Analysis Report

Monitored Processes

Behavior Information - Grouped by Category

Process #1: 249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe

(Host: 317, Network: 0)

Information	Value
ID / OS PID	#1 / 0xc8c
OS Parent PID	0x7fc (c:\windows\explorer.exe)
Initial Working Directory	C:\Users\WI2yhmtI onvScY7Pe\Desktop
File Name	c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe
Command Line	"C:\Users\WI2yhmtI onvScY7Pe\Desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe"
Monitor	Start Time: 00:00:37, Reason: Analysis Target
Unmonitor	End Time: 00:02:42, Reason: Terminated by Timeout
Monitor Duration	00:02:05
OS Thread IDs	#1 0xC90 #2 0xD08 #120 0xE84

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00023fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x0003afff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000060000	0x00060000	0x0009ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000a0000	0x000a0000	0x0019ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a3fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001b1fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001c0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000001d0000	0x001d0000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001d0000	0x001d0000	0x001d0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000001e0000	0x001e0000	0x001e0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000001f0000	0x001f0000	0x001f0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000200000	0x00200000	0x00200fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000210000	0x00210000	0x00210fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000220000	0x00220000	0x0022ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00230000	0x002edfff	Memory Mapped File	Readable	Region Actions
private_0x00000000002f0000	0x002f0000	0x003c7fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000003d0000	0x003d0000	0x003d0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000003e0000	0x003e0000	0x003effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x003f0fff	Private Memory	Readable, Writable, Executable	Region Actions
249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe	0x00400000	0x005fdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download
private_0x0000000000600000	0x00600000	0x00692fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000006a0000	0x006a0000	0x006a0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000006b0000	0x006b0000	0x006b0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000006c0000	0x006c0000	0x006c0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000006d0000	0x006d0000	0x006d0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000006e0000	0x006e0000	0x007dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007e0000	0x007e0000	0x00adffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000ae0000	0x00ae0000	0x00cdffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000ce0000	0x00ce0000	0x011c1fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000011d0000	0x011d0000	0x012cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000011d0000	0x011d0000	0x011d0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000011e0000	0x011e0000	0x0121ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001220000	0x01220000	0x01223fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001230000	0x01230000	0x01230fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000012d0000	0x012d0000	0x013cffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000013d0000	0x013d0000	0x036cffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000036d0000	0x036d0000	0x037cffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000037d0000	0x037d0000	0x038cffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000038d0000	0x038d0000	0x038d0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000038e0000	0x038e0000	0x038e0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000038f0000	0x038f0000	0x038f0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000003900000	0x03900000	0x03900fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000003910000	0x03910000	0x03910fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000003920000	0x03920000	0x03920fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000003930000	0x03930000	0x03930fff	Private Memory	Readable, Writable, Executable	Region Actions
XuMIAsww	0x03940000	0x03940fff	Memory Mapped File	Readable, Writable	Region Actions Download
YOUMMIEo	0x03950000	0x03950fff	Memory Mapped File	Readable, Writable	Region Actions Download
private_0x0000000003960000	0x03960000	0x03960fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000003970000	0x03970000	0x03970fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000003980000	0x03980000	0x03980fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000003990000	0x03990000	0x03990fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000039a0000	0x039a0000	0x039a0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000039b0000	0x039b0000	0x039b0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000039c0000	0x039c0000	0x039c0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000039d0000	0x039d0000	0x039d0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000039e0000	0x039e0000	0x039e0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000039f0000	0x039f0000	0x039f0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000003a00000	0x03a00000	0x03afffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003b00000	0x03b00000	0x03b00fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000003b10000	0x03b10000	0x03e0ffff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000003e10000	0x03e10000	0x03f97fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000003fa0000	0x03fa0000	0x04120fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000004130000	0x04130000	0x0552ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000005530000	0x05530000	0x05530fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005540000	0x05540000	0x05540fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005550000	0x05550000	0x05550fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000005560000	0x05560000	0x05560fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000005570000	0x05570000	0x05570fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000005580000	0x05580000	0x05580fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000005590000	0x05590000	0x05590fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000055a0000	0x055a0000	0x055a0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000055b0000	0x055b0000	0x055b0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000055c0000	0x055c0000	0x057bffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000057c0000	0x057c0000	0x057d3fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000057e0000	0x057e0000	0x057e6fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000057f0000	0x057f0000	0x057fffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000005800000	0x05800000	0x0580ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000005810000	0x05810000	0x0581ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000005820000	0x05820000	0x0582ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000005830000	0x05830000	0x0583ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000005840000	0x05840000	0x0584ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000005850000	0x05850000	0x0585ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000005860000	0x05860000	0x05a5ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000005a60000	0x05a60000	0x05a60fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000005a70000	0x05a70000	0x05a70fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000005a80000	0x05a80000	0x05a80fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000005a90000	0x05a90000	0x05b8ffff	Private Memory	Readable, Writable	Region Actions
wow64.dll	0x53cc0000	0x53d0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x53d10000	0x53d17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x53d20000	0x53d92fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vsstrace.dll	0x74bf0000	0x74c00fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vssapi.dll	0x74c10000	0x74d2afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
spp.dll	0x74d30000	0x74d69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srclient.dll	0x74d70000	0x74d81fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x74d90000	0x74db7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x74dc0000	0x74e50fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x74e60000	0x74eb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ec0000	0x74ec9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ed0000	0x74eedfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x74ef0000	0x74fadfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74fb0000	0x7502afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x75280000	0x752c3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x752e0000	0x75455fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75460000	0x7548afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x75490000	0x75649fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75650000	0x7573ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75790000	0x758dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
SHCore.dll	0x75aa0000	0x75b2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75b90000	0x75bebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x75d70000	0x75d7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75d90000	0x75eaffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x75eb0000	0x75ef2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75f10000	0x7604ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x76050000	0x76056fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel.appcore.dll	0x76290000	0x7629bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x762a0000	0x762e3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x762f0000	0x76371fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.storage.dll	0x76380000	0x7685cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76860000	0x7690bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x76910000	0x77ccefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x77cd0000	0x77db9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77dc0000	0x77f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007feb0000	0x7feb0000	0x7ffaffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd8000	0x7ffd8000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7ffb1ddcffff	Private Memory	Readable	Region Actions
ntdll.dll	0x7ffb1ddd0000	0x7ffb1df91fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffb1df92000	0x7ffb1df92000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Created Files

Filename	File Size	Hash Values	Actions
c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\programdata\vmymsigm\yoummieo	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww.exe	2.00 MB (2100224 bytes)	MD5: e8b81e4a627a9f9a772b6d42d9bb3a3c SHA1: 08cdff2e0e82651cde54a58eca4747aadc940a53 SHA256: 0fbd214902a4b12b22dd57fc04449cf9642a220d2cc5c0cd274013131446c899	File Actions Show Properties Download
c:\programdata\vmymsigm\yoummieo.exe	1.95 MB (2042880 bytes)	MD5: 25081af7955ff8b96260f64cc3c76bcb SHA1: e02b4eab3fe752312aadd58de8a2e3558aebe12d SHA256: c7c619989c3733e37fa0b40b0e606cd0f6b3711378cbffd4908c4364fbf1e18c	File Actions Show Properties Download
c:\programdata\baieaacu\xuaecwog.exe	1.98 MB (2079744 bytes)	MD5: 958a7f26c423db4ed7c1caafc0dda8e9 SHA1: 0af04b61a579c82fe3a4b06a62fc4d3cd0e2c571 SHA256: b9796040e89f3877c538a338d75bab2beeec94a720571f3d5df08e019cff3380	File Actions Show Properties Download
c:\users\wi2yhm~1\appdata\local\temp\dwaaskwo.bat	0.00 KB (4 bytes)	MD5: f6f0aa95187fb1682cfbee02e3348d4f SHA1: 46c7c7331f30edf31b3308f077cb583ec37a68be SHA256: b9c68ec4d2854ae3bc968140b7c9ceefb21f5dd73365d16590741bce796ec459	File Actions Show Properties Download
c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware	6.80 KB (6968 bytes)	MD5: 672a1f1de82c3076688c129d2c89d0e2 SHA1: 02e8f06ad6888c9fb28059f5eac065b7bbfdd365 SHA256: 1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363	File Actions Show Properties Download

Host Behavior

File (265)

Operation	Filename	Additional Information	Count	Logfile
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\jflcfzpjeknoja	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\edyqopp	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\vije	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\skqngilsj	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\rorln	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\ikbh	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\evywvrrs	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\rtobnpdljgwwngd	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\wqrqtgk	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\agdb	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\igvsjvpdqbzchuq	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\kgefqqjfdydaway	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\vvjmrgfdiuwazeb	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\lhmk	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\exfda	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\dxfpcywdygfese	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\bolwkhjyxgq	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\gfysb	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\uhnm	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\rpevkxqtrvzngt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\qmufpu	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\sukproak	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\gziysukvx	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\qraq	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\bqnm	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\gzwkvrzheieagd	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\vyqoon	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\okjjjhibzy	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\programdata\vmymsigm\yoummieo	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\jadccbxzcopys	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\programdata\vmymsigm\yoummieo	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\vabnhssjqi	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\sfxs	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\dvrkttxonuvxxo	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\zbchwzxtu	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\fgvyusstvvsmett	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\eygoj	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\fyqyrfypw	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\kdfsxqp	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\ifdaysdzm	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\bwxt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\mbpi	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\qfpfeev	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\sjnrb	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\zfcdvoztqqsqssn	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\adrlcrwowsouok	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\sjfffxwsv	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\eutwzrkvmoo	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\fazehwvdxqq	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\pllm	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\ajazmxx	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\tynjyraljh	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\nocgllgflajyn	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\udlg	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\psejm	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\gsxqdtmlmrr	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\deaczjoevu	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\nsjgfcryrfzr	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\wsjaxpyhq	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\ijzo	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\rzwdstazova	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\tcqrwftqbypivum	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\vcbnbq	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\rxnvrdscfofjr	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\yawlipagrm	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\ucsfzlbaezn	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\zcgwzmuzzmzip	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\ciotal	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\dodoqeqrbwahtjq	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\swudqd	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\jrtgquwkyvanvbi	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\hhqjokypw	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\bnvwlppbnnua	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww.exe	desired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\cfkdoo	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\ivio	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\okroak	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\woghlxmtdopva	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\okooeoueted	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\eqdzfvvf	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\dyfwoqbh	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\ipplbhxcuc	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\pkkpenkyse	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\ucpgdjptbnw	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\ckuhxlydmvbcgt	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\lzzjxhcku	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\rocpuxh	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\pjrrdbkpxxp	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\ddahqzxmaggrzgk	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\zgspcrdzmbdlll	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\tqfrvevei	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\fcjudzpy	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\efrhdichi	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\okpzlttkzghsb	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\qsltlfjc	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\dvdlznyxdqejop	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\wnnum	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\faqybxahlcc	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\gqazpanrzp	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\gnzdojblzdltdv	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\bdvmlsjpvlusc	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\shxkod	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\eqnahklzvzrkra	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\programdata\vmymsigm\yoummieo.exe	desired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\rdotrvcpth	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\olxnxq	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\awwilildhk	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\dlpdjbpebpqqrvh	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\nyfha	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\ibkfdojf	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\mocdpjij	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\fziqk	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\uqktfecidxwd	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\svgrat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\jtylyxjwqnhb	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\sfqevzfusjwkcq	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\ckdfgwhy	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\nctequiorzziw	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\aibxxn	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\programdata\baieaacu\xuaecwog.exe	desired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\wmsxkoocwjp	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\gdrfmasuc	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\kdynuec	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\hzcmrmznnnvhv	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\kmzszjjabixrvi	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\mukdnyiwku	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\xggwdb	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\zzge	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\vkiqloxayyohc	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\dddpavcirmvvqqk	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\auiwcdd	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\sudgniklyefz	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\vvxuzzh	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\pkqljphz	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\quxgkeota	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\pagooqzsdxipqlp	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\cptlucmcnk	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\mpio	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\syndenps	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\iiroxzogklx	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\mdmogm	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\rllub	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\ugpf	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\fzoyzhgob	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\ddjphthbrquss	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\ubupjnawu	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\jujdff	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\aavbijipezbv	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\qeqnpyjjjr	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\qspglilvvmd	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\vzsussoabf	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\uwog	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\spuonpilxjekiro	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\tzvwiy	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\ogrzajo	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\puovwjl	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhm~1\appdata\local\temp\dwaaskwo.bat	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\ftpjwfw	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\twdznhht	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\dlksr	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\ozbllmpyu	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE_DIR	c:\users\wi2yhmti onvscy7pe\ayooemee		1	Fn
CREATE_DIR	c:\users\wi2yhmti onvscy7pe\ayooemee		2	Fn
CREATE_DIR	c:\programdata\vmymsigm		1	Fn
CREATE_DIR	c:\programdata\vmymsigm		2	Fn
CREATE_DIR	c:\programdata\baieaacu		1	Fn
CREATE_DIR	c:\programdata\baieaacu		1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\vije	size = 9	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\ikbh	size = 6	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\evywvrrs	size = 29	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\rtobnpdljgwwngd	size = 14	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\igvsjvpdqbzchuq	size = 13	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\kgefqqjfdydaway	size = 15	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\lhmk	size = 19	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\dxfpcywdygfese	size = 8	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\bolwkhjyxgq	size = 18	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\gfysb	size = 4	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\uhnm	size = 7	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\qmufpu	size = 15	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\gziysukvx	size = 16	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\vyqoon	size = 27	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\okjjjhibzy	size = 6	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\jadccbxzcopys	size = 18	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\fgvyusstvvsmett	size = 8	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\ifdaysdzm	size = 11	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\bwxt	size = 5	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\mbpi	size = 12	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\qfpfeev	size = 30	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\sjnrb	size = 9	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\adrlcrwowsouok	size = 23	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\pllm	size = 25	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\ajazmxx	size = 30	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\tynjyraljh	size = 10	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\nocgllgflajyn	size = 20	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\nsjgfcryrfzr	size = 27	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\wsjaxpyhq	size = 4	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\ijzo	size = 16	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\yawlipagrm	size = 25	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\zcgwzmuzzmzip	size = 5	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\ciotal	size = 13	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\dodoqeqrbwahtjq	size = 13	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\swudqd	size = 6	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\jrtgquwkyvanvbi	size = 5	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\cfkdoo	size = 8	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\woghlxmtdopva	size = 27	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\okooeoueted	size = 24	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\dyfwoqbh	size = 26	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\ckuhxlydmvbcgt	size = 21	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\pjrrdbkpxxp	size = 22	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\zgspcrdzmbdlll	size = 9	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\efrhdichi	size = 29	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\okpzlttkzghsb	size = 30	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\wnnum	size = 8	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\faqybxahlcc	size = 31	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\gqazpanrzp	size = 13	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\gnzdojblzdltdv	size = 14	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\eqnahklzvzrkra	size = 9	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\rdotrvcpth	size = 6	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\olxnxq	size = 31	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\nyfha	size = 22	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\fziqk	size = 26	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\svgrat	size = 28	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\jtylyxjwqnhb	size = 11	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\sfqevzfusjwkcq	size = 30	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\aibxxn	size = 28	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\gdrfmasuc	size = 8	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\hzcmrmznnnvhv	size = 13	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\vkiqloxayyohc	size = 28	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\dddpavcirmvvqqk	size = 25	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\auiwcdd	size = 30	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\sudgniklyefz	size = 20	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\vvxuzzh	size = 31	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\pkqljphz	size = 31	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\quxgkeota	size = 31	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\cptlucmcnk	size = 17	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\mpio	size = 29	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\syndenps	size = 24	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\iiroxzogklx	size = 6	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\ugpf	size = 4	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\fzoyzhgob	size = 15	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\ubupjnawu	size = 24	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\qspglilvvmd	size = 8	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\vzsussoabf	size = 8	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\uwog	size = 8	1	Fn
READ	c:\users\wi2yhmti onvscy7pe\desktop\ftpjwfw	size = 27	1	Fn
WRITE	c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww.exe	size = 1024	1	Fn Data
WRITE	c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww.exe	size = 684032	1	Fn Data
WRITE	c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww.exe	size = 10240	1	Fn Data
WRITE	c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww.exe	size = 1404928	1	Fn
WRITE	c:\programdata\vmymsigm\yoummieo.exe	size = 1024	1	Fn Data
WRITE	c:\programdata\vmymsigm\yoummieo.exe	size = 684032	1	Fn Data
WRITE	c:\programdata\vmymsigm\yoummieo.exe	size = 10240	1	Fn Data
WRITE	c:\programdata\vmymsigm\yoummieo.exe	size = 1347584	1	Fn
WRITE	c:\programdata\baieaacu\xuaecwog.exe	size = 1024	1	Fn Data
WRITE	c:\programdata\baieaacu\xuaecwog.exe	size = 684032	1	Fn Data
WRITE	c:\programdata\baieaacu\xuaecwog.exe	size = 10240	1	Fn Data
WRITE	c:\programdata\baieaacu\xuaecwog.exe	size = 1384448	1	Fn
WRITE	c:\users\wi2yhm~1\appdata\local\temp\dwaaskwo.bat	size = 4	1	Fn Data
WRITE	c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware	size = 6968	1	Fn Data
DELETE	c:\users\wi2yhm~1\appdata\local\temp\dwaaskwo.bat		1	Fn

Process (6)

Operation	Process Name	Additional Information	Count	Logfile
CREATE	C:\Users\WI2yhmtI onvScY7Pe\ayooEMEE\XuMIAsww.exe	os_tid = 0xd7c, os_pid = 0xd78, show_window = SW_HIDE	1	Fn
CREATE	C:\ProgramData\VmYMsIgM\YOUMMIEo.exe	os_tid = 0xdbc, os_pid = 0xdb8, show_window = SW_HIDE	1	Fn
CREATE	C:\Users\WI2YHM~1\AppData\Local\Temp\dWAAskwo.bat	os_tid = 0xe3c, os_pid = 0xe38, creation_flags = CREATE_NO_WINDOW, current_directory = C:\Users\WI2yhmtI onvScY7Pe\Desktop, show_window = SW_HIDE	1	Fn
CREATE	reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1	show_window = SW_HIDE	1	Fn
CREATE	reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2	show_window = SW_HIDE	1	Fn
CREATE	reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f	show_window = SW_HIDE	1	Fn

Module (14)

Operation	Module	Additional Information	Count	Logfile
LOAD	advapi32.dll	base_address = 0x74fb0000	2	Fn
LOAD	NTDLL	base_address = 0x77dc0000	1	Fn
LOAD	ws2_32.dll	base_address = 0x75b90000	1	Fn
LOAD	kernel32.dll	base_address = 0x75650000	1	Fn
LOAD	ntdll.dll	base_address = 0x77dc0000	1	Fn
LOAD	user32.dll	base_address = 0x75f10000	1	Fn
LOAD	shell32.dll	base_address = 0x76910000	1	Fn
LOAD	srclient.dll	base_address = 0x74d70000	1	Fn
CREATE_MAPPING	c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww	module_name = Nameless FileMapping, maximum_size = 2062, protection = PAGE_READWRITE	1	Fn
CREATE_MAPPING	c:\programdata\vmymsigm\yoummieo	module_name = Nameless FileMapping, maximum_size = 2062, protection = PAGE_READWRITE	1	Fn
MAP	c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww	process_name = c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe, os_pid = 0xc8c, module_name = Nameless FileMapping, desired_access = FILE_MAP_ALL_ACCESS, file_offset = 0, address = 0x3940000	1	Fn
MAP	c:\programdata\vmymsigm\yoummieo	process_name = c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe, os_pid = 0xc8c, module_name = Nameless FileMapping, desired_access = FILE_MAP_ALL_ACCESS, file_offset = 0, address = 0x3950000	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\srclient.dll	function = SRRemoveRestorePoint, address = 0x74d745c0	1	Fn

Service (6)

Operation	Service	Additional Information	Count	Logfile
OPEN_MGR	SERVICES_ACTIVE_DATABASE	host = Localhost, desired_access = SC_MANAGER_CONNECT, SC_MANAGER_CREATE_SERVICE, SC_MANAGER_ENUMERATE_SERVICE, SC_MANAGER_LOCK, SC_MANAGER_QUERY_LOCK_STATUS, SC_MANAGER_MODIFY_BOOT_CONFIG, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER	1	Fn
CREATE	cEMAEwpb	file_name = C:\ProgramData\BAIEAAcU\xUAEcwog.exe, database_name = SERVICES_ACTIVE_DATABASE, display_name = cEMAEwpb, desired_access = SERVICE_QUERY_CONFIG, SERVICE_CHANGE_CONFIG, SERVICE_QUERY_STATUS, SERVICE_ENUMERATE_DEPENDENTS, SERVICE_START, SERVICE_STOP, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, service_type = SERVICE_WIN32_OWN_PROCESS, start_type = SERVICE_AUTO_START	1	Fn
OPEN	cEMAEwpb	database_name = SERVICES_ACTIVE_DATABASE, desired_access = SERVICE_QUERY_CONFIG, SERVICE_CHANGE_CONFIG, SERVICE_QUERY_STATUS, SERVICE_ENUMERATE_DEPENDENTS, SERVICE_START, SERVICE_STOP, SERVICE_PAUSE_CONTINUE, SERVICE_INTERROGATE, SERVICE_USER_DEFINED_CONTROL, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER	1	Fn
OPEN	cEMAEwpb	database_name = SERVICES_ACTIVE_DATABASE, desired_access = SERVICE_QUERY_CONFIG, SERVICE_CHANGE_CONFIG, SERVICE_QUERY_STATUS, SERVICE_ENUMERATE_DEPENDENTS, SERVICE_START, SERVICE_STOP, SERVICE_PAUSE_CONTINUE, SERVICE_INTERROGATE, SERVICE_USER_DEFINED_CONTROL, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER	1	Fn
START	cEMAEwpb	parameters = 0	1	Fn
GET_INFO	cEMAEwpb	type = Status	1	Fn

Registry (10)

Operation	Key	Additional Information	Count	Logfile
OPEN_KEY	HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon		2	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	value_name = Userinit, data_ident_out = C:\Windows\system32\userinit.exe,	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	value_name = Userinit, data_ident_out = 0	1	Fn
WRITE_VALUE	HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run	value_name = XuMIAsww.exe, data = C:\Users\WI2yhmtI onvScY7Pe\ayooEMEE\XuMIAsww.exe	1	Fn
WRITE_VALUE	HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run	value_name = YOUMMIEo.exe, data = C:\ProgramData\VmYMsIgM\YOUMMIEo.exe	1	Fn
WRITE_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	value_name = Userinit, data = C:\Windows\system32\userinit.exe,C:\ProgramData\VmYMsIgM\YOUMMIEo.exe,	1	Fn
WRITE_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	value_name = Userinit, data = C:\ProgramData\VmYMsIgM\YOUMMIEo.exe,	1	Fn

User (2)

Operation	User/Group/Server	Additional Information	Success	Count	Logfile
GET_CURRENT	WI2yhmtI onvScY7Pe			2	Fn

System (2)

Operation	Information	Success	Count	Logfile
SLEEP	duration = 159 milliseconds (0.159 seconds)		1	Fn
SLEEP	duration = 50 milliseconds (0.050 seconds)		1	Fn

Mutex (12)

Operation	Name	Additional Information	Count	Logfile
CREATE	AsEwIwsA	initial_owner = 0	1	Fn
CREATE	TYAckMgs	initial_owner = 0	1	Fn
RELEASE	AsEwIwsA		4	Fn
RELEASE			6	Fn

Process #2: xumiasww.exe

Information	Value
ID / OS PID	#2 / 0xd78
OS Parent PID	0xc8c (c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe)
Initial Working Directory	C:\Users\WI2yhmtI onvScY7Pe\Desktop
File Name	c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww.exe
Command Line	"C:\Users\WI2yhmtI onvScY7Pe\ayooEMEE\XuMIAsww.exe"
Monitor	Start Time: 00:01:04, Reason: Child Process
Unmonitor	End Time: 00:02:42, Reason: Terminated by Timeout
Monitor Duration	00:01:38
OS Thread IDs	#3 0xD7C #4 0xD80
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00023fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000060000	0x00060000	0x0009ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000a0000	0x000a0000	0x0019ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a3fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001b1fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000200000	0x00200000	0x00200fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000210000	0x00210000	0x0025dfff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000260000	0x00260000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x0027ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002c0000	0x002c0000	0x003bffff	Private Memory	Readable, Writable	Region Actions
XuMIAsww.exe	0x00400000	0x00600fff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download
locale.nls	0x00610000	0x006cdfff	Memory Mapped File	Readable	Region Actions
private_0x00000000006d0000	0x006d0000	0x007cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000007d0000	0x007d0000	0x00957fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000960000	0x00960000	0x00ae0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000af0000	0x00af0000	0x01eeffff	Pagefile Backed Memory	Readable	Region Actions
wow64.dll	0x53cc0000	0x53d0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x53d10000	0x53d17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x53d20000	0x53d92fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x74dc0000	0x74e50fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x74ef0000	0x74fadfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x752e0000	0x75455fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75460000	0x7548afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75650000	0x7573ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75790000	0x758dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75d90000	0x75eaffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75f10000	0x7604ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77dc0000	0x77f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007feb0000	0x7feb0000	0x7ffaffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd8000	0x7ffd8000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7ffb1ddcffff	Private Memory	Readable	Region Actions
ntdll.dll	0x7ffb1ddd0000	0x7ffb1df91fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffb1df92000	0x7ffb1df92000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Process #3: yoummieo.exe

Information	Value
ID / OS PID	#3 / 0xdb8
OS Parent PID	0xc8c (c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe)
Initial Working Directory	C:\Users\WI2yhmtI onvScY7Pe\Desktop
File Name	c:\programdata\vmymsigm\yoummieo.exe
Command Line	"C:\ProgramData\VmYMsIgM\YOUMMIEo.exe"
Monitor	Start Time: 00:01:25, Reason: Child Process
Unmonitor	End Time: 00:02:42, Reason: Terminated by Timeout
Monitor Duration	00:01:17
OS Thread IDs	#5 0xDBC #6 0xDC0
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00023fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000060000	0x00060000	0x0009ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000a0000	0x000a0000	0x0019ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a3fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001b1fff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x001c0000	0x0027dfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000280000	0x00280000	0x002bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002c0000	0x002c0000	0x002c0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000350000	0x00350000	0x0035ffff	Private Memory	Readable, Writable	Region Actions
YOUMMIEo.exe	0x00400000	0x005f2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download
private_0x0000000000600000	0x00600000	0x006fffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007e0000	0x007e0000	0x008dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000008e0000	0x008e0000	0x00a67fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000a70000	0x00a70000	0x00b5cfff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000b70000	0x00b70000	0x00b7ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000b80000	0x00b80000	0x00d00fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000d10000	0x00d10000	0x0210ffff	Pagefile Backed Memory	Readable	Region Actions
wow64.dll	0x53cc0000	0x53d0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x53d10000	0x53d17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x53d20000	0x53d92fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x74dc0000	0x74e50fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x74ef0000	0x74fadfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x752e0000	0x75455fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75460000	0x7548afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75650000	0x7573ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75790000	0x758dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75d90000	0x75eaffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75f10000	0x7604ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77dc0000	0x77f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007feb0000	0x7feb0000	0x7ffaffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd8000	0x7ffd8000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7ffb1ddcffff	Private Memory	Readable	Region Actions
ntdll.dll	0x7ffb1ddd0000	0x7ffb1df91fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffb1df92000	0x7ffb1df92000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Process #4: System

Information	Value
ID / OS PID	#4 / 0x4
OS Parent PID	0xffffffffffffffff (Unknown)
Initial Working Directory
File Name	System
Command Line
Monitor	Start Time: 00:01:46, Reason: Created Daemon
Unmonitor	End Time: 00:02:42, Reason: Terminated by Timeout
Monitor Duration	00:00:56
OS Thread IDs	#7 0xC94 #8 0xCAC #9 0x14 #10 0x2BC #11 0x540 #12 0x4B8 #13 0x88C #14 0xE8 #15 0x6D0 #16 0x234 #17 0x9F0 #18 0x84C #19 0x7F0 #20 0x80 #21 0x234 #22 0x494 #23 0xAF8 #24 0xD0 #25 0xCC #26 0xC8 #27 0xC4 #28 0x13C #29 0x138 #30 0x30 #31 0x1C #32 0xA60 #33 0xA2C #34 0xA28 #35 0x93C #36 0x6D8 #37 0x5C #38 0xBFC #39 0xBF0 #40 0x3C #41 0xA8C #42 0xA80 #43 0x974 #44 0x968 #45 0x80C #46 0x4D8 #47 0x7DC #48 0x7D4 #49 0xE4 #50 0x628 #51 0x624 #52 0x620 #53 0x610 #54 0xA4 #55 0x5B0 #56 0xB4 #57 0x554 #58 0x48 #59 0x530 #60 0x524 #61 0xB0 #62 0x4B0 #63 0x4A0 #64 0x6C #65 0x464 #66 0x70 #67 0x450 #68 0x170 #69 0x84 #70 0x198 #71 0x74 #72 0x40 #73 0x35C #74 0x8C #75 0x78 #76 0x88 #77 0x2BC #78 0x16C #79 0x144 #80 0x44 #81 0x134 #82 0x124 #83 0x104 #84 0x38 #85 0x1A8 #86 0x7C #87 0x20 #88 0x174 #89 0x168 #90 0x164 #91 0x160 #92 0x140 #93 0x34 #94 0x10 #95 0xA8 #96 0xB8 #97 0xF0 #98 0xC0 #99 0x60 #100 0x110 #101 0xBC #102 0xEC #103 0x64 #104 0x8 #105 0x0 #108 0x18 #109 0x24 #114 0x24C
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
ntdll.dll	0x77dc0000	0x77f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
pagefile_0x0000005500000000	0x5500000000	0x5500000fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000005500010000	0x5500010000	0x5500010fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000005500020000	0x5500020000	0x5500020fff	Pagefile Backed Memory	Readable, Writable	Region Actions
ntdll.dll	0x7ffb1ddd0000	0x7ffb1df91fff	Memory Mapped File	Readable, Writable, Executable	Region Actions

Process #5: xuaecwog.exe

Information	Value
ID / OS PID	#5 / 0xe00
OS Parent PID	0x1dc (c:\windows\system32\services.exe)
Initial Working Directory	C:\Windows\system32
File Name	c:\programdata\baieaacu\xuaecwog.exe
Command Line	C:\ProgramData\BAIEAAcU\xUAEcwog.exe
Monitor	Start Time: 00:01:46, Reason: Created Daemon
Unmonitor	End Time: 00:02:20, Reason: Terminated
Monitor Duration	00:00:34
OS Thread IDs	#106 0xE04 #107 0xE08
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00023fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000060000	0x00060000	0x0009ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000a0000	0x000a0000	0x0019ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a3fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001b1fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000200000	0x00200000	0x00200fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000220000	0x00220000	0x0022ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00230000	0x002edfff	Memory Mapped File	Readable	Region Actions
private_0x00000000002f0000	0x002f0000	0x003effff	Private Memory	Readable, Writable	Region Actions
xUAEcwog.exe	0x00400000	0x005fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download
pagefile_0x0000000000600000	0x00600000	0x006bffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000700000	0x00700000	0x007fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000800000	0x00800000	0x00987fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000990000	0x00990000	0x00b10fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000b20000	0x00b20000	0x00bacfff	Private Memory	Readable, Writable, Executable	Region Actions
wow64.dll	0x53cc0000	0x53d0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x53d10000	0x53d17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x53d20000	0x53d92fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x74dc0000	0x74e50fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x752e0000	0x75455fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75650000	0x7573ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75790000	0x758dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75f10000	0x7604ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77dc0000	0x77f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007feb0000	0x7feb0000	0x7ffaffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd8000	0x7ffd8000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7ffb1ddcffff	Private Memory	Readable	Region Actions
ntdll.dll	0x7ffb1ddd0000	0x7ffb1df91fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffb1df92000	0x7ffb1df92000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Process #6: cmd.exe

(Host: 4, Network: 0)

Information	Value
ID / OS PID	#6 / 0xe38
OS Parent PID	0xc8c (c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe)
Initial Working Directory	C:\Users\WI2yhmtI onvScY7Pe\Desktop
File Name	c:\windows\syswow64\cmd.exe
Command Line	C:\Windows\system32\cmd.exe /c "C:\Users\WI2yhmtI onvScY7Pe\Desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware"
Monitor	Start Time: 00:02:22, Reason: Child Process
Unmonitor	End Time: 00:02:42, Reason: Terminated by Timeout
Monitor Duration	00:00:20
OS Thread IDs	#110 0xE3C #128 0xEAC

Region

Name	Start VA	End VA	Type	Permissions	Actions
cmd.exe	0x00070000	0x000bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000350000	0x00350000	0x0434ffff	Pagefile Backed Memory	-	Region Actions
private_0x0000000004350000	0x04350000	0x0436ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004350000	0x04350000	0x0435ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000004360000	0x04360000	0x04363fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004370000	0x04370000	0x04371fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004380000	0x04380000	0x04393fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000043a0000	0x043a0000	0x043dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000043e0000	0x043e0000	0x044dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000044e0000	0x044e0000	0x044e3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000044f0000	0x044f0000	0x044f0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000004500000	0x04500000	0x04501fff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x04510000	0x045cdfff	Memory Mapped File	Readable	Region Actions
private_0x00000000045e0000	0x045e0000	0x045effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000045f0000	0x045f0000	0x0462ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004630000	0x04630000	0x0472ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004730000	0x04730000	0x0482ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004890000	0x04890000	0x0489ffff	Private Memory	Readable, Writable	Region Actions
wow64.dll	0x53cc0000	0x53d0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x53d10000	0x53d17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x53d20000	0x53d92fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x74ef0000	0x74fadfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x752e0000	0x75455fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75650000	0x7573ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77dc0000	0x77f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f170000	0x7f170000	0x7f26ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007f270000	0x7f270000	0x7f292fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f297000	0x7f297000	0x7f299fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007f29a000	0x7f29a000	0x7f29afff	Private Memory	Readable, Writable	Region Actions
private_0x000000007f29c000	0x7f29c000	0x7f29efff	Private Memory	Readable, Writable	Region Actions
private_0x000000007f29f000	0x7f29f000	0x7f29ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7dfb1ddcffff	Private Memory	Readable	Region Actions
pagefile_0x00007dfb1ddd0000	0x7dfb1ddd0000	0x7ffb1ddcffff	Pagefile Backed Memory	-	Region Actions
ntdll.dll	0x7ffb1ddd0000	0x7ffb1df91fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffb1df92000	0x7ffb1df92000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Host Behavior

Module (3)

Operation	Module	Additional Information	Count	Logfile
GET_HANDLE	c:\windows\syswow64\cmd.exe	base_address = 0x70000	1	Fn
GET_HANDLE	c:\windows\syswow64\kernel32.dll	base_address = 0x75650000	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetThreadUILanguage, address = 0x75692780	1	Fn

Registry (1)

Operation	Key	Additional Information	Success	Count	Logfile
OPEN_KEY	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System			1	Fn

Process #7: reg.exe

Information	Value
ID / OS PID	#7 / 0xe4c
OS Parent PID	0xc8c (c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe)
Initial Working Directory	C:\Users\WI2yhmtI onvScY7Pe\Desktop
File Name	c:\windows\syswow64\reg.exe
Command Line	reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Monitor	Start Time: 00:02:23, Reason: Child Process
Unmonitor	End Time: 00:02:42, Reason: Terminated by Timeout
Monitor Duration	00:00:19
OS Thread IDs	#111 0xE50
Remarks	No high level activity detected in monitored regions

Region

Name	Start VA	End VA	Type	Permissions	Actions
reg.exe	0x003a0000	0x003f2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000c60000	0x00c60000	0x04c5ffff	Pagefile Backed Memory	-	Region Actions
private_0x0000000004c60000	0x04c60000	0x04c7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004c80000	0x04c80000	0x04c81fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004c90000	0x04c90000	0x04ca3fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000004cb0000	0x04cb0000	0x04ceffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004cf0000	0x04cf0000	0x04d2ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004d30000	0x04d30000	0x04d33fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000004d40000	0x04d40000	0x04d40fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000004d50000	0x04d50000	0x04d51fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004f40000	0x04f40000	0x04f4ffff	Private Memory	Readable, Writable	Region Actions
wow64.dll	0x53cc0000	0x53d0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x53d20000	0x53d92fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77dc0000	0x77f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007e4c0000	0x7e4c0000	0x7e4e2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007e4e8000	0x7e4e8000	0x7e4e8fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e4ec000	0x7e4ec000	0x7e4eefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007e4ef000	0x7e4ef000	0x7e4effff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7dfb1ddcffff	Private Memory	Readable	Region Actions
pagefile_0x00007dfb1ddd0000	0x7dfb1ddd0000	0x7ffb1ddcffff	Pagefile Backed Memory	-	Region Actions
ntdll.dll	0x7ffb1ddd0000	0x7ffb1df91fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffb1df92000	0x7ffb1df92000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Process #9: reg.exe

(Host: 9, Network: 0)

Information	Value
ID / OS PID	#9 / 0xe60
OS Parent PID	0xc8c (c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe)
Initial Working Directory	C:\Users\WI2yhmtI onvScY7Pe\Desktop
File Name	c:\windows\syswow64\reg.exe
Command Line	reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Monitor	Start Time: 00:02:26, Reason: Child Process
Unmonitor	End Time: 00:02:42, Reason: Terminated by Timeout
Monitor Duration	00:00:16
OS Thread IDs	#115 0xE64 #131 0xEC0

Region

Name	Start VA	End VA	Type	Permissions	Actions
reg.exe	0x003a0000	0x003f2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000009b0000	0x009b0000	0x049affff	Pagefile Backed Memory	-	Region Actions
private_0x00000000049b0000	0x049b0000	0x049cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000049b0000	0x049b0000	0x049bffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000049c0000	0x049c0000	0x049c3fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000049d0000	0x049d0000	0x049d1fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000049e0000	0x049e0000	0x049f3fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000004a00000	0x04a00000	0x04a3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004a40000	0x04a40000	0x04a7ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004a80000	0x04a80000	0x04a83fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000004a90000	0x04a90000	0x04a90fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000004aa0000	0x04aa0000	0x04aa1fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004ab0000	0x04ab0000	0x04aeffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004af0000	0x04af0000	0x04b2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004b40000	0x04b40000	0x04b4ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x04b50000	0x04c0dfff	Memory Mapped File	Readable	Region Actions
private_0x0000000004ca0000	0x04ca0000	0x04d9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004e40000	0x04e40000	0x04e4ffff	Private Memory	Readable, Writable	Region Actions
wow64.dll	0x53cc0000	0x53d0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x53d10000	0x53d17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x53d20000	0x53d92fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x74e60000	0x74eb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ec0000	0x74ec9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ed0000	0x74eedfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x74ef0000	0x74fadfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74fb0000	0x7502afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x752e0000	0x75455fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75650000	0x7573ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75b90000	0x75bebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x75eb0000	0x75ef2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x76050000	0x76056fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76860000	0x7690bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77dc0000	0x77f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f890000	0x7f890000	0x7f98ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007f990000	0x7f990000	0x7f9b2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f9b5000	0x7f9b5000	0x7f9b5fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007f9b9000	0x7f9b9000	0x7f9b9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007f9ba000	0x7f9ba000	0x7f9bcfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007f9bd000	0x7f9bd000	0x7f9bffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7dfb1ddcffff	Private Memory	Readable	Region Actions
pagefile_0x00007dfb1ddd0000	0x7dfb1ddd0000	0x7ffb1ddcffff	Pagefile Backed Memory	-	Region Actions
ntdll.dll	0x7ffb1ddd0000	0x7ffb1df91fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffb1df92000	0x7ffb1df92000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Host Behavior

File (4)

Operation	Filename	Additional Information	Success	Count	Logfile
OPEN	STD_OUTPUT_HANDLE			3	Fn
WRITE	STD_OUTPUT_HANDLE	size = 39		1	Fn Data

Module (1)

Operation	Module	Additional Information	Success	Count	Logfile
GET_HANDLE	c:\windows\syswow64\reg.exe	base_address = 0x3a0000		1	Fn

Registry (4)

Operation	Key	Additional Information	Count	Logfile
CREATE_KEY	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced		1	Fn
OPEN_KEY	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System		1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	value_name = Hidden	1	Fn
WRITE_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced	value_name = Hidden, data = 2	1	Fn

Process #10: reg.exe

(Host: 9, Network: 0)

Information	Value
ID / OS PID	#10 / 0xe68
OS Parent PID	0xc8c (c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe)
Initial Working Directory	C:\Users\WI2yhmtI onvScY7Pe\Desktop
File Name	c:\windows\syswow64\reg.exe
Command Line	reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Monitor	Start Time: 00:02:26, Reason: Child Process
Unmonitor	End Time: 00:02:42, Reason: Terminated by Timeout
Monitor Duration	00:00:16
OS Thread IDs	#116 0xE6C #132 0xED0

Region

Name	Start VA	End VA	Type	Permissions	Actions
reg.exe	0x003a0000	0x003f2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000410000	0x00410000	0x0440ffff	Pagefile Backed Memory	-	Region Actions
private_0x0000000004410000	0x04410000	0x0442ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004410000	0x04410000	0x0441ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000004420000	0x04420000	0x04423fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004430000	0x04430000	0x04431fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004440000	0x04440000	0x04453fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000004460000	0x04460000	0x0449ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000044a0000	0x044a0000	0x044dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000044e0000	0x044e0000	0x044e3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000044f0000	0x044f0000	0x044f0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000004500000	0x04500000	0x04501fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004520000	0x04520000	0x0452ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x04530000	0x045edfff	Memory Mapped File	Readable	Region Actions
private_0x00000000045f0000	0x045f0000	0x0462ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004630000	0x04630000	0x0466ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004680000	0x04680000	0x0477ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004900000	0x04900000	0x0490ffff	Private Memory	Readable, Writable	Region Actions
wow64.dll	0x53cc0000	0x53d0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x53d10000	0x53d17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x53d20000	0x53d92fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x74e60000	0x74eb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ec0000	0x74ec9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ed0000	0x74eedfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x74ef0000	0x74fadfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74fb0000	0x7502afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x752e0000	0x75455fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75650000	0x7573ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75b90000	0x75bebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x75eb0000	0x75ef2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x76050000	0x76056fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76860000	0x7690bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77dc0000	0x77f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007ef60000	0x7ef60000	0x7f05ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007f060000	0x7f060000	0x7f082fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f085000	0x7f085000	0x7f087fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007f088000	0x7f088000	0x7f088fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007f08a000	0x7f08a000	0x7f08cfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007f08d000	0x7f08d000	0x7f08dfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7dfb1ddcffff	Private Memory	Readable	Region Actions
pagefile_0x00007dfb1ddd0000	0x7dfb1ddd0000	0x7ffb1ddcffff	Pagefile Backed Memory	-	Region Actions
ntdll.dll	0x7ffb1ddd0000	0x7ffb1df91fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffb1df92000	0x7ffb1df92000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Host Behavior

File (4)

Operation	Filename	Additional Information	Success	Count	Logfile
OPEN	STD_OUTPUT_HANDLE			3	Fn
WRITE	STD_OUTPUT_HANDLE	size = 39		1	Fn Data

Module (1)

Operation	Module	Additional Information	Success	Count	Logfile
GET_HANDLE	c:\windows\syswow64\reg.exe	base_address = 0x3a0000		1	Fn

Registry (4)

Operation	Key	Additional Information	Count	Logfile
CREATE_KEY	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System		1	Fn
OPEN_KEY	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System		1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	value_name = EnableLUA	1	Fn
WRITE_VALUE	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	value_name = EnableLUA, data = 0	1	Fn