writable, Executable | | |
| profapi.dll | 0x7fefd720000 | 0x7fefd72efff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x7fefda30000 | 0x7fefda9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7fefdaf0000 | 0x7fefdbcafff | Memory Mapped File | Readable, Writable, Executable | | |
| msctf.dll | 0x7fefdbd0000 | 0x7fefdcd8fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7fefea70000 | 0x7fefeb9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7feff2a0000 | 0x7feff2befff | Memory Mapped File | Readable, Writable, Executable | | |
| imm32.dll | 0x7feff2c0000 | 0x7feff2edfff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x7feff4e0000 | 0x7feff5a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| nsi.dll | 0x7feff650000 | 0x7feff657fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7feff9d0000 | 0x7feffa36fff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x7feffa40000 | 0x7feffa4dfff | Memory Mapped File | Readable, Writable, Executable | | |
| ws2_32.dll | 0x7feffa50000 | 0x7feffa9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x7feffb40000 | 0x7feffbdefff | Memory Mapped File | Readable, Writable, Executable | | |
| apisetschema.dll | 0x7feffc70000 | 0x7feffc70fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x000007fffff8c000 | 0x7fffff8c000 | 0x7fffff8dfff | Private Memory | Readable, Writable | | |
| private_0x000007fffff98000 | 0x7fffff98000 | 0x7fffff99fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa2000 | 0x7fffffa2000 | 0x7fffffa3fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa6000 | 0x7fffffa6000 | 0x7fffffa7fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa8000 | 0x7fffffa8000 | 0x7fffffa9fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | Readable, Writable | | |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed File | Readable | | |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | Readable, Writable | | |
| Information | Value |
|---|---|
| ID / OS PID | #9 / 0x1d0 |
| OS Parent PID | 0x160 (c:\windows\system32\wininit.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\system32\lsass.exe |
| Command Line | C:\Windows\system32\lsass.exe |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #132 0x884 #133 0x830 #134 0x210 #135 0x1F0 #136 0x1EC #137 0x1E8 #138 0x1E0 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00020fff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed File | Readable | | |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable | | |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | Readable, Writable | | |
| locale.nls | 0x000f0000 | 0x00156fff | Memory Mapped File | Readable | | |
| private_0x0000000000160000 | 0x00160000 | 0x00160fff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000170000 | 0x00170000 | 0x0017ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000180000 | 0x00180000 | 0x0018ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00196fff | Pagefile Backed File | Readable | | |
| private_0x00000000001a0000 | 0x001a0000 | 0x001affff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001cffff | Pagefile Backed File | Readable, Writable | | |
| C_28591.NLS | 0x001d0000 | 0x001e0fff | Memory Mapped File | Readable | | |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Private Memory | Readable, Writable | | |
| private_0x0000000000200000 | 0x00200000 | 0x002fffff | Private Memory | Readable, Writable | | |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000400000 | 0x00400000 | 0x004bffff | Pagefile Backed File | Readable | | |
| private_0x00000000004c0000 | 0x004c0000 | 0x004c0fff | Private Memory | Readable, Writable | | |
| private_0x00000000004d0000 | 0x004d0000 | 0x004d0fff | Private Memory | Readable, Writable | | |
| private_0x00000000004e0000 | 0x004e0000 | 0x004e0fff | Private Memory | Readable, Writable | | |
| private_0x00000000004f0000 | 0x004f0000 | 0x004f0fff | Private Memory | Readable, Writable | | |
| private_0x0000000000500000 | 0x00500000 | 0x00500fff | Private Memory | Readable, Writable | | |
| private_0x0000000000510000 | 0x00510000 | 0x0058ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00717fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000720000 | 0x00720000 | 0x008a0fff | Pagefile Backed File | Readable | | |
| private_0x00000000008b0000 | 0x008b0000 | 0x008b0fff | Private Memory | Readable, Writable | | |
| private_0x00000000008c0000 | 0x008c0000 | 0x008c0fff | Private Memory | Readable, Writable | | |
| private_0x00000000008d0000 | 0x008d0000 | 0x0094ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000950000 | 0x00950000 | 0x00950fff | Private Memory | Readable, Writable | | |
| private_0x0000000000af0000 | 0x00af0000 | 0x00b6ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00c4ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000c50000 | 0x00c50000 | 0x00f3bfff | Pagefile Backed File | Readable | | |
| SortDefault.nls | 0x00f40000 | 0x0120efff | Memory Mapped File | Readable | | |
| private_0x0000000001290000 | 0x01290000 | 0x0130ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001370000 | 0x01370000 | 0x013effff | Private Memory | Readable, Writable | | |
| private_0x0000000001400000 | 0x01400000 | 0x014fffff | Private Memory | Readable, Writable | | |
| private_0x0000000001560000 | 0x01560000 | 0x015dffff | Private Memory | Readable, Writable | | |
| private_0x0000000001730000 | 0x01730000 | 0x0182ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001990000 | 0x01990000 | 0x01a0ffff | Private Memory | Readable, Writable | | |
| msprivs.dll | 0x754a0000 | 0x754a1fff | Memory Mapped File | Readable, Writable, Executable | | |
| user32.dll | 0x77730000 | 0x77829fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x77830000 | 0x7794efff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| lsass.exe | 0xffb50000 | 0xffb5bfff | Memory Mapped File | Readable, Writable, Executable | | |
| winnsi.dll | 0x7fefafa0000 | 0x7fefafaafff | Memory Mapped File | Readable, Writable, Executable | | |
| IPHLPAPI.DLL | 0x7fefafb0000 | 0x7fefafd6fff | Memory Mapped File | Readable, Writable, Executable | | |
| wkscli.dll | 0x7fefb820000 | 0x7fefb834fff | Memory Mapped File | Readable, Writable, Executable | | |
| netutils.dll | 0x7fefb840000 | 0x7fefb84bfff | Memory Mapped File | Readable, Writable, Executable | | |
| WSHTCPIP.DLL | 0x7fefc8d0000 | 0x7fefc8d6fff | Memory Mapped File | Readable, Writable, Executable | | |
| credssp.dll | 0x7fefcae0000 | 0x7fefcae9fff | Memory Mapped File | Readable, Writable, Executable | | |
| scecli.dll | 0x7fefcaf0000 | 0x7fefcb2dfff | Memory Mapped File | Readable, Writable, Executable | | |
| efslsaext.dll | 0x7fefcb30000 | 0x7fefcb41fff | Memory Mapped File | Readable, Writable, Executable | | |
| bcryptprimitives.dll | 0x7fefcb50000 | 0x7fefcb9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| pku2u.dll | 0x7fefcba0000 | 0x7fefcbe4fff | Memory Mapped File | Readable, Writable, Executable | | |
| TSpkg.dll | 0x7fefcbf0000 | 0x7fefcc08fff | Memory Mapped File | Readable, Writable, Executable | | |
| rsaenh.dll | 0x7fefcc10000 | 0x7fefcc56fff | Memory Mapped File | Readable, Writable, Executable | | |
| wdigest.dll | 0x7fefcc60000 | 0x7fefcc95fff | Memory Mapped File | Readable, Writable, Executable | | |
| schannel.dll | 0x7fefcca0000 | 0x7fefccf6fff | Memory Mapped File | Readable, Writable, Executable | | |
| logoncli.dll | 0x7fefcd00000 | 0x7fefcd2ffff | Memory Mapped File | Readable, Writable, Executable | | |
| dnsapi.dll | 0x7fefcd30000 | 0x7fefcd8afff | Memory Mapped File | Readable, Writable, Executable | | |
| netlogon.dll | 0x7fefcd90000 | 0x7fefce3dfff | Memory Mapped File | Readable, Writable, Executable | | |
| msv1_0.dll | 0x7fefce40000 | 0x7fefce91fff | Memory Mapped File | Readable, Writable, Executable | | |
| wship6.dll | 0x7fefcea0000 | 0x7fefcea6fff | Memory Mapped File | Readable, Writable, Executable | | |
| mswsock.dll | 0x7fefceb0000 | 0x7fefcf04fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptsp.dll | 0x7fefcf10000 | 0x7fefcf26fff | Memory Mapped File | Readable, Writable, Executable | | |
| kerberos.dll | 0x7fefcf30000 | 0x7fefcfe7fff | Memory Mapped File | Readable, Writable, Executable | | |
| negoexts.dll | 0x7fefcff0000 | 0x7fefd013fff | Memory Mapped File | Readable, Writable, Executable | | |
| netjoin.dll | 0x7fefd020000 | 0x7fefd051fff | Memory Mapped File | Readable, Writable, Executable | | |
| bcrypt.dll | 0x7fefd080000 | 0x7fefd0a1fff | Memory Mapped File | Readable, Writable, Executable | | |
| ncrypt.dll | 0x7fefd0b0000 | 0x7fefd0fffff | Memory Mapped File | Readable, Writable, Executable | | |
| authz.dll | 0x7fefd100000 | 0x7fefd12efff | Memory Mapped File | Readable, Writable, Executable | | |
| cngaudit.dll | 0x7fefd130000 | 0x7fefd138fff | Memory Mapped File | Readable, Writable, Executable | | |
| wevtapi.dll | 0x7fefd140000 | 0x7fefd1acfff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptdll.dll | 0x7fefd1e0000 | 0x7fefd1f3fff | Memory Mapped File | Readable, Writable, Executable | | |
| samsrv.dll | 0x7fefd200000 | 0x7fefd2bcfff | Memory Mapped File | Readable, Writable, Executable | | |
| lsasrv.dll | 0x7fefd2c0000 | 0x7fefd429fff | Memory Mapped File | Readable, Writable, Executable | | |
| secur32.dll | 0x7fefd4a0000 | 0x7fefd4aafff | Memory Mapped File | Readable, Writable, Executable | | |
| sspisrv.dll | 0x7fefd4b0000 | 0x7fefd4bafff | Memory Mapped File | Readable, Writable, Executable | | |
| sspicli.dll | 0x7fefd4e0000 | 0x7fefd504fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptbase.dll | 0x7fefd570000 | 0x7fefd57efff | Memory Mapped File | Readable, Writable, Executable | | |
| winsta.dll | 0x7fefd620000 | 0x7fefd65cfff | Memory Mapped File | Readable, Writable, Executable | | |
| RpcRtRemote.dll | 0x7fefd660000 | 0x7fefd673fff | Memory Mapped File | Readable, Writable, Executable | | |
| msasn1.dll | 0x7fefd710000 | 0x7fefd71efff | Memory Mapped File | Readable, Writable, Executable | | |
| profapi.dll | 0x7fefd720000 | 0x7fefd72efff | Memory Mapped File | Readable, Writable, Executable | | |
| crypt32.dll | 0x7fefd7d0000 | 0x7fefd93cfff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x7fefda30000 | 0x7fefda9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| userenv.dll | 0x7fefdaa0000 | 0x7fefdabdfff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7fefdaf0000 | 0x7fefdbcafff | Memory Mapped File | Readable, Writable, Executable | | |
| msctf.dll | 0x7fefdbd0000 | 0x7fefdcd8fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7fefea70000 | 0x7fefeb9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7feff2a0000 | 0x7feff2befff | Memory Mapped File | Readable, Writable, Executable | | |
| imm32.dll | 0x7feff2c0000 | 0x7feff2edfff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x7feff4e0000 | 0x7feff5a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| nsi.dll | 0x7feff650000 | 0x7feff657fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7feff9d0000 | 0x7feffa36fff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x7feffa40000 | 0x7feffa4dfff | Memory Mapped File | Readable, Writable, Executable | | |
| ws2_32.dll | 0x7feffa50000 | 0x7feffa9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x7feffb40000 | 0x7feffbdefff | Memory Mapped File | Readable, Writable, Executable | | |
| apisetschema.dll | 0x7feffc70000 | 0x7feffc70fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x000007fffffa4000 | 0x7fffffa4000 | 0x7fffffa5fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | Readable, Writable | | |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed File | Readable | | |
| private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd4fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | Readable, Writable | | |
| Information | Value |
|---|---|
| ID / OS PID | #10 / 0x1d8 |
| OS Parent PID | 0x160 (c:\windows\system32\wininit.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\system32\lsm.exe |
| Command Line | C:\Windows\system32\lsm.exe |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #139 0x88C #140 0xA10 #141 0x2C4 #142 0x2C0 #143 0x2B8 #144 0x2B4 #145 0x2A8 #146 0x2A4 #147 0x228 #148 0x1DC |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed File | Readable | | |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable | | |
| locale.nls | 0x00060000 | 0x000c6fff | Memory Mapped File | Readable | | |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed File | Readable, Writable | | |
| private_0x00000000000e0000 | 0x000e0000 | 0x0015ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000160000 | 0x00160000 | 0x0016ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000170000 | 0x00170000 | 0x00171fff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000180000 | 0x00180000 | 0x00186fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00191fff | Pagefile Backed File | Readable, Writable | | |
| lsm.exe.mui | 0x001a0000 | 0x001a1fff | Memory Mapped File | Readable, Writable | | |
| private_0x00000000001e0000 | 0x001e0000 | 0x0025ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000260000 | 0x00260000 | 0x0035ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000370000 | 0x00370000 | 0x0046ffff | Private Memory | Readable, Writable | | |
| SortDefault.nls | 0x00470000 | 0x0073efff | Memory Mapped File | Readable | | |
| private_0x0000000000760000 | 0x00760000 | 0x007dffff | Private Memory | Readable, Writable | | |
| private_0x0000000000800000 | 0x00800000 | 0x0087ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000890000 | 0x00890000 | 0x0090ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000950000 | 0x00950000 | 0x009cffff | Private Memory | Readable, Writable | | |
| private_0x00000000009d0000 | 0x009d0000 | 0x00a4ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000a50000 | 0x00a50000 | 0x00acffff | Private Memory | Readable, Writable | | |
| private_0x0000000000b70000 | 0x00b70000 | 0x00beffff | Private Memory | Readable, Writable | | |
| private_0x0000000000c40000 | 0x00c40000 | 0x00cbffff | Private Memory | Readable, Writable | | |
| private_0x0000000000e20000 | 0x00e20000 | 0x00e9ffff | Private Memory | Readable, Writable | | |
| kernel32.dll | 0x77830000 | 0x7794efff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| lsm.exe | 0xff520000 | 0xff576fff | Memory Mapped File | Readable, Writable, Executable | | |
| pcwum.dll | 0x7fefc990000 | 0x7fefc99cfff | Memory Mapped File | Readable, Writable, Executable | | |
| credssp.dll | 0x7fefcae0000 | 0x7fefcae9fff | Memory Mapped File | Readable, Writable, Executable | | |
| wmsgapi.dll | 0x7fefd060000 | 0x7fefd067fff | Memory Mapped File | Readable, Writable, Executable | | |
| sysntfy.dll | 0x7fefd070000 | 0x7fefd079fff | Memory Mapped File | Readable, Writable, Executable | | |
| secur32.dll | 0x7fefd4a0000 | 0x7fefd4aafff | Memory Mapped File | Readable, Writable, Executable | | |
| sspicli.dll | 0x7fefd4e0000 | 0x7fefd504fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptbase.dll | 0x7fefd570000 | 0x7fefd57efff | Memory Mapped File | Readable, Writable, Executable | | |
| RpcRtRemote.dll | 0x7fefd660000 | 0x7fefd673fff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x7fefda30000 | 0x7fefda9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7fefdaf0000 | 0x7fefdbcafff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7fefea70000 | 0x7fefeb9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7feff2a0000 | 0x7feff2befff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x7feffb40000 | 0x7feffbdefff | Memory Mapped File | Readable, Writable, Executable | | |
| apisetschema.dll | 0x7feffc70000 | 0x7feffc70fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x000007fffffa6000 | 0x7fffffa6000 | 0x7fffffa7fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa8000 | 0x7fffffa8000 | 0x7fffffa9fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffaa000 | 0x7fffffaa000 | 0x7fffffabfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | Readable, Writable | | |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed File | Readable | | |
| private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd5fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffdcfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | Readable, Writable | | |
| Information | Value |
|---|---|
| ID / OS PID | #11 / 0x234 |
| OS Parent PID | 0x1c0 (c:\windows\system32\services.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k DcomLaunch |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #149 0x980 #150 0x810 #151 0x674 #152 0x5AC #153 0x284 #154 0x27C #155 0x264 #156 0x260 #157 0x25C #158 0x254 #159 0x248 #160 0x240 #161 0x238 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed File | Readable | | |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable | | |
| locale.nls | 0x00060000 | 0x000c6fff | Memory Mapped File | Readable | | |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed File | Readable, Writable | | |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | Readable, Writable | | |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable | | |
| private_0x0000000000100000 | 0x00100000 | 0x0010ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00130fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00140fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00150fff | Pagefile Backed File | Readable | | |
| umpnpmgr.dll.mui | 0x00170000 | 0x00173fff | Memory Mapped File | Readable, Writable | | |
| private_0x00000000001c0000 | 0x001c0000 | 0x0023ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000240000 | 0x00240000 | 0x0033ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000350000 | 0x00350000 | 0x003cffff | Private Memory | Readable, Writable | | |
| private_0x0000000000430000 | 0x00430000 | 0x0052ffff | Private Memory | Readable, Writable | | |
| private_0x00000000005c0000 | 0x005c0000 | 0x0063ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000640000 | 0x00640000 | 0x006fffff | Pagefile Backed File | Readable | | |
| private_0x0000000000730000 | 0x00730000 | 0x007affff | Private Memory | Readable, Writable | | |
| SortDefault.nls | 0x00800000 | 0x00acefff | Memory Mapped File | Readable | | |
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x00c57fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000c60000 | 0x00c60000 | 0x00de0fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000df0000 | 0x00df0000 | 0x010dbfff | Pagefile Backed File | Readable | | |
| private_0x0000000001100000 | 0x01100000 | 0x0117ffff | Private Memory | Readable, Writable | | |
| private_0x00000000011d0000 | 0x011d0000 | 0x011dffff | Private Memory | Readable, Writable | | |
| private_0x0000000001200000 | 0x01200000 | 0x0127ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001390000 | 0x01390000 | 0x0140ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001410000 | 0x01410000 | 0x0150ffff | Private Memory | Readable, Writable | | |
| private_0x00000000015e0000 | 0x015e0000 | 0x0165ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001660000 | 0x01660000 | 0x016dffff | Private Memory | Readable, Writable | | |
| private_0x00000000016f0000 | 0x016f0000 | 0x0176ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001770000 | 0x01770000 | 0x017effff | Private Memory | Readable, Writable | | |
| private_0x00000000017f0000 | 0x017f0000 | 0x0186ffff | Private Memory | Readable, Writable | | |
| private_0x00000000018f0000 | 0x018f0000 | 0x0196ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001980000 | 0x01980000 | 0x019fffff | Private Memory | Readable, Writable | | |
| private_0x0000000001af0000 | 0x01af0000 | 0x01beffff | Private Memory | Readable, Writable | | |
| private_0x0000000001ce0000 | 0x01ce0000 | 0x01d5ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001d60000 | 0x01d60000 | 0x01e5ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000001e60000 | 0x01e60000 | 0x02066fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000002070000 | 0x02070000 | 0x023bcfff | Pagefile Backed File | Readable | | |
| user32.dll | 0x77730000 | 0x77829fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x77830000 | 0x7794efff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| svchost.exe | 0xff840000 | 0xff84afff | Memory Mapped File | Readable, Writable, Executable | | |
| wmiutils.dll | 0x7fef81c0000 | 0x7fef81e5fff | Memory Mapped File | Readable, Writable, Executable | | |
| wbemsvc.dll | 0x7fef8310000 | 0x7fef8323fff | Memory Mapped File | Readable, Writable, Executable | | |
| wbemprox.dll | 0x7fef8d20000 | 0x7fef8d2efff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdsapi.dll | 0x7fef8d30000 | 0x7fef8d56fff | Memory Mapped File | Readable, Writable, Executable | | |
| fastprox.dll | 0x7fef8d60000 | 0x7fef8e41fff | Memory Mapped File | Readable, Writable, Executable | | |
| WmiDcPrv.dll | 0x7fef8e50000 | 0x7fef8e81fff | Memory Mapped File | Readable, Writable, Executable | | |
| wbemcomn.dll | 0x7fef9310000 | 0x7fef9395fff | Memory Mapped File | Readable, Writable, Executable | | |
| ntmarta.dll | 0x7fefab30000 | 0x7fefab5cfff | Memory Mapped File | Readable, Writable, Executable | | |
| wtsapi32.dll | 0x7fefbaf0000 | 0x7fefbb00fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcss.dll | 0x7fefc900000 | 0x7fefc980fff | Memory Mapped File | Readable, Writable, Executable | | |
| pcwum.dll | 0x7fefc990000 | 0x7fefc99cfff | Memory Mapped File | Readable, Writable, Executable | | |
| umpo.dll | 0x7fefc9a0000 | 0x7fefc9cbfff | Memory Mapped File | Readable, Writable, Executable | | |
| gpapi.dll | 0x7fefc9d0000 | 0x7fefc9eafff | Memory Mapped File | Readable, Writable, Executable | | |
| devrtl.dll | 0x7fefc9f0000 | 0x7fefca01fff | Memory Mapped File | Readable, Writable, Executable | | |
| SPInf.dll | 0x7fefca10000 | 0x7fefca2efff | Memory Mapped File | Readable, Writable, Executable | | |
| umpnpmgr.dll | 0x7fefca30000 | 0x7fefca96fff | Memory Mapped File | Readable, Writable, Executable | | |
| credssp.dll | 0x7fefcae0000 | 0x7fefcae9fff | Memory Mapped File | Readable, Writable, Executable | | |
| rsaenh.dll | 0x7fefcc10000 | 0x7fefcc56fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptsp.dll | 0x7fefcf10000 | 0x7fefcf26fff | Memory Mapped File | Readable, Writable, Executable | | |
| sspicli.dll | 0x7fefd4e0000 | 0x7fefd504fff | Memory Mapped File | Readable, Writable, Executable | | |
| apphelp.dll | 0x7fefd510000 | 0x7fefd566fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptbase.dll | 0x7fefd570000 | 0x7fefd57efff | Memory Mapped File | Readable, Writable, Executable | | |
| winsta.dll | 0x7fefd620000 | 0x7fefd65cfff | Memory Mapped File | Readable, Writable, Executable | | |
| RpcRtRemote.dll | 0x7fefd660000 | 0x7fefd673fff | Memory Mapped File | Readable, Writable, Executable | | |
| msasn1.dll | 0x7fefd710000 | 0x7fefd71efff | Memory Mapped File | Readable, Writable, Executable | | |
| profapi.dll | 0x7fefd720000 | 0x7fefd72efff | Memory Mapped File | Readable, Writable, Executable | | |
| devobj.dll | 0x7fefd730000 | 0x7fefd749fff | Memory Mapped File | Readable, Writable, Executable | | |
| wintrust.dll | 0x7fefd790000 | 0x7fefd7cafff | Memory Mapped File | Readable, Writable, Executable | | |
| crypt32.dll | 0x7fefd7d0000 | 0x7fefd93cfff | Memory Mapped File | Readable, Writable, Executable | | |
| cfgmgr32.dll | 0x7fefd9f0000 | 0x7fefda25fff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x7fefda30000 | 0x7fefda9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| userenv.dll | 0x7fefdaa0000 | 0x7fefdabdfff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7fefdaf0000 | 0x7fefdbcafff | Memory Mapped File | Readable, Writable, Executable | | |
| msctf.dll | 0x7fefdbd0000 | 0x7fefdcd8fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7fefea70000 | 0x7fefeb9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| setupapi.dll | 0x7fefeba0000 | 0x7fefed76fff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7feff2a0000 | 0x7feff2befff | Memory Mapped File | Readable, Writable, Executable | | |
| imm32.dll | 0x7feff2c0000 | 0x7feff2edfff | Memory Mapped File | Readable, Writable, Executable | | |
| Wldap32.dll | 0x7feff480000 | 0x7feff4d1fff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x7feff4e0000 | 0x7feff5a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| nsi.dll | 0x7feff650000 | 0x7feff657fff | Memory Mapped File | Readable, Writable, Executable | | |
| ole32.dll | 0x7feff6e0000 | 0x7feff8e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| oleaut32.dll | 0x7feff8f0000 | 0x7feff9c6fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7feff9d0000 | 0x7feffa36fff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x7feffa40000 | 0x7feffa4dfff | Memory Mapped File | Readable, Writable, Executable | | |
| ws2_32.dll | 0x7feffa50000 | 0x7feffa9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| clbcatq.dll | 0x7feffaa0000 | 0x7feffb38fff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x7feffb40000 | 0x7feffbdefff | Memory Mapped File | Readable, Writable, Executable | | |
| apisetschema.dll | 0x7feffc70000 | 0x7feffc70fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x000007fffff9e000 | 0x7fffff9e000 | 0x7fffff9ffff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa0000 | 0x7fffffa0000 | 0x7fffffa1fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa2000 | 0x7fffffa2000 | 0x7fffffa3fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa6000 | 0x7fffffa6000 | 0x7fffffa7fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa8000 | 0x7fffffa8000 | 0x7fffffa9fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | Readable, Writable | | |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed File | Readable | | |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | Readable, Writable | | |
| Information | Value |
|---|---|
| ID / OS PID | #12 / 0x274 |
| OS Parent PID | 0x1c0 (c:\windows\system32\services.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k RPCSS |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #162 0x2A0 #163 0x29C #164 0x298 #165 0x294 #166 0x288 #167 0x280 #168 0x278 #465 0x168 #508 0x60C |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed File | Readable | | |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable | | |
| locale.nls | 0x00060000 | 0x000c6fff | Memory Mapped File | Readable | | |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed File | Readable, Writable | | |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | Readable, Writable | | |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00100fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed File | Readable | | |
| private_0x0000000000120000 | 0x00120000 | 0x0012ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000130000 | 0x00130000 | 0x001effff | Pagefile Backed File | Readable | | |
| private_0x0000000000210000 | 0x00210000 | 0x0028ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | Readable, Writable | | |
| private_0x00000000003a0000 | 0x003a0000 | 0x0049ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000590000 | 0x00590000 | 0x0060ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000620000 | 0x00620000 | 0x0069ffff | Private Memory | Readable, Writable | | |
| private_0x00000000006f0000 | 0x006f0000 | 0x0076ffff | Private Memory | Readable, Writable | | |
| SortDefault.nls | 0x00780000 | 0x00a4efff | Memory Mapped File | Readable | | |
| private_0x0000000000a70000 | 0x00a70000 | 0x00aeffff | Private Memory | Readable, Writable | | |
| private_0x0000000000b90000 | 0x00b90000 | 0x00c0ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000c10000 | 0x00c10000 | 0x00d97fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000da0000 | 0x00da0000 | 0x00f20fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000f30000 | 0x00f30000 | 0x0121bfff | Pagefile Backed File | Readable | | |
| private_0x00000000012a0000 | 0x012a0000 | 0x0131ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001400000 | 0x01400000 | 0x014fffff | Private Memory | Readable, Writable | | |
| user32.dll | 0x77730000 | 0x77829fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x77830000 | 0x7794efff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| svchost.exe | 0xff840000 | 0xff84afff | Memory Mapped File | Readable, Writable, Executable | | |
| FWPUCLNT.DLL | 0x7fefae60000 | 0x7fefaeb2fff | Memory Mapped File | Readable, Writable, Executable | | |
| wtsapi32.dll | 0x7fefbaf0000 | 0x7fefbb00fff | Memory Mapped File | Readable, Writable, Executable | | |
| version.dll | 0x7fefc800000 | 0x7fefc80bfff | Memory Mapped File | Readable, Writable, Executable | | |
| FirewallAPI.dll | 0x7fefc810000 | 0x7fefc8cafff | Memory Mapped File | Readable, Writable, Executable | | |
| WSHTCPIP.DLL | 0x7fefc8d0000 | 0x7fefc8d6fff | Memory Mapped File | Readable, Writable, Executable | | |
| RpcEpMap.dll | 0x7fefc8e0000 | 0x7fefc8f3fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcss.dll | 0x7fefc900000 | 0x7fefc980fff | Memory Mapped File | Readable, Writable, Executable | | |
| credssp.dll | 0x7fefcae0000 | 0x7fefcae9fff | Memory Mapped File | Readable, Writable, Executable | | |
| rsaenh.dll | 0x7fefcc10000 | 0x7fefcc56fff | Memory Mapped File | Readable, Writable, Executable | | |
| wship6.dll | 0x7fefcea0000 | 0x7fefcea6fff | Memory Mapped File | Readable, Writable, Executable | | |
| mswsock.dll | 0x7fefceb0000 | 0x7fefcf04fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptsp.dll | 0x7fefcf10000 | 0x7fefcf26fff | Memory Mapped File | Readable, Writable, Executable | | |
| secur32.dll | 0x7fefd4a0000 | 0x7fefd4aafff | Memory Mapped File | Readable, Writable, Executable | | |
| sspicli.dll | 0x7fefd4e0000 | 0x7fefd504fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptbase.dll | 0x7fefd570000 | 0x7fefd57efff | Memory Mapped File | Readable, Writable, Executable | | |
| winsta.dll | 0x7fefd620000 | 0x7fefd65cfff | Memory Mapped File | Readable, Writable, Executable | | |
| RpcRtRemote.dll | 0x7fefd660000 | 0x7fefd673fff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x7fefda30000 | 0x7fefda9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7fefdaf0000 | 0x7fefdbcafff | Memory Mapped File | Readable, Writable, Executable | | |
| msctf.dll | 0x7fefdbd0000 | 0x7fefdcd8fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7fefea70000 | 0x7fefeb9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7feff2a0000 | 0x7feff2befff | Memory Mapped File | Readable, Writable, Executable | | |
| imm32.dll | 0x7feff2c0000 | 0x7feff2edfff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x7feff4e0000 | 0x7feff5a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| nsi.dll | 0x7feff650000 | 0x7feff657fff | Memory Mapped File | Readable, Writable, Executable | | |
| ole32.dll | 0x7feff6e0000 | 0x7feff8e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| oleaut32.dll | 0x7feff8f0000 | 0x7feff9c6fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7feff9d0000 | 0x7feffa36fff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x7feffa40000 | 0x7feffa4dfff | Memory Mapped File | Readable, Writable, Executable | | |
| ws2_32.dll | 0x7feffa50000 | 0x7feffa9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| clbcatq.dll | 0x7feffaa0000 | 0x7feffb38fff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x7feffb40000 | 0x7feffbdefff | Memory Mapped File | Readable, Writable, Executable | | |
| apisetschema.dll | 0x7feffc70000 | 0x7feffc70fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | Readable, Writable | | |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed File | Readable | | |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | Readable, Writable | | |
| Information | Value |
|---|---|
| ID / OS PID | #13 / 0x2ac |
| OS Parent PID | 0x1c0 (c:\windows\system32\services.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #169 0x8B4 #170 0x8B0 #171 0xB94 #172 0xB84 #173 0x9D4 #174 0x960 #175 0x418 #176 0x560 #177 0x6A8 #178 0x698 #179 0x690 #180 0x144 #181 0x104 #182 0x394 #183 0x390 #184 0x300 #185 0x2FC #186 0x2DC #187 0x2BC #188 0x2B0 #505 0xA00 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed File | Readable | | |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable | | |
| locale.nls | 0x00060000 | 0x000c6fff | Memory Mapped File | Readable | | |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed File | Readable, Writable | | |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | Readable, Writable | | |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable | | |
| private_0x0000000000100000 | 0x00100000 | 0x0011ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000120000 | 0x00120000 | 0x00127fff | Private Memory | Readable, Writable | | |
| private_0x0000000000130000 | 0x00130000 | 0x0016ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000170000 | 0x00170000 | 0x001effff | Private Memory | Readable, Writable | | |
| private_0x00000000001f0000 | 0x001f0000 | 0x0020ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000210000 | 0x00210000 | 0x0022ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00230fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00240fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00250fff | Pagefile Backed File | Readable, Writable | | |
| WinMgmtR.dll | 0x00260000 | 0x00262fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000380000 | 0x00380000 | 0x0047ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000490000 | 0x00490000 | 0x0049ffff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x00627fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000630000 | 0x00630000 | 0x007b0fff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x0087ffff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000880000 | 0x00880000 | 0x00b6bfff | Pagefile Backed File | Readable | | |
| private_0x0000000000c30000 | 0x00c30000 | 0x00caffff | Private Memory | Readable, Writable | | |
| private_0x0000000000ce0000 | 0x00ce0000 | 0x00d5ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000d60000 | 0x00d60000 | 0x00e5ffff | Private Memory | Readable, Writable | | |
| winlogon.exe | 0x00ee0000 | 0x00f51fff | Memory Mapped File | Readable, Writable, Executable | | |
| SortDefault.nls | 0x00f70000 | 0x0123efff | Memory Mapped File | Readable | | |
| private_0x00000000012c0000 | 0x012c0000 | 0x0133ffff | Private Memory | Readable, Writable | | |
| private_0x00000000013a0000 | 0x013a0000 | 0x0141ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001420000 | 0x01420000 | 0x0149ffff | Private Memory | Readable, Writable | | |
| private_0x00000000014a0000 | 0x014a0000 | 0x0151ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001520000 | 0x01520000 | 0x0159ffff | Private Memory | Readable, Writable | | |
| private_0x00000000015e0000 | 0x015e0000 | 0x0165ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001660000 | 0x01660000 | 0x0175ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001760000 | 0x01760000 | 0x0195ffff | Private Memory | Readable, Writable | | |
| private_0x00000000019b0000 | 0x019b0000 | 0x01a2ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001a30000 | 0x01a30000 | 0x01aaffff | Private Memory | Readable, Writable | | |
| private_0x0000000001ad0000 | 0x01ad0000 | 0x01b4ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001b60000 | 0x01b60000 | 0x01bdffff | Private Memory | Readable, Writable | | |
| private_0x0000000001be0000 | 0x01be0000 | 0x01c5ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001ca0000 | 0x01ca0000 | 0x01d1ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001dd0000 | 0x01dd0000 | 0x01e4ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001ed0000 | 0x01ed0000 | 0x022cffff | Private Memory | Readable, Writable | | |
| private_0x00000000022d0000 | 0x022d0000 | 0x0234ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002440000 | 0x02440000 | 0x02c3ffff | Private Memory | Readable, Writable | | |
| WinSAT.exe | 0x02c40000 | 0x03016fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x0000000003060000 | 0x03060000 | 0x030dffff | Private Memory | Readable, Writable | | |
| private_0x0000000003110000 | 0x03110000 | 0x0318ffff | Private Memory | Readable, Writable | | |
| private_0x00000000031a0000 | 0x031a0000 | 0x0321ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003290000 | 0x03290000 | 0x0330ffff | Private Memory | Readable, Writable | | |
| WinMgmtR.dll | 0x74110000 | 0x74112fff | Memory Mapped File | Readable, Writable, Executable | | |
| user32.dll | 0x77730000 | 0x77829fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x77830000 | 0x7794efff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| winlogon.exe | 0xff470000 | 0xff4e1fff | Memory Mapped File | Readable, Writable, Executable | | |
| svchost.exe | 0xff840000 | 0xff84afff | Memory Mapped File | Readable, Writable, Executable | | |
| services.exe | 0xffc80000 | 0xffcd2fff | Memory Mapped File | Readable, Writable, Executable | | |
| dbghelp.dll | 0x7fef5bd0000 | 0x7fef5cf4fff | Memory Mapped File | Readable, Writable, Executable | | |
| wscsvc.dll | 0x7fef6110000 | 0x7fef612bfff | Memory Mapped File | Readable, Writable, Executable | | |
| tquery.dll | 0x7fef6910000 | 0x7fef6b49fff | Memory Mapped File | Readable, Writable, Executable | | |
| dhcpcsvc.dll | 0x7fefadb0000 | 0x7fefadc7fff | Memory Mapped File | Readable, Writable, Executable | | |
| dhcpcsvc6.dll | 0x7fefae30000 | 0x7fefae40fff | Memory Mapped File | Readable, Writable, Executable | | |
| dhcpcore6.dll | 0x7fefaec0000 | 0x7fefaefafff | Memory Mapped File | Readable, Writable, Executable | | |
| dhcpcore.dll | 0x7fefaf00000 | 0x7fefaf50fff | Memory Mapped File | Readable, Writable, Executable | | |
| nrpsrv.dll | 0x7fefaf90000 | 0x7fefaf97fff | Memory Mapped File | Readable, Writable, Executable | | |
| winnsi.dll | 0x7fefafa0000 | 0x7fefafaafff | Memory Mapped File | Readable, Writable, Executable | | |
| IPHLPAPI.DLL | 0x7fefafb0000 | 0x7fefafd6fff | Memory Mapped File | Readable, Writable, Executable | | |
| lmhsvc.dll | 0x7fefaff0000 | 0x7fefaff9fff | Memory Mapped File | Readable, Writable, Executable | | |
| avrt.dll | 0x7fefb5c0000 | 0x7fefb5c8fff | Memory Mapped File | Readable, Writable, Executable | | |
| powrprof.dll | 0x7fefb5d0000 | 0x7fefb5fbfff | Memory Mapped File | Readable, Writable, Executable | | |
| audiosrv.dll | 0x7fefb600000 | 0x7fefb6abfff | Memory Mapped File | Readable, Writable, Executable | | |
| MMDevAPI.dll | 0x7fefbb80000 | 0x7fefbbcafff | Memory Mapped File | Readable, Writable, Executable | | |
| propsys.dll | 0x7fefbff0000 | 0x7fefc11bfff | Memory Mapped File | Readable, Writable, Executable | | |
| wevtsvc.dll | 0x7fefc140000 | 0x7fefc2d5fff | Memory Mapped File | Readable, Writable, Executable | | |
| version.dll | 0x7fefc800000 | 0x7fefc80bfff | Memory Mapped File | Readable, Writable, Executable | | |
| FirewallAPI.dll | 0x7fefc810000 | 0x7fefc8cafff | Memory Mapped File | Readable, Writable, Executable | | |
| WSHTCPIP.DLL | 0x7fefc8d0000 | 0x7fefc8d6fff | Memory Mapped File | Readable, Writable, Executable | | |
| gpapi.dll | 0x7fefc9d0000 | 0x7fefc9eafff | Memory Mapped File | Readable, Writable, Executable | | |
| credssp.dll | 0x7fefcae0000 | 0x7fefcae9fff | Memory Mapped File | Readable, Writable, Executable | | |
| dnsapi.dll | 0x7fefcd30000 | 0x7fefcd8afff | Memory Mapped File | Readable, Writable, Executable | | |
| wship6.dll | 0x7fefcea0000 | 0x7fefcea6fff | Memory Mapped File | Readable, Writable, Executable | | |
| mswsock.dll | 0x7fefceb0000 | 0x7fefcf04fff | Memory Mapped File | Readable, Writable, Executable | | |
| wevtapi.dll | 0x7fefd140000 | 0x7fefd1acfff | Memory Mapped File | Readable, Writable, Executable | | |
| secur32.dll | 0x7fefd4a0000 | 0x7fefd4aafff | Memory Mapped File | Readable, Writable, Executable | | |
| sspicli.dll | 0x7fefd4e0000 | 0x7fefd504fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptbase.dll | 0x7fefd570000 | 0x7fefd57efff | Memory Mapped File | Readable, Writable, Executable | | |
| winsta.dll | 0x7fefd620000 | 0x7fefd65cfff | Memory Mapped File | Readable, Writable, Executable | | |
| RpcRtRemote.dll | 0x7fefd660000 | 0x7fefd673fff | Memory Mapped File | Readable, Writable, Executable | | |
| devobj.dll | 0x7fefd730000 | 0x7fefd749fff | Memory Mapped File | Readable, Writable, Executable | | |
| cfgmgr32.dll | 0x7fefd9f0000 | 0x7fefda25fff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x7fefda30000 | 0x7fefda9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7fefdaf0000 | 0x7fefdbcafff | Memory Mapped File | Readable, Writable, Executable | | |
| msctf.dll | 0x7fefdbd0000 | 0x7fefdcd8fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7fefea70000 | 0x7fefeb9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| setupapi.dll | 0x7fefeba0000 | 0x7fefed76fff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7feff2a0000 | 0x7feff2befff | Memory Mapped File | Readable, Writable, Executable | | |
| imm32.dll | 0x7feff2c0000 | 0x7feff2edfff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x7feff4e0000 | 0x7feff5a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| nsi.dll | 0x7feff650000 | 0x7feff657fff | Memory Mapped File | Readable, Writable, Executable | | |
| ole32.dll | 0x7feff6e0000 | 0x7feff8e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| oleaut32.dll | 0x7feff8f0000 | 0x7feff9c6fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7feff9d0000 | 0x7feffa36fff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x7feffa40000 | 0x7feffa4dfff | Memory Mapped File | Readable, Writable, Executable | | |
| ws2_32.dll | 0x7feffa50000 | 0x7feffa9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| clbcatq.dll | 0x7feffaa0000 | 0x7feffb38fff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x7feffb40000 | 0x7feffbdefff | Memory Mapped File | Readable, Writable, Executable | | |
| apisetschema.dll | 0x7feffc70000 | 0x7feffc70fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x000007fffff94000 | 0x7fffff94000 | 0x7fffff95fff | Private Memory | Readable, Writable | | |
| private_0x000007fffff96000 | 0x7fffff96000 | 0x7fffff97fff | Private Memory | Readable, Writable | | |
| private_0x000007fffff98000 | 0x7fffff98000 | 0x7fffff99fff | Private Memory | Readable, Writable | | |
| private_0x000007fffff9a000 | 0x7fffff9a000 | 0x7fffff9bfff | Private Memory | Readable, Writable | | |
| private_0x000007fffff9c000 | 0x7fffff9c000 | 0x7fffff9dfff | Private Memory | Readable, Writable | | |
| private_0x000007fffff9e000 | 0x7fffff9e000 | 0x7fffff9ffff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa0000 | 0x7fffffa0000 | 0x7fffffa1fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa2000 | 0x7fffffa2000 | 0x7fffffa3fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa4000 | 0x7fffffa4000 | 0x7fffffa5fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa6000 | 0x7fffffa6000 | 0x7fffffa7fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa8000 | 0x7fffffa8000 | 0x7fffffa9fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffaa000 | 0x7fffffaa000 | 0x7fffffabfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | Readable, Writable | | |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed File | Readable | | |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdbfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | Readable, Writable | | |
| Information | Value |
|---|---|
| ID / OS PID | #14 / 0x30c |
| OS Parent PID | 0x1c0 (c:\windows\system32\services.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #189 0x100 #190 0xB70 #191 0xB14 #192 0x5FC #193 0x6C0 #194 0x5C4 #195 0x5B4 #196 0x64 #197 0x3EC #198 0x3E0 #199 0x3DC #200 0x3D8 #201 0x3D4 #202 0x3BC #203 0x398 #204 0x378 #205 0x33C #206 0x318 #207 0x310 #522 0x258 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed File | Readable | | |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable | | |
| locale.nls | 0x00060000 | 0x000c6fff | Memory Mapped File | Readable | | |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed File | Readable, Writable | | |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | Readable, Writable | | |
| private_0x00000000000f0000 | 0x000f0000 | 0x0016ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000270000 | 0x00270000 | 0x00270fff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000280000 | 0x00280000 | 0x00280fff | Pagefile Backed File | Readable | | |
| private_0x0000000000290000 | 0x00290000 | 0x0029ffff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000002b0000 | 0x002b0000 | 0x002b1fff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d1fff | Pagefile Backed File | Readable | | |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x00567fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000570000 | 0x00570000 | 0x006f0fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000700000 | 0x00700000 | 0x007bffff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x00aabfff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x00ab0fff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000b70000 | 0x00b70000 | 0x00b7ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000b80000 | 0x00b80000 | 0x00bfffff | Private Memory | Readable, Writable | | |
| private_0x0000000000ca0000 | 0x00ca0000 | 0x00d1ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000d90000 | 0x00d90000 | 0x00e0ffff | Private Memory | Readable, Writable | | |
| SortDefault.nls | 0x00e50000 | 0x0111efff | Memory Mapped File | Readable | | |
| private_0x0000000001120000 | 0x01120000 | 0x0119ffff | Private Memory | Readable, Writable | | |
| private_0x00000000011e0000 | 0x011e0000 | 0x0125ffff | Private Memory | Readable, Writable | | |
| private_0x00000000012c0000 | 0x012c0000 | 0x0133ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001340000 | 0x01340000 | 0x013bffff | Private Memory | Readable, Writable | | |
| private_0x00000000013f0000 | 0x013f0000 | 0x0146ffff | Private Memory | Readable, Writable | | |
| private_0x00000000014e0000 | 0x014e0000 | 0x0155ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001560000 | 0x01560000 | 0x015dffff | Private Memory | Readable, Writable | | |
| private_0x00000000015f0000 | 0x015f0000 | 0x0166ffff | Private Memory | Readable, Writable | | |
| private_0x00000000016c0000 | 0x016c0000 | 0x0173ffff | Private Memory | Readable, Writable | | |
| private_0x00000000017d0000 | 0x017d0000 | 0x018cffff | Private Memory | Readable, Writable | | |
| private_0x00000000018d0000 | 0x018d0000 | 0x018dffff | Private Memory | Readable, Writable | | |
| private_0x00000000019c0000 | 0x019c0000 | 0x01a3ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001a40000 | 0x01a40000 | 0x01abffff | Private Memory | Readable, Writable | | |
| private_0x0000000001ac0000 | 0x01ac0000 | 0x01bbffff | Private Memory | Readable, Writable | | |
| private_0x0000000001bc0000 | 0x01bc0000 | 0x01cbffff | Private Memory | Readable, Writable | | |
| private_0x0000000001db0000 | 0x01db0000 | 0x01dbffff | Private Memory | Readable, Writable | | |
| private_0x0000000001dd0000 | 0x01dd0000 | 0x01e4ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001f00000 | 0x01f00000 | 0x01ffffff | Private Memory | Readable, Writable | | |
| private_0x0000000002020000 | 0x02020000 | 0x0202ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002060000 | 0x02060000 | 0x020dffff | Private Memory | Readable, Writable | | |
| private_0x00000000020f0000 | 0x020f0000 | 0x020fffff | Private Memory | Readable, Writable | | |
| private_0x0000000002100000 | 0x02100000 | 0x021fffff | Private Memory | Readable, Writable | | |
| private_0x0000000002220000 | 0x02220000 | 0x0222ffff | Private Memory | Readable, Writable | | |
| private_0x00000000022c0000 | 0x022c0000 | 0x0233ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002350000 | 0x02350000 | 0x023cffff | Private Memory | Readable, Writable | | |
| private_0x0000000002400000 | 0x02400000 | 0x0240ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002410000 | 0x02410000 | 0x0250ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002600000 | 0x02600000 | 0x0260ffff | Private Memory | Readable, Writable | | |
| private_0x00000000026e0000 | 0x026e0000 | 0x0275ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002770000 | 0x02770000 | 0x027effff | Private Memory | Readable, Writable | | |
| sfc.dll | 0x74130000 | 0x74132fff | Memory Mapped File | Readable, Writable, Executable | | |
| user32.dll | 0x77730000 | 0x77829fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x77830000 | 0x7794efff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| svchost.exe | 0xff840000 | 0xff84afff | Memory Mapped File | Readable, Writable, Executable | | |
| eappcfg.dll | 0x7fef5e10000 | 0x7fef5e53fff | Memory Mapped File | Readable, Writable, Executable | | |
| eappcfg.dll | 0x7fef5e50000 | 0x7fef5e93fff | Memory Mapped File | Readable, Writable, Executable | | |
| onex.dll | 0x7fef5e60000 | 0x7fef5e9ffff | Memory Mapped File | Readable, Writable, Executable | | |
| eappprxy.dll | 0x7fef6060000 | 0x7fef6073fff | Memory Mapped File | Readable, Writable, Executable | | |
| wlanhlp.dll | 0x7fef6080000 | 0x7fef60a0fff | Memory Mapped File | Readable, Writable, Executable | | |
| dot3api.dll | 0x7fef6090000 | 0x7fef60a7fff | Memory Mapped File | Readable, Writable, Executable | | |
| wlanapi.dll | 0x7fef6f10000 | 0x7fef6f2ffff | Memory Mapped File | Readable, Writable, Executable | | |
| rasman.dll | 0x7fef6f50000 | 0x7fef6f6bfff | Memory Mapped File | Readable, Writable, Executable | | |
| rasapi32.dll | 0x7fef6f70000 | 0x7fef6fd1fff | Memory Mapped File | Readable, Writable, Executable | | |
| mprapi.dll | 0x7fef6fe0000 | 0x7fef7019fff | Memory Mapped File | Readable, Writable, Executable | | |
| rasdlg.dll | 0x7fef7020000 | 0x7fef70f7fff | Memory Mapped File | Readable, Writable, Executable | | |
| netman.dll | 0x7fef7100000 | 0x7fef715bfff | Memory Mapped File | Readable, Writable, Executable | | |
| netshell.dll | 0x7fef7360000 | 0x7fef75eafff | Memory Mapped File | Readable, Writable, Executable | | |
| cscobj.dll | 0x7fef77b0000 | 0x7fef77eefff | Memory Mapped File | Readable, Writable, Executable | | |
| PortableDeviceConnectApi.dll | 0x7fef7940000 | 0x7fef7956fff | Memory Mapped File | Readable, Writable, Executable | | |
| Apphlpdm.dll | 0x7fef7a00000 | 0x7fef7a0bfff | Memory Mapped File | Readable, Writable, Executable | | |
| PortableDeviceApi.dll | 0x7fef7a10000 | 0x7fef7accfff | Memory Mapped File | Readable, Writable, Executable | | |
| wdi.dll | 0x7fef7ed0000 | 0x7fef7ee9fff | Memory Mapped File | Readable, Writable, Executable | | |
| hnetcfg.dll | 0x7fef7f70000 | 0x7fef7fdafff | Memory Mapped File | Readable, Writable, Executable | | |
| netcfgx.dll | 0x7fef8280000 | 0x7fef8303fff | Memory Mapped File | Readable, Writable, Executable | | |
| wbemsvc.dll | 0x7fef8310000 | 0x7fef8323fff | Memory Mapped File | Readable, Writable, Executable | | |
| wlanutil.dll | 0x7fef8790000 | 0x7fef8796fff | Memory Mapped File | Readable, Writable, Executable | | |
| wer.dll | 0x7fef8860000 | 0x7fef88dbfff | Memory Mapped File | Readable, Writable, Executable | | |
| trkwks.dll | 0x7fef8ca0000 | 0x7fef8cc1fff | Memory Mapped File | Readable, Writable, Executable | | |
| wbemprox.dll | 0x7fef8d20000 | 0x7fef8d2efff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdsapi.dll | 0x7fef8d30000 | 0x7fef8d56fff | Memory Mapped File | Readable, Writable, Executable | | |
| fastprox.dll | 0x7fef8d60000 | 0x7fef8e41fff | Memory Mapped File | Readable, Writable, Executable | | |
| wbemcomn.dll | 0x7fef9310000 | 0x7fef9395fff | Memory Mapped File | Readable, Writable, Executable | | |
| aepic.dll | 0x7fef94b0000 | 0x7fef94c1fff | Memory Mapped File | Readable, Writable, Executable | | |
| sfc_os.dll | 0x7fef9510000 | 0x7fef951ffff | Memory Mapped File | Readable, Writable, Executable | | |
| pcasvc.dll | 0x7fef9570000 | 0x7fef95a1fff | Memory Mapped File | Readable, Writable, Executable | | |
| winnsi.dll | 0x7fefafa0000 | 0x7fefafaafff | Memory Mapped File | Readable, Writable, Executable | | |
| IPHLPAPI.DLL | 0x7fefafb0000 | 0x7fefafd6fff | Memory Mapped File | Readable, Writable, Executable | | |
| uxsms.dll | 0x7fefb000000 | 0x7fefb00ffff | Memory Mapped File | Readable, Writable, Executable | | |
| slc.dll | 0x7fefb030000 | 0x7fefb03afff | Memory Mapped File | Readable, Writable, Executable | | |
| dsrole.dll | 0x7fefb040000 | 0x7fefb04bfff | Memory Mapped File | Readable, Writable, Executable | | |
| mstask.dll | 0x7fefb050000 | 0x7fefb08cfff | Memory Mapped File | Readable, Writable, Executable | | |
| taskschd.dll | 0x7fefb100000 | 0x7fefb226fff | Memory Mapped File | Readable, Writable, Executable | | |
| nlaapi.dll | 0x7fefb240000 | 0x7fefb254fff | Memory Mapped File | Readable, Writable, Executable | | |
| PeerDist.dll | 0x7fefb260000 | 0x7fefb28ffff | Memory Mapped File | Readable, Writable, Executable | | |
| atl.dll | 0x7fefb290000 | 0x7fefb2a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| cscsvc.dll | 0x7fefb3c0000 | 0x7fefb46bfff | Memory Mapped File | Readable, Writable, Executable | | |
| avrt.dll | 0x7fefb5c0000 | 0x7fefb5c8fff | Memory Mapped File | Readable, Writable, Executable | | |
| powrprof.dll | 0x7fefb5d0000 | 0x7fefb5fbfff | Memory Mapped File | Readable, Writable, Executable | | |
| audiosrv.dll | 0x7fefb600000 | 0x7fefb6abfff | Memory Mapped File | Readable, Writable, Executable | | |
| rtutils.dll | 0x7fefb6b0000 | 0x7fefb6c0fff | Memory Mapped File | Readable, Writable, Executable | | |
| wtsapi32.dll | 0x7fefbaf0000 | 0x7fefbb00fff | Memory Mapped File | Readable, Writable, Executable | | |
| xmllite.dll | 0x7fefbb20000 | 0x7fefbb54fff | Memory Mapped File | Readable, Writable, Executable | | |
| MMDevAPI.dll | 0x7fefbb80000 | 0x7fefbbcafff | Memory Mapped File | Readable, Writable, Executable | | |
| propsys.dll | 0x7fefbff0000 | 0x7fefc11bfff | Memory Mapped File | Readable, Writable, Executable | | |
| comctl32.dll | 0x7fefc310000 | 0x7fefc503fff | Memory Mapped File | Readable, Writable, Executable | | |
| version.dll | 0x7fefc800000 | 0x7fefc80bfff | Memory Mapped File | Readable, Writable, Executable | | |
| pcwum.dll | 0x7fefc990000 | 0x7fefc99cfff | Memory Mapped File | Readable, Writable, Executable | | |
| gpapi.dll | 0x7fefc9d0000 | 0x7fefc9eafff | Memory Mapped File | Readable, Writable, Executable | | |
| devrtl.dll | 0x7fefc9f0000 | 0x7fefca01fff | Memory Mapped File | Readable, Writable, Executable | | |
| rsaenh.dll | 0x7fefcc10000 | 0x7fefcc56fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptsp.dll | 0x7fefcf10000 | 0x7fefcf26fff | Memory Mapped File | Readable, Writable, Executable | | |
| authz.dll | 0x7fefd100000 | 0x7fefd12efff | Memory Mapped File | Readable, Writable, Executable | | |
| wevtapi.dll | 0x7fefd140000 | 0x7fefd1acfff | Memory Mapped File | Readable, Writable, Executable | | |
| sspicli.dll | 0x7fefd4e0000 | 0x7fefd504fff | Memory Mapped File | Readable, Writable, Executable | | |
| apphelp.dll | 0x7fefd510000 | 0x7fefd566fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptbase.dll | 0x7fefd570000 | 0x7fefd57efff | Memory Mapped File | Readable, Writable, Executable | | |
| winsta.dll | 0x7fefd620000 | 0x7fefd65cfff | Memory Mapped File | Readable, Writable, Executable | | |
| RpcRtRemote.dll | 0x7fefd660000 | 0x7fefd673fff | Memory Mapped File | Readable, Writable, Executable | | |
| msasn1.dll | 0x7fefd710000 | 0x7fefd71efff | Memory Mapped File | Readable, Writable, Executable | | |
| profapi.dll | 0x7fefd720000 | 0x7fefd72efff | Memory Mapped File | Readable, Writable, Executable | | |
| devobj.dll | 0x7fefd730000 | 0x7fefd749fff | Memory Mapped File | Readable, Writable, Executable | | |
| wintrust.dll | 0x7fefd790000 | 0x7fefd7cafff | Memory Mapped File | Readable, Writable, Executable | | |
| crypt32.dll | 0x7fefd7d0000 | 0x7fefd93cfff | Memory Mapped File | Readable, Writable, Executable | | |
| cfgmgr32.dll | 0x7fefd9f0000 | 0x7fefda25fff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x7fefda30000 | 0x7fefda9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| userenv.dll | 0x7fefdaa0000 | 0x7fefdabdfff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7fefdaf0000 | 0x7fefdbcafff | Memory Mapped File | Readable, Writable, Executable | | |
| msctf.dll | 0x7fefdbd0000 | 0x7fefdcd8fff | Memory Mapped File | Readable, Writable, Executable | | |
| shell32.dll | 0x7fefdce0000 | 0x7fefea67fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7fefea70000 | 0x7fefeb9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| setupapi.dll | 0x7fefeba0000 | 0x7fefed76fff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7feff2a0000 | 0x7feff2befff | Memory Mapped File | Readable, Writable, Executable | | |
| imm32.dll | 0x7feff2c0000 | 0x7feff2edfff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x7feff4e0000 | 0x7feff5a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| nsi.dll | 0x7feff650000 | 0x7feff657fff | Memory Mapped File | Readable, Writable, Executable | | |
| ole32.dll | 0x7feff6e0000 | 0x7feff8e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| oleaut32.dll | 0x7feff8f0000 | 0x7feff9c6fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7feff9d0000 | 0x7feffa36fff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x7feffa40000 | 0x7feffa4dfff | Memory Mapped File | Readable, Writable, Executable | | |
| ws2_32.dll | 0x7feffa50000 | 0x7feffa9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| clbcatq.dll | 0x7feffaa0000 | 0x7feffb38fff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x7feffb40000 | 0x7feffbdefff | Memory Mapped File | Readable, Writable, Executable | | |
| shlwapi.dll | 0x7feffbe0000 | 0x7feffc50fff | Memory Mapped File | Readable, Writable, Executable | | |
| apisetschema.dll | 0x7feffc70000 | 0x7feffc70fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x000007fffff8e000 | 0x7fffff8e000 | 0x7fffff8ffff | Private Memory | Readable, Writable | | |
| private_0x000007fffff96000 | 0x7fffff96000 | 0x7fffff97fff | Private Memory | Readable, Writable | | |
| private_0x000007fffff98000 | 0x7fffff98000 | 0x7fffff99fff | Private Memory | Readable, Writable | | |
| private_0x000007fffff9a000 | 0x7fffff9a000 | 0x7fffff9bfff | Private Memory | Readable, Writable | | |
| private_0x000007fffff9e000 | 0x7fffff9e000 | 0x7fffff9ffff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa0000 | 0x7fffffa0000 | 0x7fffffa1fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa2000 | 0x7fffffa2000 | 0x7fffffa3fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa4000 | 0x7fffffa4000 | 0x7fffffa5fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa6000 | 0x7fffffa6000 | 0x7fffffa7fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa8000 | 0x7fffffa8000 | 0x7fffffa9fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffaa000 | 0x7fffffaa000 | 0x7fffffabfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | Readable, Writable | | |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed File | Readable | | |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdbfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | Readable, Writable | | |
| Information | Value |
|---|---|
| ID / OS PID | #15 / 0x344 |
| OS Parent PID | 0x1c0 (c:\windows\system32\services.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k LocalService |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #208 0x408 #209 0x4B4 #210 0xB5C #211 0x9A4 #212 0x4B4 #213 0x708 #214 0x6BC #215 0x688 #216 0x67C #217 0x3F4 #218 0x3F0 #219 0x384 #220 0x380 #221 0x350 #222 0x34C #223 0x348 #494 0x85C #506 0x5D0 #517 0xA1C #521 0xA44 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000020000 | 0x00020000 | 0x0002ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed File | Readable | | |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable | | |
| locale.nls | 0x00060000 | 0x000c6fff | Memory Mapped File | Readable | | |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d6fff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed File | Readable, Writable | | |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable | | |
| private_0x0000000000100000 | 0x00100000 | 0x001fffff | Private Memory | Readable, Writable | | |
| private_0x0000000000200000 | 0x00200000 | 0x0027ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00507fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00690fff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x0075ffff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000760000 | 0x00760000 | 0x00a4bfff | Pagefile Backed File | Readable | | |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a50fff | Private Memory | Readable, Writable | | |
| ~FontCache-System.dat | 0x00a60000 | 0x00aaefff | Memory Mapped File | Readable, Writable | | |
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x00ab0fff | Pagefile Backed File | Readable | | |
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00b3ffff | Private Memory | Readable, Writable | | |
| es.dll | 0x00b40000 | 0x00b50fff | Memory Mapped File | Readable | | |
| stdole2.tlb | 0x00b60000 | 0x00b63fff | Memory Mapped File | Readable | | |
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x00b71fff | Pagefile Backed File | Readable | | |
| private_0x0000000000b80000 | 0x00b80000 | 0x00b80fff | Private Memory | Readable, Writable | | |
| private_0x0000000000be0000 | 0x00be0000 | 0x00beffff | Private Memory | Readable, Writable | | |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c7ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000c90000 | 0x00c90000 | 0x00d0ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000d10000 | 0x00d10000 | 0x00d8ffff | Private Memory | Readable, Writable | | |
| SortDefault.nls | 0x00e10000 | 0x010defff | Memory Mapped File | Readable | | |
| private_0x00000000010f0000 | 0x010f0000 | 0x0116ffff | Private Memory | Readable, Writable | | |
| ~FontCache-FontFace.dat | 0x01170000 | 0x0216ffff | Memory Mapped File | Readable, Writable | | |
| private_0x0000000002180000 | 0x02180000 | 0x021fffff | Private Memory | Readable, Writable | | |
| private_0x0000000002230000 | 0x02230000 | 0x0232ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002340000 | 0x02340000 | 0x023bffff | Private Memory | Readable, Writable | | |
| private_0x00000000024b0000 | 0x024b0000 | 0x0252ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002550000 | 0x02550000 | 0x0264ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002680000 | 0x02680000 | 0x026fffff | Private Memory | Readable, Writable | | |
| private_0x0000000002700000 | 0x02700000 | 0x0277ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002780000 | 0x02780000 | 0x027fffff | Private Memory | Readable, Writable | | |
| private_0x0000000002840000 | 0x02840000 | 0x0284ffff | Private Memory | Readable, Writable | | |
| KernelBase.dll.mui | 0x02850000 | 0x0290ffff | Memory Mapped File | Readable, Writable | | |
| private_0x0000000002910000 | 0x02910000 | 0x0298ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002a90000 | 0x02a90000 | 0x02b0ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002b90000 | 0x02b90000 | 0x02c0ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002d00000 | 0x02d00000 | 0x02d7ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002d80000 | 0x02d80000 | 0x02d8ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002dc0000 | 0x02dc0000 | 0x02e3ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002e40000 | 0x02e40000 | 0x0303ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003040000 | 0x03040000 | 0x0313ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003260000 | 0x03260000 | 0x032dffff | Private Memory | Readable, Writable | | |
| sfc.dll | 0x74130000 | 0x74132fff | Memory Mapped File | Readable, Writable, Executable | | |
| user32.dll | 0x77730000 | 0x77829fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x77830000 | 0x7794efff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| svchost.exe | 0xff840000 | 0xff84afff | Memory Mapped File | Readable, Writable, Executable | | |
| powertracker.dll | 0x7fef7960000 | 0x7fef796bfff | Memory Mapped File | Readable, Writable, Executable | | |
| perftrack.dll | 0x7fef7b00000 | 0x7fef7bebfff | Memory Mapped File | Readable, Writable, Executable | | |
| npmproxy.dll | 0x7fef7e90000 | 0x7fef7e9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| wdi.dll | 0x7fef7ed0000 | 0x7fef7ee9fff | Memory Mapped File | Readable, Writable, Executable | | |
| netprofm.dll | 0x7fef7ef0000 | 0x7fef7f63fff | Memory Mapped File | Readable, Writable, Executable | | |
| wer.dll | 0x7fef8860000 | 0x7fef88dbfff | Memory Mapped File | Readable, Writable, Executable | | |
| webio.dll | 0x7fef92a0000 | 0x7fef9303fff | Memory Mapped File | Readable, Writable, Executable | | |
| winhttp.dll | 0x7fef93a0000 | 0x7fef9410fff | Memory Mapped File | Readable, Writable, Executable | | |
| aepic.dll | 0x7fef94b0000 | 0x7fef94c1fff | Memory Mapped File | Readable, Writable, Executable | | |
| sfc_os.dll | 0x7fef9510000 | 0x7fef951ffff | Memory Mapped File | Readable, Writable, Executable | | |
| rasadhlp.dll | 0x7fefa870000 | 0x7fefa877fff | Memory Mapped File | Readable, Writable, Executable | | |
| dhcpcsvc.dll | 0x7fefadb0000 | 0x7fefadc7fff | Memory Mapped File | Readable, Writable, Executable | | |
| dhcpcsvc6.dll | 0x7fefae30000 | 0x7fefae40fff | Memory Mapped File | Readable, Writable, Executable | | |
| FWPUCLNT.DLL | 0x7fefae60000 | 0x7fefaeb2fff | Memory Mapped File | Readable, Writable, Executable | | |
| winnsi.dll | 0x7fefafa0000 | 0x7fefafaafff | Memory Mapped File | Readable, Writable, Executable | | |
| IPHLPAPI.DLL | 0x7fefafb0000 | 0x7fefafd6fff | Memory Mapped File | Readable, Writable, Executable | | |
| nsisvc.dll | 0x7fefafe0000 | 0x7fefafe9fff | Memory Mapped File | Readable, Writable, Executable | | |
| dsrole.dll | 0x7fefb040000 | 0x7fefb04bfff | Memory Mapped File | Readable, Writable, Executable | | |
| es.dll | 0x7fefb090000 | 0x7fefb0f6fff | Memory Mapped File | Readable, Writable, Executable | | |
| nlaapi.dll | 0x7fefb240000 | 0x7fefb254fff | Memory Mapped File | Readable, Writable, Executable | | |
| FntCache.dll | 0x7fefb490000 | 0x7fefb5b3fff | Memory Mapped File | Readable, Writable, Executable | | |
| pnrpnsp.dll | 0x7fefb900000 | 0x7fefb918fff | Memory Mapped File | Readable, Writable, Executable | | |
| NapiNSP.dll | 0x7fefb920000 | 0x7fefb934fff | Memory Mapped File | Readable, Writable, Executable | | |
| winrnr.dll | 0x7fefbb10000 | 0x7fefbb1afff | Memory Mapped File | Readable, Writable, Executable | | |
| dwmapi.dll | 0x7fefbb60000 | 0x7fefbb77fff | Memory Mapped File | Readable, Writable, Executable | | |
| version.dll | 0x7fefc800000 | 0x7fefc80bfff | Memory Mapped File | Readable, Writable, Executable | | |
| WSHTCPIP.DLL | 0x7fefc8d0000 | 0x7fefc8d6fff | Memory Mapped File | Readable, Writable, Executable | | |
| gpapi.dll | 0x7fefc9d0000 | 0x7fefc9eafff | Memory Mapped File | Readable, Writable, Executable | | |
| credssp.dll | 0x7fefcae0000 | 0x7fefcae9fff | Memory Mapped File | Readable, Writable, Executable | | |
| rsaenh.dll | 0x7fefcc10000 | 0x7fefcc56fff | Memory Mapped File | Readable, Writable, Executable | | |
| dnsapi.dll | 0x7fefcd30000 | 0x7fefcd8afff | Memory Mapped File | Readable, Writable, Executable | | |
| msv1_0.dll | 0x7fefce40000 | 0x7fefce91fff | Memory Mapped File | Readable, Writable, Executable | | |
| wship6.dll | 0x7fefcea0000 | 0x7fefcea6fff | Memory Mapped File | Readable, Writable, Executable | | |
| mswsock.dll | 0x7fefceb0000 | 0x7fefcf04fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptsp.dll | 0x7fefcf10000 | 0x7fefcf26fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptdll.dll | 0x7fefd1e0000 | 0x7fefd1f3fff | Memory Mapped File | Readable, Writable, Executable | | |
| secur32.dll | 0x7fefd4a0000 | 0x7fefd4aafff | Memory Mapped File | Readable, Writable, Executable | | |
| sspicli.dll | 0x7fefd4e0000 | 0x7fefd504fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptbase.dll | 0x7fefd570000 | 0x7fefd57efff | Memory Mapped File | Readable, Writable, Executable | | |
| sxs.dll | 0x7fefd580000 | 0x7fefd610fff | Memory Mapped File | Readable, Writable, Executable | | |
| RpcRtRemote.dll | 0x7fefd660000 | 0x7fefd673fff | Memory Mapped File | Readable, Writable, Executable | | |
| profapi.dll | 0x7fefd720000 | 0x7fefd72efff | Memory Mapped File | Readable, Writable, Executable | | |
| devobj.dll | 0x7fefd730000 | 0x7fefd749fff | Memory Mapped File | Readable, Writable, Executable | | |
| cfgmgr32.dll | 0x7fefd9f0000 | 0x7fefda25fff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x7fefda30000 | 0x7fefda9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| userenv.dll | 0x7fefdaa0000 | 0x7fefdabdfff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7fefdaf0000 | 0x7fefdbcafff | Memory Mapped File | Readable, Writable, Executable | | |
| msctf.dll | 0x7fefdbd0000 | 0x7fefdcd8fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7fefea70000 | 0x7fefeb9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7feff2a0000 | 0x7feff2befff | Memory Mapped File | Readable, Writable, Executable | | |
| imm32.dll | 0x7feff2c0000 | 0x7feff2edfff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x7feff4e0000 | 0x7feff5a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| nsi.dll | 0x7feff650000 | 0x7feff657fff | Memory Mapped File | Readable, Writable, Executable | | |
| ole32.dll | 0x7feff6e0000 | 0x7feff8e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| oleaut32.dll | 0x7feff8f0000 | 0x7feff9c6fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7feff9d0000 | 0x7feffa36fff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x7feffa40000 | 0x7feffa4dfff | Memory Mapped File | Readable, Writable, Executable | | |
| ws2_32.dll | 0x7feffa50000 | 0x7feffa9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| clbcatq.dll | 0x7feffaa0000 | 0x7feffb38fff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x7feffb40000 | 0x7feffbdefff | Memory Mapped File | Readable, Writable, Executable | | |
| shlwapi.dll | 0x7feffbe0000 | 0x7feffc50fff | Memory Mapped File | Readable, Writable, Executable | | |
| apisetschema.dll | 0x7feffc70000 | 0x7feffc70fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x000007fffff96000 | 0x7fffff96000 | 0x7fffff97fff | Private Memory | Readable, Writable | | |
| private_0x000007fffff9a000 | 0x7fffff9a000 | 0x7fffff9bfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa2000 | 0x7fffffa2000 | 0x7fffffa3fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa4000 | 0x7fffffa4000 | 0x7fffffa5fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa6000 | 0x7fffffa6000 | 0x7fffffa7fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa8000 | 0x7fffffa8000 | 0x7fffffa9fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffaa000 | 0x7fffffaa000 | 0x7fffffabfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | Readable, Writable | | |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed File | Readable | | |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | Readable, Writable | | |
| Information | Value |
|---|---|
| ID / OS PID | #16 / 0x35c |
| OS Parent PID | 0x1c0 (c:\windows\system32\services.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k netsvcs |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #224 0x8D0 #225 0x80C #226 0x848 #227 0xBFC #228 0xBE0 #229 0xBDC #230 0xBD4 #231 0xBD0 #232 0x72C #233 0x750 #234 0x334 #235 0x480 #236 0x680 #237 0x664 #238 0x638 #239 0x62C #240 0x628 #241 0x608 #242 0x5D4 #243 0x5A8 #244 0x588 #245 0x448 #246 0x1B8 #247 0x12C #248 0x38C #249 0x358 #250 0x270 #251 0x244 #252 0x204 #253 0x20C #254 0x10C #255 0x3C0 #256 0x3B8 #257 0x3B4 #258 0x37C #259 0x370 #260 0x368 #261 0x364 #262 0x360 #491 0x984 #492 0xF4 #493 0x618 #495 0x66C #509 0x774 #511 0x858 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| ID / OS PID | #18 / 0x108 |
| OS Parent PID | 0x1c0 (c:\windows\system32\services.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k NetworkService |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #269 0xB60 #270 0x430 #271 0x308 #272 0x5A0 #273 0x6FC #274 0x660 #275 0x64C #276 0x610 #277 0x5DC #278 0x544 #279 0x158 #280 0x15C #281 0x170 #282 0x134 #283 0x138 #284 0x110 #285 0x114 #469 0x290 #475 0x96C #497 0x6B0 #500 0x6D0 #501 0x4C0 #504 0x6C8 #513 0x5E0 #520 0x958 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000020000 | 0x00020000 | 0x0002ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed File | Readable | | |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable | | |
| locale.nls | 0x00060000 | 0x000c6fff | Memory Mapped File | Readable | | |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d6fff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed File | Readable, Writable | | |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable | | |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed File | Readable | | |
| private_0x0000000000130000 | 0x00130000 | 0x00130fff | Private Memory | Readable, Writable | | |
| private_0x0000000000140000 | 0x00140000 | 0x00159fff | Private Memory | Readable, Writable | | |
| private_0x0000000000160000 | 0x00160000 | 0x00160fff | Private Memory | Readable, Writable | | |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | Readable, Writable | | |
| private_0x0000000000180000 | 0x00180000 | 0x001fffff | Private Memory | Readable, Writable | | |
| private_0x0000000000200000 | 0x00200000 | 0x002fffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000300000 | 0x00300000 | 0x003bffff | Pagefile Backed File | Readable | | |
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | Readable, Writable | | |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | Readable, Writable | | |
| private_0x00000000003e0000 | 0x003e0000 | 0x003effff | Private Memory | Readable, Writable | | |
| private_0x00000000003f0000 | 0x003f0000 | 0x004effff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000004f0000 | 0x004f0000 | 0x00677fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000680000 | 0x00680000 | 0x00800fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000810000 | 0x00810000 | 0x00afbfff | Pagefile Backed File | Readable | | |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b00fff | Private Memory | Readable, Writable | | |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b11fff | Private Memory | Readable, Writable | | |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b2ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b3ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b40fff | Private Memory | Readable, Writable | | |
| private_0x0000000000b50000 | 0x00b50000 | 0x00b50fff | Private Memory | Readable, Writable | | |
| private_0x0000000000b60000 | 0x00b60000 | 0x00b64fff | Private Memory | Readable, Writable | | |
| private_0x0000000000b70000 | 0x00b70000 | 0x00beffff | Private Memory | Readable, Writable | | |
| catdb | 0x00bf0000 | 0x00bfffff | Memory Mapped File | Readable, Writable | | |
| private_0x0000000000c00000 | 0x00c00000 | 0x00c7ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000c80000 | 0x00c80000 | 0x00cfffff | Private Memory | Readable, Writable | | |
| catdb | 0x00d00000 | 0x00d0ffff | Memory Mapped File | Readable, Writable | | |
| catdb | 0x00d10000 | 0x00d1ffff | Memory Mapped File | Readable, Writable | | |
| pagefile_0x0000000000d80000 | 0x00d80000 | 0x00d8ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000d90000 | 0x00d90000 | 0x00d9ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000da0000 | 0x00da0000 | 0x00daffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000db0000 | 0x00db0000 | 0x00dbffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000dc0000 | 0x00dc0000 | 0x00dcffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000dd0000 | 0x00dd0000 | 0x00ddffff | Pagefile Backed File | Readable, Writable | | |
| catdb | 0x00de0000 | 0x00deffff | Memory Mapped File | Readable, Writable | | |
| catdb | 0x00df0000 | 0x00dfffff | Memory Mapped File | Readable, Writable | | |
| catdb | 0x00e00000 | 0x00e0ffff | Memory Mapped File | Readable, Writable | | |
| private_0x0000000000e10000 | 0x00e10000 | 0x00e1ffff | Private Memory | Readable, Writable | | |
| catdb | 0x00e20000 | 0x00e2ffff | Memory Mapped File | Readable, Writable | | |
| catdb | 0x00e30000 | 0x00e3ffff | Memory Mapped File | Readable, Writable | | |
| catdb | 0x00e40000 | 0x00e4ffff | Memory Mapped File | Readable, Writable | | |
| catdb | 0x00e50000 | 0x00e5ffff | Memory Mapped File | Readable, Writable | | |
| SortDefault.nls | 0x00e60000 | 0x0112efff | Memory Mapped File | Readable | | |
| KernelBase.dll.mui | 0x01130000 | 0x011effff | Memory Mapped File | Readable, Writable | | |
| catdb | 0x011f0000 | 0x011fffff | Memory Mapped File | Readable, Writable | | |
| catdb | 0x01200000 | 0x0120ffff | Memory Mapped File | Readable, Writable | | |
| private_0x0000000001210000 | 0x01210000 | 0x0128ffff | Private Memory | Readable, Writable | | |
| catdb | 0x01290000 | 0x0129ffff | Memory Mapped File | Readable, Writable | | |
| catdb | 0x012a0000 | 0x012affff | Memory Mapped File | Readable, Writable | | |
| private_0x00000000012b0000 | 0x012b0000 | 0x0132ffff | Private Memory | Readable, Writable | | |
| catdb | 0x01330000 | 0x0133ffff | Memory Mapped File | Readable, Writable | | |
| catdb | 0x01340000 | 0x0134ffff | Memory Mapped File | Readable, Writable | | |
| private_0x0000000001350000 | 0x01350000 | 0x0135ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001360000 | 0x01360000 | 0x013dffff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000013e0000 | 0x013e0000 | 0x013effff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x00000000013f0000 | 0x013f0000 | 0x013fffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000001400000 | 0x01400000 | 0x0140ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000001410000 | 0x01410000 | 0x0141ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000001420000 | 0x01420000 | 0x0142ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000001430000 | 0x01430000 | 0x0143ffff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000001440000 | 0x01440000 | 0x0144ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001450000 | 0x01450000 | 0x0145ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001460000 | 0x01460000 | 0x0146ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001470000 | 0x01470000 | 0x0147ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001480000 | 0x01480000 | 0x014fffff | Private Memory | Readable, Writable | | |
| private_0x0000000001500000 | 0x01500000 | 0x015fffff | Private Memory | Readable, Writable | | |
| private_0x0000000001600000 | 0x01600000 | 0x0167ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001680000 | 0x01680000 | 0x01680fff | Private Memory | Readable, Writable | | |
| private_0x0000000001690000 | 0x01690000 | 0x0170ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001710000 | 0x01710000 | 0x0178ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001790000 | 0x01790000 | 0x0188ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001890000 | 0x01890000 | 0x01890fff | Private Memory | Readable, Writable | | |
| private_0x00000000018a0000 | 0x018a0000 | 0x018a0fff | Private Memory | Readable, Writable | | |
| catdb | 0x018b0000 | 0x018bffff | Memory Mapped File | Readable, Writable | | |
| private_0x00000000018c0000 | 0x018c0000 | 0x0193ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001940000 | 0x01940000 | 0x0194ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001a10000 | 0x01a10000 | 0x01a8ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001ab0000 | 0x01ab0000 | 0x01b2ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001b30000 | 0x01b30000 | 0x01c2ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001c70000 | 0x01c70000 | 0x01c7ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001d40000 | 0x01d40000 | 0x01dbffff | Private Memory | Readable, Writable | | |
| private_0x0000000001e80000 | 0x01e80000 | 0x01f7ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001fa0000 | 0x01fa0000 | 0x0201ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002040000 | 0x02040000 | 0x020bffff | Private Memory | Readable, Writable | | |
| private_0x00000000020d0000 | 0x020d0000 | 0x0214ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002150000 | 0x02150000 | 0x0224ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002300000 | 0x02300000 | 0x023fffff | Private Memory | Readable, Writable | | |
| private_0x0000000002400000 | 0x02400000 | 0x033fffff | Private Memory | Readable, Writable | | |
| private_0x0000000003500000 | 0x03500000 | 0x0357ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003680000 | 0x03680000 | 0x0368ffff | Private Memory | Readable, Writable | | |
| user32.dll | 0x77730000 | 0x77829fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x77830000 | 0x7794efff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| psapi.dll | 0x77b20000 | 0x77b26fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| svchost.exe | 0xff840000 | 0xff84afff | Memory Mapped File | Readable, Writable, Executable | | |
| ssdpapi.dll | 0x7fef8330000 | 0x7fef8340fff | Memory Mapped File | Readable, Writable, Executable | | |
| esent.dll | 0x7fef9020000 | 0x7fef9299fff | Memory Mapped File | Readable, Writable, Executable | | |
| webio.dll | 0x7fef92a0000 | 0x7fef9303fff | Memory Mapped File | Readable, Writable, Executable | | |
| winhttp.dll | 0x7fef93a0000 | 0x7fef9410fff | Memory Mapped File | Readable, Writable, Executable | | |
| ncsi.dll | 0x7fef9520000 | 0x7fef9558fff | Memory Mapped File | Readable, Writable, Executable | | |
| nlasvc.dll | 0x7fef95e0000 | 0x7fef962dfff | Memory Mapped File | Readable, Writable, Executable | | |
| vsstrace.dll | 0x7fef9740000 | 0x7fef9756fff | Memory Mapped File | Readable, Writable, Executable | | |
| vssapi.dll | 0x7fef9760000 | 0x7fef990ffff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptnet.dll | 0x7fef9940000 | 0x7fef9966fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptsvc.dll | 0x7fef9970000 | 0x7fef99a2fff | Memory Mapped File | Readable, Writable, Executable | | |
| wkssvc.dll | 0x7fef9db0000 | 0x7fef9dcffff | Memory Mapped File | Readable, Writable, Executable | | |
| rasadhlp.dll | 0x7fefa870000 | 0x7fefa877fff | Memory Mapped File | Readable, Writable, Executable | | |
| dhcpcsvc.dll | 0x7fefadb0000 | 0x7fefadc7fff | Memory Mapped File | Readable, Writable, Executable | | |
| dhcpcsvc6.dll | 0x7fefae30000 | 0x7fefae40fff | Memory Mapped File | Readable, Writable, Executable | | |
| dnsext.dll | 0x7fefae50000 | 0x7fefae56fff | Memory Mapped File | Readable, Writable, Executable | | |
| FWPUCLNT.DLL | 0x7fefae60000 | 0x7fefaeb2fff | Memory Mapped File | Readable, Writable, Executable | | |
| dnsrslvr.dll | 0x7fefaf60000 | 0x7fefaf8ffff | Memory Mapped File | Readable, Writable, Executable | | |
| winnsi.dll | 0x7fefafa0000 | 0x7fefafaafff | Memory Mapped File | Readable, Writable, Executable | | |
| IPHLPAPI.DLL | 0x7fefafb0000 | 0x7fefafd6fff | Memory Mapped File | Readable, Writable, Executable | | |
| es.dll | 0x7fefb090000 | 0x7fefb0f6fff | Memory Mapped File | Readable, Writable, Executable | | |
| atl.dll | 0x7fefb290000 | 0x7fefb2a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| samcli.dll | 0x7fefb800000 | 0x7fefb813fff | Memory Mapped File | Readable, Writable, Executable | | |
| wkscli.dll | 0x7fefb820000 | 0x7fefb834fff | Memory Mapped File | Readable, Writable, Executable | | |
| netutils.dll | 0x7fefb840000 | 0x7fefb84bfff | Memory Mapped File | Readable, Writable, Executable | | |
| wtsapi32.dll | 0x7fefbaf0000 | 0x7fefbb00fff | Memory Mapped File | Readable, Writable, Executable | | |
| propsys.dll | 0x7fefbff0000 | 0x7fefc11bfff | Memory Mapped File | Readable, Writable, Executable | | |
| samlib.dll | 0x7fefc120000 | 0x7fefc13cfff | Memory Mapped File | Readable, Writable, Executable | | |
| WSHTCPIP.DLL | 0x7fefc8d0000 | 0x7fefc8d6fff | Memory Mapped File | Readable, Writable, Executable | | |
| gpapi.dll | 0x7fefc9d0000 | 0x7fefc9eafff | Memory Mapped File | Readable, Writable, Executable | | |
| credssp.dll | 0x7fefcae0000 | 0x7fefcae9fff | Memory Mapped File | Readable, Writable, Executable | | |
| bcryptprimitives.dll | 0x7fefcb50000 | 0x7fefcb9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| rsaenh.dll | 0x7fefcc10000 | 0x7fefcc56fff | Memory Mapped File | Readable, Writable, Executable | | |
| dnsapi.dll | 0x7fefcd30000 | 0x7fefcd8afff | Memory Mapped File | Readable, Writable, Executable | | |
| wship6.dll | 0x7fefcea0000 | 0x7fefcea6fff | Memory Mapped File | Readable, Writable, Executable | | |
| mswsock.dll | 0x7fefceb0000 | 0x7fefcf04fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptsp.dll | 0x7fefcf10000 | 0x7fefcf26fff | Memory Mapped File | Readable, Writable, Executable | | |
| netjoin.dll | 0x7fefd020000 | 0x7fefd051fff | Memory Mapped File | Readable, Writable, Executable | | |
| bcrypt.dll | 0x7fefd080000 | 0x7fefd0a1fff | Memory Mapped File | Readable, Writable, Executable | | |
| wevtapi.dll | 0x7fefd140000 | 0x7fefd1acfff | Memory Mapped File | Readable, Writable, Executable | | |
| secur32.dll | 0x7fefd4a0000 | 0x7fefd4aafff | Memory Mapped File | Readable, Writable, Executable | | |
| sspicli.dll | 0x7fefd4e0000 | 0x7fefd504fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptbase.dll | 0x7fefd570000 | 0x7fefd57efff | Memory Mapped File | Readable, Writable, Executable | | |
| winsta.dll | 0x7fefd620000 | 0x7fefd65cfff | Memory Mapped File | Readable, Writable, Executable | | |
| RpcRtRemote.dll | 0x7fefd660000 | 0x7fefd673fff | Memory Mapped File | Readable, Writable, Executable | | |
| msasn1.dll | 0x7fefd710000 | 0x7fefd71efff | Memory Mapped File | Readable, Writable, Executable | | |
| profapi.dll | 0x7fefd720000 | 0x7fefd72efff | Memory Mapped File | Readable, Writable, Executable | | |
| crypt32.dll | 0x7fefd7d0000 | 0x7fefd93cfff | Memory Mapped File | Readable, Writable, Executable | | |
| cfgmgr32.dll | 0x7fefd9f0000 | 0x7fefda25fff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x7fefda30000 | 0x7fefda9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| userenv.dll | 0x7fefdaa0000 | 0x7fefdabdfff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7fefdaf0000 | 0x7fefdbcafff | Memory Mapped File | Readable, Writable, Executable | | |
| msctf.dll | 0x7fefdbd0000 | 0x7fefdcd8fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7fefea70000 | 0x7fefeb9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7feff2a0000 | 0x7feff2befff | Memory Mapped File | Readable, Writable, Executable | | |
| imm32.dll | 0x7feff2c0000 | 0x7feff2edfff | Memory Mapped File | Readable, Writable, Executable | | |
| Wldap32.dll | 0x7feff480000 | 0x7feff4d1fff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x7feff4e0000 | 0x7feff5a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| nsi.dll | 0x7feff650000 | 0x7feff657fff | Memory Mapped File | Readable, Writable, Executable | | |
| ole32.dll | 0x7feff6e0000 | 0x7feff8e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| oleaut32.dll | 0x7feff8f0000 | 0x7feff9c6fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7feff9d0000 | 0x7feffa36fff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x7feffa40000 | 0x7feffa4dfff | Memory Mapped File | Readable, Writable, Executable | | |
| ws2_32.dll | 0x7feffa50000 | 0x7feffa9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| clbcatq.dll | 0x7feffaa0000 | 0x7feffb38fff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x7feffb40000 | 0x7feffbdefff | Memory Mapped File | Readable, Writable, Executable | | |
| shlwapi.dll | 0x7feffbe0000 | 0x7feffc50fff | Memory Mapped File | Readable, Writable, Executable | | |
| apisetschema.dll | 0x7feffc70000 | 0x7feffc70fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x000007fffff94000 | 0x7fffff94000 | 0x7fffff95fff | Private Memory | Readable, Writable | | |
| private_0x000007fffff96000 | 0x7fffff96000 | 0x7fffff97fff | Private Memory | Readable, Writable | | |
| private_0x000007fffff98000 | 0x7fffff98000 | 0x7fffff99fff | Private Memory | Readable, Writable | | |
| private_0x000007fffff9c000 | 0x7fffff9c000 | 0x7fffff9dfff | Private Memory | Readable, Writable | | |
| private_0x000007fffff9e000 | 0x7fffff9e000 | 0x7fffff9ffff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa2000 | 0x7fffffa2000 | 0x7fffffa3fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa6000 | 0x7fffffa6000 | 0x7fffffa7fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa8000 | 0x7fffffa8000 | 0x7fffffa9fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffaa000 | 0x7fffffaa000 | 0x7fffffabfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | Readable, Writable | | |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed File | Readable | | |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdbfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | Readable, Writable | | |
| Information | Value |
|---|---|
| ID / OS PID | #19 / 0x3fc |
| OS Parent PID | 0x1c0 (c:\windows\system32\services.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\system32\spoolsv.exe |
| Command Line | C:\Windows\System32\spoolsv.exe |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #286 0xB78 #287 0x580 #288 0x568 #289 0x564 #290 0x548 #291 0x540 #292 0x53C #293 0x530 #294 0x504 #295 0x404 #296 0x208 #297 0x388 #298 0x28C #299 0xFC #496 0x9C4 #499 0x420 #510 0x744 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed File | Readable | | |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable | | |
| locale.nls | 0x00060000 | 0x000c6fff | Memory Mapped File | Readable | | |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed File | Readable, Writable | | |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | Readable, Writable | | |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable | | |
| private_0x0000000000100000 | 0x00100000 | 0x0013ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00150fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed File | Readable | | |
| msxml6r.dll | 0x00170000 | 0x00170fff | Memory Mapped File | Readable | | |
| private_0x0000000000180000 | 0x00180000 | 0x0019ffff | Private Memory | - | | |
| private_0x00000000001b0000 | 0x001b0000 | 0x002affff | Private Memory | Readable, Writable | | |
| private_0x00000000002b0000 | 0x002b0000 | 0x003affff | Private Memory | Readable, Writable | | |
| private_0x00000000003b0000 | 0x003b0000 | 0x0042ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000470000 | 0x00470000 | 0x0047ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000480000 | 0x00480000 | 0x00607fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00790fff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x01b9ffff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000001ba0000 | 0x01ba0000 | 0x01e8bfff | Pagefile Backed File | Readable | | |
| private_0x0000000001ec0000 | 0x01ec0000 | 0x01efffff | Private Memory | Readable, Writable | | |
| private_0x0000000001f10000 | 0x01f10000 | 0x01f1ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001f40000 | 0x01f40000 | 0x01f7ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001f90000 | 0x01f90000 | 0x01fcffff | Private Memory | Readable, Writable | | |
| private_0x0000000002000000 | 0x02000000 | 0x0203ffff | Private Memory | Readable, Writable | | |
| private_0x00000000020e0000 | 0x020e0000 | 0x0211ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002140000 | 0x02140000 | 0x021bffff | Private Memory | Readable, Writable | | |
| private_0x00000000021e0000 | 0x021e0000 | 0x0221ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002270000 | 0x02270000 | 0x0227ffff | Private Memory | Readable, Writable | | |
| private_0x00000000022b0000 | 0x022b0000 | 0x022bffff | Private Memory | Readable, Writable | | |
| private_0x00000000022f0000 | 0x022f0000 | 0x0232ffff | Private Memory | Readable, Writable | | |
| SortDefault.nls | 0x02370000 | 0x0263efff | Memory Mapped File | Readable | | |
| private_0x0000000002660000 | 0x02660000 | 0x0269ffff | Private Memory | Readable, Writable | | |
| private_0x00000000026b0000 | 0x026b0000 | 0x0272ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002750000 | 0x02750000 | 0x0278ffff | Private Memory | Readable, Writable | | |
| private_0x00000000027b0000 | 0x027b0000 | 0x0282ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002830000 | 0x02830000 | 0x02930fff | Private Memory | Readable, Writable | | |
| private_0x0000000002940000 | 0x02940000 | 0x02a3ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002ae0000 | 0x02ae0000 | 0x02b5ffff | Private Memory | Readable, Writable | | |
| KernelBase.dll.mui | 0x02b60000 | 0x02c1ffff | Memory Mapped File | Readable, Writable | | |
| private_0x0000000002c70000 | 0x02c70000 | 0x02caffff | Private Memory | Readable, Writable | | |
| private_0x0000000002ce0000 | 0x02ce0000 | 0x02d5ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002dc0000 | 0x02dc0000 | 0x02dfffff | Private Memory | Readable, Writable | | |
| private_0x0000000002e40000 | 0x02e40000 | 0x02e4ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002ec0000 | 0x02ec0000 | 0x02f3ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002f40000 | 0x02f40000 | 0x0333ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003340000 | 0x03340000 | 0x0343ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003450000 | 0x03450000 | 0x0348ffff | Private Memory | Readable, Writable | | |
| private_0x00000000034c0000 | 0x034c0000 | 0x034fffff | Private Memory | Readable, Writable | | |
| user32.dll | 0x77730000 | 0x77829fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x77830000 | 0x7794efff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| spoolsv.exe | 0xff3f0000 | 0xff47bfff | Memory Mapped File | Readable, Writable, Executable | | |
| inetpp.dll | 0x7fef95b0000 | 0x7fef95dcfff | Memory Mapped File | Readable, Writable, Executable | | |
| win32spl.dll | 0x7fef9680000 | 0x7fef973cfff | Memory Mapped File | Readable, Writable, Executable | | |
| winprint.dll | 0x7fef99b0000 | 0x7fef99bdfff | Memory Mapped File | Readable, Writable, Executable | | |
| fdPnp.dll | 0x7fef99c0000 | 0x7fef99cffff | Memory Mapped File | Readable, Writable, Executable | | |
| fundisc.dll | 0x7fef99d0000 | 0x7fef9a02fff | Memory Mapped File | Readable, Writable, Executable | | |
| webservices.dll | 0x7fef9ab0000 | 0x7fef9bcefff | Memory Mapped File | Readable, Writable, Executable | | |
| WSDApi.dll | 0x7fef9bd0000 | 0x7fef9c60fff | Memory Mapped File | Readable, Writable, Executable | | |
| cscapi.dll | 0x7fef9c70000 | 0x7fef9c7efff | Memory Mapped File | Readable, Writable, Executable | | |
| WSDMon.dll | 0x7fef9c80000 | 0x7fef9cb9fff | Memory Mapped File | Readable, Writable, Executable | | |
| WlS0WndH.dll | 0x7fef9d90000 | 0x7fef9d96fff | Memory Mapped File | Readable, Writable, Executable | | |
| usbmon.dll | 0x7fef9da0000 | 0x7fef9daefff | Memory Mapped File | Readable, Writable, Executable | | |
| msxml6.dll | 0x7fef9dd0000 | 0x7fef9fc0fff | Memory Mapped File | Readable, Writable, Executable | | |
| wsnmp32.dll | 0x7fef9fd0000 | 0x7fef9fe3fff | Memory Mapped File | Readable, Writable, Executable | | |
| snmpapi.dll | 0x7fef9ff0000 | 0x7fef9ffafff | Memory Mapped File | Readable, Writable, Executable | | |
| tcpmon.dll | 0x7fefa000000 | 0x7fefa033fff | Memory Mapped File | Readable, Writable, Executable | | |
| FXSMON.dll | 0x7fefa210000 | 0x7fefa21dfff | Memory Mapped File | Readable, Writable, Executable | | |
| PrintIsolationProxy.dll | 0x7fefa220000 | 0x7fefa22ffff | Memory Mapped File | Readable, Writable, Executable | | |
| winspool.drv | 0x7fefa230000 | 0x7fefa2a0fff | Memory Mapped File | Readable, Writable, Executable | | |
| spoolss.dll | 0x7fefa2b0000 | 0x7fefa2c1fff | Memory Mapped File | Readable, Writable, Executable | | |
| localspl.dll | 0x7fefa2d0000 | 0x7fefa3bdfff | Memory Mapped File | Readable, Writable, Executable | | |
| umb.dll | 0x7fefa3c0000 | 0x7fefa3d2fff | Memory Mapped File | Readable, Writable, Executable | | |
| rasadhlp.dll | 0x7fefa870000 | 0x7fefa877fff | Memory Mapped File | Readable, Writable, Executable | | |
| FWPUCLNT.DLL | 0x7fefae60000 | 0x7fefaeb2fff | Memory Mapped File | Readable, Writable, Executable | | |
| winnsi.dll | 0x7fefafa0000 | 0x7fefafaafff | Memory Mapped File | Readable, Writable, Executable | | |
| IPHLPAPI.DLL | 0x7fefafb0000 | 0x7fefafd6fff | Memory Mapped File | Readable, Writable, Executable | | |
| slc.dll | 0x7fefb030000 | 0x7fefb03afff | Memory Mapped File | Readable, Writable, Executable | | |
| dsrole.dll | 0x7fefb040000 | 0x7fefb04bfff | Memory Mapped File | Readable, Writable, Executable | | |
| atl.dll | 0x7fefb290000 | 0x7fefb2a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| powrprof.dll | 0x7fefb5d0000 | 0x7fefb5fbfff | Memory Mapped File | Readable, Writable, Executable | | |
| netutils.dll | 0x7fefb840000 | 0x7fefb84bfff | Memory Mapped File | Readable, Writable, Executable | | |
| wtsapi32.dll | 0x7fefbaf0000 | 0x7fefbb00fff | Memory Mapped File | Readable, Writable, Executable | | |
| version.dll | 0x7fefc800000 | 0x7fefc80bfff | Memory Mapped File | Readable, Writable, Executable | | |
| FirewallAPI.dll | 0x7fefc810000 | 0x7fefc8cafff | Memory Mapped File | Readable, Writable, Executable | | |
| WSHTCPIP.DLL | 0x7fefc8d0000 | 0x7fefc8d6fff | Memory Mapped File | Readable, Writable, Executable | | |
| gpapi.dll | 0x7fefc9d0000 | 0x7fefc9eafff | Memory Mapped File | Readable, Writable, Executable | | |
| devrtl.dll | 0x7fefc9f0000 | 0x7fefca01fff | Memory Mapped File | Readable, Writable, Executable | | |
| SPInf.dll | 0x7fefca10000 | 0x7fefca2efff | Memory Mapped File | Readable, Writable, Executable | | |
| credssp.dll | 0x7fefcae0000 | 0x7fefcae9fff | Memory Mapped File | Readable, Writable, Executable | | |
| rsaenh.dll | 0x7fefcc10000 | 0x7fefcc56fff | Memory Mapped File | Readable, Writable, Executable | | |
| dnsapi.dll | 0x7fefcd30000 | 0x7fefcd8afff | Memory Mapped File | Readable, Writable, Executable | | |
| wship6.dll | 0x7fefcea0000 | 0x7fefcea6fff | Memory Mapped File | Readable, Writable, Executable | | |
| mswsock.dll | 0x7fefceb0000 | 0x7fefcf04fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptsp.dll | 0x7fefcf10000 | 0x7fefcf26fff | Memory Mapped File | Readable, Writable, Executable | | |
| srvcli.dll | 0x7fefd1b0000 | 0x7fefd1d2fff | Memory Mapped File | Readable, Writable, Executable | | |
| secur32.dll | 0x7fefd4a0000 | 0x7fefd4aafff | Memory Mapped File | Readable, Writable, Executable | | |
| sspicli.dll | 0x7fefd4e0000 | 0x7fefd504fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptbase.dll | 0x7fefd570000 | 0x7fefd57efff | Memory Mapped File | Readable, Writable, Executable | | |
| winsta.dll | 0x7fefd620000 | 0x7fefd65cfff | Memory Mapped File | Readable, Writable, Executable | | |
| RpcRtRemote.dll | 0x7fefd660000 | 0x7fefd673fff | Memory Mapped File | Readable, Writable, Executable | | |
| msasn1.dll | 0x7fefd710000 | 0x7fefd71efff | Memory Mapped File | Readable, Writable, Executable | | |
| profapi.dll | 0x7fefd720000 | 0x7fefd72efff | Memory Mapped File | Readable, Writable, Executable | | |
| devobj.dll | 0x7fefd730000 | 0x7fefd749fff | Memory Mapped File | Readable, Writable, Executable | | |
| wintrust.dll | 0x7fefd790000 | 0x7fefd7cafff | Memory Mapped File | Readable, Writable, Executable | | |
| crypt32.dll | 0x7fefd7d0000 | 0x7fefd93cfff | Memory Mapped File | Readable, Writable, Executable | | |
| cfgmgr32.dll | 0x7fefd9f0000 | 0x7fefda25fff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x7fefda30000 | 0x7fefda9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| userenv.dll | 0x7fefdaa0000 | 0x7fefdabdfff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7fefdaf0000 | 0x7fefdbcafff | Memory Mapped File | Readable, Writable, Executable | | |
| msctf.dll | 0x7fefdbd0000 | 0x7fefdcd8fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7fefea70000 | 0x7fefeb9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| setupapi.dll | 0x7fefeba0000 | 0x7fefed76fff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7feff2a0000 | 0x7feff2befff | Memory Mapped File | Readable, Writable, Executable | | |
| imm32.dll | 0x7feff2c0000 | 0x7feff2edfff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x7feff4e0000 | 0x7feff5a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| nsi.dll | 0x7feff650000 | 0x7feff657fff | Memory Mapped File | Readable, Writable, Executable | | |
| ole32.dll | 0x7feff6e0000 | 0x7feff8e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| oleaut32.dll | 0x7feff8f0000 | 0x7feff9c6fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7feff9d0000 | 0x7feffa36fff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x7feffa40000 | 0x7feffa4dfff | Memory Mapped File | Readable, Writable, Executable | | |
| ws2_32.dll | 0x7feffa50000 | 0x7feffa9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| clbcatq.dll | 0x7feffaa0000 | 0x7feffb38fff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x7feffb40000 | 0x7feffbdefff | Memory Mapped File | Readable, Writable, Executable | | |
| shlwapi.dll | 0x7feffbe0000 | 0x7feffc50fff | Memory Mapped File | Readable, Writable, Executable | | |
| apisetschema.dll | 0x7feffc70000 | 0x7feffc70fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x000007fffff9c000 | 0x7fffff9c000 | 0x7fffff9dfff | Private Memory | Readable, Writable | | |
| private_0x000007fffff9e000 | 0x7fffff9e000 | 0x7fffff9ffff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa2000 | 0x7fffffa2000 | 0x7fffffa3fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa4000 | 0x7fffffa4000 | 0x7fffffa5fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa6000 | 0x7fffffa6000 | 0x7fffffa7fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa8000 | 0x7fffffa8000 | 0x7fffffa9fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffaa000 | 0x7fffffaa000 | 0x7fffffabfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | Readable, Writable | | |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed File | Readable | | |
| private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd5fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdafff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | Readable, Writable | | |
| Information | Value |
|---|---|
| ID / OS PID | #20 / 0x410 |
| OS Parent PID | 0x1c0 (c:\windows\system32\services.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #300 0xB80 #301 0x740 #302 0x6E0 #303 0x6DC #304 0x6D4 #305 0x6C4 #306 0x68C #307 0x598 #308 0x554 #309 0x520 #310 0x51C #311 0x518 #312 0x4FC #313 0x4C8 #314 0x4C4 #315 0x4A4 #316 0x44C #317 0x444 #318 0x43C #319 0x434 #320 0x41C #321 0x414 #503 0x6D4 #512 0x5C8 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed File | Readable | | |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable | | |
| locale.nls | 0x00060000 | 0x000c6fff | Memory Mapped File | Readable | | |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed File | Readable, Writable | | |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | Readable, Writable | | |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable | | |
| FirewallAPI.dll.mui | 0x00100000 | 0x0011bfff | Memory Mapped File | Readable, Writable | | |
| private_0x0000000000120000 | 0x00120000 | 0x0019ffff | Private Memory | Readable, Writable | | |
| private_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Pagefile Backed File | Readable | | |
| private_0x00000000001d0000 | 0x001d0000 | 0x001d7fff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e1fff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000200000 | 0x00200000 | 0x002fffff | Private Memory | Readable, Writable | | |
| private_0x0000000000300000 | 0x00300000 | 0x00303fff | Private Memory | Readable, Writable | | |
| private_0x0000000000310000 | 0x00310000 | 0x00310fff | Private Memory | Readable, Writable | | |
| private_0x0000000000320000 | 0x00320000 | 0x0039ffff | Private Memory | Readable, Writable | | |
| private_0x00000000003a0000 | 0x003a0000 | 0x003affff | Private Memory | Readable, Writable | | |
| private_0x00000000003b0000 | 0x003b0000 | 0x004affff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x00637fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000640000 | 0x00640000 | 0x007c0fff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x0088ffff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000890000 | 0x00890000 | 0x00b7bfff | Pagefile Backed File | Readable | | |
| private_0x0000000000ba0000 | 0x00ba0000 | 0x00c1ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000c20000 | 0x00c20000 | 0x00c93fff | Private Memory | Readable, Writable | | |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00d2ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000d40000 | 0x00d40000 | 0x00dbffff | Private Memory | Readable, Writable | | |
| private_0x0000000000de0000 | 0x00de0000 | 0x00e5ffff | Private Memory | Readable, Writable | | |
| SortDefault.nls | 0x00f40000 | 0x0120efff | Memory Mapped File | Readable | | |
| private_0x0000000001240000 | 0x01240000 | 0x012bffff | Private Memory | Readable, Writable | | |
| private_0x00000000012c0000 | 0x012c0000 | 0x0133ffff | Private Memory | Readable, Writable | | |
| private_0x00000000013f0000 | 0x013f0000 | 0x0146ffff | Private Memory | Readable, Writable | | |
| private_0x00000000014d0000 | 0x014d0000 | 0x0154ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001580000 | 0x01580000 | 0x015fffff | Private Memory | Readable, Writable | | |
| private_0x0000000001660000 | 0x01660000 | 0x016dffff | Private Memory | Readable, Writable | | |
| private_0x0000000001730000 | 0x01730000 | 0x017affff | Private Memory | Readable, Writable | | |
| private_0x00000000017d0000 | 0x017d0000 | 0x0184ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001850000 | 0x01850000 | 0x018cffff | Private Memory | Readable, Writable | | |
| private_0x00000000018d0000 | 0x018d0000 | 0x0194ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001950000 | 0x01950000 | 0x019cffff | Private Memory | Readable, Writable | | |
| private_0x00000000019d0000 | 0x019d0000 | 0x01acffff | Private Memory | Readable, Writable | | |
| private_0x0000000001b20000 | 0x01b20000 | 0x01b9ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001ba0000 | 0x01ba0000 | 0x01c9ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001d60000 | 0x01d60000 | 0x01ddffff | Private Memory | Readable, Writable | | |
| private_0x0000000001ea0000 | 0x01ea0000 | 0x01fbffff | Private Memory | Readable, Writable | | |
| private_0x0000000001fe0000 | 0x01fe0000 | 0x01feffff | Private Memory | Readable, Writable | | |
| private_0x0000000001ff0000 | 0x01ff0000 | 0x021effff | Private Memory | Readable, Writable | | |
| private_0x00000000021f0000 | 0x021f0000 | 0x023f0fff | Private Memory | Readable, Writable | | |
| private_0x0000000002480000 | 0x02480000 | 0x024fffff | Private Memory | Readable, Writable | | |
| private_0x0000000002590000 | 0x02590000 | 0x0260ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002670000 | 0x02670000 | 0x026effff | Private Memory | Readable, Writable | | |
| private_0x0000000002750000 | 0x02750000 | 0x027cffff | Private Memory | Readable, Writable | | |
| private_0x00000000027d0000 | 0x027d0000 | 0x029cffff | Private Memory | Readable, Writable | | |
| private_0x00000000029d0000 | 0x029d0000 | 0x02d6ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002d70000 | 0x02d70000 | 0x02f6ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002f70000 | 0x02f70000 | 0x0336ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003370000 | 0x03370000 | 0x0348cfff | Private Memory | Readable, Writable | | |
| private_0x00000000035e0000 | 0x035e0000 | 0x037c0fff | Private Memory | Readable, Writable | | |
| user32.dll | 0x77730000 | 0x77829fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x77830000 | 0x7794efff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| svchost.exe | 0xff840000 | 0xff84afff | Memory Mapped File | Readable, Writable, Executable | | |
| wdiasqmmodule.dll | 0x7fef7930000 | 0x7fef793cfff | Memory Mapped File | Readable, Writable, Executable | | |
| radardt.dll | 0x7fef7ad0000 | 0x7fef7aecfff | Memory Mapped File | Readable, Writable, Executable | | |
| pnpts.dll | 0x7fef7af0000 | 0x7fef7af7fff | Memory Mapped File | Readable, Writable, Executable | | |
| diagperf.dll | 0x7fef7cf0000 | 0x7fef7e39fff | Memory Mapped File | Readable, Writable, Executable | | |
| npmproxy.dll | 0x7fef7e90000 | 0x7fef7e9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| wdi.dll | 0x7fef7ed0000 | 0x7fef7ee9fff | Memory Mapped File | Readable, Writable, Executable | | |
| netprofm.dll | 0x7fef7ef0000 | 0x7fef7f63fff | Memory Mapped File | Readable, Writable, Executable | | |
| dps.dll | 0x7fef9910000 | 0x7fef993bfff | Memory Mapped File | Readable, Writable, Executable | | |
| wfapigp.dll | 0x7fef9a10000 | 0x7fef9a19fff | Memory Mapped File | Readable, Writable, Executable | | |
| MPSSVC.dll | 0x7fefa8f0000 | 0x7fefa9bdfff | Memory Mapped File | Readable, Writable, Executable | | |
| BFE.DLL | 0x7fefaa80000 | 0x7fefab2ffff | Memory Mapped File | Readable, Writable, Executable | | |
| ntmarta.dll | 0x7fefab30000 | 0x7fefab5cfff | Memory Mapped File | Readable, Writable, Executable | | |
| dhcpcsvc.dll | 0x7fefadb0000 | 0x7fefadc7fff | Memory Mapped File | Readable, Writable, Executable | | |
| dhcpcsvc6.dll | 0x7fefae30000 | 0x7fefae40fff | Memory Mapped File | Readable, Writable, Executable | | |
| FWPUCLNT.DLL | 0x7fefae60000 | 0x7fefaeb2fff | Memory Mapped File | Readable, Writable, Executable | | |
| winnsi.dll | 0x7fefafa0000 | 0x7fefafaafff | Memory Mapped File | Readable, Writable, Executable | | |
| IPHLPAPI.DLL | 0x7fefafb0000 | 0x7fefafd6fff | Memory Mapped File | Readable, Writable, Executable | | |
| slc.dll | 0x7fefb030000 | 0x7fefb03afff | Memory Mapped File | Readable, Writable, Executable | | |
| taskschd.dll | 0x7fefb100000 | 0x7fefb226fff | Memory Mapped File | Readable, Writable, Executable | | |
| nlaapi.dll | 0x7fefb240000 | 0x7fefb254fff | Memory Mapped File | Readable, Writable, Executable | | |
| wtsapi32.dll | 0x7fefbaf0000 | 0x7fefbb00fff | Memory Mapped File | Readable, Writable, Executable | | |
| version.dll | 0x7fefc800000 | 0x7fefc80bfff | Memory Mapped File | Readable, Writable, Executable | | |
| FirewallAPI.dll | 0x7fefc810000 | 0x7fefc8cafff | Memory Mapped File | Readable, Writable, Executable | | |
| WSHTCPIP.DLL | 0x7fefc8d0000 | 0x7fefc8d6fff | Memory Mapped File | Readable, Writable, Executable | | |
| pcwum.dll | 0x7fefc990000 | 0x7fefc99cfff | Memory Mapped File | Readable, Writable, Executable | | |
| gpapi.dll | 0x7fefc9d0000 | 0x7fefc9eafff | Memory Mapped File | Readable, Writable, Executable | | |
| credssp.dll | 0x7fefcae0000 | 0x7fefcae9fff | Memory Mapped File | Readable, Writable, Executable | | |
| rsaenh.dll | 0x7fefcc10000 | 0x7fefcc56fff | Memory Mapped File | Readable, Writable, Executable | | |
| wship6.dll | 0x7fefcea0000 | 0x7fefcea6fff | Memory Mapped File | Readable, Writable, Executable | | |
| mswsock.dll | 0x7fefceb0000 | 0x7fefcf04fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptsp.dll | 0x7fefcf10000 | 0x7fefcf26fff | Memory Mapped File | Readable, Writable, Executable | | |
| bcrypt.dll | 0x7fefd080000 | 0x7fefd0a1fff | Memory Mapped File | Readable, Writable, Executable | | |
| authz.dll | 0x7fefd100000 | 0x7fefd12efff | Memory Mapped File | Readable, Writable, Executable | | |
| secur32.dll | 0x7fefd4a0000 | 0x7fefd4aafff | Memory Mapped File | Readable, Writable, Executable | | |
| sspicli.dll | 0x7fefd4e0000 | 0x7fefd504fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptbase.dll | 0x7fefd570000 | 0x7fefd57efff | Memory Mapped File | Readable, Writable, Executable | | |
| RpcRtRemote.dll | 0x7fefd660000 | 0x7fefd673fff | Memory Mapped File | Readable, Writable, Executable | | |
| profapi.dll | 0x7fefd720000 | 0x7fefd72efff | Memory Mapped File | Readable, Writable, Executable | | |
| cfgmgr32.dll | 0x7fefd9f0000 | 0x7fefda25fff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x7fefda30000 | 0x7fefda9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| userenv.dll | 0x7fefdaa0000 | 0x7fefdabdfff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7fefdaf0000 | 0x7fefdbcafff | Memory Mapped File | Readable, Writable, Executable | | |
| msctf.dll | 0x7fefdbd0000 | 0x7fefdcd8fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7fefea70000 | 0x7fefeb9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7feff2a0000 | 0x7feff2befff | Memory Mapped File | Readable, Writable, Executable | | |
| imm32.dll | 0x7feff2c0000 | 0x7feff2edfff | Memory Mapped File | Readable, Writable, Executable | | |
| Wldap32.dll | 0x7feff480000 | 0x7feff4d1fff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x7feff4e0000 | 0x7feff5a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| nsi.dll | 0x7feff650000 | 0x7feff657fff | Memory Mapped File | Readable, Writable, Executable | | |
| ole32.dll | 0x7feff6e0000 | 0x7feff8e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| oleaut32.dll | 0x7feff8f0000 | 0x7feff9c6fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7feff9d0000 | 0x7feffa36fff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x7feffa40000 | 0x7feffa4dfff | Memory Mapped File | Readable, Writable, Executable | | |
| ws2_32.dll | 0x7feffa50000 | 0x7feffa9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| clbcatq.dll | 0x7feffaa0000 | 0x7feffb38fff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x7feffb40000 | 0x7feffbdefff | Memory Mapped File | Readable, Writable, Executable | | |
| shlwapi.dll | 0x7feffbe0000 | 0x7feffc50fff | Memory Mapped File | Readable, Writable, Executable | | |
| apisetschema.dll | 0x7feffc70000 | 0x7feffc70fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x000007fffff8e000 | 0x7fffff8e000 | 0x7fffff8ffff | Private Memory | Readable, Writable | | |
| private_0x000007fffff90000 | 0x7fffff90000 | 0x7fffff91fff | Private Memory | Readable, Writable | | |
| private_0x000007fffff92000 | 0x7fffff92000 | 0x7fffff93fff | Private Memory | Readable, Writable | | |
| private_0x000007fffff94000 | 0x7fffff94000 | 0x7fffff95fff | Private Memory | Readable, Writable | | |
| private_0x000007fffff96000 | 0x7fffff96000 | 0x7fffff97fff | Private Memory | Readable, Writable | | |
| private_0x000007fffff9a000 | 0x7fffff9a000 | 0x7fffff9bfff | Private Memory | Readable, Writable | | |
| private_0x000007fffff9c000 | 0x7fffff9c000 | 0x7fffff9dfff | Private Memory | Readable, Writable | | |
| private_0x000007fffff9e000 | 0x7fffff9e000 | 0x7fffff9ffff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa0000 | 0x7fffffa0000 | 0x7fffffa1fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa2000 | 0x7fffffa2000 | 0x7fffffa3fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa4000 | 0x7fffffa4000 | 0x7fffffa5fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa6000 | 0x7fffffa6000 | 0x7fffffa7fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa8000 | 0x7fffffa8000 | 0x7fffffa9fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffaa000 | 0x7fffffaa000 | 0x7fffffabfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | Readable, Writable | | |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed File | Readable | | |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdbfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | Readable, Writable | | |
| Information | Value |
|---|---|
| ID / OS PID | #21 / 0x468 |
| OS Parent PID | 0x1c0 (c:\windows\system32\services.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\system32\taskhost.exe |
| Command Line | "taskhost.exe" |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #322 0x8EC #323 0xB74 #324 0x870 #325 0x75C #326 0x728 #327 0x720 #328 0x574 #329 0x48C #330 0x474 #331 0x46C |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed File | Readable | | |
| private_0x0000000000040000 | 0x00040000 | 0x00040fff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00051fff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | Readable, Writable | | |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00080fff | Pagefile Backed File | Readable | | |
| private_0x0000000000090000 | 0x00090000 | 0x0010ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00121fff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000130000 | 0x00130000 | 0x00130fff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000140000 | 0x00140000 | 0x00159fff | Private Memory | Readable, Writable | | |
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | Readable, Writable | | |
| locale.nls | 0x00270000 | 0x002d6fff | Memory Mapped File | Readable | | |
| private_0x0000000000380000 | 0x00380000 | 0x0038ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000390000 | 0x00390000 | 0x0048ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00617fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000620000 | 0x00620000 | 0x007a0fff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x01baffff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000001bb0000 | 0x01bb0000 | 0x01e9bfff | Pagefile Backed File | Readable | | |
| private_0x0000000001eb0000 | 0x01eb0000 | 0x01f2ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001f40000 | 0x01f40000 | 0x01fbffff | Private Memory | Readable, Writable | | |
| private_0x0000000001fe0000 | 0x01fe0000 | 0x0205ffff | Private Memory | Readable, Writable | | |
| private_0x00000000020f0000 | 0x020f0000 | 0x0216ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000002170000 | 0x02170000 | 0x0224efff | Pagefile Backed File | Readable | | |
| KernelBase.dll.mui | 0x023a0000 | 0x0245ffff | Memory Mapped File | Readable, Writable | | |
| private_0x00000000024a0000 | 0x024a0000 | 0x0251ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002540000 | 0x02540000 | 0x025bffff | Private Memory | Readable, Writable | | |
| private_0x00000000025d0000 | 0x025d0000 | 0x0264ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002680000 | 0x02680000 | 0x026fffff | Private Memory | Readable, Writable | | |
| private_0x0000000002700000 | 0x02700000 | 0x027fffff | Private Memory | Readable, Writable | | |
| SortDefault.nls | 0x02800000 | 0x02acefff | Memory Mapped File | Readable | | |
| private_0x0000000002b30000 | 0x02b30000 | 0x02baffff | Private Memory | Readable, Writable | | |
| private_0x0000000002c50000 | 0x02c50000 | 0x02ccffff | Private Memory | Readable, Writable | | |
| private_0x0000000002d10000 | 0x02d10000 | 0x02d8ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002e40000 | 0x02e40000 | 0x02e4ffff | Private Memory | Readable, Writable | | |
| user32.dll | 0x77730000 | 0x77829fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x77830000 | 0x7794efff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| normaliz.dll | 0x77b10000 | 0x77b12fff | Memory Mapped File | Readable, Writable, Executable | | |
| psapi.dll | 0x77b20000 | 0x77b26fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| taskhost.exe | 0xff6f0000 | 0xff703fff | Memory Mapped File | Readable, Writable, Executable | | |
| winmm.dll | 0x7fef7e40000 | 0x7fef7e7afff | Memory Mapped File | Readable, Writable, Executable | | |
| dimsjob.dll | 0x7fef7e80000 | 0x7fef7e8dfff | Memory Mapped File | Readable, Writable, Executable | | |
| npmproxy.dll | 0x7fef7e90000 | 0x7fef7e9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| netprofm.dll | 0x7fef7ef0000 | 0x7fef7f63fff | Memory Mapped File | Readable, Writable, Executable | | |
| esent.dll | 0x7fef9020000 | 0x7fef9299fff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-advapi32-l2-1-0.dll | 0x7fef9560000 | 0x7fef9563fff | Memory Mapped File | Readable, Writable, Executable | | |
| msutb.dll | 0x7fef9630000 | 0x7fef966cfff | Memory Mapped File | Readable, Writable, Executable | | |
| MsCtfMonitor.dll | 0x7fef9670000 | 0x7fef967afff | Memory Mapped File | Readable, Writable, Executable | | |
| HotStartUserAgent.dll | 0x7fefa3e0000 | 0x7fefa3eafff | Memory Mapped File | Readable, Writable, Executable | | |
| PlaySndSrv.dll | 0x7fefa8b0000 | 0x7fefa8c7fff | Memory Mapped File | Readable, Writable, Executable | | |
| slc.dll | 0x7fefb030000 | 0x7fefb03afff | Memory Mapped File | Readable, Writable, Executable | | |
| dsrole.dll | 0x7fefb040000 | 0x7fefb04bfff | Memory Mapped File | Readable, Writable, Executable | | |
| taskschd.dll | 0x7fefb100000 | 0x7fefb226fff | Memory Mapped File | Readable, Writable, Executable | | |
| nlaapi.dll | 0x7fefb240000 | 0x7fefb254fff | Memory Mapped File | Readable, Writable, Executable | | |
| wtsapi32.dll | 0x7fefbaf0000 | 0x7fefbb00fff | Memory Mapped File | Readable, Writable, Executable | | |
| dwmapi.dll | 0x7fefbb60000 | 0x7fefbb77fff | Memory Mapped File | Readable, Writable, Executable | | |
| uxtheme.dll | 0x7fefbf90000 | 0x7fefbfe5fff | Memory Mapped File | Readable, Writable, Executable | | |
| version.dll | 0x7fefc800000 | 0x7fefc80bfff | Memory Mapped File | Readable, Writable, Executable | | |
| rsaenh.dll | 0x7fefcc10000 | 0x7fefcc56fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptsp.dll | 0x7fefcf10000 | 0x7fefcf26fff | Memory Mapped File | Readable, Writable, Executable | | |
| sspicli.dll | 0x7fefd4e0000 | 0x7fefd504fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptbase.dll | 0x7fefd570000 | 0x7fefd57efff | Memory Mapped File | Readable, Writable, Executable | | |
| winsta.dll | 0x7fefd620000 | 0x7fefd65cfff | Memory Mapped File | Readable, Writable, Executable | | |
| RpcRtRemote.dll | 0x7fefd660000 | 0x7fefd673fff | Memory Mapped File | Readable, Writable, Executable | | |
| profapi.dll | 0x7fefd720000 | 0x7fefd72efff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-ole32-l1-1-0.dll | 0x7fefd750000 | 0x7fefd753fff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-version-l1-1-0.dll | 0x7fefd760000 | 0x7fefd763fff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-shlwapi-l1-1-0.dll | 0x7fefd770000 | 0x7fefd773fff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-normaliz-l1-1-0.dll | 0x7fefd780000 | 0x7fefd782fff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-user32-l1-1-0.dll | 0x7fefd940000 | 0x7fefd943fff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x7fefda30000 | 0x7fefda9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| userenv.dll | 0x7fefdaa0000 | 0x7fefdabdfff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-advapi32-l1-1-0.dll | 0x7fefdac0000 | 0x7fefdac4fff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7fefdaf0000 | 0x7fefdbcafff | Memory Mapped File | Readable, Writable, Executable | | |
| msctf.dll | 0x7fefdbd0000 | 0x7fefdcd8fff | Memory Mapped File | Readable, Writable, Executable | | |
| shell32.dll | 0x7fefdce0000 | 0x7fefea67fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7fefea70000 | 0x7fefeb9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| wininet.dll | 0x7fefed80000 | 0x7fefefc7fff | Memory Mapped File | Readable, Writable, Executable | | |
| iertutil.dll | 0x7fefefd0000 | 0x7feff296fff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7feff2a0000 | 0x7feff2befff | Memory Mapped File | Readable, Writable, Executable | | |
| imm32.dll | 0x7feff2c0000 | 0x7feff2edfff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x7feff4e0000 | 0x7feff5a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| nsi.dll | 0x7feff650000 | 0x7feff657fff | Memory Mapped File | Readable, Writable, Executable | | |
| ole32.dll | 0x7feff6e0000 | 0x7feff8e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| oleaut32.dll | 0x7feff8f0000 | 0x7feff9c6fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7feff9d0000 | 0x7feffa36fff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x7feffa40000 | 0x7feffa4dfff | Memory Mapped File | Readable, Writable, Executable | | |
| clbcatq.dll | 0x7feffaa0000 | 0x7feffb38fff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x7feffb40000 | 0x7feffbdefff | Memory Mapped File | Readable, Writable, Executable | | |
| shlwapi.dll | 0x7feffbe0000 | 0x7feffc50fff | Memory Mapped File | Readable, Writable, Executable | | |
| apisetschema.dll | 0x7feffc70000 | 0x7feffc70fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x000007fffffa4000 | 0x7fffffa4000 | 0x7fffffa5fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa6000 | 0x7fffffa6000 | 0x7fffffa7fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa8000 | 0x7fffffa8000 | 0x7fffffa9fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffaa000 | 0x7fffffaa000 | 0x7fffffabfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | Readable, Writable | | |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed File | Readable | | |
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd8fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | Readable, Writable | | |
| Information | Value |
|---|---|
| ID / OS PID | #23 / 0x4dc |
| OS Parent PID | 0xffffffffffffffff (Unknown) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\explorer.exe |
| Command Line | C:\Windows\Explorer.EXE |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #336 0xB4C #337 0xA78 #338 0x5B8 #339 0x778 #340 0x684 #341 0x7D4 #342 0x678 #343 0x510 #344 0x128 #345 0xD4 #346 0x2D4 #347 0x2D8 #348 0x2F4 #349 0x324 #350 0x604 #351 0x600 #352 0x5F8 #353 0x5F4 #354 0x5F0 #355 0x5EC #356 0x5E8 #357 0x5E4 #358 0x5E0 #359 0x5C0 #360 0x5BC #361 0x59C #362 0x538 #363 0x534 #364 0x52C #365 0x528 #366 0x500 #367 0x4E0 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| ID / OS PID | #24 / 0x4f4 |
| OS Parent PID | 0x35c (c:\windows\system32\svchost.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\system32\taskeng.exe |
| Command Line | taskeng.exe {A99ED261-3025-4BA6-9259-C370241D052C} S-1-5-18:NT AUTHORITY\System:Service: |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #368 0xB68 #369 0x74C #370 0x748 #371 0x73C #372 0x738 #373 0x4F8 #524 0x6D8 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed File | Readable | | |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable | | |
| locale.nls | 0x00060000 | 0x000c6fff | Memory Mapped File | Readable | | |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x0018ffff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00191fff | Pagefile Backed File | Readable, Writable | | |
| private_0x00000000001a0000 | 0x001a0000 | 0x001affff | Private Memory | Readable, Writable | | |
| private_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Private Memory | Readable, Writable | | |
| private_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Pagefile Backed File | Readable | | |
| private_0x0000000000210000 | 0x00210000 | 0x0028ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | Readable, Writable | | |
| private_0x00000000003d0000 | 0x003d0000 | 0x004cffff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x00657fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000660000 | 0x00660000 | 0x007e0fff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x00adbfff | Pagefile Backed File | Readable | | |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00bdffff | Private Memory | Readable, Writable | | |
| private_0x0000000000c30000 | 0x00c30000 | 0x00caffff | Private Memory | Readable, Writable | | |
| private_0x0000000000d20000 | 0x00d20000 | 0x00d9ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000e40000 | 0x00e40000 | 0x00ebffff | Private Memory | Readable, Writable | | |
| SortDefault.nls | 0x01060000 | 0x0132efff | Memory Mapped File | Readable | | |
| private_0x0000000001370000 | 0x01370000 | 0x013effff | Private Memory | Readable, Writable | | |
| private_0x0000000001470000 | 0x01470000 | 0x014effff | Private Memory | Readable, Writable | | |
| private_0x0000000001560000 | 0x01560000 | 0x015dffff | Private Memory | Readable, Writable | | |
| user32.dll | 0x77730000 | 0x77829fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x77830000 | 0x7794efff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| taskeng.exe | 0xff8f0000 | 0xff963fff | Memory Mapped File | Readable, Writable, Executable | | |
| TSChannel.dll | 0x7fef7920000 | 0x7fef7928fff | Memory Mapped File | Readable, Writable, Executable | | |
| ktmw32.dll | 0x7fefabf0000 | 0x7fefabf9fff | Memory Mapped File | Readable, Writable, Executable | | |
| xmllite.dll | 0x7fefbb20000 | 0x7fefbb54fff | Memory Mapped File | Readable, Writable, Executable | | |
| rsaenh.dll | 0x7fefcc10000 | 0x7fefcc56fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptsp.dll | 0x7fefcf10000 | 0x7fefcf26fff | Memory Mapped File | Readable, Writable, Executable | | |
| wevtapi.dll | 0x7fefd140000 | 0x7fefd1acfff | Memory Mapped File | Readable, Writable, Executable | | |
| sspicli.dll | 0x7fefd4e0000 | 0x7fefd504fff | Memory Mapped File | Readable, Writable, Executable | | |
| apphelp.dll | 0x7fefd510000 | 0x7fefd566fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptbase.dll | 0x7fefd570000 | 0x7fefd57efff | Memory Mapped File | Readable, Writable, Executable | | |
| RpcRtRemote.dll | 0x7fefd660000 | 0x7fefd673fff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x7fefda30000 | 0x7fefda9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7fefdaf0000 | 0x7fefdbcafff | Memory Mapped File | Readable, Writable, Executable | | |
| msctf.dll | 0x7fefdbd0000 | 0x7fefdcd8fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7fefea70000 | 0x7fefeb9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7feff2a0000 | 0x7feff2befff | Memory Mapped File | Readable, Writable, Executable | | |
| imm32.dll | 0x7feff2c0000 | 0x7feff2edfff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x7feff4e0000 | 0x7feff5a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| ole32.dll | 0x7feff6e0000 | 0x7feff8e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| oleaut32.dll | 0x7feff8f0000 | 0x7feff9c6fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7feff9d0000 | 0x7feffa36fff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x7feffa40000 | 0x7feffa4dfff | Memory Mapped File | Readable, Writable, Executable | | |
| clbcatq.dll | 0x7feffaa0000 | 0x7feffb38fff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x7feffb40000 | 0x7feffbdefff | Memory Mapped File | Readable, Writable, Executable | | |
| shlwapi.dll | 0x7feffbe0000 | 0x7feffc50fff | Memory Mapped File | Readable, Writable, Executable | | |
| apisetschema.dll | 0x7feffc70000 | 0x7feffc70fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed File | Readable | | |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd3fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd5fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | Readable, Writable | | |
| Information | Value |
|---|---|
| ID / OS PID | #25 / 0x69c |
| OS Parent PID | 0x1c0 (c:\windows\system32\services.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\Windows\System32\svchost.exe -k secsvcs |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #374 0xB6C #375 0xA0C #376 0x7E0 #377 0x488 #378 0x79C #379 0x794 #380 0x7CC #381 0x7C8 #382 0x7C4 #383 0x7C0 #384 0x70C #385 0x700 #386 0x6B4 #387 0x6AC #388 0x6A0 #484 0x250 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed File | Readable | | |
| private_0x0000000000040000 | 0x00040000 | 0x000bffff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Pagefile Backed File | Readable | | |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | Readable, Writable | | |
| locale.nls | 0x000e0000 | 0x00146fff | Memory Mapped File | Readable | | |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00151fff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000160000 | 0x00160000 | 0x0025ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000260000 | 0x00260000 | 0x0035ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000360000 | 0x00360000 | 0x0036ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000370000 | 0x00370000 | 0x003effff | Private Memory | Readable, Writable | | |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Private Memory | Readable, Writable | | |
| private_0x0000000000400000 | 0x00400000 | 0x00400fff | Private Memory | Readable, Writable | | |
| private_0x0000000000410000 | 0x00410000 | 0x0048ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000490000 | 0x00490000 | 0x00617fff | Pagefile Backed File | Readable | | |
| private_0x0000000000620000 | 0x00620000 | 0x00623fff | Private Memory | Readable, Writable | | |
| private_0x0000000000630000 | 0x00630000 | 0x0066ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000670000 | 0x00670000 | 0x00670fff | Private Memory | Readable, Writable | | |
| private_0x0000000000680000 | 0x00680000 | 0x00683fff | Private Memory | Readable, Writable | | |
| private_0x0000000000690000 | 0x00690000 | 0x00690fff | Private Memory | Readable, Writable | | |
| SortDefault.nls | 0x006a0000 | 0x0096efff | Memory Mapped File | Readable | | |
| pagefile_0x0000000000970000 | 0x00970000 | 0x00af0fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000b00000 | 0x00b00000 | 0x00bbffff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000bc0000 | 0x00bc0000 | 0x00eabfff | Pagefile Backed File | Readable | | |
| private_0x0000000000eb0000 | 0x00eb0000 | 0x00eb3fff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000ec0000 | 0x00ec0000 | 0x00ec0fff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000ed0000 | 0x00ed0000 | 0x00ed3fff | Private Memory | Readable, Writable | | |
| private_0x0000000000ee0000 | 0x00ee0000 | 0x00ee3fff | Private Memory | Readable, Writable | | |
| private_0x0000000000ef0000 | 0x00ef0000 | 0x00ef3fff | Private Memory | Readable, Writable | | |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f7ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000f80000 | 0x00f80000 | 0x00f83fff | Private Memory | Readable, Writable | | |
| TMP0000000414B677C6E8EDCC23 | 0x00f90000 | 0x0100ffff | Memory Mapped File | Readable, Writable | | |
| private_0x0000000001010000 | 0x01010000 | 0x0108ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001090000 | 0x01090000 | 0x01090fff | Private Memory | Readable, Writable | | |
| private_0x00000000010a0000 | 0x010a0000 | 0x010a0fff | Private Memory | Readable, Writable | | |
| private_0x00000000010b0000 | 0x010b0000 | 0x0112ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001130000 | 0x01130000 | 0x01130fff | Private Memory | Readable, Writable | | |
| private_0x0000000001140000 | 0x01140000 | 0x01140fff | Private Memory | Readable, Writable | | |
| private_0x0000000001150000 | 0x01150000 | 0x011cffff | Private Memory | Readable, Writable | | |
| private_0x00000000011d0000 | 0x011d0000 | 0x0120ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001210000 | 0x01210000 | 0x0124ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001250000 | 0x01250000 | 0x01250fff | Private Memory | Readable, Writable | | |
| private_0x0000000001260000 | 0x01260000 | 0x01260fff | Private Memory | Readable, Writable | | |
| private_0x0000000001270000 | 0x01270000 | 0x01270fff | Private Memory | Readable, Writable | | |
| private_0x0000000001280000 | 0x01280000 | 0x012fffff | Private Memory | Readable, Writable | | |
| private_0x0000000001300000 | 0x01300000 | 0x01300fff | Private Memory | Readable, Writable | | |
| private_0x0000000001310000 | 0x01310000 | 0x01310fff | Private Memory | Readable, Writable | | |
| private_0x0000000001320000 | 0x01320000 | 0x01320fff | Private Memory | Readable, Writable | | |
| private_0x00000000013b0000 | 0x013b0000 | 0x013effff | Private Memory | Readable, Writable | | |
| private_0x00000000013f0000 | 0x013f0000 | 0x013f0fff | Private Memory | Readable, Writable | | |
| private_0x0000000001400000 | 0x01400000 | 0x0147ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001480000 | 0x01480000 | 0x014bffff | Private Memory | Readable, Writable | | |
| private_0x00000000014c0000 | 0x014c0000 | 0x014c0fff | Private Memory | Readable, Writable | | |
| private_0x00000000014d0000 | 0x014d0000 | 0x014d0fff | Private Memory | Readable, Writable | | |
| private_0x00000000014e0000 | 0x014e0000 | 0x014e0fff | Private Memory | Readable, Writable | | |
| private_0x00000000014f0000 | 0x014f0000 | 0x0156ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001570000 | 0x01570000 | 0x015affff | Private Memory | Readable, Writable | | |
| private_0x00000000015b0000 | 0x015b0000 | 0x015b0fff | Private Memory | Readable, Writable | | |
| private_0x00000000015c0000 | 0x015c0000 | 0x015c0fff | Private Memory | Readable, Writable | | |
| private_0x00000000015d0000 | 0x015d0000 | 0x015d0fff | Private Memory | Readable, Writable | | |
| private_0x00000000015e0000 | 0x015e0000 | 0x0165ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001660000 | 0x01660000 | 0x0169ffff | Private Memory | Readable, Writable | | |
| private_0x00000000016a0000 | 0x016a0000 | 0x016a0fff | Private Memory | Readable, Writable | | |
| private_0x00000000016b0000 | 0x016b0000 | 0x016b0fff | Private Memory | Readable, Writable | | |
| private_0x0000000001740000 | 0x01740000 | 0x0183ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001840000 | 0x01840000 | 0x01841fff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000001850000 | 0x01850000 | 0x01850fff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000001860000 | 0x01860000 | 0x018dffff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000018f0000 | 0x018f0000 | 0x018f0fff | Pagefile Backed File | Readable | | |
| private_0x0000000001970000 | 0x01970000 | 0x01b6ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001b70000 | 0x01b70000 | 0x01baffff | Private Memory | Readable, Writable | | |
| private_0x0000000001bb0000 | 0x01bb0000 | 0x01beffff | Private Memory | Readable, Writable | | |
| private_0x0000000001bf0000 | 0x01bf0000 | 0x01c2ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001c30000 | 0x01c30000 | 0x01c6ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001c70000 | 0x01c70000 | 0x01c70fff | Private Memory | Readable, Writable | | |
| private_0x0000000001c80000 | 0x01c80000 | 0x01c80fff | Private Memory | Readable, Writable | | |
| private_0x0000000001c90000 | 0x01c90000 | 0x01c90fff | Private Memory | Readable, Writable | | |
| private_0x0000000001ca0000 | 0x01ca0000 | 0x01d1ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001d20000 | 0x01d20000 | 0x0211ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002120000 | 0x02120000 | 0x0215ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002160000 | 0x02160000 | 0x02349fff | Private Memory | Readable, Writable | | |
| private_0x0000000002350000 | 0x02350000 | 0x023befff | Private Memory | Readable, Writable | | |
| private_0x00000000023c0000 | 0x023c0000 | 0x026aefff | Private Memory | Readable, Writable | | |
| private_0x00000000026b0000 | 0x026b0000 | 0x0272ffff | Private Memory | Readable, Writable, Executable | | |
| private_0x0000000002730000 | 0x02730000 | 0x0282ffff | Private Memory | Readable, Writable, Executable | | |
| private_0x0000000002830000 | 0x02830000 | 0x02841fff | Private Memory | Readable, Writable | | |
| private_0x0000000002850000 | 0x02850000 | 0x0288ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002890000 | 0x02890000 | 0x028cffff | Private Memory | Readable, Writable | | |
| private_0x00000000028d0000 | 0x028d0000 | 0x0290ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002910000 | 0x02910000 | 0x02913fff | Private Memory | Readable, Writable | | |
| private_0x0000000002920000 | 0x02920000 | 0x02923fff | Private Memory | Readable, Writable | | |
| private_0x0000000002930000 | 0x02930000 | 0x0296ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002970000 | 0x02970000 | 0x029affff | Private Memory | Readable, Writable | | |
| private_0x00000000029b0000 | 0x029b0000 | 0x029effff | Private Memory | Readable, Writable | | |
| private_0x00000000029f0000 | 0x029f0000 | 0x02a2ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002a30000 | 0x02a30000 | 0x02a6ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002a70000 | 0x02a70000 | 0x02aaffff | Private Memory | Readable, Writable | | |
| private_0x0000000002ab0000 | 0x02ab0000 | 0x02aeffff | Private Memory | Readable, Writable | | |
| private_0x0000000002af0000 | 0x02af0000 | 0x02b2ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002b30000 | 0x02b30000 | 0x02b6ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002b70000 | 0x02b70000 | 0x02baffff | Private Memory | Readable, Writable | | |
| private_0x0000000002bb0000 | 0x02bb0000 | 0x02beffff | Private Memory | Readable, Writable | | |
| private_0x0000000002bf0000 | 0x02bf0000 | 0x02c2ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002c30000 | 0x02c30000 | 0x02c6ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002c70000 | 0x02c70000 | 0x02caffff | Private Memory | Readable, Writable | | |
| private_0x0000000002cb0000 | 0x02cb0000 | 0x034affff | Private Memory | Readable, Writable | | |
| private_0x00000000034b0000 | 0x034b0000 | 0x034effff | Private Memory | Readable, Writable | | |
| private_0x00000000034f0000 | 0x034f0000 | 0x03535fff | Private Memory | Readable, Writable | | |
| private_0x0000000003540000 | 0x03540000 | 0x03667fff | Private Memory | Readable, Writable | | |
| private_0x0000000003670000 | 0x03670000 | 0x036affff | Private Memory | Readable, Writable | | |
| private_0x00000000036b0000 | 0x036b0000 | 0x036effff | Private Memory | Readable, Writable | | |
| private_0x00000000036f0000 | 0x036f0000 | 0x0372ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003730000 | 0x03730000 | 0x0376ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003770000 | 0x03770000 | 0x037affff | Private Memory | Readable, Writable | | |
| private_0x00000000037b0000 | 0x037b0000 | 0x037effff | Private Memory | Readable, Writable | | |
| private_0x00000000037f0000 | 0x037f0000 | 0x0382ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003830000 | 0x03830000 | 0x0386ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003870000 | 0x03870000 | 0x038affff | Private Memory | Readable, Writable | | |
| private_0x00000000038b0000 | 0x038b0000 | 0x038b3fff | Private Memory | Readable, Writable | | |
| private_0x00000000038c0000 | 0x038c0000 | 0x038c3fff | Private Memory | Readable, Writable | | |
| private_0x00000000038d0000 | 0x038d0000 | 0x038d3fff | Private Memory | Readable, Writable | | |
| private_0x00000000038e0000 | 0x038e0000 | 0x038e3fff | Private Memory | Readable, Writable | | |
| private_0x00000000038f0000 | 0x038f0000 | 0x038f3fff | Private Memory | Readable, Writable | | |
| private_0x0000000003900000 | 0x03900000 | 0x03903fff | Private Memory | Readable, Writable | | |
| private_0x0000000003910000 | 0x03910000 | 0x03913fff | Private Memory | Readable, Writable | | |
| private_0x0000000003920000 | 0x03920000 | 0x03923fff | Private Memory | Readable, Writable | | |
| private_0x0000000003930000 | 0x03930000 | 0x03933fff | Private Memory | Readable, Writable | | |
| private_0x0000000003940000 | 0x03940000 | 0x03940fff | Private Memory | Readable, Writable | | |
| private_0x0000000003950000 | 0x03950000 | 0x03950fff | Private Memory | Readable, Writable | | |
| private_0x0000000003960000 | 0x03960000 | 0x03961fff | Private Memory | Readable, Writable | | |
| private_0x0000000003970000 | 0x03970000 | 0x039affff | Private Memory | Readable, Writable | | |
| private_0x00000000039b0000 | 0x039b0000 | 0x039effff | Private Memory | Readable, Writable | | |
| private_0x00000000039f0000 | 0x039f0000 | 0x03a2ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003a30000 | 0x03a30000 | 0x03a6ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003a70000 | 0x03a70000 | 0x03aaffff | Private Memory | Readable, Writable | | |
| private_0x0000000003ab0000 | 0x03ab0000 | 0x03aeffff | Private Memory | Readable, Writable | | |
| private_0x0000000003af0000 | 0x03af0000 | 0x03b2ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003b30000 | 0x03b30000 | 0x03b6ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003b70000 | 0x03b70000 | 0x03baffff | Private Memory | Readable, Writable | | |
| private_0x0000000003bb0000 | 0x03bb0000 | 0x03c1bfff | Private Memory | Readable, Writable | | |
| private_0x0000000003c20000 | 0x03c20000 | 0x03c5ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003c60000 | 0x03c60000 | 0x03c9ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003ca0000 | 0x03ca0000 | 0x03cdffff | Private Memory | Readable, Writable | | |
| private_0x0000000003ce0000 | 0x03ce0000 | 0x03d1ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003d20000 | 0x03d20000 | 0x03d5ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003d60000 | 0x03d60000 | 0x03d9ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003da0000 | 0x03da0000 | 0x03ddffff | Private Memory | Readable, Writable | | |
| private_0x0000000003de0000 | 0x03de0000 | 0x03e1ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003e20000 | 0x03e20000 | 0x03e5ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003e60000 | 0x03e60000 | 0x03e9ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003ea0000 | 0x03ea0000 | 0x03edffff | Private Memory | Readable, Writable | | |
| private_0x0000000003ee0000 | 0x03ee0000 | 0x03f1ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003f20000 | 0x03f20000 | 0x03f5ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003f60000 | 0x03f60000 | 0x03f9ffff | Private Memory | Readable, Writable | | |
| private_0x0000000003fa0000 | 0x03fa0000 | 0x03fdffff | Private Memory | Readable, Writable | | |
| private_0x0000000003fe0000 | 0x03fe0000 | 0x0401ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004020000 | 0x04020000 | 0x0405ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004060000 | 0x04060000 | 0x0409ffff | Private Memory | Readable, Writable | | |
| private_0x00000000040a0000 | 0x040a0000 | 0x040dffff | Private Memory | Readable, Writable | | |
| private_0x00000000040e0000 | 0x040e0000 | 0x0411ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004120000 | 0x04120000 | 0x0415ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004160000 | 0x04160000 | 0x0419ffff | Private Memory | Readable, Writable | | |
| private_0x00000000041a0000 | 0x041a0000 | 0x041dffff | Private Memory | Readable, Writable | | |
| private_0x00000000041e0000 | 0x041e0000 | 0x0421ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004220000 | 0x04220000 | 0x0425ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004260000 | 0x04260000 | 0x0429ffff | Private Memory | Readable, Writable | | |
| private_0x00000000042a0000 | 0x042a0000 | 0x042dffff | Private Memory | Readable, Writable | | |
| private_0x00000000042e0000 | 0x042e0000 | 0x0431ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004320000 | 0x04320000 | 0x0435ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004360000 | 0x04360000 | 0x0439ffff | Private Memory | Readable, Writable | | |
| private_0x00000000043a0000 | 0x043a0000 | 0x043dffff | Private Memory | Readable, Writable | | |
| private_0x00000000043e0000 | 0x043e0000 | 0x0441ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004420000 | 0x04420000 | 0x0445ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004460000 | 0x04460000 | 0x0449ffff | Private Memory | Readable, Writable | | |
| private_0x00000000044a0000 | 0x044a0000 | 0x044dffff | Private Memory | Readable, Writable | | |
| private_0x00000000044e0000 | 0x044e0000 | 0x0451ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004520000 | 0x04520000 | 0x0455ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004560000 | 0x04560000 | 0x0459ffff | Private Memory | Readable, Writable | | |
| private_0x00000000045a0000 | 0x045a0000 | 0x045dffff | Private Memory | Readable, Writable | | |
| private_0x00000000045e0000 | 0x045e0000 | 0x0461ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004620000 | 0x04620000 | 0x0465ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004660000 | 0x04660000 | 0x0469ffff | Private Memory | Readable, Writable | | |
| private_0x00000000046a0000 | 0x046a0000 | 0x046dffff | Private Memory | Readable, Writable | | |
| private_0x00000000046e0000 | 0x046e0000 | 0x0471ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004720000 | 0x04720000 | 0x0475ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004760000 | 0x04760000 | 0x0479ffff | Private Memory | Readable, Writable | | |
| private_0x00000000047a0000 | 0x047a0000 | 0x047dffff | Private Memory | Readable, Writable | | |
| private_0x00000000047e0000 | 0x047e0000 | 0x0481ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004820000 | 0x04820000 | 0x0485ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004860000 | 0x04860000 | 0x0489ffff | Private Memory | Readable, Writable | | |
| private_0x00000000048a0000 | 0x048a0000 | 0x048dffff | Private Memory | Readable, Writable | | |
| private_0x00000000048e0000 | 0x048e0000 | 0x0491ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004920000 | 0x04920000 | 0x0495ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004960000 | 0x04960000 | 0x0499ffff | Private Memory | Readable, Writable | | |
| private_0x00000000049a0000 | 0x049a0000 | 0x049dffff | Private Memory | Readable, Writable | | |
| private_0x00000000049e0000 | 0x049e0000 | 0x04a1ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004a20000 | 0x04a20000 | 0x04a5ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004a60000 | 0x04a60000 | 0x04a9ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004aa0000 | 0x04aa0000 | 0x04adffff | Private Memory | Readable, Writable | | |
| private_0x0000000004ae0000 | 0x04ae0000 | 0x04b1ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004b20000 | 0x04b20000 | 0x04b5ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004b60000 | 0x04b60000 | 0x04b9ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004ba0000 | 0x04ba0000 | 0x04bdffff | Private Memory | Readable, Writable | | |
| private_0x0000000004be0000 | 0x04be0000 | 0x04c1ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004c20000 | 0x04c20000 | 0x04c5ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004c60000 | 0x04c60000 | 0x04c9ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04cdffff | Private Memory | Readable, Writable | | |
| private_0x0000000004ce0000 | 0x04ce0000 | 0x04d1ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004d20000 | 0x04d20000 | 0x04d5ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004d60000 | 0x04d60000 | 0x04d9ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004da0000 | 0x04da0000 | 0x04ddffff | Private Memory | Readable, Writable | | |
| private_0x0000000004de0000 | 0x04de0000 | 0x04e1ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004e20000 | 0x04e20000 | 0x04e5ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004e60000 | 0x04e60000 | 0x04e9ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004ea0000 | 0x04ea0000 | 0x04edffff | Private Memory | Readable, Writable | | |
| private_0x0000000004ee0000 | 0x04ee0000 | 0x04f1ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004f20000 | 0x04f20000 | 0x04f5ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004f60000 | 0x04f60000 | 0x04f9ffff | Private Memory | Readable, Writable | | |
| private_0x0000000004fa0000 | 0x04fa0000 | 0x04fdffff | Private Memory | Readable, Writable | | |
| private_0x0000000004fe0000 | 0x04fe0000 | 0x0501ffff | Private Memory | Readable, Writable | | |
| private_0x0000000005020000 | 0x05020000 | 0x0505ffff | Private Memory | Readable, Writable | | |
| private_0x0000000005060000 | 0x05060000 | 0x0509ffff | Private Memory | Readable, Writable | | |
| private_0x00000000050a0000 | 0x050a0000 | 0x050dffff | Private Memory | Readable, Writable | | |
| private_0x00000000050e0000 | 0x050e0000 | 0x0511ffff | Private Memory | Readable, Writable | | |
| private_0x0000000005120000 | 0x05120000 | 0x0515ffff | Private Memory | Readable, Writable | | |
| private_0x0000000005160000 | 0x05160000 | 0x0519ffff | Private Memory | Readable, Writable | | |
| private_0x00000000051a0000 | 0x051a0000 | 0x051dffff | Private Memory | Readable, Writable | | |
| private_0x00000000051e0000 | 0x051e0000 | 0x05229fff | Private Memory | Readable, Writable | | |
| private_0x0000000005230000 | 0x05230000 | 0x0526ffff | Private Memory | Readable, Writable | | |
| private_0x0000000005270000 | 0x05270000 | 0x052affff | Private Memory | Readable, Writable | | |
| private_0x00000000052b0000 | 0x052b0000 | 0x052effff | Private Memory | Readable, Writable | | |
| private_0x00000000052f0000 | 0x052f0000 | 0x0532ffff | Private Memory | Readable, Writable | | |
| private_0x0000000005330000 | 0x05330000 | 0x0536ffff | Private Memory | Readable, Writable | | |
| private_0x0000000005370000 | 0x05370000 | 0x053affff | Private Memory | Readable, Writable | | |
| private_0x00000000053b0000 | 0x053b0000 | 0x053effff | Private Memory | Readable, Writable | | |
| private_0x00000000053f0000 | 0x053f0000 | 0x0542ffff | Private Memory | Readable, Writable | | |
| private_0x0000000005430000 | 0x05430000 | 0x0546ffff | Private Memory | Readable, Writable | | |
| private_0x0000000005470000 | 0x05470000 | 0x054affff | Private Memory | Readable, Writable | | |
| private_0x00000000054b0000 | 0x054b0000 | 0x054effff | Private Memory | Readable, Writable | | |
| private_0x00000000054f0000 | 0x054f0000 | 0x0552ffff | Private Memory | Readable, Writable | | |
| private_0x0000000005530000 | 0x05530000 | 0x0556ffff | Private Memory | Readable, Writable | | |
| private_0x0000000005570000 | 0x05570000 | 0x055affff | Private Memory | Readable, Writable | | |
| private_0x00000000055b0000 | 0x055b0000 | 0x055effff | Private Memory | Readable, Writable | | |
| private_0x00000000055f0000 | 0x055f0000 | 0x0562ffff | Private Memory | Readable, Writable | | |
| private_0x0000000005630000 | 0x05630000 | 0x05691fff | Private Memory | Readable, Writable | | |
| private_0x00000000056a0000 | 0x056a0000 | 0x056dffff | Private Memory | Readable, Writable | | |
| private_0x00000000056e0000 | 0x056e0000 | 0x0571ffff | Private Memory | Readable, Writable | | |
| private_0x0000000005720000 | 0x05720000 | 0x0575ffff | Private Memory | Readable, Writable | | |
| private_0x0000000005760000 | 0x05760000 | 0x0579ffff | Private Memory | Readable, Writable | | |
| private_0x00000000057a0000 | 0x057a0000 | 0x057dffff | Private Memory | Readable, Writable | | |
| private_0x00000000057e0000 | 0x057e0000 | 0x0581ffff | Private Memory | Readable, Writable | | |
| private_0x0000000005820000 | 0x05820000 | 0x0585ffff | Private Memory | Readable, Writable | | |
| private_0x0000000005860000 | 0x05860000 | 0x0589ffff | Private Memory | Readable, Writable | | |
| private_0x00000000058a0000 | 0x058a0000 | 0x058dffff | Private Memory | Readable, Writable | | |
| private_0x00000000058e0000 | 0x058e0000 | 0x0591ffff | Private Memory | Readable, Writable | | |
| private_0x0000000005920000 | 0x05920000 | 0x0595ffff | Private Memory | Readable, Writable | | |
| private_0x0000000005960000 | 0x05960000 | 0x0599ffff | Private Memory | Readable, Writable | | |
| private_0x00000000059a0000 | 0x059a0000 | 0x059dffff | Private Memory | Readable, Writable | | |
| private_0x00000000059e0000 | 0x059e0000 | 0x05a1ffff | Private Memory | Readable, Writable | | |
| private_0x0000000005a20000 | 0x05a20000 | 0x05a5ffff | Private Memory | Readable, Writable | | |
| private_0x0000000005a60000 | 0x05a60000 | 0x05a9ffff | Private Memory | Readable, Writable | | |
| private_0x0000000005aa0000 | 0x05aa0000 | 0x05b28fff | Private Memory | Readable, Writable | | |
| private_0x0000000005b30000 | 0x05b30000 | 0x05b6ffff | Private Memory | Readable, Writable | | |
| private_0x0000000005b70000 | 0x05b70000 | 0x05baffff | Private Memory | Readable, Writable | | |
| private_0x0000000005bb0000 | 0x05bb0000 | 0x05beffff | Private Memory | Readable, Writable | | |
| private_0x0000000005bf0000 | 0x05bf0000 | 0x05c34fff | Private Memory | Readable, Writable | | |
| private_0x0000000005c40000 | 0x05c40000 | 0x05c84fff | Private Memory | Readable, Writable | | |
| private_0x0000000005c90000 | 0x05c90000 | 0x05cd4fff | Private Memory | Readable, Writable | | |
| private_0x0000000005ce0000 | 0x05ce0000 | 0x05d24fff | Private Memory | Readable, Writable | | |
| private_0x0000000005d30000 | 0x05d30000 | 0x05d75fff | Private Memory | Readable, Writable | | |
| private_0x0000000005d80000 | 0x05d80000 | 0x05dc7fff | Private Memory | Readable, Writable | | |
| private_0x0000000005dd0000 | 0x05dd0000 | 0x05e19fff | Private Memory | Readable, Writable | | |
| private_0x0000000005e20000 | 0x05e20000 | 0x05e6cfff | Private Memory | Readable, Writable | | |
| private_0x0000000005e70000 | 0x05e70000 | 0x05ef4fff | Private Memory | Readable, Writable | | |
| private_0x0000000005f00000 | 0x05f00000 | 0x05f4ffff | Private Memory | Readable, Writable | | |
| private_0x0000000005f50000 | 0x05f50000 | 0x05f9ffff | Private Memory | Readable, Writable | | |
| private_0x0000000005fa0000 | 0x05fa0000 | 0x05ff5fff | Private Memory | Readable, Writable | | |
| private_0x0000000006000000 | 0x06000000 | 0x06055fff | Private Memory | Readable, Writable | | |
| private_0x0000000006060000 | 0x06060000 | 0x060b9fff | Private Memory | Readable, Writable | | |
| private_0x00000000060c0000 | 0x060c0000 | 0x06115fff | Private Memory | Readable, Writable | | |
| private_0x0000000006120000 | 0x06120000 | 0x0617bfff | Private Memory | Readable, Writable | | |
| private_0x0000000006180000 | 0x06180000 | 0x061dbfff | Private Memory | Readable, Writable | | |
| private_0x00000000061e0000 | 0x061e0000 | 0x0623afff | Private Memory | Readable, Writable | | |
| private_0x0000000006240000 | 0x06240000 | 0x062a1fff | Private Memory | Readable, Writable | | |
| private_0x00000000062b0000 | 0x062b0000 | 0x06315fff | Private Memory | Readable, Writable | | |
| private_0x0000000006320000 | 0x06320000 | 0x06385fff | Private Memory | Readable, Writable | | |
| private_0x0000000006390000 | 0x06390000 | 0x063f4fff | Private Memory | Readable, Writable | | |
| private_0x0000000006400000 | 0x06400000 | 0x06495fff | Private Memory | Readable, Writable | | |
| private_0x00000000064a0000 | 0x064a0000 | 0x0650ffff | Private Memory | Readable, Writable | | |
| private_0x0000000006510000 | 0x06510000 | 0x0657ffff | Private Memory | Readable, Writable | | |
| private_0x0000000006580000 | 0x06580000 | 0x065f9fff | Private Memory | Readable, Writable | | |
| private_0x0000000006600000 | 0x06600000 | 0x0667afff | Private Memory | Readable, Writable | | |
| private_0x0000000006680000 | 0x06680000 | 0x066fffff | Private Memory | Readable, Writable | | |
| private_0x0000000006700000 | 0x06700000 | 0x0677ffff | Private Memory | Readable, Writable | | |
| private_0x0000000006780000 | 0x06780000 | 0x06809fff | Private Memory | Readable, Writable | | |
| private_0x0000000006810000 | 0x06810000 | 0x068a2fff | Private Memory | Readable, Writable | | |
| private_0x00000000068b0000 | 0x068b0000 | 0x06944fff | Private Memory | Readable, Writable | | |
| private_0x0000000006950000 | 0x06950000 | 0x069effff | Private Memory | Readable, Writable | | |
| private_0x00000000069f0000 | 0x069f0000 | 0x06aa2fff | Private Memory | Readable, Writable | | |
| private_0x0000000006ab0000 | 0x06ab0000 | 0x06b5cfff | Private Memory | Readable, Writable | | |
| private_0x0000000006b60000 | 0x06b60000 | 0x06c2cfff | Private Memory | Readable, Writable | | |
| private_0x0000000006c30000 | 0x06c30000 | 0x06d12fff | Private Memory | Readable, Writable | | |
| private_0x0000000006d20000 | 0x06d20000 | 0x06e11fff | Private Memory | Readable, Writable | | |
| private_0x0000000006e20000 | 0x06e20000 | 0x06f1dfff | Private Memory | Readable, Writable | | |
| private_0x0000000006f20000 | 0x06f20000 | 0x0702afff | Private Memory | Readable, Writable | | |
| private_0x0000000007030000 | 0x07030000 | 0x0713efff | Private Memory | Readable, Writable | | |
| private_0x0000000007140000 | 0x07140000 | 0x07250fff | Private Memory | Readable, Writable | | |
| private_0x0000000007260000 | 0x07260000 | 0x0739dfff | Private Memory | Readable, Writable | | |
| private_0x00000000073a0000 | 0x073a0000 | 0x074f3fff | Private Memory | Readable, Writable | | |
| private_0x0000000007500000 | 0x07500000 | 0x0753ffff | Private Memory | Readable, Writable | | |
| private_0x0000000007540000 | 0x07540000 | 0x0757ffff | Private Memory | Readable, Writable | | |
| private_0x0000000007580000 | 0x07580000 | 0x075bffff | Private Memory | Readable, Writable | | |
| private_0x00000000075c0000 | 0x075c0000 | 0x075fffff | Private Memory | Readable, Writable | | |
| private_0x0000000007600000 | 0x07600000 | 0x07654fff | Private Memory | Readable, Writable | | |
| private_0x0000000007660000 | 0x07660000 | 0x0769ffff | Private Memory | Readable, Writable | | |
| private_0x00000000076a0000 | 0x076a0000 | 0x076e9fff | Private Memory | Readable, Writable | | |
| private_0x00000000076f0000 | 0x076f0000 | 0x07739fff | Private Memory | Readable, Writable | | |
| private_0x0000000007740000 | 0x07740000 | 0x077d1fff | Private Memory | Readable, Writable | | |
| private_0x00000000077e0000 | 0x077e0000 | 0x0788efff | Private Memory | Readable, Writable | | |
| private_0x0000000007890000 | 0x07890000 | 0x078cffff | Private Memory | Readable, Writable | | |
| private_0x00000000078d0000 | 0x078d0000 | 0x07910fff | Private Memory | Readable, Writable | | |
| private_0x0000000007920000 | 0x07920000 | 0x07920fff | Private Memory | Readable, Writable | | |
| private_0x0000000007930000 | 0x07930000 | 0x07930fff | Private Memory | Readable, Writable | | |
| private_0x0000000007940000 | 0x07940000 | 0x07940fff | Private Memory | Readable, Writable | | |
| private_0x0000000007950000 | 0x07950000 | 0x07950fff | Private Memory | Readable, Writable | | |
| private_0x0000000007960000 | 0x07960000 | 0x07960fff | Private Memory | Readable, Writable | | |
| private_0x0000000007970000 | 0x07970000 | 0x07970fff | Private Memory | Readable, Writable | | |
| private_0x0000000007980000 | 0x07980000 | 0x07980fff | Private Memory | Readable, Writable | | |
| private_0x0000000007990000 | 0x07990000 | 0x07990fff | Private Memory | Readable, Writable | | |
| private_0x00000000079a0000 | 0x079a0000 | 0x079a0fff | Private Memory | Readable, Writable | | |
| private_0x00000000079b0000 | 0x079b0000 | 0x079b0fff | Private Memory | Readable, Writable | | |
| private_0x00000000079c0000 | 0x079c0000 | 0x079c0fff | Private Memory | Readable, Writable | | |
| private_0x00000000079d0000 | 0x079d0000 | 0x079d0fff | Private Memory | Readable, Writable | | |
| private_0x00000000079e0000 | 0x079e0000 | 0x079e0fff | Private Memory | Readable, Writable | | |
| private_0x00000000079f0000 | 0x079f0000 | 0x079f0fff | Private Memory | Readable, Writable | | |
| private_0x0000000007a00000 | 0x07a00000 | 0x07a00fff | Private Memory | Readable, Writable | | |
| private_0x0000000007a10000 | 0x07a10000 | 0x07a10fff | Private Memory | Readable, Writable | | |
| private_0x0000000007a20000 | 0x07a20000 | 0x07a20fff | Private Memory | Readable, Writable | | |
| private_0x0000000007a30000 | 0x07a30000 | 0x07a30fff | Private Memory | Readable, Writable | | |
| private_0x0000000007a40000 | 0x07a40000 | 0x07a40fff | Private Memory | Readable, Writable | | |
| private_0x0000000007a50000 | 0x07a50000 | 0x07a50fff | Private Memory | Readable, Writable | | |
| private_0x0000000007a60000 | 0x07a60000 | 0x07a60fff | Private Memory | Readable, Writable | | |
| private_0x0000000007a70000 | 0x07a70000 | 0x07a70fff | Private Memory | Readable, Writable | | |
| private_0x0000000007a80000 | 0x07a80000 | 0x07a80fff | Private Memory | Readable, Writable | | |
| private_0x0000000007a90000 | 0x07a90000 | 0x07a90fff | Private Memory | Readable, Writable | | |
| private_0x0000000007aa0000 | 0x07aa0000 | 0x07aa0fff | Private Memory | Readable, Writable | | |
| private_0x0000000007ab0000 | 0x07ab0000 | 0x07ab0fff | Private Memory | Readable, Writable | | |
| private_0x0000000007ac0000 | 0x07ac0000 | 0x07ac0fff | Private Memory | Readable, Writable | | |
| private_0x0000000007ad0000 | 0x07ad0000 | 0x07ad0fff | Private Memory | Readable, Writable | | |
| private_0x0000000007ae0000 | 0x07ae0000 | 0x07ae0fff | Private Memory | Readable, Writable | | |
| private_0x0000000007af0000 | 0x07af0000 | 0x07af0fff | Private Memory | Readable, Writable | | |
| private_0x0000000007b00000 | 0x07b00000 | 0x07b00fff | Private Memory | Readable, Writable | | |
| private_0x0000000007b10000 | 0x07b10000 | 0x07b10fff | Private Memory | Readable, Writable | | |
| private_0x0000000007b20000 | 0x07b20000 | 0x07b20fff | Private Memory | Readable, Writable | | |
| private_0x0000000007b30000 | 0x07b30000 | 0x07b30fff | Private Memory | Readable, Writable | | |
| private_0x0000000007b40000 | 0x07b40000 | 0x07b40fff | Private Memory | Readable, Writable | | |
| private_0x0000000007b50000 | 0x07b50000 | 0x07b50fff | Private Memory | Readable, Writable | | |
| private_0x0000000007b60000 | 0x07b60000 | 0x07b60fff | Private Memory | Readable, Writable | | |
| private_0x0000000007b70000 | 0x07b70000 | 0x07b70fff | Private Memory | Readable, Writable | | |
| private_0x0000000007b80000 | 0x07b80000 | 0x07b80fff | Private Memory | Readable, Writable | | |
| private_0x0000000007b90000 | 0x07b90000 | 0x07b90fff | Private Memory | Readable, Writable | | |
| private_0x0000000007ba0000 | 0x07ba0000 | 0x07ba0fff | Private Memory | Readable, Writable | | |
| private_0x0000000007bb0000 | 0x07bb0000 | 0x07bb0fff | Private Memory | Readable, Writable | | |
| private_0x0000000007bc0000 | 0x07bc0000 | 0x07bc0fff | Private Memory | Readable, Writable | | |
| private_0x0000000007bd0000 | 0x07bd0000 | 0x07bd0fff | Private Memory | Readable, Writable | | |
| private_0x0000000007be0000 | 0x07be0000 | 0x07be0fff | Private Memory | Readable, Writable | | |
| private_0x0000000007bf0000 | 0x07bf0000 | 0x07bf0fff | Private Memory | Readable, Writable | | |
| private_0x0000000007c00000 | 0x07c00000 | 0x07c3ffff | Private Memory | Readable, Writable | | |
| private_0x0000000007c40000 | 0x07c40000 | 0x07c7ffff | Private Memory | Readable, Writable | | |
| private_0x0000000007c80000 | 0x07c80000 | 0x07c83fff | Private Memory | Readable, Writable | | |
| private_0x0000000007c90000 | 0x07c90000 | 0x07ccffff | Private Memory | Readable, Writable | | |
| private_0x0000000007cd0000 | 0x07cd0000 | 0x07d0ffff | Private Memory | Readable, Writable | | |
| private_0x0000000007d10000 | 0x07d10000 | 0x07d4ffff | Private Memory | Readable, Writable | | |
| private_0x0000000007d50000 | 0x07d50000 | 0x07d8ffff | Private Memory | Readable, Writable | | |
| private_0x0000000007d90000 | 0x07d90000 | 0x07dcffff | Private Memory | Readable, Writable | | |
| private_0x0000000007dd0000 | 0x07dd0000 | 0x07eacfff | Private Memory | Readable, Writable | | |
| private_0x0000000007eb0000 | 0x07eb0000 | 0x07eb3fff | Private Memory | Readable, Writable | | |
| private_0x0000000007ec0000 | 0x07ec0000 | 0x07ec3fff | Private Memory | Readable, Writable | | |
| private_0x0000000007ed0000 | 0x07ed0000 | 0x07ed0fff | Private Memory | Readable, Writable | | |
| private_0x0000000007ee0000 | 0x07ee0000 | 0x07ee1fff | Private Memory | Readable, Writable | | |
| private_0x0000000007ef0000 | 0x07ef0000 | 0x07fd5fff | Private Memory | Readable, Writable | | |
| private_0x0000000007fe0000 | 0x07fe0000 | 0x07fe2fff | Private Memory | Readable, Writable | | |
| private_0x0000000007ff0000 | 0x07ff0000 | 0x07ff0fff | Private Memory | Readable, Writable | | |
| private_0x0000000008000000 | 0x08000000 | 0x08000fff | Private Memory | Readable, Writable | | |
| private_0x0000000008010000 | 0x08010000 | 0x08010fff | Private Memory | Readable, Writable | | |
| private_0x0000000008020000 | 0x08020000 | 0x08020fff | Private Memory | Readable, Writable | | |
| private_0x0000000008030000 | 0x08030000 | 0x08030fff | Private Memory | Readable, Writable | | |
| private_0x0000000008040000 | 0x08040000 | 0x08040fff | Private Memory | Readable, Writable | | |
| private_0x0000000008050000 | 0x08050000 | 0x08050fff | Private Memory | Readable, Writable | | |
| private_0x0000000008060000 | 0x08060000 | 0x08060fff | Private Memory | Readable, Writable | | |
| private_0x0000000008070000 | 0x08070000 | 0x08070fff | Private Memory | Readable, Writable | | |
| private_0x00000000080c0000 | 0x080c0000 | 0x080fffff | Private Memory | Readable, Writable | | |
| private_0x0000000008100000 | 0x08100000 | 0x0813ffff | Private Memory | Readable, Writable | | |
| private_0x0000000008140000 | 0x08140000 | 0x0817ffff | Private Memory | Readable, Writable | | |
| private_0x0000000008180000 | 0x08180000 | 0x081bffff | Private Memory | Readable, Writable | | |
| private_0x00000000081c0000 | 0x081c0000 | 0x081fffff | Private Memory | Readable, Writable | | |
| private_0x0000000008200000 | 0x08200000 | 0x0823ffff | Private Memory | Readable, Writable | | |
| private_0x0000000008240000 | 0x08240000 | 0x08286fff | Private Memory | Readable, Writable | | |
| private_0x0000000008290000 | 0x08290000 | 0x08620fff | Private Memory | Readable, Writable | | |
| private_0x0000000008630000 | 0x08630000 | 0x088a3fff | Private Memory | Readable, Writable | | |
| private_0x00000000088b0000 | 0x088b0000 | 0x08a29fff | Private Memory | Readable, Writable | | |
| private_0x0000000008ab0000 | 0x08ab0000 | 0x08b2ffff | Private Memory | Readable, Writable | | |
| private_0x0000000008b30000 | 0x08b30000 | 0x08baffff | Private Memory | Readable, Writable | | |
| private_0x0000000008cb0000 | 0x08cb0000 | 0x08d2ffff | Private Memory | Readable, Writable | | |
| private_0x0000000008dc0000 | 0x08dc0000 | 0x08f9dfff | Private Memory | Readable, Writable | | |
| private_0x0000000008fa0000 | 0x08fa0000 | 0x090acfff | Private Memory | Readable, Writable, Executable | | |
| private_0x00000000090c0000 | 0x090c0000 | 0x0913ffff | Private Memory | Readable, Writable | | |
| private_0x0000000009d30000 | 0x09d30000 | 0x0ab50fff | Private Memory | Readable, Writable | | |
| private_0x000000000cf40000 | 0x0cf40000 | 0x0df0ffff | Private Memory | Readable, Writable | | |
| sfc.dll | 0x74130000 | 0x74132fff | Memory Mapped File | Readable, Writable, Executable | | |
| user32.dll | 0x77730000 | 0x77829fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x77830000 | 0x7794efff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| normaliz.dll | 0x77b10000 | 0x77b12fff | Memory Mapped File | Readable, Writable, Executable | | |
| psapi.dll | 0x77b20000 | 0x77b26fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| svchost.exe | 0xff840000 | 0xff84afff | Memory Mapped File | Readable, Writable, Executable | | |
| mpengine.dll | 0x7fef4f90000 | 0x7fef5ac8fff | Memory Mapped File | Readable, Writable, Executable | | |
| wscapi.dll | 0x7fef63c0000 | 0x7fef63d2fff | Memory Mapped File | Readable, Writable, Executable | | |
| tdh.dll | 0x7fef7840000 | 0x7fef7916fff | Memory Mapped File | Readable, Writable, Executable | | |
| MpClient.dll | 0x7fef7970000 | 0x7fef79fffff | Memory Mapped File | Readable, Writable, Executable | | |
| MpSvc.dll | 0x7fef7bf0000 | 0x7fef7ceafff | Memory Mapped File | Readable, Writable, Executable | | |
| sfc_os.dll | 0x7fef9510000 | 0x7fef951ffff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-advapi32-l2-1-0.dll | 0x7fef9560000 | 0x7fef9563fff | Memory Mapped File | Readable, Writable, Executable | | |
| MpRTP.dll | 0x7fefaa40000 | 0x7fefaa74fff | Memory Mapped File | Readable, Writable, Executable | | |
| ntmarta.dll | 0x7fefab30000 | 0x7fefab5cfff | Memory Mapped File | Readable, Writable, Executable | | |
| wtsapi32.dll | 0x7fefbaf0000 | 0x7fefbb00fff | Memory Mapped File | Readable, Writable, Executable | | |
| version.dll | 0x7fefc800000 | 0x7fefc80bfff | Memory Mapped File | Readable, Writable, Executable | | |
| gpapi.dll | 0x7fefc9d0000 | 0x7fefc9eafff | Memory Mapped File | Readable, Writable, Executable | | |
| credssp.dll | 0x7fefcae0000 | 0x7fefcae9fff | Memory Mapped File | Readable, Writable, Executable | | |
| bcryptprimitives.dll | 0x7fefcb50000 | 0x7fefcb9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| rsaenh.dll | 0x7fefcc10000 | 0x7fefcc56fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptsp.dll | 0x7fefcf10000 | 0x7fefcf26fff | Memory Mapped File | Readable, Writable, Executable | | |
| bcrypt.dll | 0x7fefd080000 | 0x7fefd0a1fff | Memory Mapped File | Readable, Writable, Executable | | |
| ncrypt.dll | 0x7fefd0b0000 | 0x7fefd0fffff | Memory Mapped File | Readable, Writable, Executable | | |
| secur32.dll | 0x7fefd4a0000 | 0x7fefd4aafff | Memory Mapped File | Readable, Writable, Executable | | |
| sspicli.dll | 0x7fefd4e0000 | 0x7fefd504fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptbase.dll | 0x7fefd570000 | 0x7fefd57efff | Memory Mapped File | Readable, Writable, Executable | | |
| RpcRtRemote.dll | 0x7fefd660000 | 0x7fefd673fff | Memory Mapped File | Readable, Writable, Executable | | |
| msasn1.dll | 0x7fefd710000 | 0x7fefd71efff | Memory Mapped File | Readable, Writable, Executable | | |
| profapi.dll | 0x7fefd720000 | 0x7fefd72efff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-ole32-l1-1-0.dll | 0x7fefd750000 | 0x7fefd753fff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-version-l1-1-0.dll | 0x7fefd760000 | 0x7fefd763fff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-shlwapi-l1-1-0.dll | 0x7fefd770000 | 0x7fefd773fff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-normaliz-l1-1-0.dll | 0x7fefd780000 | 0x7fefd782fff | Memory Mapped File | Readable, Writable, Executable | | |
| wintrust.dll | 0x7fefd790000 | 0x7fefd7cafff | Memory Mapped File | Readable, Writable, Executable | | |
| crypt32.dll | 0x7fefd7d0000 | 0x7fefd93cfff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-user32-l1-1-0.dll | 0x7fefd940000 | 0x7fefd943fff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x7fefda30000 | 0x7fefda9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| userenv.dll | 0x7fefdaa0000 | 0x7fefdabdfff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-advapi32-l1-1-0.dll | 0x7fefdac0000 | 0x7fefdac4fff | Memory Mapped File | Readable, Writable, Executable | | |
| imagehlp.dll | 0x7fefdad0000 | 0x7fefdae8fff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7fefdaf0000 | 0x7fefdbcafff | Memory Mapped File | Readable, Writable, Executable | | |
| msctf.dll | 0x7fefdbd0000 | 0x7fefdcd8fff | Memory Mapped File | Readable, Writable, Executable | | |
| shell32.dll | 0x7fefdce0000 | 0x7fefea67fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7fefea70000 | 0x7fefeb9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| wininet.dll | 0x7fefed80000 | 0x7fefefc7fff | Memory Mapped File | Readable, Writable, Executable | | |
| iertutil.dll | 0x7fefefd0000 | 0x7feff296fff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7feff2a0000 | 0x7feff2befff | Memory Mapped File | Readable, Writable, Executable | | |
| imm32.dll | 0x7feff2c0000 | 0x7feff2edfff | Memory Mapped File | Readable, Writable, Executable | | |
| urlmon.dll | 0x7feff2f0000 | 0x7feff474fff | Memory Mapped File | Readable, Writable, Executable | | |
| Wldap32.dll | 0x7feff480000 | 0x7feff4d1fff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x7feff4e0000 | 0x7feff5a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| nsi.dll | 0x7feff650000 | 0x7feff657fff | Memory Mapped File | Readable, Writable, Executable | | |
| ole32.dll | 0x7feff6e0000 | 0x7feff8e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| oleaut32.dll | 0x7feff8f0000 | 0x7feff9c6fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7feff9d0000 | 0x7feffa36fff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x7feffa40000 | 0x7feffa4dfff | Memory Mapped File | Readable, Writable, Executable | | |
| ws2_32.dll | 0x7feffa50000 | 0x7feffa9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| clbcatq.dll | 0x7feffaa0000 | 0x7feffb38fff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x7feffb40000 | 0x7feffbdefff | Memory Mapped File | Readable, Writable, Executable | | |
| shlwapi.dll | 0x7feffbe0000 | 0x7feffc50fff | Memory Mapped File | Readable, Writable, Executable | | |
| apisetschema.dll | 0x7feffc70000 | 0x7feffc70fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x000007fffff98000 | 0x7fffff98000 | 0x7fffff99fff | Private Memory | Readable, Writable | | |
| private_0x000007fffff9a000 | 0x7fffff9a000 | 0x7fffff9bfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa0000 | 0x7fffffa0000 | 0x7fffffa1fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa2000 | 0x7fffffa2000 | 0x7fffffa3fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa4000 | 0x7fffffa4000 | 0x7fffffa5fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa6000 | 0x7fffffa6000 | 0x7fffffa7fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffa8000 | 0x7fffffa8000 | 0x7fffffa9fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffaa000 | 0x7fffffaa000 | 0x7fffffabfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | Readable, Writable | | |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed File | Readable | | |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | Readable, Writable | | |
| Information | Value |
|---|---|
| ID / OS PID | #26 / 0x754 |
| OS Parent PID | 0x35c (c:\windows\system32\svchost.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\system32\taskeng.exe |
| Command Line | taskeng.exe {A102D200-38FE-4EBE-8603-33AE94893701} S-1-5-21-3335109830-3850919073-1580866493-1000:User-PC\User:Interactive:Highest[1] |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #389 0xB64 #390 0x780 #391 0x77C #392 0x764 #393 0x760 #394 0x758 #498 0x668 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed File | Readable | | |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable | | |
| locale.nls | 0x00060000 | 0x000c6fff | Memory Mapped File | Readable | | |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed File | Readable, Writable | | |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | Readable, Writable | | |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00100fff | Pagefile Backed File | Readable | | |
| private_0x0000000000180000 | 0x00180000 | 0x0018ffff | Private Memory | Readable, Writable | | |
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | Readable, Writable | | |
| private_0x00000000002b0000 | 0x002b0000 | 0x0032ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000440000 | 0x00440000 | 0x0053ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000540000 | 0x00540000 | 0x006c7fff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x00850fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000860000 | 0x00860000 | 0x01c5ffff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000001c60000 | 0x01c60000 | 0x01f4bfff | Pagefile Backed File | Readable | | |
| private_0x0000000001fd0000 | 0x01fd0000 | 0x0204ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002050000 | 0x02050000 | 0x0214ffff | Private Memory | Readable, Writable | | |
| private_0x00000000021b0000 | 0x021b0000 | 0x0222ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002270000 | 0x02270000 | 0x022effff | Private Memory | Readable, Writable | | |
| SortDefault.nls | 0x023c0000 | 0x0268efff | Memory Mapped File | Readable | | |
| private_0x0000000002760000 | 0x02760000 | 0x027dffff | Private Memory | Readable, Writable | | |
| private_0x0000000002860000 | 0x02860000 | 0x028dffff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000029a0000 | 0x029a0000 | 0x02a7efff | Pagefile Backed File | Readable | | |
| private_0x0000000002ae0000 | 0x02ae0000 | 0x02b5ffff | Private Memory | Readable, Writable | | |
| user32.dll | 0x77730000 | 0x77829fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x77830000 | 0x7794efff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| taskeng.exe | 0xff8f0000 | 0xff963fff | Memory Mapped File | Readable, Writable, Executable | | |
| TSChannel.dll | 0x7fef7920000 | 0x7fef7928fff | Memory Mapped File | Readable, Writable, Executable | | |
| ktmw32.dll | 0x7fefabf0000 | 0x7fefabf9fff | Memory Mapped File | Readable, Writable, Executable | | |
| xmllite.dll | 0x7fefbb20000 | 0x7fefbb54fff | Memory Mapped File | Readable, Writable, Executable | | |
| dwmapi.dll | 0x7fefbb60000 | 0x7fefbb77fff | Memory Mapped File | Readable, Writable, Executable | | |
| uxtheme.dll | 0x7fefbf90000 | 0x7fefbfe5fff | Memory Mapped File | Readable, Writable, Executable | | |
| rsaenh.dll | 0x7fefcc10000 | 0x7fefcc56fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptsp.dll | 0x7fefcf10000 | 0x7fefcf26fff | Memory Mapped File | Readable, Writable, Executable | | |
| wevtapi.dll | 0x7fefd140000 | 0x7fefd1acfff | Memory Mapped File | Readable, Writable, Executable | | |
| sspicli.dll | 0x7fefd4e0000 | 0x7fefd504fff | Memory Mapped File | Readable, Writable, Executable | | |
| apphelp.dll | 0x7fefd510000 | 0x7fefd566fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptbase.dll | 0x7fefd570000 | 0x7fefd57efff | Memory Mapped File | Readable, Writable, Executable | | |
| RpcRtRemote.dll | 0x7fefd660000 | 0x7fefd673fff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x7fefda30000 | 0x7fefda9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7fefdaf0000 | 0x7fefdbcafff | Memory Mapped File | Readable, Writable, Executable | | |
| msctf.dll | 0x7fefdbd0000 | 0x7fefdcd8fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7fefea70000 | 0x7fefeb9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7feff2a0000 | 0x7feff2befff | Memory Mapped File | Readable, Writable, Executable | | |
| imm32.dll | 0x7feff2c0000 | 0x7feff2edfff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x7feff4e0000 | 0x7feff5a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| ole32.dll | 0x7feff6e0000 | 0x7feff8e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| oleaut32.dll | 0x7feff8f0000 | 0x7feff9c6fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7feff9d0000 | 0x7feffa36fff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x7feffa40000 | 0x7feffa4dfff | Memory Mapped File | Readable, Writable, Executable | | |
| clbcatq.dll | 0x7feffaa0000 | 0x7feffb38fff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x7feffb40000 | 0x7feffbdefff | Memory Mapped File | Readable, Writable, Executable | | |
| shlwapi.dll | 0x7feffbe0000 | 0x7feffc50fff | Memory Mapped File | Readable, Writable, Executable | | |
| apisetschema.dll | 0x7feffc70000 | 0x7feffc70fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed File | Readable | | |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffd9fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | Readable, Writable | | |
| Information | Value |
|---|---|
| ID / OS PID | #27 / 0x7f0 |
| OS Parent PID | 0x1c0 (c:\windows\system32\services.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\system32\searchindexer.exe |
| Command Line | C:\Windows\system32\SearchIndexer.exe \Embedding |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #395 0x428 #396 0xB58 #397 0xA50 #398 0x49C #399 0x578 #400 0x54C #401 0x550 #402 0x4E8 #403 0x4AC #404 0x330 #405 0x440 #406 0x438 #407 0x7F8 #408 0x7F4 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| ID / OS PID | #28 / 0x590 |
| OS Parent PID | 0x7f0 (c:\windows\system32\searchindexer.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\system32\searchprotocolhost.exe |
| Command Line | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3335109830-3850919073-1580866493-10001_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3335109830-3850919073-1580866493-10001 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla\4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1" |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #409 0xB50 #410 0x55C #411 0x5E8 #412 0x56C #413 0x4EC #414 0x594 #415 0x57C #523 0x61C |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed File | Readable | | |
| private_0x0000000000040000 | 0x00040000 | 0x00040fff | Private Memory | Readable, Writable | | |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable | | |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00070fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000080000 | 0x00080000 | 0x00080fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000090000 | 0x00090000 | 0x0009ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000affff | Pagefile Backed File | Readable, Writable | | |
| private_0x00000000000b0000 | 0x000b0000 | 0x0012ffff | Private Memory | Readable, Writable | | |
| locale.nls | 0x00130000 | 0x00196fff | Memory Mapped File | Readable | | |
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | Readable, Writable | | |
| private_0x0000000000300000 | 0x00300000 | 0x0037ffff | Private Memory | Readable, Writable | | |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | Readable, Writable | | |
| private_0x00000000003e0000 | 0x003e0000 | 0x004dffff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x00667fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000670000 | 0x00670000 | 0x007f0fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000800000 | 0x00800000 | 0x01bfffff | Pagefile Backed File | Readable | | |
| private_0x0000000001ca0000 | 0x01ca0000 | 0x01d1ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001db0000 | 0x01db0000 | 0x01e2ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001e80000 | 0x01e80000 | 0x01efffff | Private Memory | Readable, Writable | | |
| private_0x0000000001f00000 | 0x01f00000 | 0x01ffffff | Private Memory | Readable, Writable | | |
| private_0x0000000002010000 | 0x02010000 | 0x0208ffff | Private Memory | Readable, Writable | | |
| private_0x00000000020f0000 | 0x020f0000 | 0x0216ffff | Private Memory | Readable, Writable | | |
| SortDefault.nls | 0x02220000 | 0x024eefff | Memory Mapped File | Readable | | |
| private_0x0000000002600000 | 0x02600000 | 0x0267ffff | Private Memory | Readable, Writable | | |
| user32.dll | 0x77730000 | 0x77829fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x77830000 | 0x7794efff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| SearchProtocolHost.exe | 0xffd10000 | 0xffd50fff | Memory Mapped File | Readable, Writable, Executable | | |
| mssvp.dll | 0x7fef6610000 | 0x7fef66d1fff | Memory Mapped File | Readable, Writable, Executable | | |
| tquery.dll | 0x7fef6910000 | 0x7fef6b49fff | Memory Mapped File | Readable, Writable, Executable | | |
| cscobj.dll | 0x7fef77b0000 | 0x7fef77eefff | Memory Mapped File | Readable, Writable, Executable | | |
| cscapi.dll | 0x7fef9c70000 | 0x7fef9c7efff | Memory Mapped File | Readable, Writable, Executable | | |
| mapi32.dll | 0x7fefb6d0000 | 0x7fefb6eafff | Memory Mapped File | Readable, Writable, Executable | | |
| msshooks.dll | 0x7fefb870000 | 0x7fefb877fff | Memory Mapped File | Readable, Writable, Executable | | |
| mssprxy.dll | 0x7fefb8c0000 | 0x7fefb8dcfff | Memory Mapped File | Readable, Writable, Executable | | |
| msidle.dll | 0x7fefb8e0000 | 0x7fefb8e6fff | Memory Mapped File | Readable, Writable, Executable | | |
| rsaenh.dll | 0x7fefcc10000 | 0x7fefcc56fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptsp.dll | 0x7fefcf10000 | 0x7fefcf26fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptbase.dll | 0x7fefd570000 | 0x7fefd57efff | Memory Mapped File | Readable, Writable, Executable | | |
| RpcRtRemote.dll | 0x7fefd660000 | 0x7fefd673fff | Memory Mapped File | Readable, Writable, Executable | | |
| profapi.dll | 0x7fefd720000 | 0x7fefd72efff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x7fefda30000 | 0x7fefda9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| userenv.dll | 0x7fefdaa0000 | 0x7fefdabdfff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7fefdaf0000 | 0x7fefdbcafff | Memory Mapped File | Readable, Writable, Executable | | |
| msctf.dll | 0x7fefdbd0000 | 0x7fefdcd8fff | Memory Mapped File | Readable, Writable, Executable | | |
| shell32.dll | 0x7fefdce0000 | 0x7fefea67fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7fefea70000 | 0x7fefeb9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7feff2a0000 | 0x7feff2befff | Memory Mapped File | Readable, Writable, Executable | | |
| imm32.dll | 0x7feff2c0000 | 0x7feff2edfff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x7feff4e0000 | 0x7feff5a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| ole32.dll | 0x7feff6e0000 | 0x7feff8e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| oleaut32.dll | 0x7feff8f0000 | 0x7feff9c6fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7feff9d0000 | 0x7feffa36fff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x7feffa40000 | 0x7feffa4dfff | Memory Mapped File | Readable, Writable, Executable | | |
| clbcatq.dll | 0x7feffaa0000 | 0x7feffb38fff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x7feffb40000 | 0x7feffbdefff | Memory Mapped File | Readable, Writable, Executable | | |
| shlwapi.dll | 0x7feffbe0000 | 0x7feffc50fff | Memory Mapped File | Readable, Writable, Executable | | |
| apisetschema.dll | 0x7feffc70000 | 0x7feffc70fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | Readable, Writable | | |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed File | Readable | | |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdbfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | Readable, Writable | | |
| Information | Value |
|---|---|
| ID / OS PID | #29 / 0x584 |
| OS Parent PID | 0x7f0 (c:\windows\system32\searchindexer.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\system32\searchfilterhost.exe |
| Command Line | "C:\Windows\system32\SearchFilterHost.exe" 0 504 508 516 65536 512 |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #416 0xB54 #417 0x5A4 #418 0x5C0 #419 0x59C #420 0x5B0 #507 0x58C |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| ID / OS PID | #30 / 0x8f4 |
| OS Parent PID | 0x1c0 (c:\windows\system32\services.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\system32\taskhost.exe |
| Command Line | taskhost.exe $(Arg0) |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #421 0x424 #422 0xB44 #423 0x954 #424 0x950 #425 0x94C #426 0x948 #427 0x944 #428 0x910 #429 0x908 #430 0x904 #431 0x900 #432 0x8F8 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed File | Readable | | |
| private_0x0000000000040000 | 0x00040000 | 0x00040fff | Private Memory | Readable, Writable | | |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable | | |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c1fff | Pagefile Backed File | Readable, Writable | | |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | Readable, Writable | | |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00100fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000130000 | 0x00130000 | 0x0013ffff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000140000 | 0x00140000 | 0x0014ffff | Private Memory | Readable, Writable | | |
| msxml6r.dll | 0x00150000 | 0x00150fff | Memory Mapped File | Readable | | |
| private_0x0000000000160000 | 0x00160000 | 0x0017ffff | Private Memory | - | | |
| private_0x0000000000180000 | 0x00180000 | 0x001fffff | Private Memory | Readable, Writable | | |
| private_0x0000000000200000 | 0x00200000 | 0x002fffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000300000 | 0x00300000 | 0x003bffff | Pagefile Backed File | Readable | | |
| WinSATAPI.dll.mui | 0x003c0000 | 0x003c1fff | Memory Mapped File | Readable, Writable | | |
| pagefile_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Pagefile Backed File | Readable, Writable | | |
| private_0x00000000003e0000 | 0x003e0000 | 0x004dffff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x00667fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000670000 | 0x00670000 | 0x007f0fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000800000 | 0x00800000 | 0x00aebfff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000af0000 | 0x00af0000 | 0x00afffff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b7ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000b80000 | 0x00b80000 | 0x00b80fff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000b90000 | 0x00b90000 | 0x00b9ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000ba0000 | 0x00ba0000 | 0x00ba0fff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x00bbffff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000bc0000 | 0x00bc0000 | 0x00c3ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000cb0000 | 0x00cb0000 | 0x00d2ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000e40000 | 0x00e40000 | 0x00ebffff | Private Memory | Readable, Writable | | |
| private_0x0000000000f00000 | 0x00f00000 | 0x00f7ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000f80000 | 0x00f80000 | 0x00ffffff | Private Memory | Readable, Writable | | |
| private_0x0000000001030000 | 0x01030000 | 0x010affff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000010b0000 | 0x010b0000 | 0x01139fff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000001140000 | 0x01140000 | 0x011bffff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000011c0000 | 0x011c0000 | 0x0148bfff | Pagefile Backed File | Readable, Writable | | |
| SortDefault.nls | 0x01490000 | 0x0175efff | Memory Mapped File | Readable | | |
| KernelBase.dll.mui | 0x01760000 | 0x0181ffff | Memory Mapped File | Readable, Writable | | |
| private_0x0000000001860000 | 0x01860000 | 0x018dffff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000018e0000 | 0x018e0000 | 0x01969fff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000001970000 | 0x01970000 | 0x019effff | Private Memory | Readable, Writable | | |
| private_0x0000000001ab0000 | 0x01ab0000 | 0x01b2ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001b30000 | 0x01b30000 | 0x01f2ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001f70000 | 0x01f70000 | 0x01feffff | Private Memory | Readable, Writable | | |
| private_0x0000000002010000 | 0x02010000 | 0x0210ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002130000 | 0x02130000 | 0x021affff | Private Memory | Readable, Writable | | |
| private_0x00000000021b0000 | 0x021b0000 | 0x023affff | Private Memory | Readable, Writable | | |
| private_0x00000000023d0000 | 0x023d0000 | 0x0244ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002470000 | 0x02470000 | 0x024effff | Private Memory | Readable, Writable | | |
| private_0x00000000024f0000 | 0x024f0000 | 0x0256ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002570000 | 0x02570000 | 0x025effff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000025f0000 | 0x025f0000 | 0x028bbfff | Pagefile Backed File | Readable, Writable | | |
| private_0x00000000028f0000 | 0x028f0000 | 0x0296ffff | Private Memory | Readable, Writable | | |
| private_0x0000000002990000 | 0x02990000 | 0x02a0ffff | Private Memory | Readable, Writable | | |
| sfc.dll | 0x74130000 | 0x74132fff | Memory Mapped File | Readable, Writable, Executable | | |
| user32.dll | 0x77730000 | 0x77829fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x77830000 | 0x7794efff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| taskhost.exe | 0xff6f0000 | 0xff703fff | Memory Mapped File | Readable, Writable, Executable | | |
| sqlceqp30.dll | 0x7fef4b70000 | 0x7fef4c40fff | Memory Mapped File | Readable, Writable, Executable | | |
| RacEngn.dll | 0x7fef4e10000 | 0x7fef4f8ffff | Memory Mapped File | Readable, Writable, Executable | | |
| sqlcese30.dll | 0x7fef5b40000 | 0x7fef5bb3fff | Memory Mapped File | Readable, Writable, Executable | | |
| WinSATAPI.dll | 0x7fef5d00000 | 0x7fef5d84fff | Memory Mapped File | Readable, Writable, Executable | | |
| usbceip.dll | 0x7fef60b0000 | 0x7fef60bafff | Memory Mapped File | Readable, Writable, Executable | | |
| sqlceoledb30.dll | 0x7fef60c0000 | 0x7fef60f2fff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-shlwapi-l2-1-0.dll | 0x7fef61c0000 | 0x7fef61c3fff | Memory Mapped File | Readable, Writable, Executable | | |
| sqmapi.dll | 0x7fef8cd0000 | 0x7fef8d11fff | Memory Mapped File | Readable, Writable, Executable | | |
| aepic.dll | 0x7fef94b0000 | 0x7fef94c1fff | Memory Mapped File | Readable, Writable, Executable | | |
| sfc_os.dll | 0x7fef9510000 | 0x7fef951ffff | Memory Mapped File | Readable, Writable, Executable | | |
| msxml6.dll | 0x7fef9dd0000 | 0x7fef9fc0fff | Memory Mapped File | Readable, Writable, Executable | | |
| dxgi.dll | 0x7fefa5d0000 | 0x7fefa62cfff | Memory Mapped File | Readable, Writable, Executable | | |
| taskschd.dll | 0x7fefb100000 | 0x7fefb226fff | Memory Mapped File | Readable, Writable, Executable | | |
| powrprof.dll | 0x7fefb5d0000 | 0x7fefb5fbfff | Memory Mapped File | Readable, Writable, Executable | | |
| xmllite.dll | 0x7fefbb20000 | 0x7fefbb54fff | Memory Mapped File | Readable, Writable, Executable | | |
| dwmapi.dll | 0x7fefbb60000 | 0x7fefbb77fff | Memory Mapped File | Readable, Writable, Executable | | |
| GdiPlus.dll | 0x7fefbd70000 | 0x7fefbf85fff | Memory Mapped File | Readable, Writable, Executable | | |
| propsys.dll | 0x7fefbff0000 | 0x7fefc11bfff | Memory Mapped File | Readable, Writable, Executable | | |
| version.dll | 0x7fefc800000 | 0x7fefc80bfff | Memory Mapped File | Readable, Writable, Executable | | |
| wevtapi.dll | 0x7fefd140000 | 0x7fefd1acfff | Memory Mapped File | Readable, Writable, Executable | | |
| sspicli.dll | 0x7fefd4e0000 | 0x7fefd504fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptbase.dll | 0x7fefd570000 | 0x7fefd57efff | Memory Mapped File | Readable, Writable, Executable | | |
| msasn1.dll | 0x7fefd710000 | 0x7fefd71efff | Memory Mapped File | Readable, Writable, Executable | | |
| profapi.dll | 0x7fefd720000 | 0x7fefd72efff | Memory Mapped File | Readable, Writable, Executable | | |
| devobj.dll | 0x7fefd730000 | 0x7fefd749fff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-shlwapi-l1-1-0.dll | 0x7fefd770000 | 0x7fefd773fff | Memory Mapped File | Readable, Writable, Executable | | |
| wintrust.dll | 0x7fefd790000 | 0x7fefd7cafff | Memory Mapped File | Readable, Writable, Executable | | |
| crypt32.dll | 0x7fefd7d0000 | 0x7fefd93cfff | Memory Mapped File | Readable, Writable, Executable | | |
| cfgmgr32.dll | 0x7fefd9f0000 | 0x7fefda25fff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x7fefda30000 | 0x7fefda9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-advapi32-l1-1-0.dll | 0x7fefdac0000 | 0x7fefdac4fff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7fefdaf0000 | 0x7fefdbcafff | Memory Mapped File | Readable, Writable, Executable | | |
| msctf.dll | 0x7fefdbd0000 | 0x7fefdcd8fff | Memory Mapped File | Readable, Writable, Executable | | |
| shell32.dll | 0x7fefdce0000 | 0x7fefea67fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7fefea70000 | 0x7fefeb9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| setupapi.dll | 0x7fefeba0000 | 0x7fefed76fff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7feff2a0000 | 0x7feff2befff | Memory Mapped File | Readable, Writable, Executable | | |
| imm32.dll | 0x7feff2c0000 | 0x7feff2edfff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x7feff4e0000 | 0x7feff5a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| ole32.dll | 0x7feff6e0000 | 0x7feff8e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| oleaut32.dll | 0x7feff8f0000 | 0x7feff9c6fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7feff9d0000 | 0x7feffa36fff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x7feffa40000 | 0x7feffa4dfff | Memory Mapped File | Readable, Writable, Executable | | |
| clbcatq.dll | 0x7feffaa0000 | 0x7feffb38fff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x7feffb40000 | 0x7feffbdefff | Memory Mapped File | Readable, Writable, Executable | | |
| shlwapi.dll | 0x7feffbe0000 | 0x7feffc50fff | Memory Mapped File | Readable, Writable, Executable | | |
| apisetschema.dll | 0x7feffc70000 | 0x7feffc70fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x000007fffffa8000 | 0x7fffffa8000 | 0x7fffffa9fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffaa000 | 0x7fffffaa000 | 0x7fffffabfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffac000 | 0x7fffffac000 | 0x7fffffadfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | Readable, Writable | | |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed File | Readable | | |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd4fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd6fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd8fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffdafff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdcfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | Readable, Writable | | |
| Information | Value |
|---|---|
| ID / OS PID | #31 / 0x850 |
| OS Parent PID | 0x1c0 (c:\windows\system32\services.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe |
| Command Line | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #433 0x914 #434 0x888 #435 0x84C #436 0x4B0 #437 0x7E4 #438 0x868 #514 0x118 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| ID / OS PID | #33 / 0x7ec |
| OS Parent PID | 0x1c0 (c:\windows\system32\services.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe |
| Command Line | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:55 |
| OS Thread IDs | #445 0x8A8 #446 0x8CC #447 0x8F0 #448 0x928 #449 0x918 #450 0x8FC |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| ID / OS PID | #34 / 0x8ac |
| OS Parent PID | 0x1c0 (c:\windows\system32\services.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\program files (x86)\google\update\googleupdate.exe |
| Command Line | "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" \svc |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Terminated |
| Monitor Duration | 00:00:21 |
| OS Thread IDs | #451 0x788 #452 0x898 #453 0x89C #454 0xA0 #455 0x8A0 #456 0x940 #458 0x78C #471 0x3AC #474 0x9D8 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| ID / OS PID | #35 / 0x4cc |
| OS Parent PID | 0xb0c (c:\users\user\desktop\55b17467da6d12ecf71e82eb96870bd314f248675da1bfad1b1e437b45453452.exe) |
| Initial Working Directory | C:\Users\User\Desktop |
| File Name | c:\windows\$ntuninstallq923283$\pxinsi64.exe |
| Command Line | "C:\Windows\$NtUninstallQ923283$\pxinsi64.exe" |
| Monitor | Start Time: 00:02:13, Reason: Child Process |
| Unmonitor | End Time: 00:02:18, Reason: Terminated |
| Monitor Duration | 00:00:05 |
| OS Thread IDs | #457 0x824 |
| Category | Operation | Information | Success | Amount | Logfile |
|---|---|---|---|---|---|
| FILE | CREATE | file_name = vboxdrv, desired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = OPEN_EXISTING | | 1 | |
| SYS | GET_INFO | type = SYSTEM_MODULE_INFORMATION | | 1 | |
| SYS | GET_INFO | type = SYSTEM_MODULE_INFORMATION | | 1 | |
| DRV | CONTROL | file_name = vboxdrv, control_code = 0x228204 | | 1 | |
| DRV | CONTROL | file_name = vboxdrv, control_code = 0x228214 | | 1 | |
| DRV | CONTROL | file_name = vboxdrv, control_code = 0x228218 | | 1 | |
| DRV | CONTROL | file_name = vboxdrv, control_code = 0x22824c | | 1 | |
| DRV | CONTROL | file_name = vboxdrv, control_code = 0x22830b | | 1 |
| Information | Value |
|---|---|
| ID / OS PID | #36 / 0xf8 |
| OS Parent PID | 0x1c0 (c:\windows\system32\services.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\windows\system32\sppsvc.exe |
| Command Line | C:\Windows\system32\sppsvc.exe |
| Monitor | Start Time: 00:02:21, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:38 |
| OS Thread IDs | #466 0x374 #477 0x974 #479 0x964 #480 0x9F8 #485 0x7B4 #490 0x45C #515 0x634 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed File | Readable | | |
| private_0x0000000000030000 | 0x00030000 | 0x000affff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000b3fff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Pagefile Backed File | Readable | | |
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | Readable, Writable | | |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | Readable, Writable | | |
| locale.nls | 0x000f0000 | 0x00156fff | Memory Mapped File | Readable | | |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00161fff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | Readable, Writable | | |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | Readable, Writable | | |
| private_0x00000000001a0000 | 0x001a0000 | 0x0029ffff | Private Memory | Readable, Writable | | |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000410000 | 0x00410000 | 0x0041ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000420000 | 0x00420000 | 0x005a7fff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x00730fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000740000 | 0x00740000 | 0x007fffff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000800000 | 0x00800000 | 0x00aebfff | Pagefile Backed File | Readable | | |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b8ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000c80000 | 0x00c80000 | 0x00cfffff | Private Memory | Readable, Writable | | |
| private_0x0000000000d00000 | 0x00d00000 | 0x00dfffff | Private Memory | Readable, Writable | | |
| private_0x0000000000e40000 | 0x00e40000 | 0x00ebffff | Private Memory | Readable, Writable | | |
| private_0x0000000000ff0000 | 0x00ff0000 | 0x0106ffff | Private Memory | Readable, Writable | | |
| user32.dll | 0x77730000 | 0x77829fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x77830000 | 0x7794efff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| sppsvc.exe | 0xff5b0000 | 0xff90efff | Memory Mapped File | Readable, Writable, Executable | | |
| rsaenh.dll | 0x7fefcc10000 | 0x7fefcc56fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptsp.dll | 0x7fefcf10000 | 0x7fefcf26fff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptbase.dll | 0x7fefd570000 | 0x7fefd57efff | Memory Mapped File | Readable, Writable, Executable | | |
| RpcRtRemote.dll | 0x7fefd660000 | 0x7fefd673fff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x7fefda30000 | 0x7fefda9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7fefdaf0000 | 0x7fefdbcafff | Memory Mapped File | Readable, Writable, Executable | | |
| msctf.dll | 0x7fefdbd0000 | 0x7fefdcd8fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7fefea70000 | 0x7fefeb9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7feff2a0000 | 0x7feff2befff | Memory Mapped File | Readable, Writable, Executable | | |
| imm32.dll | 0x7feff2c0000 | 0x7feff2edfff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x7feff4e0000 | 0x7feff5a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| ole32.dll | 0x7feff6e0000 | 0x7feff8e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7feff9d0000 | 0x7feffa36fff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x7feffa40000 | 0x7feffa4dfff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x7feffb40000 | 0x7feffbdefff | Memory Mapped File | Readable, Writable, Executable | | |
| apisetschema.dll | 0x7feffc70000 | 0x7feffc70fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x000007fffffae000 | 0x7fffffae000 | 0x7fffffaffff | Private Memory | Readable, Writable | | |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed File | Readable | | |
| private_0x000007fffffd6000 | 0x7fffffd6000 | 0x7fffffd7fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | Private Memory | Readable, Writable | | |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffdcfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | Readable, Writable | | |
| Information | Value |
|---|---|
| ID / OS PID | #37 / 0x3e8 |
| OS Parent PID | 0x8ac (c:\program files (x86)\google\update\googleupdate.exe) |
| Initial Working Directory | C:\Program Files (x86)\Google\Update\1.3.26.9 |
| File Name | c:\program files (x86)\google\update\googleupdate.exe |
| Command Line | "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" \c |
| Monitor | Start Time: 00:02:22, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:37 |
| OS Thread IDs | #472 0x9E4 #481 0x508 #482 0x570 #483 0x770 #486 0x40C |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable | | |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable | | |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable | | |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed File | Readable | | |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | Readable, Writable | | |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000090000 | 0x00090000 | 0x00090fff | Pagefile Backed File | Readable, Writable | | |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000b1fff | Pagefile Backed File | Readable | | |
| GoogleUpdate.exe | 0x000c0000 | 0x000dbfff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed File | Readable | | |
| private_0x00000000000f0000 | 0x000f0000 | 0x0012ffff | Private Memory | Readable, Writable | | |
| locale.nls | 0x00130000 | 0x00196fff | Memory Mapped File | Readable | | |
| private_0x00000000001c0000 | 0x001c0000 | 0x0023ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000290000 | 0x00290000 | 0x0038ffff | Private Memory | Readable, Writable | | |
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | Readable, Writable | | |
| private_0x0000000000420000 | 0x00420000 | 0x0051ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000520000 | 0x00520000 | 0x005dffff | Pagefile Backed File | Readable | | |
| private_0x0000000000610000 | 0x00610000 | 0x0064ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000650000 | 0x00650000 | 0x0065ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000660000 | 0x00660000 | 0x007e7fff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x00970fff | Pagefile Backed File | Readable | | |
| private_0x0000000000990000 | 0x00990000 | 0x009cffff | Private Memory | Readable, Writable | | |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a3ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000a50000 | 0x00a50000 | 0x00a5ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000a80000 | 0x00a80000 | 0x00a8ffff | Private Memory | Readable, Writable | | |
| SortDefault.nls | 0x00a90000 | 0x00d5efff | Memory Mapped File | Readable | | |
| private_0x0000000000dd0000 | 0x00dd0000 | 0x00e0ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000e30000 | 0x00e30000 | 0x00f2ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000f30000 | 0x00f30000 | 0x0102ffff | Private Memory | Readable, Writable | | |
| private_0x0000000001030000 | 0x01030000 | 0x0112ffff | Private Memory | Readable, Writable | | |
| GoogleUpdate.exe | 0x01190000 | 0x011abfff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x00000000011b0000 | 0x011b0000 | 0x012affff | Private Memory | Readable, Writable | | |
| private_0x00000000012c0000 | 0x012c0000 | 0x013bffff | Private Memory | Readable, Writable | | |
| private_0x0000000001320000 | 0x01320000 | 0x0141ffff | Private Memory | Readable, Writable | | |
| private_0x00000000014c0000 | 0x014c0000 | 0x014fffff | Private Memory | Readable, Writable | | |
| sysmain.sdb | 0x01500000 | 0x018e4fff | Memory Mapped File | Readable | | |
| dbghelp.dll | 0x746c0000 | 0x747aafff | Memory Mapped File | Readable, Writable, Executable | | |
| mstask.dll | 0x746f0000 | 0x74724fff | Memory Mapped File | Readable, Writable, Executable | | |
| dbghelp.dll | 0x74730000 | 0x7481afff | Memory Mapped File | Readable, Writable, Executable | | |
| apphelp.dll | 0x74820000 | 0x7486bfff | Memory Mapped File | Readable, Writable, Executable | | |
| ntmarta.dll | 0x74870000 | 0x74890fff | Memory Mapped File | Readable, Writable, Executable | | |
| cscapi.dll | 0x748a0000 | 0x748aafff | Memory Mapped File | Readable, Writable, Executable | | |
| uxtheme.dll | 0x748b0000 | 0x7492ffff | Memory Mapped File | Readable, Writable, Executable | | |
| msimg32.dll | 0x74930000 | 0x74934fff | Memory Mapped File | Readable, Writable, Executable | | |
| msi.dll | 0x74940000 | 0x74b84fff | Memory Mapped File | Readable, Writable, Executable | | |
| comctl32.dll | 0x74b90000 | 0x74d2dfff | Memory Mapped File | Readable, Writable, Executable | | |
| version.dll | 0x74d30000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable | | |
| rasman.dll | 0x74d40000 | 0x74d54fff | Memory Mapped File | Readable, Writable, Executable | | |
| rasapi32.dll | 0x74d60000 | 0x74db1fff | Memory Mapped File | Readable, Writable, Executable | | |
| wkscli.dll | 0x74dc0000 | 0x74dcefff | Memory Mapped File | Readable, Writable, Executable | | |
| srvcli.dll | 0x74dd0000 | 0x74de8fff | Memory Mapped File | Readable, Writable, Executable | | |
| netutils.dll | 0x74df0000 | 0x74df8fff | Memory Mapped File | Readable, Writable, Executable | | |
| netapi32.dll | 0x74e00000 | 0x74e10fff | Memory Mapped File | Readable, Writable, Executable | | |
| winnsi.dll | 0x74e20000 | 0x74e26fff | Memory Mapped File | Readable, Writable, Executable | | |
| IPHLPAPI.DLL | 0x74e30000 | 0x74e4bfff | Memory Mapped File | Readable, Writable, Executable | | |
| goopdate.dll | 0x74e50000 | 0x74feefff | Memory Mapped File | Readable, Writable, Executable | | |
| wtsapi32.dll | 0x75050000 | 0x7505cfff | Memory Mapped File | Readable, Writable, Executable | | |
| wow64cpu.dll | 0x75300000 | 0x75307fff | Memory Mapped File | Readable, Writable, Executable | | |
| wow64win.dll | 0x75310000 | 0x7536bfff | Memory Mapped File | Readable, Writable, Executable | | |
| wow64.dll | 0x75370000 | 0x753aefff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptbase.dll | 0x754b0000 | 0x754bbfff | Memory Mapped File | Readable, Writable, Executable | | |
| sspicli.dll | 0x754c0000 | 0x7551ffff | Memory Mapped File | Readable, Writable, Executable | | |
| ws2_32.dll | 0x75520000 | 0x75554fff | Memory Mapped File | Readable, Writable, Executable | | |
| imm32.dll | 0x75560000 | 0x755bffff | Memory Mapped File | Readable, Writable, Executable | | |
| iertutil.dll | 0x75620000 | 0x75851fff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-advapi32-l1-1-0.dll | 0x75860000 | 0x75864fff | Memory Mapped File | Readable, Writable, Executable | | |
| shlwapi.dll | 0x75870000 | 0x758c6fff | Memory Mapped File | Readable, Writable, Executable | | |
| ole32.dll | 0x758d0000 | 0x75a2bfff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x75a30000 | 0x75a48fff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-version-l1-1-0.dll | 0x75a50000 | 0x75a53fff | Memory Mapped File | Readable, Writable, Executable | | |
| wininet.dll | 0x75a60000 | 0x75c34fff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x75c40000 | 0x75cebfff | Memory Mapped File | Readable, Writable, Executable | | |
| user32.dll | 0x75cf0000 | 0x75deffff | Memory Mapped File | Readable, Writable, Executable | | |
| wintrust.dll | 0x75e70000 | 0x75e9efff | Memory Mapped File | Readable, Writable, Executable | | |
| Wldap32.dll | 0x75ea0000 | 0x75ee4fff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x76090000 | 0x7612ffff | Memory Mapped File | Readable, Writable, Executable | | |
| normaliz.dll | 0x76130000 | 0x76132fff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-shlwapi-l1-1-0.dll | 0x76140000 | 0x76143fff | Memory Mapped File | Readable, Writable, Executable | | |
| userenv.dll | 0x76160000 | 0x76176fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x76180000 | 0x7626ffff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x763e0000 | 0x764effff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-normaliz-l1-1-0.dll | 0x764f0000 | 0x764f2fff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x76500000 | 0x76509fff | Memory Mapped File | Readable, Writable, Executable | | |
| crypt32.dll | 0x76510000 | 0x76630fff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x766d0000 | 0x76716fff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x76720000 | 0x767bcfff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-user32-l1-1-0.dll | 0x767c0000 | 0x767c3fff | Memory Mapped File | Readable, Writable, Executable | | |
| psapi.dll | 0x767d0000 | 0x767d4fff | Memory Mapped File | Readable, Writable, Executable | | |
| profapi.dll | 0x767e0000 | 0x767eafff | Memory Mapped File | Readable, Writable, Executable | | |
| clbcatq.dll | 0x767f0000 | 0x76872fff | Memory Mapped File | Readable, Writable, Executable | | |
| msctf.dll | 0x768e0000 | 0x769abfff | Memory Mapped File | Readable, Writable, Executable | | |
| nsi.dll | 0x769b0000 | 0x769b5fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x769c0000 | 0x76a4ffff | Memory Mapped File | Readable, Writable, Executable | | |
| oleaut32.dll | 0x76a50000 | 0x76adefff | Memory Mapped File | Readable, Writable, Executable | | |
| shell32.dll | 0x76ae0000 | 0x77729fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x0000000077730000 | 0x77730000 | 0x77829fff | Private Memory | Readable, Writable, Executable | | |
| private_0x0000000077830000 | 0x77830000 | 0x7794efff | Private Memory | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| msasn1.dll | 0x77b00000 | 0x77b0bfff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77b30000 | 0x77caffff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable | | |
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable | | |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed File | Readable | | |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable | | |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable | | |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable | | |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable | | |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable | | |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable | | |
| Information | Value |
|---|---|
| ID / OS PID | #38 / 0x9c0 |
| OS Parent PID | 0x3e8 (c:\program files (x86)\google\update\googleupdate.exe) |
| Initial Working Directory | C:\Program Files (x86)\Google\Update\1.3.26.9 |
| File Name | c:\program files (x86)\google\update\googleupdate.exe |
| Command Line | "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" \cr |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:34 |
| OS Thread IDs | #487 0x710 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable | | |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable | | |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable | | |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed File | Readable | | |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | Readable, Writable | | |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | Readable, Writable | | |
| locale.nls | 0x00090000 | 0x000f6fff | Memory Mapped File | Readable | | |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00100fff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000190000 | 0x00190000 | 0x0019ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | Readable, Writable | | |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x00567fff | Pagefile Backed File | Readable | | |
| private_0x0000000000570000 | 0x00570000 | 0x005effff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000005f0000 | 0x005f0000 | 0x00770fff | Pagefile Backed File | Readable | | |
| private_0x0000000000780000 | 0x00780000 | 0x0087ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000880000 | 0x00880000 | 0x0093ffff | Pagefile Backed File | Readable | | |
| private_0x0000000000a00000 | 0x00a00000 | 0x00a0ffff | Private Memory | Readable, Writable | | |
| GoogleUpdate.exe | 0x01190000 | 0x011abfff | Memory Mapped File | Readable, Writable, Executable | | |
| uxtheme.dll | 0x748b0000 | 0x7492ffff | Memory Mapped File | Readable, Writable, Executable | | |
| msimg32.dll | 0x74930000 | 0x74934fff | Memory Mapped File | Readable, Writable, Executable | | |
| msi.dll | 0x74940000 | 0x74b84fff | Memory Mapped File | Readable, Writable, Executable | | |
| comctl32.dll | 0x74b90000 | 0x74d2dfff | Memory Mapped File | Readable, Writable, Executable | | |
| version.dll | 0x74d30000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable | | |
| rasman.dll | 0x74d40000 | 0x74d54fff | Memory Mapped File | Readable, Writable, Executable | | |
| rasapi32.dll | 0x74d60000 | 0x74db1fff | Memory Mapped File | Readable, Writable, Executable | | |
| wkscli.dll | 0x74dc0000 | 0x74dcefff | Memory Mapped File | Readable, Writable, Executable | | |
| srvcli.dll | 0x74dd0000 | 0x74de8fff | Memory Mapped File | Readable, Writable, Executable | | |
| netutils.dll | 0x74df0000 | 0x74df8fff | Memory Mapped File | Readable, Writable, Executable | | |
| netapi32.dll | 0x74e00000 | 0x74e10fff | Memory Mapped File | Readable, Writable, Executable | | |
| winnsi.dll | 0x74e20000 | 0x74e26fff | Memory Mapped File | Readable, Writable, Executable | | |
| IPHLPAPI.DLL | 0x74e30000 | 0x74e4bfff | Memory Mapped File | Readable, Writable, Executable | | |
| goopdate.dll | 0x74e50000 | 0x74feefff | Memory Mapped File | Readable, Writable, Executable | | |
| wtsapi32.dll | 0x75050000 | 0x7505cfff | Memory Mapped File | Readable, Writable, Executable | | |
| wow64cpu.dll | 0x75300000 | 0x75307fff | Memory Mapped File | Readable, Writable, Executable | | |
| wow64win.dll | 0x75310000 | 0x7536bfff | Memory Mapped File | Readable, Writable, Executable | | |
| wow64.dll | 0x75370000 | 0x753aefff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptbase.dll | 0x754b0000 | 0x754bbfff | Memory Mapped File | Readable, Writable, Executable | | |
| sspicli.dll | 0x754c0000 | 0x7551ffff | Memory Mapped File | Readable, Writable, Executable | | |
| ws2_32.dll | 0x75520000 | 0x75554fff | Memory Mapped File | Readable, Writable, Executable | | |
| imm32.dll | 0x75560000 | 0x755bffff | Memory Mapped File | Readable, Writable, Executable | | |
| iertutil.dll | 0x75620000 | 0x75851fff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-advapi32-l1-1-0.dll | 0x75860000 | 0x75864fff | Memory Mapped File | Readable, Writable, Executable | | |
| shlwapi.dll | 0x75870000 | 0x758c6fff | Memory Mapped File | Readable, Writable, Executable | | |
| ole32.dll | 0x758d0000 | 0x75a2bfff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x75a30000 | 0x75a48fff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-version-l1-1-0.dll | 0x75a50000 | 0x75a53fff | Memory Mapped File | Readable, Writable, Executable | | |
| wininet.dll | 0x75a60000 | 0x75c34fff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x75c40000 | 0x75cebfff | Memory Mapped File | Readable, Writable, Executable | | |
| user32.dll | 0x75cf0000 | 0x75deffff | Memory Mapped File | Readable, Writable, Executable | | |
| wintrust.dll | 0x75e70000 | 0x75e9efff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x76090000 | 0x7612ffff | Memory Mapped File | Readable, Writable, Executable | | |
| normaliz.dll | 0x76130000 | 0x76132fff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-shlwapi-l1-1-0.dll | 0x76140000 | 0x76143fff | Memory Mapped File | Readable, Writable, Executable | | |
| userenv.dll | 0x76160000 | 0x76176fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x76180000 | 0x7626ffff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x763e0000 | 0x764effff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-normaliz-l1-1-0.dll | 0x764f0000 | 0x764f2fff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x76500000 | 0x76509fff | Memory Mapped File | Readable, Writable, Executable | | |
| crypt32.dll | 0x76510000 | 0x76630fff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x766d0000 | 0x76716fff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x76720000 | 0x767bcfff | Memory Mapped File | Readable, Writable, Executable | | |
| api-ms-win-downlevel-user32-l1-1-0.dll | 0x767c0000 | 0x767c3fff | Memory Mapped File | Readable, Writable, Executable | | |
| psapi.dll | 0x767d0000 | 0x767d4fff | Memory Mapped File | Readable, Writable, Executable | | |
| profapi.dll | 0x767e0000 | 0x767eafff | Memory Mapped File | Readable, Writable, Executable | | |
| msctf.dll | 0x768e0000 | 0x769abfff | Memory Mapped File | Readable, Writable, Executable | | |
| nsi.dll | 0x769b0000 | 0x769b5fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x769c0000 | 0x76a4ffff | Memory Mapped File | Readable, Writable, Executable | | |
| oleaut32.dll | 0x76a50000 | 0x76adefff | Memory Mapped File | Readable, Writable, Executable | | |
| shell32.dll | 0x76ae0000 | 0x77729fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x0000000077730000 | 0x77730000 | 0x77829fff | Private Memory | Readable, Writable, Executable | | |
| private_0x0000000077830000 | 0x77830000 | 0x7794efff | Private Memory | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| msasn1.dll | 0x77b00000 | 0x77b0bfff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77b30000 | 0x77caffff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed File | Readable | | |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable | | |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable | | |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable | | |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable | | |
| Information | Value |
|---|---|
| ID / OS PID | #39 / 0x99c |
| OS Parent PID | 0x3e8 (c:\program files (x86)\google\update\googleupdate.exe) |
| Initial Working Directory | C:\Program Files (x86)\Google\Update\1.3.26.9 |
| File Name | c:\program files (x86)\google\update\1.3.26.9\googlecrashhandler.exe |
| Command Line | "C:\Program Files (x86)\Google\Update\1.3.26.9\GoogleCrashHandler.exe" |
| Monitor | Start Time: 00:02:26, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:33 |
| OS Thread IDs | #488 0x994 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable | | |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed File | Readable | | |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | Readable, Writable | | |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | Readable, Writable | | |
| locale.nls | 0x00090000 | 0x000f6fff | Memory Mapped File | Readable | | |
| private_0x00000000001d0000 | 0x001d0000 | 0x001dffff | Private Memory | Readable, Writable | | |
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | Readable, Writable | | |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | Readable, Writable | | |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x00577fff | Pagefile Backed File | Readable | | |
| private_0x00000000005a0000 | 0x005a0000 | 0x0061ffff | Private Memory | Readable, Writable | | |
| private_0x00000000007d0000 | 0x007d0000 | 0x008cffff | Private Memory | Readable, Writable | | |
| GoogleCrashHandler.exe | 0x00ac0000 | 0x00afcfff | Memory Mapped File | Readable, Writable, Executable | | |
| version.dll | 0x74d30000 | 0x74d38fff | Memory Mapped File | Readable, Writable, Executable | | |
| wkscli.dll | 0x74dc0000 | 0x74dcefff | Memory Mapped File | Readable, Writable, Executable | | |
| srvcli.dll | 0x74dd0000 | 0x74de8fff | Memory Mapped File | Readable, Writable, Executable | | |
| netutils.dll | 0x74df0000 | 0x74df8fff | Memory Mapped File | Readable, Writable, Executable | | |
| netapi32.dll | 0x74e00000 | 0x74e10fff | Memory Mapped File | Readable, Writable, Executable | | |
| wow64cpu.dll | 0x75300000 | 0x75307fff | Memory Mapped File | Readable, Writable, Executable | | |
| wow64win.dll | 0x75310000 | 0x7536bfff | Memory Mapped File | Readable, Writable, Executable | | |
| wow64.dll | 0x75370000 | 0x753aefff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptbase.dll | 0x754b0000 | 0x754bbfff | Memory Mapped File | Readable, Writable, Executable | | |
| sspicli.dll | 0x754c0000 | 0x7551ffff | Memory Mapped File | Readable, Writable, Executable | | |
| imm32.dll | 0x75560000 | 0x755bffff | Memory Mapped File | Readable, Writable, Executable | | |
| shlwapi.dll | 0x75870000 | 0x758c6fff | Memory Mapped File | Readable, Writable, Executable | | |
| ole32.dll | 0x758d0000 | 0x75a2bfff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x75a30000 | 0x75a48fff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x75c40000 | 0x75cebfff | Memory Mapped File | Readable, Writable, Executable | | |
| user32.dll | 0x75cf0000 | 0x75deffff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x76090000 | 0x7612ffff | Memory Mapped File | Readable, Writable, Executable | | |
| userenv.dll | 0x76160000 | 0x76176fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x76180000 | 0x7626ffff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x763e0000 | 0x764effff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x76500000 | 0x76509fff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x766d0000 | 0x76716fff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x76720000 | 0x767bcfff | Memory Mapped File | Readable, Writable, Executable | | |
| profapi.dll | 0x767e0000 | 0x767eafff | Memory Mapped File | Readable, Writable, Executable | | |
| msctf.dll | 0x768e0000 | 0x769abfff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x769c0000 | 0x76a4ffff | Memory Mapped File | Readable, Writable, Executable | | |
| shell32.dll | 0x76ae0000 | 0x77729fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x0000000077730000 | 0x77730000 | 0x77829fff | Private Memory | Readable, Writable, Executable | | |
| private_0x0000000077830000 | 0x77830000 | 0x7794efff | Private Memory | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77b30000 | 0x77caffff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed File | Readable | | |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable | | |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable | | |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable | | |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable | | |
| Information | Value |
|---|---|
| ID / OS PID | #40 / 0x998 |
| OS Parent PID | 0x3e8 (c:\program files (x86)\google\update\googleupdate.exe) |
| Initial Working Directory | C:\Program Files (x86)\Google\Update\1.3.26.9 |
| File Name | c:\program files (x86)\google\update\1.3.26.9\googlecrashhandler64.exe |
| Command Line | "C:\Program Files (x86)\Google\Update\1.3.26.9\GoogleCrashHandler64.exe" |
| Monitor | Start Time: 00:02:26, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:33 |
| OS Thread IDs | #489 0x98C |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00041fff | Pagefile Backed File | Readable | | |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | Readable, Writable | | |
| private_0x0000000000060000 | 0x00060000 | 0x00060fff | Private Memory | Readable, Writable | | |
| private_0x00000000000b0000 | 0x000b0000 | 0x001affff | Private Memory | Readable, Writable | | |
| locale.nls | 0x001b0000 | 0x00216fff | Memory Mapped File | Readable | | |
| private_0x0000000000220000 | 0x00220000 | 0x0031ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000320000 | 0x00320000 | 0x0041ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000420000 | 0x00420000 | 0x005a7fff | Pagefile Backed File | Readable | | |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000610000 | 0x00610000 | 0x00790fff | Pagefile Backed File | Readable | | |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x0085ffff | Pagefile Backed File | Readable | | |
| user32.dll | 0x77730000 | 0x77829fff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x77830000 | 0x7794efff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| private_0x000000007fff1000 | 0x7fff1000 | 0x7fff1fff | Private Memory | Readable, Writable | | |
| GoogleCrashHandler64.exe | 0x13fa50000 | 0x13fa9afff | Memory Mapped File | Readable, Writable, Executable | | |
| wkscli.dll | 0x7fefb820000 | 0x7fefb834fff | Memory Mapped File | Readable, Writable, Executable | | |
| netutils.dll | 0x7fefb840000 | 0x7fefb84bfff | Memory Mapped File | Readable, Writable, Executable | | |
| netapi32.dll | 0x7fefb850000 | 0x7fefb865fff | Memory Mapped File | Readable, Writable, Executable | | |
| version.dll | 0x7fefc800000 | 0x7fefc80bfff | Memory Mapped File | Readable, Writable, Executable | | |
| srvcli.dll | 0x7fefd1b0000 | 0x7fefd1d2fff | Memory Mapped File | Readable, Writable, Executable | | |
| profapi.dll | 0x7fefd720000 | 0x7fefd72efff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x7fefda30000 | 0x7fefda9bfff | Memory Mapped File | Readable, Writable, Executable | | |
| userenv.dll | 0x7fefdaa0000 | 0x7fefdabdfff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x7fefdaf0000 | 0x7fefdbcafff | Memory Mapped File | Readable, Writable, Executable | | |
| msctf.dll | 0x7fefdbd0000 | 0x7fefdcd8fff | Memory Mapped File | Readable, Writable, Executable | | |
| shell32.dll | 0x7fefdce0000 | 0x7fefea67fff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x7fefea70000 | 0x7fefeb9cfff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x7feff2a0000 | 0x7feff2befff | Memory Mapped File | Readable, Writable, Executable | | |
| imm32.dll | 0x7feff2c0000 | 0x7feff2edfff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x7feff4e0000 | 0x7feff5a8fff | Memory Mapped File | Readable, Writable, Executable | | |
| ole32.dll | 0x7feff6e0000 | 0x7feff8e2fff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x7feff9d0000 | 0x7feffa36fff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x7feffa40000 | 0x7feffa4dfff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x7feffb40000 | 0x7feffbdefff | Memory Mapped File | Readable, Writable, Executable | | |
| shlwapi.dll | 0x7feffbe0000 | 0x7feffc50fff | Memory Mapped File | Readable, Writable, Executable | | |
| apisetschema.dll | 0x7feffc70000 | 0x7feffc70fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed File | Readable | | |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffdcfff | Private Memory | Readable, Writable | | |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | Readable, Writable | | |
| Information | Value |
|---|---|
| ID / OS PID | #41 / 0x988 |
| OS Parent PID | 0x3e8 (c:\program files (x86)\google\update\googleupdate.exe) |
| Initial Working Directory | C:\Program Files (x86)\Google\Update\1.3.26.9 |
| File Name | c:\program files (x86)\google\update\googleupdate.exe |
| Command Line | "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" \ua \installsource core |
| Monitor | Start Time: 00:02:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:59, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:28 |
| OS Thread IDs | #502 0x990 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump |
|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable | | |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed File | Readable, Writable | | |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable | | |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed File | Readable | | |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed File | Readable | | |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | Readable, Writable | | |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | Readable, Writable | | |
| private_0x00000000000d0000 | 0x000d0000 | 0x0014ffff | Private Memory | Readable, Writable | | |
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | Readable, Writable | | |
| private_0x00000000001d0000 | 0x001d0000 | 0x002cffff | Private Memory | Readable, Writable | | |
| private_0x0000000000310000 | 0x00310000 | 0x0040ffff | Private Memory | Readable, Writable | | |
| locale.nls | 0x00410000 | 0x00476fff | Memory Mapped File | Readable | | |
| private_0x0000000000590000 | 0x00590000 | 0x0059ffff | Private Memory | Readable, Writable | | |
| GoogleUpdate.exe | 0x01190000 | 0x011abfff | Memory Mapped File | Readable, Writable, Executable | | |
| wow64cpu.dll | 0x75300000 | 0x75307fff | Memory Mapped File | Readable, Writable, Executable | | |
| wow64win.dll | 0x75310000 | 0x7536bfff | Memory Mapped File | Readable, Writable, Executable | | |
| wow64.dll | 0x75370000 | 0x753aefff | Memory Mapped File | Readable, Writable, Executable | | |
| cryptbase.dll | 0x754b0000 | 0x754bbfff | Memory Mapped File | Readable, Writable, Executable | | |
| sspicli.dll | 0x754c0000 | 0x7551ffff | Memory Mapped File | Readable, Writable, Executable | | |
| shlwapi.dll | 0x75870000 | 0x758c6fff | Memory Mapped File | Readable, Writable, Executable | | |
| sechost.dll | 0x75a30000 | 0x75a48fff | Memory Mapped File | Readable, Writable, Executable | | |
| msvcrt.dll | 0x75c40000 | 0x75cebfff | Memory Mapped File | Readable, Writable, Executable | | |
| user32.dll | 0x75cf0000 | 0x75deffff | Memory Mapped File | Readable, Writable, Executable | | |
| advapi32.dll | 0x76090000 | 0x7612ffff | Memory Mapped File | Readable, Writable, Executable | | |
| rpcrt4.dll | 0x76180000 | 0x7626ffff | Memory Mapped File | Readable, Writable, Executable | | |
| kernel32.dll | 0x763e0000 | 0x764effff | Memory Mapped File | Readable, Writable, Executable | | |
| lpk.dll | 0x76500000 | 0x76509fff | Memory Mapped File | Readable, Writable, Executable | | |
| KernelBase.dll | 0x766d0000 | 0x76716fff | Memory Mapped File | Readable, Writable, Executable | | |
| usp10.dll | 0x76720000 | 0x767bcfff | Memory Mapped File | Readable, Writable, Executable | | |
| gdi32.dll | 0x769c0000 | 0x76a4ffff | Memory Mapped File | Readable, Writable, Executable | | |
| shell32.dll | 0x76ae0000 | 0x77729fff | Memory Mapped File | Readable, Writable, Executable | | |
| private_0x0000000077730000 | 0x77730000 | 0x77829fff | Private Memory | Readable, Writable, Executable | | |
| private_0x0000000077830000 | 0x77830000 | 0x7794efff | Private Memory | Readable, Writable, Executable | | |
| ntdll.dll | 0x77950000 | 0x77af8fff | Memory Mapped File | Readable, Writable, Executable | | |
| ntdll.dll | 0x77b30000 | 0x77caffff | Memory Mapped File | Readable, Writable, Executable | | |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed File | Readable | | |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable | | |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable | | |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable | | |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable | | |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed File | Readable | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable | | |
