80ca3de5...03af | Sequential Behavior
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Riskware, Wiper, Trojan, Ransomware

80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af (SHA256)


Windows Exe (x86-32)

Created at 2018-09-18 12:19:00

Notifications (2/3)

Some extracted files may be missing in the report since the total file extraction size limit was reached during the analysis. You can increase the limit in the configuration settings.

Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.

The operating system was rebooted during the analysis.

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x9e0 Analysis Target High (Elevated) 80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe "C:\Users\EEBsYm5\Desktop\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe" -
#2 0x9e8 Child Process High (Elevated) vssadmin.exe vssadmin delete shadows /all /quiet #1
#7 0x4 Kernel Analysis System (Elevated) System - -
#9 0xe4 Child Process System (Elevated) smss.exe \SystemRoot\System32\smss.exe #7
#10 0xfc Child Process System (Elevated) autochk.exe \??\C:\Windows\system32\autochk.exe * #9
#11 0x120 Child Process System (Elevated) smss.exe \SystemRoot\System32\smss.exe 00000000 0000003c #9
#12 0x128 Child Process System (Elevated) csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 #11
#13 0x150 Child Process System (Elevated) smss.exe \SystemRoot\System32\smss.exe 00000001 0000003c #9
#14 0x158 Child Process System (Elevated) wininit.exe wininit.exe #11
#15 0x164 Child Process System (Elevated) csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 #13
#16 0x17c Child Process System (Elevated) winlogon.exe winlogon.exe #13
#17 0x1a8 Child Process System (Elevated) services.exe C:\Windows\system32\services.exe #14
#18 0x1b0 Child Process System (Elevated) lsass.exe C:\Windows\system32\lsass.exe #14
#19 0x1bc Child Process System (Elevated) lsm.exe C:\Windows\system32\lsm.exe #14
#20 0x234 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch #17
#21 0x278 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k RPCSS #17
#22 0x2a8 Child Process System (Elevated) svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted #17
#23 0x2f4 Child Process System (Elevated) logonui.exe "LogonUI.exe" /flags:0x0 #16
#24 0x32c Child Process System (Elevated) svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted #17
#25 0x34c Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k netsvcs #17
#26 0x394 Child Process System (Elevated) audiodg.exe C:\Windows\system32\AUDIODG.EXE 0x2e0 #22
#27 0x3d8 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k LocalService #17
#28 0x438 Child Process System (Elevated) dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} #20
#29 0x468 Child Process Medium dwm.exe "C:\Windows\system32\Dwm.exe" #24
#30 0x470 Child Process Medium slui.exe "C:\Windows\system32\slui.exe" #16
#31 0x4a8 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k NetworkService #17
#32 0x52c Child Process System (Elevated) spoolsv.exe C:\Windows\System32\spoolsv.exe #17
#33 0x548 Child Process Medium taskhost.exe "taskhost.exe" #17
#34 0x568 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork #17
#35 0x5ec Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation #17
#36 0x6d0 Child Process System (Elevated) sppsvc.exe C:\Windows\system32\sppsvc.exe #17
#37 0x6dc Child Process System (Elevated) drvinst.exe DrvInst.exe "1" "200" "acpi\genuineintel_-_x86_family_6_model_94_-_intel(r)_core(tm)_i5-7500_cpu_@_3.40ghz\_0" "" "" "68a85eb53" "00000000" "00000548" "0000054C" #20
#38 0x700 Child Process System (Elevated) taskhost.exe taskhost.exe SYSTEM #17
#39 0x7f8 Child Process Medium userinit.exe C:\Windows\system32\userinit.exe #16
#40 0x64 Child Process Medium explorer.exe C:\Windows\Explorer.EXE #39

Behavior Information - Sequential View

Process #1: 80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe
Information Value
ID #1
File Name c:\users\eebsym5\desktop\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe
Command Line "C:\Users\EEBsYm5\Desktop\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe"
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:01:17, Reason: Analysis Target
Unmonitor End Time: 00:02:37, Reason: Self Terminated
Monitor Duration 00:01:20
OS Process Information
Information Value
PID 0x9e0
Parent PID 0x5ac (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x9E4
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x00050fff Private Memory rw True False False -
private_0x0000000000060000 0x00060000 0x0006ffff Private Memory rw True False False -
pagefile_0x0000000000060000 0x00060000 0x0006efff Pagefile Backed Memory rw True False False -
private_0x0000000000070000 0x00070000 0x0007ffff Private Memory rw True False False -
pagefile_0x0000000000080000 0x00080000 0x0008efff Pagefile Backed Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x001affff Private Memory rw True False False -
locale.nls 0x001b0000 0x00216fff Memory Mapped File r False False False -
80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe 0x00230000 0x00243fff Memory Mapped File rwx True True False
pagefile_0x0000000000250000 0x00250000 0x00317fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000320000 0x00320000 0x00420fff Pagefile Backed Memory r True False False -
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory rw True False False -
pagefile_0x0000000000530000 0x00530000 0x0112ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001130000 0x01130000 0x0153ffff Pagefile Backed Memory rw True False False -
private_0x0000000001130000 0x01130000 0x01230fff Private Memory rw True False False -
sortdefault.nls 0x01240000 0x0150efff Memory Mapped File r False False False -
rsaenh.dll 0x01510000 0x0154bfff Memory Mapped File r False False False -
pagefile_0x0000000001540000 0x01540000 0x0194ffff Pagefile Backed Memory rw True False False -
mpr.dll 0x71d30000 0x71d41fff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bf0000 0x74c2afff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e50000 0x74e65fff Memory Mapped File rwx False False False -
cryptbase.dll 0x752d0000 0x752dbfff Memory Mapped File rwx False False False -
msasn1.dll 0x753f0000 0x753fbfff Memory Mapped File rwx False False False -
crypt32.dll 0x75420000 0x7553cfff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75680000 0x75720fff Memory Mapped File rwx False False False -
shell32.dll 0x75830000 0x76479fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
advapi32.dll 0x769f0000 0x76a8ffff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
shlwapi.dll 0x76e10000 0x76e66fff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
sechost.dll 0x773c0000 0x773d8fff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Created Files
Filename File Size Hash Values YARA Match Actions
Modified Files
Filename File Size Hash Values YARA Match Actions
SHA1: 35ab9e817ca2b2bf8ca8a4c8f49561866f7f6bdc
SHA256: ef85878968fa4a0f5327ab81fb23683b47b98785d3bbf62a696a9d93e67cf1bb
SSDeep: 48:ivhEMeW62RMT5RhFzFqNncuhT5mHcnT5eLQ9fhGpsjEOd:qSMeWfRqlzFKjh5vn1FfcWgQ
C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi 1.73 MB MD5: f22117d6fa6a1a339513f368e70ea823
SHA1: 9da721a4da8b8d5cb8327b5d1e4661359c1afad4
SHA256: 5c7473e31fc35907b4e3adef8154327433326ed5c1b51b24b92e03aef7994d15
SSDeep: 49152:u0/oiN7HsoQneMstMUoChsAZlrmjrlMGyyWfDT2/Bqs05qocPT46yG:XbX9SCsAkRWfDT2/Bqyb
C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml 2.08 KB MD5: 223026698845b351a7ef93b50a50aeda
SHA1: dcd74a5773b1dd5b9ea7cb738ee8fc8d6424e826
SHA256: 3664b5169c2f8d5eacadff0b75a38ab877a91a880fc10ec98e9bec4c55cf1577
SSDeep: 48:zvHj8d32drlMS1kdvW2DFtIaaz9p8JNSfW7Nhhf6DTkNvdX3zpZ0tY:zjs32drlb1yXDIaaz9mNSOxYTMVHzpZl
C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml 2.88 KB MD5: 559db357fce01240fbee096e450e715c
SHA1: 5a41091144e0e6f25003da65a5ca5e52b84e9212
SHA256: fc3ee5bf87cb0af45dadc7f0f8ada1949e479e6f1f8a0792a38837dcacd36108
SSDeep: 48:hd2ZdQof4MXo3cGddqwHCQcwUThx4yAfcXwMQKBbT2OXcrRqr2XLETlIsNvdX3zZ:T2ZdBfaMnTvThx4yAfiFQK5qOQTUVHzZ
C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml 2.03 KB MD5: c4c32359a677f4bc2700529ced732a3b
SHA1: 3adffe79d24911c7e46f03ace07a17d9e7d70091
SHA256: f5ddde542907dfe719b4ed13053abe451159c3ddefeb48b044f238844c839860
SSDeep: 48:TNsq+r18IWszdWcUFem7Ftkv0sCAQ4GNvdX3zpZ0tY:GqvP8Iem7kK4CVHzpZl
Thread 0x9e4
1605 0
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-09-18 12:20:29 (UTC) True 1
Module Get Handle module_name = c:\users\eebsym5\desktop\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe, base_address = 0x230000 True 1
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x76910000 True 1
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = InitializeConditionVariable, address_out = 0x77289981 True 1
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SleepConditionVariableCS, address_out = 0x769418be True 1
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = WakeAllConditionVariable, address_out = 0x772545a5 True 1
Process Create process_name = vssadmin delete shadows /all /quiet, show_window = SW_HIDE True 1
File Create filename = C:\\$Recycle.Bin\S-1-5-21-3785418085-2572485238-895829336-1000\desktop.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\$Recycle.Bin\S-1-5-21-3785418085-2572485238-895829336-1000\desktop.ini, size = 1048576, size_out = 129 True 1
File Write filename = C:\\$Recycle.Bin\S-1-5-21-3785418085-2572485238-895829336-1000\desktop.ini, size = 144 True 1
File Move source_filename = C:\\$Recycle.Bin\S-1-5-21-3785418085-2572485238-895829336-1000\desktop.ini, destination_filename = C:\\$Recycle.Bin\S-1-5-21-3785418085-2572485238-895829336-1000\desktop.ini.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\$Recycle.Bin\S-1-5-21-3785418085-2572485238-895829336-1000\desktop.ini False 1
File Create filename = C:\\autoexec.bat, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\autoexec.bat, size = 1048576, size_out = 24 True 1
File Write filename = C:\\autoexec.bat, size = 32 True 1
File Move source_filename = C:\\autoexec.bat, destination_filename = C:\\autoexec.bat.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\autoexec.bat False 1
File Create filename = C:\\Boot\BCD, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\BCD.LOG, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\BCD.LOG1, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Boot\BCD.LOG1, size = 1048576, size_out = 0 True 1
File Move source_filename = C:\\Boot\BCD.LOG1, destination_filename = C:\\Boot\BCD.LOG1.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Boot\BCD.LOG1 False 1
File Create filename = C:\\Boot\BCD.LOG2, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Boot\BCD.LOG2, size = 1048576, size_out = 0 True 1
File Move source_filename = C:\\Boot\BCD.LOG2, destination_filename = C:\\Boot\BCD.LOG2.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Boot\BCD.LOG2 False 1
File Create filename = C:\\Boot\BOOTSTAT.DAT, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Boot\BOOTSTAT.DAT, size = 1048576, size_out = 65536 True 1
File Write filename = C:\\Boot\BOOTSTAT.DAT, size = 65552 True 1
File Move source_filename = C:\\Boot\BOOTSTAT.DAT, destination_filename = C:\\Boot\BOOTSTAT.DAT.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Boot\BOOTSTAT.DAT False 1
File Create filename = C:\\Boot\cs-CZ\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\da-DK\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\de-DE\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\el-GR\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\en-US\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\en-US\memtest.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\es-ES\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\fi-FI\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\Fonts\chs_boot.ttf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\Fonts\cht_boot.ttf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\Fonts\jpn_boot.ttf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\Fonts\kor_boot.ttf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\Fonts\wgl4_boot.ttf, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\fr-FR\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\hu-HU\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\it-IT\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\ja-JP\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\ko-KR\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\memtest.exe, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\nb-NO\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\nl-NL\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\pl-PL\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\pt-BR\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\pt-PT\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\ru-RU\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\sv-SE\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\tr-TR\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\zh-CN\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\zh-HK\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Boot\zh-TW\bootmgr.exe.mui, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\bootmgr, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\BOOTSECT.BAK, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\config.sys, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\config.sys, size = 1048576, size_out = 10 True 1
File Write filename = C:\\config.sys, size = 16 True 1
File Move source_filename = C:\\config.sys, destination_filename = C:\\config.sys.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\config.sys False 1
File Create filename = C:\\hiberfil.sys, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab, destination_filename = C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi, destination_filename = C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml, size = 1048576, size_out = 1565 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml, size = 1568 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml, destination_filename = C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml, size = 1048576, size_out = 2296 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml, size = 2304 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml, destination_filename = C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi, destination_filename = C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml, size = 1048576, size_out = 1557 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml, size = 1568 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml, destination_filename = C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab, destination_filename = C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml, size = 1048576, size_out = 1886 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml, size = 1888 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml, destination_filename = C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi, destination_filename = C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml, size = 1048576, size_out = 1450 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml, size = 1456 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml, destination_filename = C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab, destination_filename = C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml, size = 1048576, size_out = 1608 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml, size = 1616 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml, destination_filename = C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab, destination_filename = C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab False 1
File Create filename = C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi, destination_filename = C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi False 1
File Create filename = C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml, size = 1048576, size_out = 3186 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml, size = 3200 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml, destination_filename = C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml, size = 1048576, size_out = 4207 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml, size = 4208 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml, destination_filename = C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml, size = 1048576, size_out = 2424 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml, size = 2432 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml, destination_filename = C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab, destination_filename = C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab False 1
File Create filename = C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi, destination_filename = C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi False 1
File Create filename = C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml, size = 1048576, size_out = 1800 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml, size = 1808 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml, destination_filename = C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab, destination_filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab False 1
File Create filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi, size = 1048576, size_out = 656896 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi, size = 656912 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi, destination_filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi False 1
File Create filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml, size = 1048576, size_out = 1347 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml, size = 1360 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml, destination_filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab, destination_filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab False 1
File Create filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi, size = 1048576, size_out = 663040 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi, size = 663056 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi, destination_filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi False 1
File Create filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml, size = 1048576, size_out = 1457 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml, size = 1472 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml, destination_filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab, destination_filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab False 1
File Create filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi, size = 1048576, size_out = 667648 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi, size = 667664 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi, destination_filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi False 1
File Create filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml, size = 1048576, size_out = 1458 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml, size = 1472 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml, destination_filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi, size = 1048576, size_out = 650240 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi, size = 650256 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi, destination_filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi False 1
File Create filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml, size = 1048576, size_out = 811 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml, size = 816 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml, destination_filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml, size = 1048576, size_out = 5884 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml, size = 5888 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml, destination_filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab, destination_filename = C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi, destination_filename = C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml, size = 1048576, size_out = 1231 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml, size = 1232 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml, destination_filename = C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml, size = 1048576, size_out = 1852 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml, size = 1856 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml, destination_filename = C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0054-0409-0000-0000000FF1CE}-C\Setup.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0054-0409-0000-0000000FF1CE}-C\Setup.xml, size = 1048576, size_out = 6241 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0054-0409-0000-0000000FF1CE}-C\Setup.xml, size = 6256 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0054-0409-0000-0000000FF1CE}-C\Setup.xml, destination_filename = C:\\MSOCache\All Users\{90140000-0054-0409-0000-0000000FF1CE}-C\Setup.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0054-0409-0000-0000000FF1CE}-C\Setup.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0054-0409-0000-0000000FF1CE}-C\VisioLR.cab, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0054-0409-0000-0000000FF1CE}-C\VisioLR.cab, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0054-0409-0000-0000000FF1CE}-C\VisioLR.cab, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0054-0409-0000-0000000FF1CE}-C\VisioLR.cab, destination_filename = C:\\MSOCache\All Users\{90140000-0054-0409-0000-0000000FF1CE}-C\VisioLR.cab.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0054-0409-0000-0000000FF1CE}-C\VisioLR.cab False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0054-0409-0000-0000000FF1CE}-C\VisioMUI.msi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0054-0409-0000-0000000FF1CE}-C\VisioMUI.msi, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0054-0409-0000-0000000FF1CE}-C\VisioMUI.msi, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0054-0409-0000-0000000FF1CE}-C\VisioMUI.msi, destination_filename = C:\\MSOCache\All Users\{90140000-0054-0409-0000-0000000FF1CE}-C\VisioMUI.msi.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0054-0409-0000-0000000FF1CE}-C\VisioMUI.msi False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0054-0409-0000-0000000FF1CE}-C\VisioMUI.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0054-0409-0000-0000000FF1CE}-C\VisioMUI.xml, size = 1048576, size_out = 9502 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0054-0409-0000-0000000FF1CE}-C\VisioMUI.xml, size = 9504 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0054-0409-0000-0000000FF1CE}-C\VisioMUI.xml, destination_filename = C:\\MSOCache\All Users\{90140000-0054-0409-0000-0000000FF1CE}-C\VisioMUI.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0054-0409-0000-0000000FF1CE}-C\VisioMUI.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi, destination_filename = C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi False 1
File Create filename = C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml, size = 1048576, size_out = 1606 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml, size = 1616 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml, destination_filename = C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab, destination_filename = C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab False 1
File Create filename = C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml, size = 1048576, size_out = 1988 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml, size = 2000 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml, destination_filename = C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-00B4-0409-0000-0000000FF1CE}-C\ProjectMUI.msi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-00B4-0409-0000-0000000FF1CE}-C\ProjectMUI.msi, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-00B4-0409-0000-0000000FF1CE}-C\ProjectMUI.msi, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-00B4-0409-0000-0000000FF1CE}-C\ProjectMUI.msi, destination_filename = C:\\MSOCache\All Users\{90140000-00B4-0409-0000-0000000FF1CE}-C\ProjectMUI.msi.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-00B4-0409-0000-0000000FF1CE}-C\ProjectMUI.msi False 1
File Create filename = C:\\MSOCache\All Users\{90140000-00B4-0409-0000-0000000FF1CE}-C\ProjectMUI.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-00B4-0409-0000-0000000FF1CE}-C\ProjectMUI.xml, size = 1048576, size_out = 1451 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-00B4-0409-0000-0000000FF1CE}-C\ProjectMUI.xml, size = 1456 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-00B4-0409-0000-0000000FF1CE}-C\ProjectMUI.xml, destination_filename = C:\\MSOCache\All Users\{90140000-00B4-0409-0000-0000000FF1CE}-C\ProjectMUI.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-00B4-0409-0000-0000000FF1CE}-C\ProjectMUI.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-00B4-0409-0000-0000000FF1CE}-C\ProjLR.cab, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-00B4-0409-0000-0000000FF1CE}-C\ProjLR.cab, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-00B4-0409-0000-0000000FF1CE}-C\ProjLR.cab, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-00B4-0409-0000-0000000FF1CE}-C\ProjLR.cab, destination_filename = C:\\MSOCache\All Users\{90140000-00B4-0409-0000-0000000FF1CE}-C\ProjLR.cab.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-00B4-0409-0000-0000000FF1CE}-C\ProjLR.cab False 1
File Create filename = C:\\MSOCache\All Users\{90140000-00B4-0409-0000-0000000FF1CE}-C\Setup.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-00B4-0409-0000-0000000FF1CE}-C\Setup.xml, size = 1048576, size_out = 1872 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-00B4-0409-0000-0000000FF1CE}-C\Setup.xml, size = 1888 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-00B4-0409-0000-0000000FF1CE}-C\Setup.xml, destination_filename = C:\\MSOCache\All Users\{90140000-00B4-0409-0000-0000000FF1CE}-C\Setup.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-00B4-0409-0000-0000000FF1CE}-C\Setup.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab, destination_filename = C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab False 1
File Create filename = C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi, destination_filename = C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi False 1
File Create filename = C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml, size = 1048576, size_out = 913 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml, size = 928 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml, destination_filename = C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml, size = 1048576, size_out = 1452 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml, size = 1456 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml, destination_filename = C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll, size = 1048576, size_out = 107912 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll, size = 107920 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll, destination_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml, size = 1048576, size_out = 596341 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml, size = 596352 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml, destination_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE, size = 1048576, size_out = 838536 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE, size = 838544 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE, destination_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll, size = 1048576, size_out = 526176 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll, size = 526192 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll, destination_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe, size = 1048576, size_out = 519584 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe, size = 519600 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe, destination_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest, size = 1048576, size_out = 1857 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest, size = 1872 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest, destination_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll, size = 1048576, size_out = 655872 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll, size = 655888 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll, destination_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab, destination_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi, destination_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml, size = 1048576, size_out = 5662 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml, size = 5664 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml, destination_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi, size = 1048576, size_out = 650240 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi, size = 650256 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi, destination_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml, size = 1048576, size_out = 819 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml, size = 832 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml, destination_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll, size = 1048576, size_out = 191872 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll, size = 191888 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll, destination_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm, size = 1048576, size_out = 27195 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm, size = 27200 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm, destination_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm, size = 1048576, size_out = 67190 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm, size = 67200 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm, destination_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml, size = 1048576, size_out = 9598 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml, size = 9600 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml, destination_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST, size = 1048576, size_out = 3584 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST, size = 3600 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST, destination_filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi, destination_filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml, size = 1048576, size_out = 1349 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml, size = 1360 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml, destination_filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab, destination_filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml, size = 1048576, size_out = 596341 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml, size = 596352 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml, destination_filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi, size = 1048576, size_out = 650240 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi, size = 650256 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi, destination_filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml, size = 1048576, size_out = 819 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml, size = 832 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml, destination_filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml False 1
File Create filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml, size = 1048576, size_out = 2624 True 1
File Write filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml, size = 2640 True 1
File Move source_filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml, destination_filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi, destination_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml, size = 1048576, size_out = 4685 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml, size = 4688 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml, destination_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ose.exe, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ose.exe, size = 1048576, size_out = 149352 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ose.exe, size = 149360 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ose.exe, destination_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ose.exe.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ose.exe False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll, destination_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab, destination_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll, destination_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\PidGenX.dll False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms, size = 1048576, size_out = 715834 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms, size = 715840 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms, destination_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ProPlusrWW.msi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ProPlusrWW.msi, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ProPlusrWW.msi, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ProPlusrWW.msi, destination_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ProPlusrWW.msi.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ProPlusrWW.msi False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ProPlusrWW.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ProPlusrWW.xml, size = 1048576, size_out = 17254 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ProPlusrWW.xml, size = 17264 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ProPlusrWW.xml, destination_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ProPlusrWW.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ProPlusrWW.xml False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ProPrWW.cab, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ProPrWW.cab, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ProPrWW.cab, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ProPrWW.cab, destination_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ProPrWW.cab.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ProPrWW.cab False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ProPrWW2.cab, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ProPrWW2.cab, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ProPrWW2.cab, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ProPrWW2.cab, destination_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ProPrWW2.cab.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ProPrWW2.cab False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\setup.exe, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\setup.exe, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\setup.exe, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\setup.exe, destination_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\setup.exe.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\setup.exe False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml, size = 1048576, size_out = 32219 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml, size = 32224 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml, destination_filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml False 1
File Create filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\Office64WW.msi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\Office64WW.msi, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\Office64WW.msi, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\Office64WW.msi, destination_filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\Office64WW.msi.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\Office64WW.msi False 1
File Create filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\Office64WW.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\Office64WW.xml, size = 1048576, size_out = 4685 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\Office64WW.xml, size = 4688 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\Office64WW.xml, destination_filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\Office64WW.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\Office64WW.xml False 1
File Create filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\ose.exe, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\ose.exe, size = 1048576, size_out = 149352 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\ose.exe, size = 149360 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\ose.exe, destination_filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\ose.exe.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\ose.exe False 1
File Create filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\osetup.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\osetup.dll, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\osetup.dll, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\osetup.dll, destination_filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\osetup.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\osetup.dll False 1
File Create filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\OWOW64WW.cab, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\OWOW64WW.cab, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\OWOW64WW.cab, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\OWOW64WW.cab, destination_filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\OWOW64WW.cab False 1
File Create filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\PidGenX.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\PidGenX.dll, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\PidGenX.dll, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\PidGenX.dll, destination_filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\PidGenX.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\PidGenX.dll False 1
File Create filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms, size = 1048576, size_out = 715834 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms, size = 715840 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms, destination_filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms False 1
File Create filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\PrjProrWW.msi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\PrjProrWW.msi, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\PrjProrWW.msi, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\PrjProrWW.msi, destination_filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\PrjProrWW.msi.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\PrjProrWW.msi False 1
File Create filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\PrjProrWW.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\PrjProrWW.xml, size = 1048576, size_out = 6618 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\PrjProrWW.xml, size = 6624 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\PrjProrWW.xml, destination_filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\PrjProrWW.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\PrjProrWW.xml False 1
File Create filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\PrjPrrWW.cab, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\PrjPrrWW.cab, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\PrjPrrWW.cab, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\PrjPrrWW.cab, destination_filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\PrjPrrWW.cab.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\PrjPrrWW.cab False 1
File Create filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\setup.exe, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\setup.exe, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\setup.exe, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\setup.exe, destination_filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\setup.exe.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\setup.exe False 1
File Create filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\Setup.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\Setup.xml, size = 1048576, size_out = 17352 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\Setup.xml, size = 17360 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\Setup.xml, destination_filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\Setup.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-003B-0000-0000-0000000FF1CE}-C\Setup.xml False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\Office64WW.msi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\Office64WW.msi, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\Office64WW.msi, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\Office64WW.msi, destination_filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\Office64WW.msi.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\Office64WW.msi False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\Office64WW.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\Office64WW.xml, size = 1048576, size_out = 4685 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\Office64WW.xml, size = 4688 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\Office64WW.xml, destination_filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\Office64WW.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\Office64WW.xml False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\ose.exe, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\ose.exe, size = 1048576, size_out = 149352 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\ose.exe, size = 149360 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\ose.exe, destination_filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\ose.exe.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\ose.exe False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\osetup.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\osetup.dll, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\osetup.dll, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\osetup.dll, destination_filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\osetup.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\osetup.dll False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\OWOW64WW.cab, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\OWOW64WW.cab, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\OWOW64WW.cab, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\OWOW64WW.cab, destination_filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\OWOW64WW.cab False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\PidGenX.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\PidGenX.dll, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\PidGenX.dll, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\PidGenX.dll, destination_filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\PidGenX.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\PidGenX.dll False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms, size = 1048576, size_out = 715834 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms, size = 715840 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms, destination_filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\setup.exe, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\setup.exe, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\setup.exe, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\setup.exe, destination_filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\setup.exe.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\setup.exe False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\Setup.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\Setup.xml, size = 1048576, size_out = 21246 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\Setup.xml, size = 21248 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\Setup.xml, destination_filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\Setup.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\Setup.xml False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\VisiorWW.cab, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\VisiorWW.cab, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\VisiorWW.cab, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\VisiorWW.cab, destination_filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\VisiorWW.cab.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\VisiorWW.cab False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\VisiorWW.msi, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\VisiorWW.msi, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\VisiorWW.msi, size = 1048592 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\VisiorWW.msi, destination_filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\VisiorWW.msi.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\VisiorWW.msi False 1
File Create filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\VisiorWW.xml, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\VisiorWW.xml, size = 1048576, size_out = 8917 True 1
File Write filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\VisiorWW.xml, size = 8928 True 1
File Move source_filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\VisiorWW.xml, destination_filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\VisiorWW.xml.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\MSOCache\All Users\{91140000-0057-0000-0000-0000000FF1CE}-C\VisiorWW.xml False 1
File Create filename = C:\\pagefile.sys, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Benioku.htm, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Benioku.htm, size = 1048576, size_out = 17000 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Benioku.htm, size = 17008 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Benioku.htm, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Benioku.htm.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Benioku.htm False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Berime.htm, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Berime.htm, size = 1048576, size_out = 17082 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Berime.htm, size = 17088 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Berime.htm, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Berime.htm.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Berime.htm False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Esl\AiodLite.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Esl\AiodLite.dll, size = 1048576, size_out = 104344 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Esl\AiodLite.dll, size = 104352 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Esl\AiodLite.dll, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Esl\AiodLite.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Esl\AiodLite.dll False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\IrakHau.htm, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\IrakHau.htm, size = 1048576, size_out = 17032 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\IrakHau.htm, size = 17040 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\IrakHau.htm, destination_filename = C:\\Program Files\Adobe\Reader 10.0\IrakHau.htm.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\IrakHau.htm False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Leame.htm, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Leame.htm, size = 1048576, size_out = 16955 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Leame.htm, size = 16960 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Leame.htm, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Leame.htm.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Leame.htm False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\LeesMij.htm, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\LeesMij.htm, size = 1048576, size_out = 16867 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\LeesMij.htm, size = 16880 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\LeesMij.htm, destination_filename = C:\\Program Files\Adobe\Reader 10.0\LeesMij.htm.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\LeesMij.htm False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Leggimi.htm, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Leggimi.htm, size = 1048576, size_out = 17033 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Leggimi.htm, size = 17040 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Leggimi.htm, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Leggimi.htm.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Leggimi.htm False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\LeiaMe.htm, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\LeiaMe.htm, size = 1048576, size_out = 17011 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\LeiaMe.htm, size = 17024 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\LeiaMe.htm, destination_filename = C:\\Program Files\Adobe\Reader 10.0\LeiaMe.htm.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\LeiaMe.htm False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Liesmich.htm, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Liesmich.htm, size = 1048576, size_out = 17078 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Liesmich.htm, size = 17088 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Liesmich.htm, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Liesmich.htm.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Liesmich.htm False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Lisezmoi.htm, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Lisezmoi.htm, size = 1048576, size_out = 17351 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Lisezmoi.htm, size = 17360 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Lisezmoi.htm, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Lisezmoi.htm.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Lisezmoi.htm False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Llegiu-me.htm, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Llegiu-me.htm, size = 1048576, size_out = 16892 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Llegiu-me.htm, size = 16896 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Llegiu-me.htm, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Llegiu-me.htm.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Llegiu-me.htm False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\LueMinut.htm, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\LueMinut.htm, size = 1048576, size_out = 17230 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\LueMinut.htm, size = 17232 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\LueMinut.htm, destination_filename = C:\\Program Files\Adobe\Reader 10.0\LueMinut.htm.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\LueMinut.htm False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\A3DUtils.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\A3DUtils.dll, size = 1048576, size_out = 205720 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\A3DUtils.dll, size = 205728 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\A3DUtils.dll, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\A3DUtils.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\A3DUtils.dll False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\ACE.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\ACE.dll, size = 1048576, size_out = 818568 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\ACE.dll, size = 818576 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\ACE.dll, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\ACE.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\ACE.dll False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroBroker.exe, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroBroker.exe, size = 1048576, size_out = 294808 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroBroker.exe, size = 294816 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroBroker.exe, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroBroker.exe.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroBroker.exe False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Acrofx32.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Acrofx32.dll, size = 1048576, size_out = 63384 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Acrofx32.dll, size = 63392 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Acrofx32.dll, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Acrofx32.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Acrofx32.dll False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.dll, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.dll, size = 1048592 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.dll, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.dll False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe, size = 1048592 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroRd32Info.exe, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroRd32Info.exe, size = 1048576, size_out = 17824 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroRd32Info.exe, size = 17840 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroRd32Info.exe, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroRd32Info.exe.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroRd32Info.exe False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroTextExtractor.exe, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroTextExtractor.exe, size = 1048576, size_out = 49064 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroTextExtractor.exe, size = 49072 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroTextExtractor.exe, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroTextExtractor.exe.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AcroTextExtractor.exe False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Adobe.Reader.Dependencies.manifest, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Adobe.Reader.Dependencies.manifest, size = 1048576, size_out = 1472 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Adobe.Reader.Dependencies.manifest, size = 1488 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Adobe.Reader.Dependencies.manifest, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Adobe.Reader.Dependencies.manifest.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Adobe.Reader.Dependencies.manifest False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AdobeCollabSync.exe, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AdobeCollabSync.exe, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AdobeCollabSync.exe, size = 1048592 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AdobeCollabSync.exe, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AdobeCollabSync.exe.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AdobeCollabSync.exe False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AdobeLinguistic.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AdobeLinguistic.dll, size = 1048576, size_out = 757664 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AdobeLinguistic.dll, size = 757680 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AdobeLinguistic.dll, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AdobeLinguistic.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AdobeLinguistic.dll False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\adoberfp.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\adoberfp.dll, size = 1048576, size_out = 226200 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\adoberfp.dll, size = 226208 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\adoberfp.dll, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\adoberfp.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\adoberfp.dll False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AdobeXMP.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AdobeXMP.dll, size = 1048576, size_out = 304536 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AdobeXMP.dll, size = 304544 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AdobeXMP.dll, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AdobeXMP.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AdobeXMP.dll False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AGM.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AGM.dll, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AGM.dll, size = 1048592 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AGM.dll, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AGM.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AGM.dll False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AGMGPUOptIn.ini, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AGMGPUOptIn.ini, size = 1048576, size_out = 1727 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AGMGPUOptIn.ini, size = 1728 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AGMGPUOptIn.ini, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AGMGPUOptIn.ini.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AGMGPUOptIn.ini False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\ahclient.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\ahclient.dll, size = 1048576, size_out = 222920 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\ahclient.dll, size = 222928 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\ahclient.dll, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\ahclient.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\ahclient.dll False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.CAT, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.CAT, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.CAT, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.CAT, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.CAT.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.CAT False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.CHS, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.CHS, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.CHS, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.CHS, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.CHS.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.CHS False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.CHT, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.CHT, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.CHT, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.CHT, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.CHT.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.CHT False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.CZE, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.CZE, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.CZE, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.CZE, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.CZE.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.CZE False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.DAN, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.DAN, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.DAN, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.DAN, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.DAN.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.DAN False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.DEU, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.DEU, size = 1048576, size_out = 8192 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.DEU, size = 8208 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.DEU, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.DEU.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.DEU False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll, size = 1048576, size_out = 135568 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll, size = 135584 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.ESP, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.ESP, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.ESP, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.ESP, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.ESP.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.ESP False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.EUQ, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.EUQ, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.EUQ, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.EUQ, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.EUQ.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.EUQ False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.FRA, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.FRA, size = 1048576, size_out = 8192 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.FRA, size = 8208 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.FRA, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.FRA.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.FRA False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.HRV, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.HRV, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.HRV, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.HRV, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.HRV.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.HRV False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.HUN, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.HUN, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.HUN, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.HUN, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.HUN.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.HUN False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.ITA, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.ITA, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.ITA, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.ITA, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.ITA.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.ITA False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.JPN, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.JPN, size = 1048576, size_out = 6144 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.JPN, size = 6160 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.JPN, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.JPN.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.JPN False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.KOR, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.KOR, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.KOR, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.KOR, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.KOR.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.KOR False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.NLD, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.NLD, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.NLD, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.NLD, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.NLD.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.NLD False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.NOR, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.NOR, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.NOR, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.NOR, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.NOR.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.NOR False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.POL, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.POL, size = 1048576, size_out = 8192 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.POL, size = 8208 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.POL, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.POL.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.POL False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.PTB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.PTB, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.PTB, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.PTB, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.PTB.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.PTB False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.RUM, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.RUM, size = 1048576, size_out = 8192 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.RUM, size = 8208 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.RUM, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.RUM.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.RUM False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.RUS, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.RUS, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.RUS, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.RUS, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.RUS.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.RUS False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.SKY, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.SKY, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.SKY, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.SKY, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.SKY.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.SKY False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.SLV, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.SLV, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.SLV, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.SLV, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.SLV.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.SLV False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.SUO, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.SUO, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.SUO, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.SUO, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.SUO.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.SUO False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.SVE, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.SVE, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.SVE, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.SVE, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.SVE.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.SVE False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.TUR, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.TUR, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.TUR, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.TUR, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.TUR.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.TUR False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.UKR, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.UKR, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.UKR, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.UKR, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.UKR.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.UKR False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\authplay.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\authplay.dll, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\authplay.dll, size = 1048592 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\authplay.dll, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\authplay.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\authplay.dll False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AXE8SharedExpat.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AXE8SharedExpat.dll, size = 1048576, size_out = 174496 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AXE8SharedExpat.dll, size = 174512 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AXE8SharedExpat.dll, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AXE8SharedExpat.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AXE8SharedExpat.dll False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AXSLE.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AXSLE.dll, size = 1048576, size_out = 595344 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AXSLE.dll, size = 595360 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AXSLE.dll, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AXSLE.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\AXSLE.dll False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\BIB.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\BIB.dll, size = 1048576, size_out = 110472 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\BIB.dll, size = 110480 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\BIB.dll, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\BIB.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\BIB.dll False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\BIBUtils.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\BIBUtils.dll, size = 1048576, size_out = 154520 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\BIBUtils.dll, size = 154528 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\BIBUtils.dll, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\BIBUtils.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\BIBUtils.dll False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.CAT, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.CAT, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.CAT, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.CAT, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.CAT.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.CAT False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.CHS, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.CHS, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.CHS, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.CHS, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.CHS.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.CHS False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.CHT, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.CHT, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.CHT, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.CHT, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.CHT.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.CHT False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.CZE, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.CZE, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.CZE, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.CZE, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.CZE.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.CZE False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.DAN, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.DAN, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.DAN, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.DAN, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.DAN.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.DAN False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.DEU, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.DEU, size = 1048576, size_out = 8192 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.DEU, size = 8208 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.DEU, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.DEU.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.DEU False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll, size = 1048576, size_out = 135568 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll, size = 135584 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.ESP, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.ESP, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.ESP, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.ESP, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.ESP.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.ESP False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.EUQ, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.EUQ, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.EUQ, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.EUQ, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.EUQ.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.EUQ False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.FRA, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.FRA, size = 1048576, size_out = 8192 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.FRA, size = 8208 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.FRA, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.FRA.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.FRA False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.HRV, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.HRV, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.HRV, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.HRV, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.HRV.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.HRV False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.HUN, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.HUN, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.HUN, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.HUN, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.HUN.[rmail@rmail.cc].rmaile True 1
File Delete filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.HUN False 1
File Create filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.ITA, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Read filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.ITA, size = 1048576, size_out = 7680 True 1
File Write filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.ITA, size = 7696 True 1
File Move source_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.ITA, destination_filename = C:\\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.ITA.[rmail@rmail.cc].rmaile True 1
For performance reasons, the remaining 343 entries are omitted.
The remaining entries can be found in glog.xml.
Process #2: vssadmin.exe
Information Value
ID #2
File Name c:\windows\system32\vssadmin.exe
Command Line vssadmin delete shadows /all /quiet
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:01:26, Reason: Child Process
Unmonitor End Time: 00:02:15, Reason: Self Terminated
Monitor Duration 00:00:49
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9e8
Parent PID 0x9e0 (c:\users\eebsym5\desktop\80ca3de5d5f991c872ba07a0ffc035bf019f985bac71f4f379bcdea2de6203af.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9EC, 0xA00, 0xA08, 0xA0C, 0xA10
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
vssadmin.exe.mui 0x000e0000 0x000ecfff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x0016ffff Private Memory rw True False False -
pagefile_0x0000000000170000 0x00170000 0x00237fff Pagefile Backed Memory r True False False -
private_0x00000000002a0000 0x002a0000 0x002affff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
pagefile_0x0000000000400000 0x00400000 0x00500fff Pagefile Backed Memory r True False False -
private_0x0000000000560000 0x00560000 0x0059ffff Private Memory rw True False False -
private_0x00000000006b0000 0x006b0000 0x006effff Private Memory rw True False False -
private_0x00000000006f0000 0x006f0000 0x0072ffff Private Memory rw True False False -
sortdefault.nls 0x00730000 0x009fefff Memory Mapped File r False False False -
vssadmin.exe 0x00a30000 0x00a4efff Memory Mapped File rwx False False False -
pagefile_0x0000000000a50000 0x00a50000 0x0164ffff Pagefile Backed Memory r True False False -
private_0x00000000016a0000 0x016a0000 0x016dffff Private Memory rw True False False -
vsstrace.dll 0x70370000 0x7037ffff Memory Mapped File rwx False False False -
vssapi.dll 0x70380000 0x70495fff Memory Mapped File rwx False False False -
vss_ps.dll 0x71f20000 0x71f29fff Memory Mapped File rwx False False False -
atl.dll 0x738a0000 0x738b3fff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bf0000 0x74c2afff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e50000 0x74e65fff Memory Mapped File rwx False False False -
cryptbase.dll 0x752d0000 0x752dbfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75370000 0x7537dfff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75680000 0x75720fff Memory Mapped File rwx False False False -
clbcatq.dll 0x75780000 0x75802fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
ole32.dll 0x76750000 0x768abfff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
advapi32.dll 0x769f0000 0x76a8ffff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
oleaut32.dll 0x76c10000 0x76c9efff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
sechost.dll 0x773c0000 0x773d8fff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #7: System
Information Value
ID #7
File Name System
Command Line -
Initial Working Directory -
Monitor Start Time: 00:03:12, Reason: Kernel Analysis
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:02:06
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x4
Parent PID 0xffffffffffffffff (Unknown)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x8, 0x14, 0x10, 0xC, 0x18, 0x1C, 0x20, 0x24, 0x28, 0x2C, 0x30, 0x34, 0x38, 0x3C, 0x40, 0x44, 0x48, 0x74, 0x4C, 0x50, 0x54, 0x58, 0x5C, 0x60, 0x64, 0x68, 0x6C, 0x70, 0x78, 0x7C, 0x80, 0x84, 0x88, 0x8C, 0x90, 0x94, 0x98, 0x9C, 0xA0, 0xA4, 0xA8, 0xAC, 0xB0, 0xB4, 0xB8, 0xBC, 0xC0, 0xC4, 0xC8, 0xCC, 0xDC, 0xD0, 0xD4, 0xD8, 0xE0, 0xEC, 0xF0, 0xF4, 0x104, 0x108, 0x10C, 0x110, 0x114, 0x118, 0x130, 0x134, 0x138, 0x13C, 0x190, 0x270, 0x2EC, 0x310, 0x3C4, 0x3C8, 0x4B4, 0x520, 0x524, 0x528, 0x5A8, 0x5CC, 0x5D0, 0x5D8, 0x620, 0x624, 0x684, 0x6A0, 0x6A8, 0x6B4, 0x6BC, 0x6C4, 0x6C8, 0x7B8
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x00032fff Pagefile Backed Memory rw True False False -
Process #9: smss.exe
Information Value
ID #9
File Name c:\windows\system32\smss.exe
Command Line \SystemRoot\System32\smss.exe
Initial Working Directory C:\Windows
Monitor Start Time: 00:03:32, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:01:46
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe4
Parent PID 0x4 (System)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0xE8, 0xF8, 0x11C, 0x160
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x (null) 0x00000000 0x000fffff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0018ffff Private Memory rw True False False -
smss.exe 0x476c0000 0x476d2fff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #10: autochk.exe
Information Value
ID #10
File Name c:\windows\system32\autochk.exe
Command Line \??\C:\Windows\system32\autochk.exe *
Initial Working Directory C:\Windows\system32
Monitor Start Time: 00:03:35, Reason: Child Process
Unmonitor End Time: 00:03:35, Reason: Self Terminated
Monitor Duration 00:00:00
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xfc
Parent PID 0xe4 (c:\windows\system32\smss.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x100
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x001cffff Private Memory rw True False False -
autochk.exe 0x00d90000 0x00e35fff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #11: smss.exe
Information Value
ID #11
File Name c:\windows\system32\smss.exe
Command Line \SystemRoot\System32\smss.exe 00000000 0000003c
Initial Working Directory C:\Windows\
Monitor Start Time: 00:03:47, Reason: Child Process
Unmonitor End Time: 00:03:49, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x120
Parent PID 0xe4 (c:\windows\system32\smss.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x124
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0020ffff Private Memory rw True False False -
smss.exe 0x476c0000 0x476d2fff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #12: csrss.exe
Information Value
ID #12
File Name c:\windows\system32\csrss.exe
Command Line %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Initial Working Directory C:\Windows\system32
Monitor Start Time: 00:03:48, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:01:30
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x128
Parent PID 0x120 (c:\windows\system32\smss.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x12C, 0x140, 0x144, 0x148, 0x14C, 0x184, 0x194, 0x198, 0x1C4, 0x1DC
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x (null) 0x00000000 0x000fffff Private Memory rw True False False -
pagefile_0x0000000000100000 0x00100000 0x00106fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000110000 0x00110000 0x00111fff Pagefile Backed Memory rw True False False -
private_0x0000000000120000 0x00120000 0x00120fff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x0016ffff Private Memory rw True False False -
pagefile_0x0000000000130000 0x00130000 0x0013ffff Pagefile Backed Memory rw True False False -
marlett.ttf 0x00140000 0x00146fff Memory Mapped File r False False False -
pagefile_0x0000000000150000 0x00150000 0x0016ffff Pagefile Backed Memory r True False False -
locale.nls 0x00170000 0x001d6fff Memory Mapped File r False False False -
vgasys.fon 0x001e0000 0x001e1fff Memory Mapped File r False False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory rw True False False -
pagefile_0x0000000000200000 0x00200000 0x0020ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000000210000 0x00210000 0x00213fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000210000 0x00210000 0x00210fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000210000 0x00210000 0x0021ffff Pagefile Backed Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0025ffff Private Memory rw True False False -
pagefile_0x0000000000260000 0x00260000 0x0026ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000270000 0x00270000 0x0027ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000280000 0x00280000 0x00280fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000280000 0x00280000 0x0028ffff Pagefile Backed Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x002dffff Private Memory rw True False False -
pagefile_0x00000000002e0000 0x002e0000 0x002effff Pagefile Backed Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
pagefile_0x0000000000430000 0x00430000 0x00530fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000540000 0x00540000 0x00932fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000940000 0x00940000 0x0094ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000950000 0x00950000 0x00951fff Pagefile Backed Memory rw True False False -
private_0x0000000000960000 0x00960000 0x0099ffff Private Memory rw True False False -
pagefile_0x00000000009a0000 0x009a0000 0x009affff Pagefile Backed Memory rw True False False -
private_0x00000000009b0000 0x009b0000 0x009effff Private Memory rw True False False -
pagefile_0x00000000009f0000 0x009f0000 0x009fffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000a00000 0x00a00000 0x00a0ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000a10000 0x00a10000 0x00a11fff Pagefile Backed Memory rw True False False -
windowsshell.manifest 0x00a10000 0x00a10fff Memory Mapped File r False False False -
pagefile_0x0000000000a10000 0x00a10000 0x00a1ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000a20000 0x00a20000 0x00a21fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000a20000 0x00a20000 0x00a2ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000a30000 0x00a30000 0x00a31fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000a30000 0x00a30000 0x00a3ffff Pagefile Backed Memory rw True False False -
private_0x0000000000a40000 0x00a40000 0x00a7ffff Private Memory rw True False False -
segoeui.ttf 0x00a80000 0x00afefff Memory Mapped File r False False False -
pagefile_0x0000000000b00000 0x00b00000 0x00b00fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000b00000 0x00b00000 0x00b0ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000b10000 0x00b10000 0x00b1ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000b20000 0x00b20000 0x00b21fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000b20000 0x00b20000 0x00b20fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000b20000 0x00b20000 0x00b2ffff Pagefile Backed Memory rw True False False -
private_0x0000000000b30000 0x00b30000 0x00b6ffff Private Memory rw True False False -
pagefile_0x0000000000b70000 0x00b70000 0x00c37fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000c40000 0x00c40000 0x0183ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001840000 0x01840000 0x018bffff Pagefile Backed Memory r True False False -
pagefile_0x00000000018c0000 0x018c0000 0x0193ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001940000 0x01940000 0x01940fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000001940000 0x01940000 0x0194ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000001950000 0x01950000 0x01951fff Pagefile Backed Memory rw True False False -
private_0x0000000001960000 0x01960000 0x0199ffff Private Memory rw True False False -
private_0x00000000019f0000 0x019f0000 0x01a2ffff Private Memory rw True False False -
pagefile_0x0000000001a30000 0x01a30000 0x01aaffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001ab0000 0x01ab0000 0x01b2ffff Pagefile Backed Memory r True False False -
csrss.exe 0x4a3f0000 0x4a3f4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
sxs.dll 0x752b0000 0x7530efff Memory Mapped File rwx False False False -
sxssrv.dll 0x75330000 0x75338fff Memory Mapped File rwx False False False -
winsrv.dll 0x75340000 0x7536bfff Memory Mapped File rwx False False False -
basesrv.dll 0x75370000 0x7537dfff Memory Mapped File rwx False False False -
csrsrv.dll 0x75380000 0x7538cfff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory rw True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory rw True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #13: smss.exe
Information Value
ID #13
File Name c:\windows\system32\smss.exe
Command Line \SystemRoot\System32\smss.exe 00000001 0000003c
Initial Working Directory C:\Windows\
Monitor Start Time: 00:03:49, Reason: Child Process
Unmonitor End Time: 00:03:50, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x150
Parent PID 0xe4 (c:\windows\system32\smss.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x154
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x00010fff Pagefile Backed Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0014ffff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
smss.exe 0x476c0000 0x476d2fff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #14: wininit.exe
Information Value
ID #14
File Name c:\windows\system32\wininit.exe
Command Line wininit.exe
Initial Working Directory C:\Windows\system32
Monitor Start Time: 00:03:49, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:01:29
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x158
Parent PID 0x120 (c:\windows\system32\smss.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x15C, 0x188, 0x18C, 0x1A0, 0x1A4, 0x1B8, 0x1EC, 0x2B0
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
locale.nls 0x00020000 0x00086fff Memory Mapped File r False False False -
imm32.dll 0x00090000 0x000acfff Memory Mapped File r False False False -
pagefile_0x0000000000090000 0x00090000 0x00096fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000a0000 0x000a0000 0x000a1fff Pagefile Backed Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x000b0fff Private Memory rw True False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x0010ffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x0012ffff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0022ffff Private Memory rw True False False -
segoeui.ttf 0x00170000 0x001eefff Memory Mapped File r False False False -
segoeuib.ttf 0x00170000 0x001e9fff Memory Mapped File r False False False -
tahoma.ttf 0x00170000 0x0021afff Memory Mapped File r False False False -
micross.ttf 0x00170000 0x0020ffff Memory Mapped File r False False False -
aero_arrow.cur 0x00170000 0x00173fff Memory Mapped File r False False False -
aero_busy.ani 0x00170000 0x001adfff Memory Mapped File r False False False -
aero_up.cur 0x00170000 0x00173fff Memory Mapped File r False False False -
aero_nwse.cur 0x00170000 0x00173fff Memory Mapped File r False False False -
aero_nesw.cur 0x00170000 0x00173fff Memory Mapped File r False False False -
aero_ew.cur 0x00170000 0x00173fff Memory Mapped File r False False False -
aero_ns.cur 0x00170000 0x00173fff Memory Mapped File r False False False -
aero_move.cur 0x00170000 0x00173fff Memory Mapped File r False False False -
aero_unavail.cur 0x00170000 0x00173fff Memory Mapped File r False False False -
aero_working.ani 0x00170000 0x001adfff Memory Mapped File r False False False -
aero_helpsel.cur 0x00170000 0x00173fff Memory Mapped File r False False False -
aero_pen.cur 0x00170000 0x00173fff Memory Mapped File r False False False -
aero_link.cur 0x00170000 0x00173fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001affff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x001effff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0022ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
pagefile_0x00000000003a0000 0x003a0000 0x00467fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000470000 0x00470000 0x00570fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000580000 0x00580000 0x00972fff Pagefile Backed Memory r True False False -
private_0x0000000000980000 0x00980000 0x00b1ffff Private Memory rw True False False -
private_0x00000000009a0000 0x009a0000 0x009dffff Private Memory rw True False False -
private_0x0000000000a40000 0x00a40000 0x00a7ffff Private Memory rw True False False -
private_0x0000000000ae0000 0x00ae0000 0x00b1ffff Private Memory rw True False False -
private_0x0000000000b20000 0x00b20000 0x00c5ffff Private Memory rw True False False -
private_0x0000000000b20000 0x00b20000 0x00b5ffff Private Memory rw True False False -
private_0x0000000000ba0000 0x00ba0000 0x00bdffff Private Memory rw True False False -
private_0x0000000000c20000 0x00c20000 0x00c5ffff Private Memory rw True False False -
wininit.exe 0x00ce0000 0x00cf9fff Memory Mapped File rwx False False False -
batang.ttc 0x00d00000 0x01c82fff Memory Mapped File r False False False -
gulim.ttc 0x00d00000 0x019e5fff Memory Mapped File r False False False -
malgun.ttf 0x00d00000 0x01122fff Memory Mapped File r False False False -
malgunbd.ttf 0x00d00000 0x0114efff Memory Mapped File r False False False -
meiryo.ttc 0x00d00000 0x01617fff Memory Mapped File r False False False -
meiryob.ttc 0x00d00000 0x0164cfff Memory Mapped File r False False False -
msjh.ttf 0x00d00000 0x021a8fff Memory Mapped File r False False False -
msjhbd.ttf 0x00d00000 0x01ad6fff Memory Mapped File r False False False -
msyh.ttf 0x00d00000 0x021c2fff Memory Mapped File r False False False -
msyhbd.ttf 0x00d00000 0x01aedfff Memory Mapped File r False False False -
mingliu.ttc 0x00d00000 0x02bb9fff Memory Mapped File r False False False -
mingliub.ttc 0x00d00000 0x02d3dfff Memory Mapped File r False False False -
msgothic.ttc 0x00d00000 0x015c0fff Memory Mapped File r False False False -
msmincho.ttc 0x00d00000 0x01697fff Memory Mapped File r False False False -
simsun.ttc 0x00d00000 0x01b9dfff Memory Mapped File r False False False -
simsunb.ttf 0x00d00000 0x01bb1fff Memory Mapped File r False False False -
pagefile_0x0000000000d00000 0x00d00000 0x018fffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x01900000 0x01bcefff Memory Mapped File r False False False -
private_0x0000000001bd0000 0x01bd0000 0x01c0ffff Private Memory rw True False False -
private_0x0000000001c10000 0x01c10000 0x01c4ffff Private Memory rw True False False -
wshtcpip.dll 0x74900000 0x74904fff Memory Mapped File rwx False False False -
credssp.dll 0x74ad0000 0x74ad7fff Memory Mapped File rwx False False False -
wship6.dll 0x74dd0000 0x74dd5fff Memory Mapped File rwx False False False -
mswsock.dll 0x74de0000 0x74e1bfff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e20000 0x74e35fff Memory Mapped File rwx False False False -
secur32.dll 0x75210000 0x75217fff Memory Mapped File rwx False False False -
sspicli.dll 0x75250000 0x7526afff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
kbdus.dll 0x752f0000 0x752f3fff Memory Mapped File rwx False False False -
kbdus.dll 0x75300000 0x75303fff Memory Mapped File rwx False False False -
wls0wndh.dll 0x75300000 0x75305fff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75310000 0x7531dfff Memory Mapped File rwx False False False -
profapi.dll 0x75320000 0x7532afff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
ws2_32.dll 0x76ec0000 0x76ef4fff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
nsi.dll 0x77310000 0x77315fff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #15: csrss.exe
Information Value
ID #15
File Name c:\windows\system32\csrss.exe
Command Line %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Initial Working Directory C:\Windows\system32
Monitor Start Time: 00:03:49, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:01:29
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x164
Parent PID 0x150 (c:\windows\system32\smss.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x168, 0x16C, 0x170, 0x174, 0x178, 0x19C, 0x1D0, 0x1D4
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x (null) 0x00000000 0x000fffff Private Memory rw True False False -
locale.nls 0x00100000 0x00166fff Memory Mapped File r False False False -
pagefile_0x0000000000170000 0x00170000 0x00176fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000180000 0x00180000 0x00181fff Pagefile Backed Memory rw True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory rw True False False -
vgasys.fon 0x001a0000 0x001a1fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x001b0fff Private Memory rw True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001cffff Pagefile Backed Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0020ffff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0022ffff Private Memory rw True False False -
marlett.ttf 0x00210000 0x00216fff Memory Mapped File r False False False -
pagefile_0x0000000000220000 0x00220000 0x0023ffff Pagefile Backed Memory r True False False -
private_0x0000000000240000 0x00240000 0x0027ffff Private Memory rw True False False -
pagefile_0x0000000000280000 0x00280000 0x0028ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000000290000 0x00290000 0x00291fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a3fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a1fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002affff Pagefile Backed Memory rw True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a2fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000002b0000 0x002b0000 0x002b1fff Pagefile Backed Memory rw True False False -
windowsshell.manifest 0x002b0000 0x002b0fff Memory Mapped File r False False False -
pagefile_0x00000000002b0000 0x002b0000 0x002b3fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000002b0000 0x002b0000 0x002b2fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000002b0000 0x002b0000 0x002bffff Pagefile Backed Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x002fffff Private Memory rw True False False -
pagefile_0x0000000000300000 0x00300000 0x00301fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000300000 0x00300000 0x0030ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000310000 0x00310000 0x00311fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000310000 0x00310000 0x00310fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000310000 0x00310000 0x0031ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000320000 0x00320000 0x00321fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000320000 0x00320000 0x00322fff Pagefile Backed Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
pagefile_0x0000000000430000 0x00430000 0x00530fff Pagefile Backed Memory r True False False -
segoeui.ttf 0x00540000 0x005befff Memory Mapped File r False False False -
private_0x00000000005c0000 0x005c0000 0x005cffff Private Memory rw True False False -
pagefile_0x00000000005d0000 0x005d0000 0x009c2fff Pagefile Backed Memory r True False False -
private_0x0000000000a00000 0x00a00000 0x00a3ffff Private Memory rw True False False -
private_0x0000000000a90000 0x00a90000 0x00acffff Private Memory rw True False False -
pagefile_0x0000000000ad0000 0x00ad0000 0x00b97fff Pagefile Backed Memory r True False False -
private_0x0000000000c00000 0x00c00000 0x00c3ffff Private Memory rw True False False -
private_0x0000000000cd0000 0x00cd0000 0x00d0ffff Private Memory rw True False False -
pagefile_0x0000000000d10000 0x00d10000 0x0190ffff Pagefile Backed Memory r True False False -
micross.ttf 0x01910000 0x019affff Memory Mapped File r False False False -
csrss.exe 0x4a3f0000 0x4a3f4fff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
sxs.dll 0x752b0000 0x7530efff Memory Mapped File rwx False False False -
sxssrv.dll 0x75330000 0x75338fff Memory Mapped File rwx False False False -
winsrv.dll 0x75340000 0x7536bfff Memory Mapped File rwx False False False -
basesrv.dll 0x75370000 0x7537dfff Memory Mapped File rwx False False False -
csrsrv.dll 0x75380000 0x7538cfff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory rw True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #16: winlogon.exe
Information Value
ID #16
File Name c:\windows\system32\winlogon.exe
Command Line winlogon.exe
Initial Working Directory C:\Windows\system32
Monitor Start Time: 00:03:49, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:01:29
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x17c
Parent PID 0x150 (c:\windows\system32\smss.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x180
0x1C8
0x1CC
0x2C4
0x314
0x3F4
0x3FC
0x418
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
locale.nls 0x00020000 0x00086fff Memory Mapped File r False False False -
pagefile_0x0000000000090000 0x00090000 0x00157fff Pagefile Backed Memory r True False False -
imm32.dll 0x00160000 0x0017cfff Memory Mapped File r False False False -
pagefile_0x0000000000160000 0x00160000 0x00166fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000170000 0x00170000 0x00171fff Pagefile Backed Memory rw True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x001dffff Private Memory rw True False False -
winlogon.exe 0x001e0000 0x00227fff Memory Mapped File rwx False False False -
private_0x0000000000230000 0x00230000 0x00230fff Private Memory rw True False False -
pagefile_0x0000000000230000 0x00230000 0x0024ffff Pagefile Backed Memory r True False False -
private_0x0000000000250000 0x00250000 0x0028ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0052ffff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00390fff Pagefile Backed Memory r True False False -
segoeui.ttf 0x003a0000 0x0041efff Memory Mapped File r False False False -
segoeuib.ttf 0x003a0000 0x00419fff Memory Mapped File r False False False -
aero_arrow.cur 0x003a0000 0x003a3fff Memory Mapped File r False False False -
aero_busy.ani 0x003a0000 0x003ddfff Memory Mapped File r False False False -
aero_up.cur 0x003a0000 0x003a3fff Memory Mapped File r False False False -
aero_nwse.cur 0x003a0000 0x003a3fff Memory Mapped File r False False False -
aero_nesw.cur 0x003a0000 0x003a3fff Memory Mapped File r False False False -
aero_ew.cur 0x003a0000 0x003a3fff Memory Mapped File r False False False -
aero_ns.cur 0x003a0000 0x003a3fff Memory Mapped File r False False False -
aero_move.cur 0x003a0000 0x003a3fff Memory Mapped File r False False False -
aero_unavail.cur 0x003a0000 0x003a3fff Memory Mapped File r False False False -
aero_working.ani 0x003a0000 0x003ddfff Memory Mapped File r False False False -
aero_helpsel.cur 0x003a0000 0x003a3fff Memory Mapped File r False False False -
aero_pen.cur 0x003a0000 0x003a3fff Memory Mapped File r False False False -
aero_link.cur 0x003a0000 0x003a3fff Memory Mapped File r False False False -
private_0x00000000003a0000 0x003a0000 0x003a0fff Private Memory rw True False False -
rsaenh.dll 0x003a0000 0x003dbfff Memory Mapped File r False False False -
private_0x00000000003b0000 0x003b0000 0x003b0fff Private Memory rw True False False -
pagefile_0x00000000003c0000 0x003c0000 0x003cffff Pagefile Backed Memory r True False False -
private_0x00000000003d0000 0x003d0000 0x003d0fff Private Memory rw True False False -
aero_arrow.cur 0x003d0000 0x003d3fff Memory Mapped File r False False False -
aero_up.cur 0x003d0000 0x003d3fff Memory Mapped File r False False False -
aero_nwse.cur 0x003d0000 0x003d3fff Memory Mapped File r False False False -
aero_nesw.cur 0x003d0000 0x003d3fff Memory Mapped File r False False False -
aero_ew.cur 0x003d0000 0x003d3fff Memory Mapped File r False False False -
aero_ns.cur 0x003d0000 0x003d3fff Memory Mapped File r False False False -
aero_move.cur 0x003d0000 0x003d3fff Memory Mapped File r False False False -
aero_unavail.cur 0x003d0000 0x003d3fff Memory Mapped File r False False False -
aero_helpsel.cur 0x003d0000 0x003d3fff Memory Mapped File r False False False -
aero_pen.cur 0x003d0000 0x003d3fff Memory Mapped File r False False False -
aero_link.cur 0x003d0000 0x003d3fff Memory Mapped File r False False False -
pagefile_0x00000000003d0000 0x003d0000 0x003d0fff Pagefile Backed Memory r True False False -
private_0x00000000003e0000 0x003e0000 0x003e0fff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x003f0fff Private Memory rw True False False -
aero_busy.ani 0x003f0000 0x0042dfff Memory Mapped File r False False False -
aero_working.ani 0x003f0000 0x0042dfff Memory Mapped File r False False False -
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory rw True False False -
private_0x0000000000530000 0x00530000 0x006dffff Private Memory rw True False False -
private_0x0000000000530000 0x00530000 0x0066ffff Private Memory rw True False False -
private_0x0000000000530000 0x00530000 0x005cffff Private Memory rw True False False -
private_0x0000000000530000 0x00530000 0x0056ffff Private Memory rw True False False -
private_0x0000000000590000 0x00590000 0x005cffff Private Memory rw True False False -
private_0x0000000000630000 0x00630000 0x0066ffff Private Memory rw True False False -
private_0x00000000006d0000 0x006d0000 0x006dffff Private Memory rw True False False -
pagefile_0x00000000006e0000 0x006e0000 0x00ad2fff Pagefile Backed Memory r True False False -
private_0x0000000000ae0000 0x00ae0000 0x00ccffff Private Memory rw True False False -
private_0x0000000000ae0000 0x00ae0000 0x00c5ffff Private Memory rw True False False -
private_0x0000000000b10000 0x00b10000 0x00b4ffff Private Memory rw True False False -
private_0x0000000000b70000 0x00b70000 0x00baffff Private Memory rw True False False -
private_0x0000000000bb0000 0x00bb0000 0x00beffff Private Memory rw True False False -
private_0x0000000000c20000 0x00c20000 0x00c5ffff Private Memory rw True False False -
private_0x0000000000c90000 0x00c90000 0x00ccffff Private Memory rw True False False -
private_0x0000000000cd0000 0x00cd0000 0x00e6ffff Private Memory rw True False False -
tahoma.ttf 0x00cd0000 0x00d7afff Memory Mapped File r False False False -
micross.ttf 0x00cd0000 0x00d6ffff Memory Mapped File r False False False -
aero.msstyles 0x00cd0000 0x00dedfff Memory Mapped File r False False False -
pagefile_0x0000000000cd0000 0x00cd0000 0x00daefff Pagefile Backed Memory r True False False -
private_0x0000000000ce0000 0x00ce0000 0x00d1ffff Private Memory rw True False False -
private_0x0000000000d20000 0x00d20000 0x00d9ffff Private Memory rw True False False -
private_0x0000000000db0000 0x00db0000 0x00deffff Private Memory rw True False False -
private_0x0000000000e30000 0x00e30000 0x00e6ffff Private Memory rw True False False -
batang.ttc 0x00e70000 0x01df2fff Memory Mapped File r False False False -
gulim.ttc 0x00e70000 0x01b55fff Memory Mapped File r False False False -
malgun.ttf 0x00e70000 0x01292fff Memory Mapped File r False False False -
malgunbd.ttf 0x00e70000 0x012befff Memory Mapped File r False False False -
meiryo.ttc 0x00e70000 0x01787fff Memory Mapped File r False False False -
meiryob.ttc 0x00e70000 0x017bcfff Memory Mapped File r False False False -
msjh.ttf 0x00e70000 0x02318fff Memory Mapped File r False False False -
msjhbd.ttf 0x00e70000 0x01c46fff Memory Mapped File r False False False -
msyh.ttf 0x00e70000 0x02332fff Memory Mapped File r False False False -
msyhbd.ttf 0x00e70000 0x01c5dfff Memory Mapped File r False False False -
mingliu.ttc 0x00e70000 0x02d29fff Memory Mapped File r False False False -
mingliub.ttc 0x00e70000 0x02eadfff Memory Mapped File r False False False -
msgothic.ttc 0x00e70000 0x01730fff Memory Mapped File r False False False -
msmincho.ttc 0x00e70000 0x01807fff Memory Mapped File r False False False -
simsun.ttc 0x00e70000 0x01d0dfff Memory Mapped File r False False False -
simsunb.ttf 0x00e70000 0x01d21fff Memory Mapped File r False False False -
private_0x0000000000e70000 0x00e70000 0x0108ffff Private Memory rw True False False -
private_0x0000000000e70000 0x00e70000 0x00fdffff Private Memory rw True False False -
aero.msstyles 0x00e70000 0x00f8dfff Memory Mapped File r False False False -
private_0x0000000000e70000 0x00e70000 0x00f72fff Private Memory rw True False False -
private_0x0000000000e70000 0x00e70000 0x00f6ffff Private Memory rw True False False -
private_0x0000000000fa0000 0x00fa0000 0x00fdffff Private Memory rw True False False -
private_0x0000000001050000 0x01050000 0x0108ffff Private Memory rw True False False -
sortdefault.nls 0x01090000 0x0135efff Memory Mapped File r False False False -
private_0x0000000001360000 0x01360000 0x01d5ffff Private Memory rw True False False -
pagefile_0x0000000001360000 0x01360000 0x01f5ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001d60000 0x01d60000 0x0275ffff Pagefile Backed Memory rw True False False -
private_0x0000000001f60000 0x01f60000 0x020fffff Private Memory rw True False False -
pagefile_0x0000000001f60000 0x01f60000 0x0203efff Pagefile Backed Memory r True False False -
private_0x00000000020c0000 0x020c0000 0x020fffff Private Memory rw True False False -
private_0x0000000002100000 0x02100000 0x0228ffff Private Memory rw True False False -
kbdus.dll 0x72170000 0x72173fff Memory Mapped File rwx False False False -
uxinit.dll 0x73600000 0x73607fff Memory Mapped File rwx False False False -
slc.dll 0x73610000 0x73619fff Memory Mapped File rwx False False False -
wkscli.dll 0x73bb0000 0x73bbefff Memory Mapped File rwx False False False -
netutils.dll 0x73bc0000 0x73bc8fff Memory Mapped File rwx False False False -
windowscodecs.dll 0x73cf0000 0x73deafff Memory Mapped File rwx False False False -
uxtheme.dll 0x74150000 0x7418ffff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bc0000 0x74bfafff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e20000 0x74e35fff Memory Mapped File rwx False False False -
netjoin.dll 0x74ef0000 0x74f1afff Memory Mapped File rwx False False False -
kbdus.dll 0x75200000 0x75203fff Memory Mapped File rwx False False False -
kbdus.dll 0x75210000 0x75213fff Memory Mapped File rwx False False False -
sspicli.dll 0x75250000 0x7526afff Memory Mapped File rwx False False False -
winsta.dll 0x75270000 0x75298fff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75310000 0x7531dfff Memory Mapped File rwx False False False -
profapi.dll 0x75320000 0x7532afff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
ole32.dll 0x76a70000 0x76bcbfff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
For performance reasons, the remaining entry is omitted.
The remaining entries can be found in flog.txt.
Process #17: services.exe
Information Value
ID #17
File Name c:\windows\system32\services.exe
Command Line C:\Windows\system32\services.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:51, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:01:27
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1a8
Parent PID 0x158 (c:\windows\system32\wininit.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x1AC
0x204
0x208
0x20C
0x210
0x214
0x218
0x21C
0x220
0x224
0x228
0x26C
0x3F8
0x538
0x550
0x558
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
imm32.dll 0x000c0000 0x000dcfff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x0013ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000000140000 0x00140000 0x00141fff Pagefile Backed Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x002dffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x001a0fff Private Memory rw True False False -
tsusbflt.sys 0x001b0000 0x001bcfff Memory Mapped File rwx False False False -
private_0x00000000001b0000 0x001b0000 0x001b0fff Private Memory rw True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b4fff Pagefile Backed Memory rw True False False -
tsusbflt.sys.mui 0x001c0000 0x001c0fff Memory Mapped File rw False False False -
private_0x00000000001c0000 0x001c0000 0x001c0fff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x001d0fff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x0046ffff Private Memory rw True False False -
pagefile_0x00000000002e0000 0x002e0000 0x003a7fff Pagefile Backed Memory r True False False -
private_0x00000000003b0000 0x003b0000 0x003b0fff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x003c0fff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x0040ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x00410fff Private Memory rw True False False -
private_0x0000000000420000 0x00420000 0x00420fff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x00430fff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x00440fff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x00450fff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory rw True False False -
pagefile_0x0000000000470000 0x00470000 0x00570fff Pagefile Backed Memory r True False False -
private_0x0000000000580000 0x00580000 0x005bffff Private Memory rw True False False -
private_0x00000000005c0000 0x005c0000 0x005c0fff Private Memory rw True False False -
private_0x00000000005d0000 0x005d0000 0x005d0fff Private Memory rw True False False -
private_0x00000000005e0000 0x005e0000 0x0061ffff Private Memory rw True False False -
services.exe 0x00620000 0x00660fff Memory Mapped File rwx False False False -
pagefile_0x0000000000670000 0x00670000 0x00a62fff Pagefile Backed Memory r True False False -
private_0x0000000000a70000 0x00a70000 0x00c2ffff Private Memory rw True False False -
private_0x0000000000a70000 0x00a70000 0x00a70fff Private Memory rw True False False -
private_0x0000000000a80000 0x00a80000 0x00abffff Private Memory rw True False False -
private_0x0000000000ac0000 0x00ac0000 0x00ac0fff Private Memory rw True False False -
private_0x0000000000ad0000 0x00ad0000 0x00ad0fff Private Memory rw True False False -
private_0x0000000000ae0000 0x00ae0000 0x00ae0fff Private Memory rw True False False -
private_0x0000000000af0000 0x00af0000 0x00af0fff Private Memory rw True False False -
private_0x0000000000b00000 0x00b00000 0x00b00fff Private Memory rw True False False -
private_0x0000000000b10000 0x00b10000 0x00b10fff Private Memory rw True False False -
private_0x0000000000b20000 0x00b20000 0x00b20fff Private Memory rw True False False -
private_0x0000000000b30000 0x00b30000 0x00b6ffff Private Memory rw True False False -
private_0x0000000000b70000 0x00b70000 0x00b70fff Private Memory rw True False False -
private_0x0000000000b80000 0x00b80000 0x00b80fff Private Memory rw True False False -
private_0x0000000000b90000 0x00b90000 0x00bcffff Private Memory rw True False False -
private_0x0000000000bd0000 0x00bd0000 0x00bd0fff Private Memory rw True False False -
private_0x0000000000be0000 0x00be0000 0x00be0fff Private Memory rw True False False -
private_0x0000000000bf0000 0x00bf0000 0x00c2ffff Private Memory rw True False False -
private_0x0000000000c30000 0x00c30000 0x00c30fff Private Memory rw True False False -
private_0x0000000000c40000 0x00c40000 0x00c40fff Private Memory rw True False False -
private_0x0000000000c50000 0x00c50000 0x00c50fff Private Memory rw True False False -
private_0x0000000000c60000 0x00c60000 0x00c60fff Private Memory rw True False False -
private_0x0000000000c70000 0x00c70000 0x00c70fff Private Memory rw True False False -
private_0x0000000000c80000 0x00c80000 0x00cbffff Private Memory rw True False False -
private_0x0000000000cc0000 0x00cc0000 0x00e0ffff Private Memory rw True False False -
private_0x0000000000cc0000 0x00cc0000 0x00cc0fff Private Memory rw True False False -
private_0x0000000000cd0000 0x00cd0000 0x00cd0fff Private Memory rw True False False -
private_0x0000000000ce0000 0x00ce0000 0x00ce0fff Private Memory rw True False False -
private_0x0000000000cf0000 0x00cf0000 0x00d2ffff Private Memory rw True False False -
private_0x0000000000d30000 0x00d30000 0x00d30fff Private Memory rw True False False -
private_0x0000000000d70000 0x00d70000 0x00daffff Private Memory rw True False False -
private_0x0000000000dd0000 0x00dd0000 0x00e0ffff Private Memory rw True False False -
private_0x0000000000e40000 0x00e40000 0x00e7ffff Private Memory rw True False False -
private_0x0000000000eb0000 0x00eb0000 0x00eeffff Private Memory rw True False False -
private_0x0000000000f00000 0x00f00000 0x00f3ffff Private Memory rw True False False -
private_0x0000000000f90000 0x00f90000 0x00fcffff Private Memory rw True False False -
private_0x0000000000fd0000 0x00fd0000 0x010cffff Private Memory rw True False False -
private_0x00000000010e0000 0x010e0000 0x0111ffff Private Memory rw True False False -
private_0x0000000001170000 0x01170000 0x011affff Private Memory rw True False False -
sortdefault.nls 0x011b0000 0x0147efff Memory Mapped File r False False False -
private_0x0000000001480000 0x01480000 0x0157ffff Private Memory rw True False False -
private_0x0000000001580000 0x01580000 0x0167ffff Private Memory rw True False False -
private_0x0000000001680000 0x01680000 0x0187ffff Private Memory rw True False False -
wtsapi32.dll 0x73cd0000 0x73cdcfff Memory Mapped File rwx False False False -
wshtcpip.dll 0x74900000 0x74904fff Memory Mapped File rwx False False False -
ubpm.dll 0x74aa0000 0x74acbfff Memory Mapped File rwx False False False -
credssp.dll 0x74ad0000 0x74ad7fff Memory Mapped File rwx False False False -
srvcli.dll 0x74ae0000 0x74af8fff Memory Mapped File rwx False False False -
wship6.dll 0x74dd0000 0x74dd5fff Memory Mapped File rwx False False False -
mswsock.dll 0x74de0000 0x74e1bfff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e20000 0x74e35fff Memory Mapped File rwx False False False -
authz.dll 0x74f90000 0x74faafff Memory Mapped File rwx False False False -
scesrv.dll 0x751c0000 0x7520dfff Memory Mapped File rwx False False False -
secur32.dll 0x75210000 0x75217fff Memory Mapped File rwx False False False -
scext.dll 0x75240000 0x7524efff Memory Mapped File rwx False False False -
sspicli.dll 0x75250000 0x7526afff Memory Mapped File rwx False False False -
winsta.dll 0x75270000 0x75298fff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75310000 0x7531dfff Memory Mapped File rwx False False False -
profapi.dll 0x75320000 0x7532afff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
ws2_32.dll 0x76ec0000 0x76ef4fff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
nsi.dll 0x77310000 0x77315fff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
private_0x000000007ffac000 0x7ffac000 0x7ffacfff Private Memory rw True False False -
private_0x000000007ffad000 0x7ffad000 0x7ffadfff Private Memory rw True False False -
private_0x000000007ffae000 0x7ffae000 0x7ffaefff Private Memory rw True False False -
private_0x000000007ffaf000 0x7ffaf000 0x7ffaffff Private Memory rw True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd3000 0x7ffd3000 0x7ffd3fff Private Memory rw True False False -
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory rw True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd5fff Private Memory rw True False False -
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory rw True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #18: lsass.exe
Information Value
ID #18
File Name c:\windows\system32\lsass.exe
Command Line C:\Windows\system32\lsass.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:51, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:01:27
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1b0
Parent PID 0x158 (c:\windows\system32\wininit.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x1B4
0x1D8
0x1E0
0x1E4
0x1E8
0x1F0
0x1F4
0x1F8
0x1FC
0x200
0x230
0x318
0x328
0x414
0x464
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00020fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory rw True False False -
private_0x0000000000050000 0x00050000 0x00050fff Private Memory rw True False False -
tzres.dll 0x00050000 0x00050fff Memory Mapped File r False False False -
private_0x0000000000090000 0x00090000 0x0023ffff Private Memory rw True False False -
locale.nls 0x00090000 0x000f6fff Memory Mapped File r False False False -
imm32.dll 0x00100000 0x0011cfff Memory Mapped File r False False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory rw True False False -
pagefile_0x0000000000120000 0x00120000 0x0012ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000130000 0x00130000 0x0013ffff Pagefile Backed Memory rw True False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
pagefile_0x0000000000240000 0x00240000 0x00246fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000250000 0x00250000 0x00251fff Pagefile Backed Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0029ffff Private Memory rw True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002affff Pagefile Backed Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x002effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0033ffff Private Memory rw True False False -
pagefile_0x0000000000340000 0x00340000 0x00407fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000410000 0x00410000 0x00510fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000520000 0x00520000 0x0059ffff Pagefile Backed Memory r True False False -
private_0x00000000005a0000 0x005a0000 0x005a0fff Private Memory rw True False False -
pagefile_0x00000000005a0000 0x005a0000 0x005a0fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000005a0000 0x005a0000 0x005affff Pagefile Backed Memory rw True False False -
c_28591.nls 0x005a0000 0x005b0fff Memory Mapped File r False False False -
tspkg.dll 0x005c0000 0x005cffff Memory Mapped File r False False False -
pagefile_0x00000000005c0000 0x005c0000 0x005cffff Pagefile Backed Memory rw True False False -
private_0x00000000005c0000 0x005c0000 0x005c0fff Private Memory rw True False False -
private_0x00000000005d0000 0x005d0000 0x0060ffff Private Memory rw True False False -
private_0x0000000000610000 0x00610000 0x00710fff Private Memory rw True False False -
rsaenh.dll 0x00610000 0x0064bfff Memory Mapped File r False False False -
private_0x0000000000610000 0x00610000 0x00610fff Private Memory rw True False False -
private_0x0000000000620000 0x00620000 0x00620fff Private Memory rw True False False -
private_0x0000000000630000 0x00630000 0x00630fff Private Memory rw True False False -
private_0x0000000000640000 0x00640000 0x00640fff Private Memory rw True False False -
private_0x0000000000650000 0x00650000 0x0068ffff Private Memory rw True False False -
private_0x0000000000690000 0x00690000 0x006cffff Private Memory rw True False False -
sortdefault.nls 0x006d0000 0x0099efff Memory Mapped File r False False False -
private_0x00000000009a0000 0x009a0000 0x009a0fff Private Memory rw True False False -
private_0x00000000009b0000 0x009b0000 0x009b0fff Private Memory rw True False False -
private_0x00000000009c0000 0x009c0000 0x009c0fff Private Memory rw True False False -
private_0x00000000009d0000 0x009d0000 0x009d0fff Private Memory rw True False False -
04ece708-132d-4bf0-a647-e3329269a012 0x009e0000 0x009e0fff Memory Mapped File r False False False -
private_0x00000000009e0000 0x009e0000 0x009e0fff Private Memory rw True False False -
pagefile_0x00000000009f0000 0x009f0000 0x009f4fff Pagefile Backed Memory rw True False False -
lsass.exe 0x00a00000 0x00a08fff Memory Mapped File rwx False False False -
pagefile_0x0000000000a10000 0x00a10000 0x00e02fff Pagefile Backed Memory r True False False -
private_0x0000000000e10000 0x00e10000 0x00f10fff Private Memory rw True False False -
private_0x0000000000e10000 0x00e10000 0x0100ffff Private Memory rw True False False -
private_0x0000000000e10000 0x00e10000 0x00f0ffff Private Memory rw True False False -
private_0x0000000000f10000 0x00f10000 0x00f8ffff Private Memory rw True False False -
private_0x0000000000f30000 0x00f30000 0x00f6ffff Private Memory rw True False False -
private_0x0000000000fd0000 0x00fd0000 0x0100ffff Private Memory rw True False False -
private_0x0000000001020000 0x01020000 0x0105ffff Private Memory rw True False False -
private_0x00000000010a0000 0x010a0000 0x010dffff Private Memory rw True False False -
private_0x00000000010f0000 0x010f0000 0x0112ffff Private Memory rw True False False -
private_0x0000000001110000 0x01110000 0x0114ffff Private Memory rw True False False -
private_0x0000000001190000 0x01190000 0x011cffff Private Memory rw True False False -
private_0x00000000011a0000 0x011a0000 0x011dffff Private Memory rw True False False -
winnsi.dll 0x72220000 0x72226fff Memory Mapped File rwx False False False -
iphlpapi.dll 0x72230000 0x7224bfff Memory Mapped File rwx False False False -
netutils.dll 0x73bc0000 0x73bc8fff Memory Mapped File rwx False False False -
wshtcpip.dll 0x74900000 0x74904fff Memory Mapped File rwx False False False -
userenv.dll 0x749d0000 0x749e6fff Memory Mapped File rwx False False False -
scecli.dll 0x74a70000 0x74a9dfff Memory Mapped File rwx False False False -
credssp.dll 0x74ad0000 0x74ad7fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74b00000 0x74b3cfff Memory Mapped File rwx False False False -
pku2u.dll 0x74b40000 0x74b73fff Memory Mapped File rwx False False False -
tspkg.dll 0x74b80000 0x74b91fff Memory Mapped File rwx False False False -
tspkg.dll 0x74ba0000 0x74bb1fff Memory Mapped File rwx False False False -
credssp.dll 0x74ba0000 0x74ba7fff Memory Mapped File rwx False False False -
efslsaext.dll 0x74bb0000 0x74bbcfff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bc0000 0x74bfafff Memory Mapped File rwx False False False -
wdigest.dll 0x74c00000 0x74c2bfff Memory Mapped File rwx False False False -
schannel.dll 0x74c30000 0x74c69fff Memory Mapped File rwx False False False -
logoncli.dll 0x74c70000 0x74c91fff Memory Mapped File rwx False False False -
dnsapi.dll 0x74ca0000 0x74ce3fff Memory Mapped File rwx False False False -
netlogon.dll 0x74cf0000 0x74d7bfff Memory Mapped File rwx False False False -
msv1_0.dll 0x74d80000 0x74dc1fff Memory Mapped File rwx False False False -
wship6.dll 0x74dd0000 0x74dd5fff Memory Mapped File rwx False False False -
mswsock.dll 0x74de0000 0x74e1bfff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e20000 0x74e35fff Memory Mapped File rwx False False False -
kerberos.dll 0x74e40000 0x74ec7fff Memory Mapped File rwx False False False -
negoexts.dll 0x74ed0000 0x74eeafff Memory Mapped File rwx False False False -
netjoin.dll 0x74ef0000 0x74f1afff Memory Mapped File rwx False False False -
msprivs.dll 0x74f20000 0x74f21fff Memory Mapped File rwx False False False -
bcrypt.dll 0x74f30000 0x74f46fff Memory Mapped File rwx False False False -
ncrypt.dll 0x74f50000 0x74f87fff Memory Mapped File rwx False False False -
authz.dll 0x74f90000 0x74faafff Memory Mapped File rwx False False False -
cngaudit.dll 0x74fb0000 0x74fb5fff Memory Mapped File rwx False False False -
wevtapi.dll 0x74fc0000 0x75001fff Memory Mapped File rwx False False False -
cryptdll.dll 0x75010000 0x75020fff Memory Mapped File rwx False False False -
samsrv.dll 0x75030000 0x750bafff Memory Mapped File rwx False False False -
lsasrv.dll 0x750c0000 0x751bffff Memory Mapped File rwx False False False -
secur32.dll 0x75210000 0x75217fff Memory Mapped File rwx False False False -
sspisrv.dll 0x75230000 0x75236fff Memory Mapped File rwx False False False -
sspicli.dll 0x75250000 0x7526afff Memory Mapped File rwx False False False -
winsta.dll 0x75270000 0x75298fff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75310000 0x7531dfff Memory Mapped File rwx False False False -
profapi.dll 0x75320000 0x7532afff Memory Mapped File rwx False False False -
msasn1.dll 0x75390000 0x7539bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
crypt32.dll 0x75480000 0x7559cfff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
ws2_32.dll 0x76ec0000 0x76ef4fff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
nsi.dll 0x77310000 0x77315fff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd5fff Private Memory rw True False False -
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory rw True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #19: lsm.exe
Information Value
ID #19
File Name c:\windows\system32\lsm.exe
Command Line C:\Windows\system32\lsm.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:51, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:01:27
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1bc
Parent PID 0x158 (c:\windows\system32\wininit.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x1C0, 0x22C, 0x2B4, 0x2BC, 0x2D0, 0x2D4, 0x2D8, 0x2DC, 0x2E8, 0x2F0
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00051fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
private_0x0000000000070000 0x00070000 0x000affff Private Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x002bffff Private Memory rw True False False -
locale.nls 0x000b0000 0x00116fff Memory Mapped File r False False False -
private_0x0000000000120000 0x00120000 0x0018ffff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x0015ffff Private Memory rw True False False -
pagefile_0x0000000000160000 0x00160000 0x00166fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000170000 0x00170000 0x00171fff Pagefile Backed Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0018ffff Private Memory rw True False False -
lsm.exe.mui 0x00190000 0x00191fff Memory Mapped File rw False False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory rw True False False -
lsm.exe 0x002e0000 0x00323fff Memory Mapped File rwx False False False -
private_0x0000000000360000 0x00360000 0x0039ffff Private Memory rw True False False -
sortdefault.nls 0x003a0000 0x0066efff Memory Mapped File r False False False -
private_0x0000000000680000 0x00680000 0x006bffff Private Memory rw True False False -
private_0x0000000000700000 0x00700000 0x0073ffff Private Memory rw True False False -
private_0x0000000000740000 0x00740000 0x007effff Private Memory rw True False False -
private_0x0000000000870000 0x00870000 0x008affff Private Memory rw True False False -
private_0x00000000008b0000 0x008b0000 0x008effff Private Memory rw True False False -
private_0x00000000009d0000 0x009d0000 0x00a0ffff Private Memory rw True False False -
private_0x0000000000a30000 0x00a30000 0x00a6ffff Private Memory rw True False False -
private_0x0000000000b00000 0x00b00000 0x00b3ffff Private Memory rw True False False -
pcwum.dll 0x74980000 0x7498afff Memory Mapped File rwx False False False -
credssp.dll 0x74ad0000 0x74ad7fff Memory Mapped File rwx False False False -
wmsgapi.dll 0x74ba0000 0x74ba5fff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e20000 0x74e35fff Memory Mapped File rwx False False False -
secur32.dll 0x75210000 0x75217fff Memory Mapped File rwx False False False -
sysntfy.dll 0x75220000 0x75226fff Memory Mapped File rwx False False False -
sspicli.dll 0x75250000 0x7526afff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75310000 0x7531dfff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd3000 0x7ffd3000 0x7ffd3fff Private Memory rw True False False -
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory rw True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #20: svchost.exe
Information Value
ID #20
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k DcomLaunch
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:01, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:01:17
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x234
Parent PID 0x1a8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x238, 0x23C, 0x240, 0x244, 0x248, 0x24C, 0x250, 0x254, 0x258, 0x25C, 0x260, 0x264, 0x268, 0x274, 0x280, 0x284, 0x28C, 0x688, 0x6D8, 0x708
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
imm32.dll 0x000c0000 0x000dcfff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x0040ffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x002dffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x00130fff Private Memory rw True False False -
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000140000 0x00140000 0x00140fff Pagefile Backed Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0018ffff Private Memory rw True False False -
pagefile_0x0000000000150000 0x00150000 0x00150fff Pagefile Backed Memory r True False False -
private_0x0000000000160000 0x00160000 0x00160fff Private Memory rw True False False -
pagefile_0x0000000000160000 0x00160000 0x0016bfff Pagefile Backed Memory rw True False False -
private_0x0000000000190000 0x00190000 0x001cffff Private Memory rw True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d0fff Pagefile Backed Memory r True False False -
private_0x00000000001e0000 0x001e0000 0x0021ffff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0025ffff Private Memory rw True False False -
pagefile_0x0000000000260000 0x00260000 0x00260fff Pagefile Backed Memory r True False False -
private_0x0000000000270000 0x00270000 0x002affff Private Memory rw True False False -
pagefile_0x00000000002b0000 0x002b0000 0x002c6fff Pagefile Backed Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x002dffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
sortdefault.nls 0x00410000 0x006defff Memory Mapped File r False False False -
pagefile_0x00000000006e0000 0x006e0000 0x007a7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007b0000 0x007b0000 0x008b0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000008c0000 0x008c0000 0x0093ffff Pagefile Backed Memory r True False False -
private_0x0000000000940000 0x00940000 0x009effff Private Memory rw True False False -
private_0x0000000000960000 0x00960000 0x0099ffff Private Memory rw True False False -
private_0x00000000009a0000 0x009a0000 0x009dffff Private Memory rw True False False -
private_0x00000000009e0000 0x009e0000 0x009effff Private Memory rw True False False -
private_0x0000000000a10000 0x00a10000 0x00a4ffff Private Memory rw True False False -
private_0x0000000000a50000 0x00a50000 0x00a8ffff Private Memory rw True False False -
private_0x0000000000aa0000 0x00aa0000 0x00adffff Private Memory rw True False False -
svchost.exe 0x00ae0000 0x00ae7fff Memory Mapped File rwx False False False -
pagefile_0x0000000000af0000 0x00af0000 0x00ee2fff Pagefile Backed Memory r True False False -
private_0x0000000000ef0000 0x00ef0000 0x00fcffff Private Memory rw True False False -
private_0x0000000000ef0000 0x00ef0000 0x00f2ffff Private Memory rw True False False -
private_0x0000000000f30000 0x00f30000 0x00f6ffff Private Memory rw True False False -
rsaenh.dll 0x00f30000 0x00f6bfff Memory Mapped File r False False False -
private_0x0000000000f90000 0x00f90000 0x00fcffff Private Memory rw True False False -
private_0x0000000000fe0000 0x00fe0000 0x0101ffff Private Memory rw True False False -
private_0x0000000001060000 0x01060000 0x0109ffff Private Memory rw True False False -
private_0x00000000010c0000 0x010c0000 0x010fffff Private Memory rw True False False -
private_0x0000000001110000 0x01110000 0x0114ffff Private Memory rw True False False -
private_0x0000000001180000 0x01180000 0x011bffff Private Memory rw True False False -
private_0x00000000011c0000 0x011c0000 0x012bffff Private Memory rw True False False -
private_0x00000000012c0000 0x012c0000 0x013bffff Private Memory rw True False False -
private_0x00000000013c0000 0x013c0000 0x0155ffff Private Memory rw True False False -
private_0x00000000013c0000 0x013c0000 0x0143ffff Private Memory rw True False False -
private_0x00000000014d0000 0x014d0000 0x0150ffff Private Memory rw True False False -
private_0x0000000001520000 0x01520000 0x0155ffff Private Memory rw True False False -
setupapi.dev.log 0x01560000 0x018c4fff Memory Mapped File rw True True False
wmiutils.dll 0x70930000 0x70946fff Memory Mapped File rwx False False False -
wbemsvc.dll 0x709a0000 0x709aefff Memory Mapped File rwx False False False -
wbemprox.dll 0x70c20000 0x70c29fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x70c30000 0x70c47fff Memory Mapped File rwx False False False -
fastprox.dll 0x70c50000 0x70ce5fff Memory Mapped File rwx False False False -
wmidcprv.dll 0x70cf0000 0x70d12fff Memory Mapped File rwx False False False -
wbemcomn.dll 0x70e20000 0x70e7bfff Memory Mapped File rwx False False False -
ntmarta.dll 0x74730000 0x74750fff Memory Mapped File rwx False False False -
powrprof.dll 0x74920000 0x74944fff Memory Mapped File rwx False False False -
rpcss.dll 0x74920000 0x7497efff Memory Mapped File rwx False False False -
powrprof.dll 0x74950000 0x74974fff Memory Mapped File rwx False False False -
pcwum.dll 0x74980000 0x7498afff Memory Mapped File rwx False False False -
umpo.dll 0x74990000 0x749affff Memory Mapped File rwx False False False -
gpapi.dll 0x749b0000 0x749c5fff Memory Mapped File rwx False False False -
userenv.dll 0x749d0000 0x749e6fff Memory Mapped File rwx False False False -
devrtl.dll 0x749f0000 0x749fdfff Memory Mapped File rwx False False False -
spinf.dll 0x74a00000 0x74a14fff Memory Mapped File rwx False False False -
umpnpmgr.dll 0x74a20000 0x74a68fff Memory Mapped File rwx False False False -
credssp.dll 0x74ad0000 0x74ad7fff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bc0000 0x74bfafff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e20000 0x74e35fff Memory Mapped File rwx False False False -
sspicli.dll 0x75250000 0x7526afff Memory Mapped File rwx False False False -
winsta.dll 0x75270000 0x75298fff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75310000 0x7531dfff Memory Mapped File rwx False False False -
profapi.dll 0x75320000 0x7532afff Memory Mapped File rwx False False False -
msasn1.dll 0x75390000 0x7539bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
crypt32.dll 0x75480000 0x7559cfff Memory Mapped File rwx False False False -
wintrust.dll 0x755a0000 0x755ccfff Memory Mapped File rwx False False False -
devobj.dll 0x755d0000 0x755e1fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x755f0000 0x75616fff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
oleaut32.dll 0x767c0000 0x7684efff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
ole32.dll 0x76a70000 0x76bcbfff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
ws2_32.dll 0x76ec0000 0x76ef4fff Memory Mapped File rwx False False False -
clbcatq.dll 0x76f00000 0x76f82fff Memory Mapped File rwx False False False -
setupapi.dll 0x76f90000 0x7712cfff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
nsi.dll 0x77310000 0x77315fff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
wldap32.dll 0x77370000 0x773b4fff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
private_0x000000007ffac000 0x7ffac000 0x7ffacfff Private Memory rw True False False -
private_0x000000007ffad000 0x7ffad000 0x7ffadfff Private Memory rw True False False -
private_0x000000007ffae000 0x7ffae000 0x7ffaefff Private Memory rw True False False -
private_0x000000007ffaf000 0x7ffaf000 0x7ffaffff Private Memory rw True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd3000 0x7ffd3000 0x7ffd3fff Private Memory rw True False False -
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory rw True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd5fff Private Memory rw True False False -
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory rw True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #21: svchost.exe
Information Value
ID #21
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k RPCSS
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:02, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:01:16
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x278
Parent PID 0x1a8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Network Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x27C, 0x288, 0x290, 0x294, 0x298, 0x29C, 0x2A0, 0x2A4, 0x400, 0x734, 0x740
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
rsaenh.dll 0x00050000 0x0008bfff Memory Mapped File r False False False -
imm32.dll 0x00050000 0x0006cfff Memory Mapped File r False False False -
pagefile_0x0000000000050000 0x00050000 0x00051fff Pagefile Backed Memory rw True False False -
private_0x0000000000060000 0x00060000 0x00060fff Private Memory rw True False False -
private_0x0000000000070000 0x00070000 0x00070fff Private Memory rw True False False -
pagefile_0x0000000000080000 0x00080000 0x00080fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x000cffff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x0033ffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
pagefile_0x0000000000140000 0x00140000 0x00140fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0020ffff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0045ffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x0037ffff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x0042ffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x0043ffff Private Memory rw True False False -
private_0x0000000000450000 0x00450000 0x0045ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x004bffff Private Memory rw True False False -
private_0x00000000004c0000 0x004c0000 0x004fffff Private Memory rw True False False -
sortdefault.nls 0x00500000 0x007cefff Memory Mapped File r False False False -
pagefile_0x00000000007d0000 0x007d0000 0x00897fff Pagefile Backed Memory r True False False -
pagefile_0x00000000008a0000 0x008a0000 0x009a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000009b0000 0x009b0000 0x00a2ffff Pagefile Backed Memory r True False False -
private_0x0000000000a40000 0x00a40000 0x00a7ffff Private Memory rw True False False -
svchost.exe 0x00ae0000 0x00ae7fff Memory Mapped File rwx False False False -
pagefile_0x0000000000af0000 0x00af0000 0x00ee2fff Pagefile Backed Memory r True False False -
private_0x0000000000f00000 0x00f00000 0x00f3ffff Private Memory rw True False False -
private_0x0000000000f40000 0x00f40000 0x010fffff Private Memory rw True False False -
private_0x0000000000f40000 0x00f40000 0x00f7ffff Private Memory rw True False False -
private_0x0000000000f80000 0x00f80000 0x0107ffff Private Memory rw True False False -
private_0x00000000010c0000 0x010c0000 0x010fffff Private Memory rw True False False -
fwpuclnt.dll 0x71d20000 0x71d57fff Memory Mapped File rwx False False False -
version.dll 0x74870000 0x74878fff Memory Mapped File rwx False False False -
firewallapi.dll 0x74880000 0x748f5fff Memory Mapped File rwx False False False -
wshqos.dll 0x748e0000 0x748e5fff Memory Mapped File rwx False False False -
wshqos.dll 0x748f0000 0x748f5fff Memory Mapped File rwx False False False -
wshtcpip.dll 0x74900000 0x74904fff Memory Mapped File rwx False False False -
rpcepmap.dll 0x74910000 0x7491dfff Memory Mapped File rwx False False False -
rpcss.dll 0x74920000 0x7497efff Memory Mapped File rwx False False False -
credssp.dll 0x74ad0000 0x74ad7fff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bc0000 0x74bfafff Memory Mapped File rwx False False False -
wship6.dll 0x74dd0000 0x74dd5fff Memory Mapped File rwx False False False -
mswsock.dll 0x74de0000 0x74e1bfff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e20000 0x74e35fff Memory Mapped File rwx False False False -
secur32.dll 0x75210000 0x75217fff Memory Mapped File rwx False False False -
sspicli.dll 0x75250000 0x7526afff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75310000 0x7531dfff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
oleaut32.dll 0x767c0000 0x7684efff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
ole32.dll 0x76a70000 0x76bcbfff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
ws2_32.dll 0x76ec0000 0x76ef4fff Memory Mapped File rwx False False False -
clbcatq.dll 0x76f00000 0x76f82fff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
nsi.dll 0x77310000 0x77315fff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd5fff Private Memory rw True False False -
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory rw True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #22: svchost.exe
Information Value
ID #22
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:03, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:01:15
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x2a8
Parent PID 0x1a8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Local Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x2AC, 0x2B8, 0x2C0, 0x2C8, 0x2CC, 0x2E0, 0x2E4, 0x334, 0x33C, 0x354, 0x358, 0x364, 0x388, 0x38C, 0x390, 0x3A0, 0x3A8, 0x478, 0x490, 0x4A4, 0x4B8, 0x4CC, 0x4D0
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x00187fff Pagefile Backed Memory r True False False -
imm32.dll 0x00190000 0x001acfff Memory Mapped File r False False False -
pagefile_0x0000000000190000 0x00190000 0x00191fff Pagefile Backed Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x001a0fff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0043ffff Private Memory rw True False False -
pagefile_0x00000000001f0000 0x001f0000 0x002f0fff Pagefile Backed Memory r True False False -
private_0x0000000000300000 0x00300000 0x00300fff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0032ffff Private Memory rw True False False -
tzres.dll 0x00330000 0x00330fff Memory Mapped File r False False False -
private_0x0000000000330000 0x00330000 0x00330fff Private Memory rw True False False -
pagefile_0x0000000000330000 0x00330000 0x00330fff Pagefile Backed Memory r True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x0059ffff Private Memory rw True False False -
pagefile_0x0000000000440000 0x00440000 0x004bffff Pagefile Backed Memory r True False False -
rpcss.dll 0x004c0000 0x0051bfff Memory Mapped File r False False False -
private_0x00000000004c0000 0x004c0000 0x004fffff Private Memory rw True False False -
private_0x0000000000500000 0x00500000 0x00557fff Private Memory rw True False False -
private_0x0000000000500000 0x00500000 0x0051ffff Private Memory rw True False False -
private_0x0000000000520000 0x00520000 0x0053ffff Private Memory rw True False False -
pagefile_0x0000000000540000 0x00540000 0x00540fff Pagefile Backed Memory r True False False -
private_0x0000000000550000 0x00550000 0x00557fff Private Memory rw True False False -
private_0x0000000000560000 0x00560000 0x0057ffff Private Memory rw True False False -
private_0x0000000000580000 0x00580000 0x00580fff Private Memory rw True False False -
private_0x0000000000590000 0x00590000 0x0059ffff Private Memory rw True False False -
pagefile_0x00000000005a0000 0x005a0000 0x00992fff Pagefile Backed Memory r True False False -
private_0x00000000009a0000 0x009a0000 0x009a0fff Private Memory rw True False False -
pagefile_0x00000000009b0000 0x009b0000 0x009b0fff Pagefile Backed Memory rw True False False -
private_0x00000000009c0000 0x009c0000 0x009fffff Private Memory rw True False False -
private_0x0000000000a00000 0x00a00000 0x00a3ffff Private Memory rw True False False -
services.exe 0x00a40000 0x00a80fff Memory Mapped File rwx False False False -
private_0x0000000000a50000 0x00a50000 0x00a8ffff Private Memory rw True False False -
private_0x0000000000aa0000 0x00aa0000 0x00adffff Private Memory rw True False False -
svchost.exe 0x00ae0000 0x00ae7fff Memory Mapped File rwx False False False -
sortdefault.nls 0x00af0000 0x00dbefff Memory Mapped File r False False False -
private_0x0000000000dc0000 0x00dc0000 0x00ebffff Private Memory rw True False False -
fltmgr.sys 0x00ec0000 0x00ef3fff Memory Mapped File rwx False False False -
winlogon.exe 0x00ec0000 0x00f07fff Memory Mapped File rwx False False False -
private_0x0000000000f10000 0x00f10000 0x00f4ffff Private Memory rw True False False -
private_0x0000000000f50000 0x00f50000 0x00f8ffff Private Memory rw True False False -
private_0x0000000000f90000 0x00f90000 0x00fcffff Private Memory rw True False False -
private_0x0000000000ff0000 0x00ff0000 0x0102ffff Private Memory rw True False False -
lsm.exe 0x01030000 0x01073fff Memory Mapped File rwx False False False -
private_0x0000000001070000 0x01070000 0x010affff Private Memory rw True False False -
private_0x0000000001080000 0x01080000 0x010bffff Private Memory rw True False False -
private_0x0000000001100000 0x01100000 0x0113ffff Private Memory rw True False False -
private_0x0000000001170000 0x01170000 0x011affff Private Memory rw True False False -
private_0x00000000011c0000 0x011c0000 0x011fffff Private Memory rw True False False -
private_0x0000000001210000 0x01210000 0x0124ffff Private Memory rw True False False -
private_0x0000000001250000 0x01250000 0x0134ffff Private Memory rw True False False -
private_0x0000000001350000 0x01350000 0x0144ffff Private Memory rw True False False -
private_0x0000000001460000 0x01460000 0x0149ffff Private Memory rw True False False -
private_0x00000000014a0000 0x014a0000 0x014dffff Private Memory rw True False False -
private_0x00000000014e0000 0x014e0000 0x0151ffff Private Memory rw True False False -
private_0x0000000001510000 0x01510000 0x0154ffff Private Memory rw True False False -
private_0x0000000001560000 0x01560000 0x0159ffff Private Memory rw True False False -
private_0x00000000015a0000 0x015a0000 0x016affff Private Memory rw True False False -
private_0x0000000001620000 0x01620000 0x0165ffff Private Memory rw True False False -
private_0x0000000001670000 0x01670000 0x016affff Private Memory rw True False False -
private_0x00000000016b0000 0x016b0000 0x018affff Private Memory rw True False False -
private_0x0000000001900000 0x01900000 0x0193ffff Private Memory rw True False False -
pshed.dll 0x40960000 0x40970fff Memory Mapped File rwx False False False -
dhcpcore6.dll 0x71d90000 0x71dc0fff Memory Mapped File rwx False False False -
dhcpcore.dll 0x71e00000 0x71e3ffff Memory Mapped File rwx False False False -
comres.dll 0x720e0000 0x7221dfff Memory Mapped File rwx False False False -
nrpsrv.dll 0x720f0000 0x720f5fff Memory Mapped File rwx False False False -
lmhsvc.dll 0x72140000 0x72147fff Memory Mapped File rwx False False False -
winnsi.dll 0x72220000 0x72226fff Memory Mapped File rwx False False False -
iphlpapi.dll 0x72230000 0x7224bfff Memory Mapped File rwx False False False -
profsvc.dll 0x73720000 0x7374afff Memory Mapped File rwx False False False -
gpsvc.dll 0x73760000 0x737f2fff Memory Mapped File rwx False False False -
adtschema.dll 0x73810000 0x738b6fff Memory Mapped File rwx False False False -
cscsvc.dll 0x73830000 0x738b7fff Memory Mapped File rwx False False False -
microsoft-windows-kernel-power-events.dll 0x738b0000 0x738bdfff Memory Mapped File rwx False False False -
microsoft-windows-kernel-processor-power-events.dll 0x738b0000 0x738b6fff Memory Mapped File rwx False False False -
avrt.dll 0x738e0000 0x738e6fff Memory Mapped File rwx False False False -
powrprof.dll 0x738f0000 0x73914fff Memory Mapped File rwx False False False -
audiosrv.dll 0x73920000 0x73999fff Memory Mapped File rwx False False False -
powrprof.dll 0x73970000 0x73994fff Memory Mapped File rwx False False False -
mmdevapi.dll 0x73e40000 0x73e78fff Memory Mapped File rwx False False False -
propsys.dll 0x74190000 0x74284fff Memory Mapped File rwx False False False -
powrprof.dll 0x74730000 0x74754fff Memory Mapped File rwx False False False -
ntmarta.dll 0x74730000 0x74750fff Memory Mapped File rwx False False False -
wevtsvc.dll 0x74760000 0x7486bfff Memory Mapped File rwx False False False -
version.dll 0x74870000 0x74878fff Memory Mapped File rwx False False False -
firewallapi.dll 0x74880000 0x748f5fff Memory Mapped File rwx False False False -
wshtcpip.dll 0x74900000 0x74904fff Memory Mapped File rwx False False False -
gpapi.dll 0x749b0000 0x749c5fff Memory Mapped File rwx False False False -
umpnpmgr.dll 0x74a20000 0x74a68fff Memory Mapped File rwx False False False -
credssp.dll 0x74ad0000 0x74ad7fff Memory Mapped File rwx False False False -
dnsapi.dll 0x74ca0000 0x74ce3fff Memory Mapped File rwx False False False -
wship6.dll 0x74dd0000 0x74dd5fff Memory Mapped File rwx False False False -
mswsock.dll 0x74de0000 0x74e1bfff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e20000 0x74e35fff Memory Mapped File rwx False False False -
wevtapi.dll 0x74fc0000 0x75001fff Memory Mapped File rwx False False False -
secur32.dll 0x75210000 0x75217fff Memory Mapped File rwx False False False -
sspicli.dll 0x75250000 0x7526afff Memory Mapped File rwx False False False -
winsta.dll 0x75270000 0x75298fff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75310000 0x7531dfff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
devobj.dll 0x755d0000 0x755e1fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x755f0000 0x75616fff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
oleaut32.dll 0x767c0000 0x7684efff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
ole32.dll 0x76a70000 0x76bcbfff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
ws2_32.dll 0x76ec0000 0x76ef4fff Memory Mapped File rwx False False False -
clbcatq.dll 0x76f00000 0x76f82fff Memory Mapped File rwx False False False -
setupapi.dll 0x76f90000 0x7712cfff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
nsi.dll 0x77310000 0x77315fff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
wldap32.dll 0x77370000 0x773b4fff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
private_0x000000007ffa9000 0x7ffa9000 0x7ffa9fff Private Memory rw True False False -
private_0x000000007ffab000 0x7ffab000 0x7ffabfff Private Memory rw True False False -
private_0x000000007ffac000 0x7ffac000 0x7ffacfff Private Memory rw True False False -
private_0x000000007ffad000 0x7ffad000 0x7ffadfff Private Memory rw True False False -
private_0x000000007ffae000 0x7ffae000 0x7ffaefff Private Memory rw True False False -
private_0x000000007ffaf000 0x7ffaf000 0x7ffaffff Private Memory rw True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd3000 0x7ffd3000 0x7ffd3fff Private Memory rw True False False -
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory rw True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd5fff Private Memory rw True False False -
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory rw True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
For performance reasons, the remaining 12 entries are omitted.
The remaining entries can be found in flog.txt.
Process #23: logonui.exe
Information Value
ID #23
File Name c:\windows\system32\logonui.exe
Command Line "LogonUI.exe" /flags:0x0
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:04, Reason: Child Process
Unmonitor End Time: 00:05:10, Reason: Self Terminated
Monitor Duration 00:01:06
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x2f4
Parent PID 0x17c (c:\windows\system32\winlogon.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x2F8, 0x2FC, 0x300, 0x304, 0x308, 0x30C, 0x31C, 0x320, 0x324, 0x410, 0x7D8
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
imm32.dll 0x000c0000 0x000dcfff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000dffff Pagefile Backed Memory r True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff Pagefile Backed Memory r True False False -
logonui.exe 0x00100000 0x00105fff Memory Mapped File rwx False False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000120000 0x00120000 0x00121fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000130000 0x00130000 0x00131fff Pagefile Backed Memory r True False False -
windowsshell.manifest 0x00140000 0x00140fff Memory Mapped File r False False False -
pagefile_0x0000000000140000 0x00140000 0x00141fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0029ffff Private Memory rw True False False -
pagefile_0x0000000000190000 0x00190000 0x00191fff Pagefile Backed Memory r True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory rw True False False -
pagefile_0x00000000002a0000 0x002a0000 0x00367fff Pagefile Backed Memory r True False False -
private_0x0000000000370000 0x00370000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0039ffff Private Memory rw True False False -
pagefile_0x00000000003a0000 0x003a0000 0x004a0fff Pagefile Backed Memory r True False False -
rpcss.dll 0x004b0000 0x0050bfff Memory Mapped File r False False False -
pagefile_0x00000000004b0000 0x004b0000 0x004b6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000004c0000 0x004c0000 0x004c1fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000004d0000 0x004d0000 0x004d1fff Pagefile Backed Memory r True False False -
private_0x00000000004f0000 0x004f0000 0x004f0fff Private Memory rw True False False -
private_0x0000000000500000 0x00500000 0x00500fff Private Memory rw True False False -
private_0x0000000000510000 0x00510000 0x00510fff Private Memory rw True False False -
private_0x0000000000520000 0x00520000 0x00520fff Private Memory rw True False False -
private_0x0000000000530000 0x00530000 0x0056ffff Private Memory rw True False False -
private_0x0000000000570000 0x00570000 0x0064ffff Private Memory rw True False False -
private_0x0000000000570000 0x00570000 0x005effff Private Memory rw True False False -
private_0x00000000005f0000 0x005f0000 0x005f0fff Private Memory rw True False False -
private_0x0000000000600000 0x00600000 0x00600fff Private Memory rw True False False -
private_0x0000000000610000 0x00610000 0x0064ffff Private Memory rw True False False -
private_0x0000000000650000 0x00650000 0x00650fff Private Memory rw True False False -
private_0x0000000000660000 0x00660000 0x00660fff Private Memory rw True False False -
private_0x0000000000670000 0x00670000 0x00670fff Private Memory rw True False False -
private_0x0000000000680000 0x00680000 0x00680fff Private Memory rw True False False -
private_0x0000000000690000 0x00690000 0x00690fff Private Memory rw True False False -
private_0x00000000006a0000 0x006a0000 0x006a0fff Private Memory rw True False False -
private_0x00000000006b0000 0x006b0000 0x006b0fff Private Memory rw True False False -
private_0x00000000006c0000 0x006c0000 0x006c0fff Private Memory rw True False False -
private_0x00000000006d0000 0x006d0000 0x006d0fff Private Memory rw True False False -
private_0x00000000006e0000 0x006e0000 0x006e0fff Private Memory rw True False False -
private_0x00000000006f0000 0x006f0000 0x006f0fff Private Memory rw True False False -
private_0x0000000000700000 0x00700000 0x0073ffff Private Memory rw True False False -
sortdefault.nls 0x00740000 0x00a0efff Memory Mapped File r False False False -
private_0x0000000000a10000 0x00a10000 0x00b3ffff Private Memory rw True False False -
private_0x0000000000a10000 0x00a10000 0x00a10fff Private Memory rw True False False -
private_0x0000000000a20000 0x00a20000 0x00a20fff Private Memory rw True False False -
private_0x0000000000a30000 0x00a30000 0x00a6ffff Private Memory rw True False False -
private_0x0000000000a70000 0x00a70000 0x00a70fff Private Memory rw True False False -
private_0x0000000000a80000 0x00a80000 0x00a80fff Private Memory rw True False False -
private_0x0000000000a90000 0x00a90000 0x00a90fff Private Memory rw True False False -
private_0x0000000000aa0000 0x00aa0000 0x00aa0fff Private Memory rw True False False -
private_0x0000000000ab0000 0x00ab0000 0x00ab0fff Private Memory rw True False False -
private_0x0000000000ac0000 0x00ac0000 0x00ac0fff Private Memory rw True False False -
private_0x0000000000ad0000 0x00ad0000 0x00ad0fff Private Memory rw True False False -
private_0x0000000000ae0000 0x00ae0000 0x00ae0fff Private Memory rw True False False -
private_0x0000000000af0000 0x00af0000 0x00af0fff Private Memory rw True False False -
private_0x0000000000b00000 0x00b00000 0x00b00fff Private Memory rw True False False -
private_0x0000000000b10000 0x00b10000 0x00b10fff Private Memory rw True False False -
private_0x0000000000b20000 0x00b20000 0x00b20fff Private Memory rw True False False -
private_0x0000000000b30000 0x00b30000 0x00b3ffff Private Memory rw True False False -
pagefile_0x0000000000b40000 0x00b40000 0x00f32fff Pagefile Backed Memory r True False False -
private_0x0000000000f40000 0x00f40000 0x0103ffff Private Memory rw True False False -
private_0x0000000001040000 0x01040000 0x01040fff Private Memory rw True False False -
private_0x0000000001050000 0x01050000 0x01050fff Private Memory rw True False False -
private_0x0000000001060000 0x01060000 0x01060fff Private Memory rw True False False -
private_0x0000000001070000 0x01070000 0x01070fff Private Memory rw True False False -
private_0x0000000001080000 0x01080000 0x01080fff Private Memory rw True False False -
private_0x0000000001090000 0x01090000 0x01096fff Private Memory rw True False False -
private_0x00000000010a0000 0x010a0000 0x010a9fff Private Memory rw True False False -
private_0x00000000010b0000 0x010b0000 0x010b6fff Private Memory rw True False False -
private_0x00000000010c0000 0x010c0000 0x010e3fff Private Memory rw True False False -
private_0x00000000010f0000 0x010f0000 0x010f9fff Private Memory rw True False False -
private_0x0000000001100000 0x01100000 0x01106fff Private Memory rw True False False -
private_0x0000000001110000 0x01110000 0x01119fff Private Memory rw True False False -
private_0x0000000001120000 0x01120000 0x01126fff Private Memory rw True False False -
private_0x0000000001130000 0x01130000 0x01167fff Private Memory rw True False False -
private_0x0000000001170000 0x01170000 0x01179fff Private Memory rw True False False -
private_0x0000000001180000 0x01180000 0x01180fff Private Memory rw True False False -
private_0x0000000001190000 0x01190000 0x01190fff Private Memory rw True False False -
private_0x00000000011a0000 0x011a0000 0x011a0fff Private Memory rw True False False -
private_0x00000000011b0000 0x011b0000 0x011b0fff Private Memory rw True False False -
private_0x00000000011c0000 0x011c0000 0x011c0fff Private Memory rw True False False -
private_0x00000000011d0000 0x011d0000 0x011d1fff Private Memory rw True False False -
private_0x00000000011e0000 0x011e0000 0x011e0fff Private Memory rw True False False -
private_0x00000000011f0000 0x011f0000 0x011f1fff Private Memory rw True False False -
private_0x0000000001200000 0x01200000 0x01200fff Private Memory rw True False False -
private_0x0000000001210000 0x01210000 0x01211fff Private Memory rw True False False -
private_0x0000000001220000 0x01220000 0x01220fff Private Memory rw True False False -
private_0x0000000001230000 0x01230000 0x01231fff Private Memory rw True False False -
private_0x0000000001240000 0x01240000 0x01240fff Private Memory rw True False False -
private_0x0000000001250000 0x01250000 0x01250fff Private Memory rw True False False -
private_0x0000000001260000 0x01260000 0x01260fff Private Memory rw True False False -
private_0x0000000001270000 0x01270000 0x01270fff Private Memory rw True False False -
private_0x0000000001280000 0x01280000 0x01280fff Private Memory rw True False False -
private_0x0000000001290000 0x01290000 0x01290fff Private Memory rw True False False -
xmllite.dll 0x73df0000 0x73e1efff Memory Mapped File rwx False False False -
dwmapi.dll 0x73e20000 0x73e32fff Memory Mapped File rwx False False False -
mmdevapi.dll 0x73e40000 0x73e78fff Memory Mapped File rwx False False False -
hid.dll 0x73e80000 0x73e88fff Memory Mapped File rwx False False False -
sndvolsso.dll 0x73e90000 0x73ec7fff Memory Mapped File rwx False False False -
duser.dll 0x73ed0000 0x73efefff Memory Mapped File rwx False False False -
dui70.dll 0x73f00000 0x73fb1fff Memory Mapped File rwx False False False -
gdiplus.dll 0x73fc0000 0x7414ffff Memory Mapped File rwx False False False -
uxtheme.dll 0x74150000 0x7418ffff Memory Mapped File rwx False False False -
propsys.dll 0x74190000 0x74284fff Memory Mapped File rwx False False False -
samlib.dll 0x74290000 0x742a1fff Memory Mapped File rwx False False False -
shacct.dll 0x742b0000 0x742cdfff Memory Mapped File rwx False False False -
comctl32.dll 0x742d0000 0x7446dfff Memory Mapped File rwx False False False -
cryptui.dll 0x74470000 0x74567fff Memory Mapped File rwx False False False -
authui.dll 0x74570000 0x74726fff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
msasn1.dll 0x75390000 0x7539bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
crypt32.dll 0x75480000 0x7559cfff Memory Mapped File rwx False False False -
devobj.dll 0x755d0000 0x755e1fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x755f0000 0x75616fff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
shlwapi.dll 0x765e0000 0x76636fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
oleaut32.dll 0x767c0000 0x7684efff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
ole32.dll 0x76a70000 0x76bcbfff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
clbcatq.dll 0x76f00000 0x76f82fff Memory Mapped File rwx False False False -
setupapi.dll 0x76f90000 0x7712cfff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd5fff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
For performance reasons, the remaining 249 entries are omitted.
The remaining entries can be found in flog.txt.
Process #24: svchost.exe
Information Value
ID #24
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:12, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:01:06
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x32c
Parent PID 0x1a8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x330, 0x338, 0x340, 0x344, 0x348, 0x360, 0x368, 0x378, 0x37C, 0x380, 0x3B4, 0x3BC, 0x3CC, 0x3D4, 0x3EC, 0x3F0, 0x420, 0x424, 0x45C, 0x460, 0x47C, 0x480, 0x660, 0x664, 0x66C, 0x6FC, 0x710, 0x748, 0x754
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
imm32.dll 0x000c0000 0x000dcfff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x0013ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000000140000 0x00140000 0x00141fff Pagefile Backed Memory rw True False False -
private_0x0000000000150000 0x00150000 0x00150fff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x00160fff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0040ffff Private Memory rw True False False -
pagefile_0x00000000001b0000 0x001b0000 0x00277fff Pagefile Backed Memory r True False False -
rpcss.dll 0x00280000 0x002dbfff Memory Mapped File r False False False -
pagefile_0x0000000000280000 0x00280000 0x00280fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory r True False False -
private_0x00000000002a0000 0x002a0000 0x002a0fff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x002b0fff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x002c0fff Private Memory rw True False False -
pagefile_0x00000000002c0000 0x002c0000 0x002c1fff Pagefile Backed Memory r True False False -
windowsshell.manifest 0x002d0000 0x002d0fff Memory Mapped File r False False False -
pagefile_0x00000000002d0000 0x002d0000 0x002d1fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002e0000 0x002e0000 0x002e1fff Pagefile Backed Memory r True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0060ffff Private Memory rw True False False -
pagefile_0x0000000000410000 0x00410000 0x00510fff Pagefile Backed Memory r True False False -
private_0x0000000000540000 0x00540000 0x0057ffff Private Memory rw True False False -
private_0x0000000000580000 0x00580000 0x005bffff Private Memory rw True False False -
private_0x00000000005c0000 0x005c0000 0x005fffff Private Memory rw True False False -
private_0x0000000000600000 0x00600000 0x0060ffff Private Memory rw True False False -
pagefile_0x0000000000610000 0x00610000 0x00a02fff Pagefile Backed Memory r True False False -
private_0x0000000000a40000 0x00a40000 0x00a7ffff Private Memory rw True False False -
private_0x0000000000aa0000 0x00aa0000 0x00adffff Private Memory rw True False False -
svchost.exe 0x00ae0000 0x00ae7fff Memory Mapped File rwx False False False -
private_0x0000000000b20000 0x00b20000 0x00b5ffff Private Memory rw True False False -
private_0x0000000000b90000 0x00b90000 0x00bcffff Private Memory rw True False False -
rsaenh.dll 0x00bd0000 0x00c0bfff Memory Mapped File r False False False -
private_0x0000000000bd0000 0x00bd0000 0x00c0ffff Private Memory rw True False False -
private_0x0000000000c20000 0x00c20000 0x00c5ffff Private Memory rw True False False -
sortdefault.nls 0x00c60000 0x00f2efff Memory Mapped File r False False False -
private_0x0000000000f50000 0x00f50000 0x00f8ffff Private Memory rw True False False -
private_0x0000000000f60000 0x00f60000 0x00f9ffff Private Memory rw True False False -
private_0x0000000000fb0000 0x00fb0000 0x00feffff Private Memory rw True False False -
private_0x0000000000ff0000 0x00ff0000 0x0102ffff Private Memory rw True False False -
private_0x0000000001090000 0x01090000 0x010cffff Private Memory rw True False False -
private_0x0000000001100000 0x01100000 0x0113ffff Private Memory rw True False False -
private_0x0000000001150000 0x01150000 0x0118ffff Private Memory rw True False False -
private_0x0000000001190000 0x01190000 0x0128ffff Private Memory rw True False False -
private_0x00000000012a0000 0x012a0000 0x012dffff Private Memory rw True False False -
private_0x0000000001310000 0x01310000 0x0134ffff Private Memory rw True False False -
private_0x0000000001330000 0x01330000 0x0136ffff Private Memory rw True False False -
private_0x0000000001350000 0x01350000 0x0138ffff Private Memory rw True False False -
private_0x00000000013b0000 0x013b0000 0x013effff Private Memory rw True False False -
private_0x00000000013c0000 0x013c0000 0x013fffff Private Memory rw True False False -
private_0x0000000001450000 0x01450000 0x0148ffff Private Memory rw True False False -
private_0x0000000001470000 0x01470000 0x014affff Private Memory rw True False False -
private_0x00000000014c0000 0x014c0000 0x014fffff Private Memory rw True False False -
private_0x0000000001500000 0x01500000 0x015effff Private Memory rw True False False -
private_0x0000000001600000 0x01600000 0x0163ffff Private Memory rw True False False -
private_0x0000000001640000 0x01640000 0x0172ffff Private Memory rw True False False -
private_0x0000000001680000 0x01680000 0x016bffff Private Memory rw True False False -
private_0x00000000016f0000 0x016f0000 0x0172ffff Private Memory rw True False False -
portabledeviceconnectapi.dll 0x70430000 0x70441fff Memory Mapped File rwx False False False -
portabledeviceapi.dll 0x70450000 0x704d8fff Memory Mapped File rwx False False False -
apphlpdm.dll 0x705a0000 0x705a9fff Memory Mapped File rwx False False False -
apphelp.dll 0x706a0000 0x706ebfff Memory Mapped File rwx False False False -
wer.dll 0x70730000 0x70790fff Memory Mapped File rwx False False False -
wpdbusenum.dll 0x70830000 0x70847fff Memory Mapped File rwx False False False -
wdi.dll 0x70850000 0x70864fff Memory Mapped File rwx False False False -
trkwks.dll 0x70eb0000 0x70ec4fff Memory Mapped File rwx False False False -
sysmain.dll 0x70ed0000 0x70fedfff Memory Mapped File rwx False False False -
uxsms.dll 0x72170000 0x7217afff Memory Mapped File rwx False False False -
mstask.dll 0x73630000 0x73664fff Memory Mapped File rwx False False False -
taskschd.dll 0x736a0000 0x7371cfff Memory Mapped File rwx False False False -
peerdist.dll 0x73800000 0x73824fff Memory Mapped File rwx False False False -
cscsvc.dll 0x73830000 0x738b7fff Memory Mapped File rwx False False False -
avrt.dll 0x738e0000 0x738e6fff Memory Mapped File rwx False False False -
powrprof.dll 0x738f0000 0x73914fff Memory Mapped File rwx False False False -
audiosrv.dll 0x73920000 0x73999fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x73cd0000 0x73cdcfff Memory Mapped File rwx False False False -
mmdevapi.dll 0x73e40000 0x73e78fff Memory Mapped File rwx False False False -
propsys.dll 0x74190000 0x74284fff Memory Mapped File rwx False False False -
comctl32.dll 0x742d0000 0x7446dfff Memory Mapped File rwx False False False -
ntmarta.dll 0x74730000 0x74750fff Memory Mapped File rwx False False False -
pcwum.dll 0x74980000 0x7498afff Memory Mapped File rwx False False False -
gpapi.dll 0x749b0000 0x749c5fff Memory Mapped File rwx False False False -
userenv.dll 0x749d0000 0x749e6fff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bc0000 0x74bfafff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e20000 0x74e35fff Memory Mapped File rwx False False False -
authz.dll 0x74f90000 0x74faafff Memory Mapped File rwx False False False -
sspicli.dll 0x75250000 0x7526afff Memory Mapped File rwx False False False -
winsta.dll 0x75270000 0x75298fff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75310000 0x7531dfff Memory Mapped File rwx False False False -
profapi.dll 0x75320000 0x7532afff Memory Mapped File rwx False False False -
msasn1.dll 0x75390000 0x7539bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
crypt32.dll 0x75480000 0x7559cfff Memory Mapped File rwx False False False -
wintrust.dll 0x755a0000 0x755ccfff Memory Mapped File rwx False False False -
devobj.dll 0x755d0000 0x755e1fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x755f0000 0x75616fff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
shell32.dll 0x758f0000 0x76539fff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
shlwapi.dll 0x765e0000 0x76636fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
oleaut32.dll 0x767c0000 0x7684efff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
ole32.dll 0x76a70000 0x76bcbfff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
clbcatq.dll 0x76f00000 0x76f82fff Memory Mapped File rwx False False False -
setupapi.dll 0x76f90000 0x7712cfff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
wldap32.dll 0x77370000 0x773b4fff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
private_0x000000007ffa6000 0x7ffa6000 0x7ffa6fff Private Memory rw True False False -
private_0x000000007ffa7000 0x7ffa7000 0x7ffa7fff Private Memory rw True False False -
private_0x000000007ffa8000 0x7ffa8000 0x7ffa8fff Private Memory rw True False False -
private_0x000000007ffa9000 0x7ffa9000 0x7ffa9fff Private Memory rw True False False -
private_0x000000007ffaa000 0x7ffaa000 0x7ffaafff Private Memory rw True False False -
private_0x000000007ffab000 0x7ffab000 0x7ffabfff Private Memory rw True False False -
private_0x000000007ffac000 0x7ffac000 0x7ffacfff Private Memory rw True False False -
private_0x000000007ffad000 0x7ffad000 0x7ffadfff Private Memory rw True False False -
private_0x000000007ffae000 0x7ffae000 0x7ffaefff Private Memory rw True False False -
private_0x000000007ffaf000 0x7ffaf000 0x7ffaffff Private Memory rw True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd3000 0x7ffd3000 0x7ffd3fff Private Memory rw True False False -
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory rw True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd5fff Private Memory rw True False False -
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory rw True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #25: svchost.exe
Information Value
ID #25
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k netsvcs
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:12, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:01:06
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x34c
Parent PID 0x1a8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x350
0x35C
0x36C
0x370
0x374
0x384
0x3B8
0x3C0
0x3D0
0x3E4
0x3E8
0x42C
0x430
0x434
0x458
0x4E0
0x4EC
0x500
0x488
0x48C
0x518
0x51C
0x534
0x668
0x670
0x674
0x678
0x67C
0x680
0x68C
0x690
0x694
0x698
0x69C
0x6A4
0x6AC
0x6B0
0x6C0
0x6CC
0x75C
0x760
0x778
0x77C
0x780
0x784
0x790
0x7AC
0x7BC
0x7C0
0x7C4
0x7C8
0x7F0
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x0010ffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0028ffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0016ffff Private Memory rw True False False -
imm32.dll 0x00110000 0x0012cfff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x00120fff Private Memory rw True False False -
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000140000 0x00140000 0x00140fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000150000 0x00150000 0x00150fff Pagefile Backed Memory r True False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory rw True False False -
sens.dll 0x00170000 0x0017bfff Memory Mapped File r False False False -
stdole2.tlb 0x00180000 0x00183fff Memory Mapped File r False False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00357fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000360000 0x00360000 0x00460fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000470000 0x00470000 0x004effff Pagefile Backed Memory r True False False -
pagefile_0x00000000004f0000 0x004f0000 0x008e2fff Pagefile Backed Memory r True False False -
rpcss.dll 0x008f0000 0x0094bfff Memory Mapped File r False False False -
private_0x0000000000910000 0x00910000 0x0094ffff Private Memory rw True False False -
private_0x0000000000950000 0x00950000 0x0098ffff Private Memory rw True False False -
rsaenh.dll 0x00990000 0x009cbfff Memory Mapped File r False False False -
private_0x00000000009b0000 0x009b0000 0x009effff Private Memory rw True False False -
private_0x00000000009f0000 0x009f0000 0x00a2ffff Private Memory rw True False False -
private_0x0000000000a40000 0x00a40000 0x00a7ffff Private Memory rw True False False -
private_0x0000000000aa0000 0x00aa0000 0x00adffff Private Memory rw True False False -
svchost.exe 0x00ae0000 0x00ae7fff Memory Mapped File rwx False False False -
private_0x0000000000b00000 0x00b00000 0x00b3ffff Private Memory rw True False False -
private_0x0000000000b70000 0x00b70000 0x00baffff Private Memory rw True False False -
sortdefault.nls 0x00bb0000 0x00e7efff Memory Mapped File r False False False -
private_0x0000000000e80000 0x00e80000 0x00eeffff Private Memory rw True False False -
private_0x0000000000ea0000 0x00ea0000 0x00edffff Private Memory rw True False False -
private_0x0000000000ee0000 0x00ee0000 0x00eeffff Private Memory rw True False False -
aero.msstyles 0x00ef0000 0x0100dfff Memory Mapped File r False False False -
private_0x0000000000ef0000 0x00ef0000 0x00feffff Private Memory rw True False False -
private_0x0000000000f00000 0x00f00000 0x00f3ffff Private Memory rw True False False -
private_0x0000000000f20000 0x00f20000 0x00f5ffff Private Memory rw True False False -
private_0x0000000000fb0000 0x00fb0000 0x00feffff Private Memory rw True False False -
private_0x0000000000fc0000 0x00fc0000 0x00ffffff Private Memory rw True False False -
private_0x0000000001000000 0x01000000 0x0120ffff Private Memory rw True False False -
private_0x0000000001000000 0x01000000 0x0103ffff Private Memory rw True False False -
private_0x0000000001050000 0x01050000 0x0108ffff Private Memory rw True False False -
private_0x0000000001090000 0x01090000 0x0118ffff Private Memory rw True False False -
private_0x00000000011d0000 0x011d0000 0x0120ffff Private Memory rw True False False -
pagefile_0x0000000001210000 0x01210000 0x01c0ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000001210000 0x01210000 0x012eefff Pagefile Backed Memory r True False False -
private_0x0000000001240000 0x01240000 0x0127ffff Private Memory rw True False False -
private_0x0000000001300000 0x01300000 0x0133ffff Private Memory rw True False False -
private_0x00000000013b0000 0x013b0000 0x013effff Private Memory rw True False False -
private_0x00000000013c0000 0x013c0000 0x013fffff Private Memory rw True False False -
private_0x0000000001400000 0x01400000 0x0150ffff Private Memory rw True False False -
private_0x0000000001510000 0x01510000 0x0163ffff Private Memory rw True False False -
pagefile_0x0000000001c10000 0x01c10000 0x0260ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000002610000 0x02610000 0x026eefff Pagefile Backed Memory rw True False False -
wiarpc.dll 0x71b40000 0x71b4afff Memory Mapped File rwx False False False -
ktmw32.dll 0x71b50000 0x71b58fff Memory Mapped File rwx False False False -
schedsvc.dll 0x71b60000 0x71c19fff Memory Mapped File rwx False False False -
fvecerts.dll 0x71c20000 0x71c27fff Memory Mapped File rwx False False False -
tbs.dll 0x71c30000 0x71c36fff Memory Mapped File rwx False False False -
fveapi.dll 0x71c40000 0x71c82fff Memory Mapped File rwx False False False -
shsvcs.dll 0x71c90000 0x71ce1fff Memory Mapped File rwx False False False -
sens.dll 0x720d0000 0x720defff Memory Mapped File rwx False False False -
es.dll 0x735b0000 0x735f6fff Memory Mapped File rwx False False False -
slc.dll 0x73610000 0x73619fff Memory Mapped File rwx False False False -
dsrole.dll 0x73620000 0x73628fff Memory Mapped File rwx False False False -
themeservice.dll 0x73670000 0x7367bfff Memory Mapped File rwx False False False -
atl.dll 0x73680000 0x73693fff Memory Mapped File rwx False False False -
profsvc.dll 0x73720000 0x7374afff Memory Mapped File rwx False False False -
nlaapi.dll 0x73750000 0x7375ffff Memory Mapped File rwx False False False -
gpsvc.dll 0x73760000 0x737f2fff Memory Mapped File rwx False False False -
mmcss.dll 0x738c0000 0x738d1fff Memory Mapped File rwx False False False -
avrt.dll 0x738e0000 0x738e6fff Memory Mapped File rwx False False False -
wkscli.dll 0x73bb0000 0x73bbefff Memory Mapped File rwx False False False -
netutils.dll 0x73bc0000 0x73bc8fff Memory Mapped File rwx False False False -
netapi32.dll 0x73bd0000 0x73be0fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x73cd0000 0x73cdcfff Memory Mapped File rwx False False False -
xmllite.dll 0x73df0000 0x73e1efff Memory Mapped File rwx False False False -
uxtheme.dll 0x74150000 0x7418ffff Memory Mapped File rwx False False False -
samlib.dll 0x74290000 0x742a1fff Memory Mapped File rwx False False False -
ntmarta.dll 0x74730000 0x74750fff Memory Mapped File rwx False False False -
pcwum.dll 0x74980000 0x7498afff Memory Mapped File rwx False False False -
gpapi.dll 0x749b0000 0x749c5fff Memory Mapped File rwx False False False -
userenv.dll 0x749d0000 0x749e6fff Memory Mapped File rwx False False False -
ubpm.dll 0x74aa0000 0x74acbfff Memory Mapped File rwx False False False -
srvcli.dll 0x74ae0000 0x74af8fff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bc0000 0x74bfafff Memory Mapped File rwx False False False -
logoncli.dll 0x74c70000 0x74c91fff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e20000 0x74e35fff Memory Mapped File rwx False False False -
authz.dll 0x74f90000 0x74faafff Memory Mapped File rwx False False False -
wevtapi.dll 0x74fc0000 0x75001fff Memory Mapped File rwx False False False -
secur32.dll 0x75210000 0x75217fff Memory Mapped File rwx False False False -
sysntfy.dll 0x75220000 0x75226fff Memory Mapped File rwx False False False -
sspicli.dll 0x75250000 0x7526afff Memory Mapped File rwx False False False -
winsta.dll 0x75270000 0x75298fff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
sxs.dll 0x752b0000 0x7530efff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75310000 0x7531dfff Memory Mapped File rwx False False False -
profapi.dll 0x75320000 0x7532afff Memory Mapped File rwx False False False -
msasn1.dll 0x75390000 0x7539bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
crypt32.dll 0x75480000 0x7559cfff Memory Mapped File rwx False False False -
wintrust.dll 0x755a0000 0x755ccfff Memory Mapped File rwx False False False -
devobj.dll 0x755d0000 0x755e1fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x755f0000 0x75616fff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
shell32.dll 0x758f0000 0x76539fff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
shlwapi.dll 0x765e0000 0x76636fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
oleaut32.dll 0x767c0000 0x7684efff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
ole32.dll 0x76a70000 0x76bcbfff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
ws2_32.dll 0x76ec0000 0x76ef4fff Memory Mapped File rwx False False False -
clbcatq.dll 0x76f00000 0x76f82fff Memory Mapped File rwx False False False -
setupapi.dll 0x76f90000 0x7712cfff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
nsi.dll 0x77310000 0x77315fff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
wldap32.dll 0x77370000 0x773b4fff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
private_0x000000007ffad000 0x7ffad000 0x7ffadfff Private Memory rw True False False -
private_0x000000007ffae000 0x7ffae000 0x7ffaefff Private Memory rw True False False -
private_0x000000007ffaf000 0x7ffaf000 0x7ffaffff Private Memory rw True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd3000 0x7ffd3000 0x7ffd3fff Private Memory rw True False False -
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory rw True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd5fff Private Memory rw True False False -
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory rw True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
For performance reasons, the remaining 179 entries are omitted.
The remaining entries can be found in flog.txt.
Process #26: audiodg.exe
Information Value
ID #26
File Name c:\windows\system32\audiodg.exe
Command Line C:\Windows\system32\AUDIODG.EXE 0x2e0
Initial Working Directory C:\Windows
Monitor Start Time: 00:04:14, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:01:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x394
Parent PID 0x2a8 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Local Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x398
0x39C
0x3A4
0x3AC
0x3B0
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
locale.nls 0x00020000 0x00086fff Memory Mapped File r False False False -
private_0x0000000000090000 0x00090000 0x000cffff Private Memory rw True False False -
imm32.dll 0x00090000 0x000acfff Memory Mapped File r False False False -
pagefile_0x0000000000090000 0x00090000 0x00096fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000a0000 0x000a0000 0x000a1fff Pagefile Backed Memory rw True False False -
audiodg.exe.mui 0x000b0000 0x000b0fff Memory Mapped File rw False False False -
private_0x00000000000c0000 0x000c0000 0x000cffff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0042ffff Private Memory rw True False False -
pagefile_0x0000000000150000 0x00150000 0x00217fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000220000 0x00220000 0x00320fff Pagefile Backed Memory r True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
pagefile_0x0000000000430000 0x00430000 0x004affff Pagefile Backed Memory r True False False -
rpcss.dll 0x004b0000 0x0050bfff Memory Mapped File r False False False -
rsaenh.dll 0x004b0000 0x004ebfff Memory Mapped File r False False False -
audiodg.exe 0x005e0000 0x005fdfff Memory Mapped File rwx False False False -
private_0x0000000000640000 0x00640000 0x0067ffff Private Memory rw True False False -
private_0x00000000006e0000 0x006e0000 0x0071ffff Private Memory rw True False False -
sortdefault.nls 0x00720000 0x009eefff Memory Mapped File r False False False -
private_0x0000000000a50000 0x00a50000 0x00a8ffff Private Memory rw True False False -
private_0x0000000000aa0000 0x00aa0000 0x00adffff Private Memory rw True False False -
mmdevapi.dll 0x73e40000 0x73e78fff Memory Mapped File rwx False False False -
propsys.dll 0x74190000 0x74284fff Memory Mapped File rwx False False False -
ntmarta.dll 0x74730000 0x74750fff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bc0000 0x74bfafff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e20000 0x74e35fff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75310000 0x7531dfff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
oleaut32.dll 0x767c0000 0x7684efff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
ole32.dll 0x76a70000 0x76bcbfff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
clbcatq.dll 0x76f00000 0x76f82fff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
wldap32.dll 0x77370000 0x773b4fff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #27: svchost.exe
Information Value
ID #27
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k LocalService
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:17, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:01:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x3d8
Parent PID 0x1a8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Local Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x3DC
0x3E0
0x404
0x408
0x40C
0x41C
0x428
0x484
0x60C
0x6F4
0x70C
0x718
0x72C
0x730
0x73C
0x770
0x788
0x78C
0x7CC
0x7F4
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x001cffff Private Memory rw True False False -
imm32.dll 0x00090000 0x000acfff Memory Mapped File r False False False -
pagefile_0x0000000000090000 0x00090000 0x00096fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000a0000 0x000a0000 0x000a1fff Pagefile Backed Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x000b0fff Private Memory rw True False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
locale.nls 0x001d0000 0x00236fff Memory Mapped File r False False False -
pagefile_0x0000000000240000 0x00240000 0x00307fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000310000 0x00310000 0x00410fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000420000 0x00420000 0x0049ffff Pagefile Backed Memory r True False False -
pagefile_0x00000000004a0000 0x004a0000 0x00892fff Pagefile Backed Memory r True False False -
rpcss.dll 0x008a0000 0x008fbfff Memory Mapped File r False False False -
private_0x00000000008a0000 0x008a0000 0x008dffff Private Memory rw True False False -
pagefile_0x00000000008e0000 0x008e0000 0x008e0fff Pagefile Backed Memory r True False False -
es.dll 0x008f0000 0x008fffff Memory Mapped File r False False False -
private_0x0000000000900000 0x00900000 0x0093ffff Private Memory rw True False False -
private_0x0000000000940000 0x00940000 0x0097ffff Private Memory rw True False False -
rsaenh.dll 0x00980000 0x009bbfff Memory Mapped File r False False False -
private_0x0000000000980000 0x00980000 0x009bffff Private Memory rw True False False -
private_0x00000000009c0000 0x009c0000 0x00a3ffff Private Memory rw True False False -
private_0x0000000000a40000 0x00a40000 0x00a7ffff Private Memory rw True False False -
stdole2.tlb 0x00a80000 0x00a83fff Memory Mapped File r False False False -
private_0x0000000000a90000 0x00a90000 0x00acffff Private Memory rw True False False -
pagefile_0x0000000000ad0000 0x00ad0000 0x00ad1fff Pagefile Backed Memory r True False False -
svchost.exe 0x00ae0000 0x00ae7fff Memory Mapped File rwx False False False -
private_0x0000000000af0000 0x00af0000 0x00baffff Private Memory rw True False False -
private_0x0000000000af0000 0x00af0000 0x00b2ffff Private Memory rw True False False -
private_0x0000000000b20000 0x00b20000 0x00b5ffff Private Memory rw True False False -
private_0x0000000000b30000 0x00b30000 0x00b8ffff Private Memory rw True False False -
private_0x0000000000b30000 0x00b30000 0x00b30fff Private Memory rw True False False -
private_0x0000000000b30000 0x00b30000 0x00b6ffff Private Memory rw True False False -
private_0x0000000000b70000 0x00b70000 0x00b70fff Private Memory rw True False False -
pagefile_0x0000000000b70000 0x00b70000 0x00b71fff Pagefile Backed Memory rw True False False -
private_0x0000000000b80000 0x00b80000 0x00b8ffff Private Memory rw True False False -
private_0x0000000000ba0000 0x00ba0000 0x00bdffff Private Memory rw True False False -
private_0x0000000000ba0000 0x00ba0000 0x00baffff Private Memory rw True False False -
sortdefault.nls 0x00be0000 0x00eaefff Memory Mapped File r False False False -
private_0x0000000000eb0000 0x00eb0000 0x00eeffff Private Memory rw True False False -
private_0x0000000000f00000 0x00f00000 0x00f3ffff Private Memory rw True False False -
kernelbase.dll.mui 0x00f40000 0x00ffffff Memory Mapped File rw False False False -
private_0x0000000001000000 0x01000000 0x0103ffff Private Memory rw True False False -
private_0x0000000001040000 0x01040000 0x0115ffff Private Memory rw True False False -
private_0x00000000010e0000 0x010e0000 0x0111ffff Private Memory rw True False False -
private_0x0000000001120000 0x01120000 0x0115ffff Private Memory rw True False False -
private_0x0000000001160000 0x01160000 0x0125ffff Private Memory rw True False False -
private_0x0000000001280000 0x01280000 0x012bffff Private Memory rw True False False -
private_0x00000000012c0000 0x012c0000 0x013bffff Private Memory rw True False False -
private_0x0000000001440000 0x01440000 0x0147ffff Private Memory rw True False False -
private_0x0000000001480000 0x01480000 0x015bffff Private Memory rw True False False -
private_0x00000000015c0000 0x015c0000 0x017affff Private Memory rw True False False -
private_0x00000000015c0000 0x015c0000 0x0171ffff Private Memory rw True False False -
private_0x00000000015f0000 0x015f0000 0x0162ffff Private Memory rw True False False -
private_0x00000000016e0000 0x016e0000 0x0171ffff Private Memory rw True False False -
private_0x00000000017a0000 0x017a0000 0x017affff Private Memory rw True False False -
winrnr.dll 0x703b0000 0x703b7fff Memory Mapped File rwx False False False -
pnrpnsp.dll 0x703c0000 0x703d1fff Memory Mapped File rwx False False False -
napinsp.dll 0x703e0000 0x703effff Memory Mapped File rwx False False False -
npmproxy.dll 0x70590000 0x70597fff Memory Mapped File rwx False False False -
apphelp.dll 0x706a0000 0x706ebfff Memory Mapped File rwx False False False -
sfc_os.dll 0x706f0000 0x706fcfff Memory Mapped File rwx False False False -
sfc.dll 0x70700000 0x70702fff Memory Mapped File rwx False False False -
aepic.dll 0x70710000 0x70721fff Memory Mapped File rwx False False False -
wer.dll 0x70730000 0x70790fff Memory Mapped File rwx False False False -
perftrack.dll 0x707a0000 0x7082ffff Memory Mapped File rwx False False False -
wdi.dll 0x70850000 0x70864fff Memory Mapped File rwx False False False -
netprofm.dll 0x70870000 0x708c9fff Memory Mapped File rwx False False False -
rasadhlp.dll 0x708d0000 0x708d5fff Memory Mapped File rwx False False False -
webio.dll 0x71820000 0x7186efff Memory Mapped File rwx False False False -
fwpuclnt.dll 0x71d20000 0x71d57fff Memory Mapped File rwx False False False -
nsisvc.dll 0x72130000 0x72137fff Memory Mapped File rwx False False False -
winhttp.dll 0x721c0000 0x72217fff Memory Mapped File rwx False False False -
winnsi.dll 0x72220000 0x72226fff Memory Mapped File rwx False False False -
iphlpapi.dll 0x72230000 0x7224bfff Memory Mapped File rwx False False False -
es.dll 0x735b0000 0x735f6fff Memory Mapped File rwx False False False -
nlaapi.dll 0x73750000 0x7375ffff Memory Mapped File rwx False False False -
dwmapi.dll 0x73e20000 0x73e32fff Memory Mapped File rwx False False False -
version.dll 0x74870000 0x74878fff Memory Mapped File rwx False False False -
wshtcpip.dll 0x74900000 0x74904fff Memory Mapped File rwx False False False -
gpapi.dll 0x749b0000 0x749c5fff Memory Mapped File rwx False False False -
credssp.dll 0x74ad0000 0x74ad7fff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bc0000 0x74bfafff Memory Mapped File rwx False False False -
dnsapi.dll 0x74ca0000 0x74ce3fff Memory Mapped File rwx False False False -
wship6.dll 0x74dd0000 0x74dd5fff Memory Mapped File rwx False False False -
mswsock.dll 0x74de0000 0x74e1bfff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e20000 0x74e35fff Memory Mapped File rwx False False False -
secur32.dll 0x75210000 0x75217fff Memory Mapped File rwx False False False -
sspicli.dll 0x75250000 0x7526afff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
sxs.dll 0x752b0000 0x7530efff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75310000 0x7531dfff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
shlwapi.dll 0x765e0000 0x76636fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
oleaut32.dll 0x767c0000 0x7684efff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
ole32.dll 0x76a70000 0x76bcbfff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
ws2_32.dll 0x76ec0000 0x76ef4fff Memory Mapped File rwx False False False -
clbcatq.dll 0x76f00000 0x76f82fff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
nsi.dll 0x77310000 0x77315fff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
private_0x000000007ffac000 0x7ffac000 0x7ffacfff Private Memory rw True False False -
private_0x000000007ffad000 0x7ffad000 0x7ffadfff Private Memory rw True False False -
private_0x000000007ffae000 0x7ffae000 0x7ffaefff Private Memory rw True False False -
private_0x000000007ffaf000 0x7ffaf000 0x7ffaffff Private Memory rw True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd3000 0x7ffd3000 0x7ffd3fff Private Memory rw True False False -
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory rw True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd5fff Private Memory rw True False False -
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory rw True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #28: dllhost.exe
Information Value
ID #28
File Name c:\windows\system32\dllhost.exe
Command Line C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:20, Reason: Child Process
Unmonitor End Time: 00:04:31, Reason: Self Terminated
Monitor Duration 00:00:11
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x438
Parent PID 0x234 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x43C
0x440
0x444
0x448
0x44C
0x450
0x454
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
locale.nls 0x00040000 0x000a6fff Memory Mapped File r False False False -
imm32.dll 0x000b0000 0x000ccfff Memory Mapped File r False False False -
pagefile_0x00000000000b0000 0x000b0000 0x0012ffff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0030ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
rpcss.dll 0x00180000 0x001dbfff Memory Mapped File r False False False -
pagefile_0x0000000000180000 0x00180000 0x00180fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory r True False False -
rsaenh.dll 0x001a0000 0x001dbfff Memory Mapped File r False False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x003dffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0034ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x003dffff Private Memory rw True False False -
pagefile_0x00000000003e0000 0x003e0000 0x004a7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000004b0000 0x004b0000 0x005b0fff Pagefile Backed Memory r True False False -
private_0x00000000005f0000 0x005f0000 0x0062ffff Private Memory rw True False False -
private_0x0000000000690000 0x00690000 0x006cffff Private Memory rw True False False -
private_0x0000000000720000 0x00720000 0x0075ffff Private Memory rw True False False -
sortdefault.nls 0x00760000 0x00a2efff Memory Mapped File r False False False -
private_0x0000000000ab0000 0x00ab0000 0x00aeffff Private Memory rw True False False -
private_0x0000000000af0000 0x00af0000 0x00c7ffff Private Memory rw True False False -
dllhost.exe 0x00eb0000 0x00eb4fff Memory Mapped File rwx False False False -
idstore.dll 0x72180000 0x7218dfff Memory Mapped File rwx False False False -
comctl32.dll 0x72190000 0x72213fff Memory Mapped File rwx False False False -
samlib.dll 0x74290000 0x742a1fff Memory Mapped File rwx False False False -
shacct.dll 0x742b0000 0x742cdfff Memory Mapped File rwx False False False -
ntmarta.dll 0x74730000 0x74750fff Memory Mapped File rwx False False False -
userenv.dll 0x749d0000 0x749e6fff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bc0000 0x74bfafff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e20000 0x74e35fff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75310000 0x7531dfff Memory Mapped File rwx False False False -
profapi.dll 0x75320000 0x7532afff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
shell32.dll 0x758f0000 0x76539fff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
shlwapi.dll 0x765e0000 0x76636fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
oleaut32.dll 0x767c0000 0x7684efff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
ole32.dll 0x76a70000 0x76bcbfff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
clbcatq.dll 0x76f00000 0x76f82fff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
wldap32.dll 0x77370000 0x773b4fff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #29: dwm.exe
Information Value
ID #29
File Name c:\windows\system32\dwm.exe
Command Line "C:\Windows\system32\Dwm.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:21, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:00:57
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x468
Parent PID 0x32c (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x46C
0x494
0x498
0x49C
0x4A0
0x7E0
0x7E4
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x000fffff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x002affff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
pagefile_0x00000000002b0000 0x002b0000 0x00377fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000380000 0x00380000 0x00480fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000490000 0x00490000 0x00882fff Pagefile Backed Memory r True False False -
private_0x0000000000890000 0x00890000 0x0090ffff Private Memory rw True False False -
private_0x0000000000890000 0x00890000 0x008cffff Private Memory rw True False False -
private_0x00000000008d0000 0x008d0000 0x0090ffff Private Memory rw True False False -
pagefile_0x0000000000910000 0x00910000 0x009eefff Pagefile Backed Memory r True False False -
private_0x00000000009f0000 0x009f0000 0x00aeffff Private Memory rw True False False -
private_0x0000000000ae0000 0x00ae0000 0x00b1ffff Private Memory rw True False False -
private_0x0000000000b20000 0x00b20000 0x00b5ffff Private Memory rw True False False -
sortdefault.nls 0x00b60000 0x00e2efff Memory Mapped File r False False False -
dwm.exe 0x00ea0000 0x00eb9fff Memory Mapped File rwx False False False -
pagefile_0x0000000000ec0000 0x00ec0000 0x01abffff Pagefile Backed Memory r True False False -
private_0x0000000001ac0000 0x01ac0000 0x01b3ffff Private Memory rw True False False -
dxgi.dll 0x71e40000 0x71ec2fff Memory Mapped File rwx False False False -
d3d10_1core.dll 0x71ed0000 0x71f09fff Memory Mapped File rwx False False False -
dwmcore.dll 0x71f70000 0x720c0fff Memory Mapped File rwx False False False -
d3d10_1.dll 0x72100000 0x7212bfff Memory Mapped File rwx False False False -
dwmredir.dll 0x72150000 0x7216afff Memory Mapped File rwx False False False -
powrprof.dll 0x738f0000 0x73914fff Memory Mapped File rwx False False False -
windowscodecs.dll 0x73cf0000 0x73deafff Memory Mapped File rwx False False False -
dwmapi.dll 0x73e20000 0x73e32fff Memory Mapped File rwx False False False -
uxtheme.dll 0x74150000 0x7418ffff Memory Mapped File rwx False False False -
version.dll 0x74870000 0x74878fff Memory Mapped File rwx False False False -
msasn1.dll 0x75390000 0x7539bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
crypt32.dll 0x75480000 0x7559cfff Memory Mapped File rwx False False False -
wintrust.dll 0x755a0000 0x755ccfff Memory Mapped File rwx False False False -
devobj.dll 0x755d0000 0x755e1fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x755f0000 0x75616fff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
psapi.dll 0x76560000 0x76564fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
oleaut32.dll 0x767c0000 0x7684efff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
ole32.dll 0x76a70000 0x76bcbfff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
setupapi.dll 0x76f90000 0x7712cfff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #30: slui.exe
Information Value
ID #30
File Name c:\windows\system32\slui.exe
Command Line "C:\Windows\system32\slui.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:21, Reason: Child Process
Unmonitor End Time: 00:05:11, Reason: Self Terminated
Monitor Duration 00:00:50
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x470
Parent PID 0x17c (c:\windows\system32\winlogon.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x474
0x4F4
0x4F8
0x504
0x508
0x50C
0x510
0x514
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00021fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00042fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
slui.exe.mui 0x000e0000 0x000e2fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
windowsshell.manifest 0x00110000 0x00110fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory rw True False False -
pagefile_0x0000000000120000 0x00120000 0x00121fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000140000 0x00140000 0x00140fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0036ffff Private Memory rw True False False -
pagefile_0x0000000000190000 0x00190000 0x00257fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000260000 0x00260000 0x00260fff Pagefile Backed Memory r True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x0056ffff Private Memory rw True False False -
pagefile_0x0000000000370000 0x00370000 0x00470fff Pagefile Backed Memory r True False False -
rpcss.dll 0x00480000 0x004dbfff Memory Mapped File r False False False -
pagefile_0x0000000000480000 0x00480000 0x0055efff Pagefile Backed Memory r True False False -
private_0x0000000000560000 0x00560000 0x0056ffff Private Memory rw True False False -
rsaenh.dll 0x00570000 0x005abfff Memory Mapped File r False False False -
private_0x0000000000570000 0x00570000 0x005affff Private Memory rw True False False -
private_0x00000000005b0000 0x005b0000 0x005effff Private Memory rw True False False -
pagefile_0x00000000005f0000 0x005f0000 0x005f1fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000600000 0x00600000 0x00601fff Pagefile Backed Memory r True False False -
sppcomapi.dll 0x00610000 0x0061dfff Memory Mapped File r False False False -
slui.exe 0x00620000 0x00672fff Memory Mapped File rwx False False False -
pagefile_0x0000000000680000 0x00680000 0x0127ffff Pagefile Backed Memory r True False False -
private_0x0000000001280000 0x01280000 0x0139ffff Private Memory rw True False False -
stdole2.tlb 0x01280000 0x01283fff Memory Mapped File r False False False -
private_0x00000000012c0000 0x012c0000 0x012fffff Private Memory rw True False False -
private_0x0000000001360000 0x01360000 0x0139ffff Private Memory rw True False False -
private_0x0000000001440000 0x01440000 0x0147ffff Private Memory rw True False False -
private_0x00000000014a0000 0x014a0000 0x014dffff Private Memory rw True False False -
sortdefault.nls 0x014e0000 0x017aefff Memory Mapped File r False False False -
private_0x00000000017e0000 0x017e0000 0x0181ffff Private Memory rw True False False -
private_0x00000000018b0000 0x018b0000 0x018effff Private Memory rw True False False -
private_0x00000000018f0000 0x018f0000 0x019effff Private Memory rw True False False -
pagefile_0x00000000019f0000 0x019f0000 0x01de2fff Pagefile Backed Memory r True False False -
slwga.dll 0x71540000 0x71546fff Memory Mapped File rwx False False False -
msi.dll 0x71550000 0x7178ffff Memory Mapped File rwx False False False -
webio.dll 0x71820000 0x7186efff Memory Mapped File rwx False False False -
winscard.dll 0x71950000 0x71972fff Memory Mapped File rwx False False False -
sppcext.dll 0x71990000 0x71aa2fff Memory Mapped File rwx False False False -
sppcomapi.dll 0x71b00000 0x71b32fff Memory Mapped File rwx False False False -
sppc.dll 0x71dd0000 0x71df0fff Memory Mapped File rwx False False False -
sppcommdlg.dll 0x71f10000 0x71f67fff Memory Mapped File rwx False False False -
tapi32.dll 0x72180000 0x721b1fff Memory Mapped File rwx False False False -
winhttp.dll 0x721c0000 0x72217fff Memory Mapped File rwx False False False -
slc.dll 0x73610000 0x73619fff Memory Mapped File rwx False False False -
rasman.dll 0x73a80000 0x73a94fff Memory Mapped File rwx False False False -
rasapi32.dll 0x73aa0000 0x73af1fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x73cd0000 0x73cdcfff Memory Mapped File rwx False False False -
winbrand.dll 0x73ce0000 0x73ce6fff Memory Mapped File rwx False False False -
uxtheme.dll 0x74150000 0x7418ffff Memory Mapped File rwx False False False -
comctl32.dll 0x742d0000 0x7446dfff Memory Mapped File rwx False False False -
cryptui.dll 0x74470000 0x74567fff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bc0000 0x74bfafff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e20000 0x74e35fff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
sxs.dll 0x752b0000 0x7530efff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75310000 0x7531dfff Memory Mapped File rwx False False False -
msasn1.dll 0x75390000 0x7539bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
crypt32.dll 0x75480000 0x7559cfff Memory Mapped File rwx False False False -
devobj.dll 0x755d0000 0x755e1fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x755f0000 0x75616fff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
shell32.dll 0x758f0000 0x76539fff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
shlwapi.dll 0x765e0000 0x76636fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
oleaut32.dll 0x767c0000 0x7684efff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
ole32.dll 0x76a70000 0x76bcbfff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
ws2_32.dll 0x76ec0000 0x76ef4fff Memory Mapped File rwx False False False -
clbcatq.dll 0x76f00000 0x76f82fff Memory Mapped File rwx False False False -
setupapi.dll 0x76f90000 0x7712cfff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
nsi.dll 0x77310000 0x77315fff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #31: svchost.exe
Information Value
ID #31
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k NetworkService
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:23, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:00:55
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x4a8
Parent PID 0x1a8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Network Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x4AC, 0x4B0, 0x4BC, 0x4C0, 0x4C4, 0x4C8, 0x4D4, 0x4D8, 0x4DC, 0x4E4, 0x4E8, 0x4F0, 0x4FC, 0x5B0, 0x5C4, 0x5D4, 0x5DC, 0x5E4, 0x604, 0x61C, 0x62C, 0x634, 0x638, 0x63C, 0x5E0, 0x74C, 0x750
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
imm32.dll 0x000c0000 0x000dcfff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000100000 0x00100000 0x00100fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x003fffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0029ffff Private Memory rw True False False -
pagefile_0x0000000000150000 0x00150000 0x00217fff Pagefile Backed Memory r True False False -
rpcss.dll 0x00220000 0x0027bfff Memory Mapped File r False False False -
private_0x0000000000220000 0x00220000 0x00220fff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x00230fff Private Memory rw True False False -
private_0x0000000000240000 0x00240000 0x0027ffff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x002dffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
pagefile_0x0000000000400000 0x00400000 0x00500fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000510000 0x00510000 0x0058ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000000590000 0x00590000 0x00982fff Pagefile Backed Memory r True False False -
rsaenh.dll 0x00990000 0x009cbfff Memory Mapped File r False False False -
private_0x0000000000990000 0x00990000 0x009cffff Private Memory rw True False False -
private_0x00000000009d0000 0x009d0000 0x00a0ffff Private Memory rw True False False -
private_0x0000000000a20000 0x00a20000 0x00a5ffff Private Memory rw True False False -
private_0x0000000000a60000 0x00a60000 0x00adffff Private Memory rw True False False -
private_0x0000000000aa0000 0x00aa0000 0x00adffff Private Memory rw True False False -
svchost.exe 0x00ae0000 0x00ae7fff Memory Mapped File rwx False False False -
sortdefault.nls 0x00af0000 0x00dbefff Memory Mapped File r False False False -
private_0x0000000000dc0000 0x00dc0000 0x00efffff Private Memory rw True False False -
private_0x0000000000dd0000 0x00dd0000 0x00e0ffff Private Memory rw True False False -
private_0x0000000000e30000 0x00e30000 0x00e6ffff Private Memory rw True False False -
private_0x0000000000ec0000 0x00ec0000 0x00efffff Private Memory rw True False False -
private_0x0000000000f00000 0x00f00000 0x010dffff Private Memory rw True False False -
private_0x0000000000f10000 0x00f10000 0x00f4ffff Private Memory rw True False False -
private_0x0000000000f50000 0x00f50000 0x00f8ffff Private Memory rw True False False -
private_0x0000000000f70000 0x00f70000 0x00faffff Private Memory rw True False False -
private_0x0000000000f90000 0x00f90000 0x00fcffff Private Memory rw True False False -
private_0x0000000000fd0000 0x00fd0000 0x0100ffff Private Memory rw True False False -
private_0x0000000001030000 0x01030000 0x0106ffff Private Memory rw True False False -
private_0x00000000010a0000 0x010a0000 0x010dffff Private Memory rw True False False -
private_0x00000000010e0000 0x010e0000 0x0125ffff Private Memory rw True False False -
private_0x00000000010e0000 0x010e0000 0x0111ffff Private Memory rw True False False -
private_0x00000000010f0000 0x010f0000 0x0112ffff Private Memory rw True False False -
private_0x0000000001130000 0x01130000 0x0122ffff Private Memory rw True False False -
private_0x0000000001250000 0x01250000 0x0125ffff Private Memory rw True False False -
private_0x0000000001260000 0x01260000 0x0129ffff Private Memory rw True False False -
private_0x00000000012a0000 0x012a0000 0x012dffff Private Memory rw True False False -
private_0x00000000012e0000 0x012e0000 0x0140ffff Private Memory rw True False False -
private_0x00000000012e0000 0x012e0000 0x013dffff Private Memory rw True False False -
private_0x0000000001310000 0x01310000 0x0134ffff Private Memory rw True False False -
private_0x0000000001380000 0x01380000 0x013bffff Private Memory rw True False False -
private_0x0000000001400000 0x01400000 0x0140ffff Private Memory rw True False False -
private_0x0000000001410000 0x01410000 0x0156ffff Private Memory rw True False False -
private_0x0000000001410000 0x01410000 0x0150ffff Private Memory rw True False False -
private_0x0000000001560000 0x01560000 0x0156ffff Private Memory rw True False False -
private_0x00000000015a0000 0x015a0000 0x015dffff Private Memory rw True False False -
private_0x0000000001610000 0x01610000 0x0164ffff Private Memory rw True False False -
private_0x0000000001680000 0x01680000 0x016bffff Private Memory rw True False False -
nlasvc.dll 0x71150000 0x7118dfff Memory Mapped File rwx False False False -
ssdpapi.dll 0x71270000 0x7127cfff Memory Mapped File rwx False False False -
ncsi.dll 0x712b0000 0x712d7fff Memory Mapped File rwx False False False -
vsstrace.dll 0x71380000 0x7138ffff Memory Mapped File rwx False False False -
vssapi.dll 0x71390000 0x714a5fff Memory Mapped File rwx False False False -
cryptsvc.dll 0x714e0000 0x71503fff Memory Mapped File rwx False False False -
wkssvc.dll 0x71520000 0x71536fff Memory Mapped File rwx False False False -
webio.dll 0x71820000 0x7186efff Memory Mapped File rwx False False False -
dhcpcsvc.dll 0x71cf0000 0x71d01fff Memory Mapped File rwx False False False -
dhcpcsvc6.dll 0x71d10000 0x71d1cfff Memory Mapped File rwx False False False -
fwpuclnt.dll 0x71d20000 0x71d57fff Memory Mapped File rwx False False False -
dnsrslvr.dll 0x71d60000 0x71d82fff Memory Mapped File rwx False False False -
dnsext.dll 0x720e0000 0x720e4fff Memory Mapped File rwx False False False -
winhttp.dll 0x721c0000 0x72217fff Memory Mapped File rwx False False False -
winnsi.dll 0x72220000 0x72226fff Memory Mapped File rwx False False False -
iphlpapi.dll 0x72230000 0x7224bfff Memory Mapped File rwx False False False -
es.dll 0x735b0000 0x735f6fff Memory Mapped File rwx False False False -
atl.dll 0x73680000 0x73693fff Memory Mapped File rwx False False False -
samcli.dll 0x73ba0000 0x73baefff Memory Mapped File rwx False False False -
wkscli.dll 0x73bb0000 0x73bbefff Memory Mapped File rwx False False False -
netutils.dll 0x73bc0000 0x73bc8fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x73cd0000 0x73cdcfff Memory Mapped File rwx False False False -
propsys.dll 0x74190000 0x74284fff Memory Mapped File rwx False False False -
samlib.dll 0x74290000 0x742a1fff Memory Mapped File rwx False False False -
wshtcpip.dll 0x74900000 0x74904fff Memory Mapped File rwx False False False -
gpapi.dll 0x749b0000 0x749c5fff Memory Mapped File rwx False False False -
userenv.dll 0x749d0000 0x749e6fff Memory Mapped File rwx False False False -
credssp.dll 0x74ad0000 0x74ad7fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74b00000 0x74b3cfff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bc0000 0x74bfafff Memory Mapped File rwx False False False -
dnsapi.dll 0x74ca0000 0x74ce3fff Memory Mapped File rwx False False False -
wship6.dll 0x74dd0000 0x74dd5fff Memory Mapped File rwx False False False -
mswsock.dll 0x74de0000 0x74e1bfff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e20000 0x74e35fff Memory Mapped File rwx False False False -
netjoin.dll 0x74ef0000 0x74f1afff Memory Mapped File rwx False False False -
bcrypt.dll 0x74f30000 0x74f46fff Memory Mapped File rwx False False False -
wevtapi.dll 0x74fc0000 0x75001fff Memory Mapped File rwx False False False -
secur32.dll 0x75210000 0x75217fff Memory Mapped File rwx False False False -
sspicli.dll 0x75250000 0x7526afff Memory Mapped File rwx False False False -
winsta.dll 0x75270000 0x75298fff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75310000 0x7531dfff Memory Mapped File rwx False False False -
profapi.dll 0x75320000 0x7532afff Memory Mapped File rwx False False False -
msasn1.dll 0x75390000 0x7539bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
crypt32.dll 0x75480000 0x7559cfff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x755f0000 0x75616fff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
oleaut32.dll 0x767c0000 0x7684efff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
ole32.dll 0x76a70000 0x76bcbfff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
ws2_32.dll 0x76ec0000 0x76ef4fff Memory Mapped File rwx False False False -
clbcatq.dll 0x76f00000 0x76f82fff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
nsi.dll 0x77310000 0x77315fff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
private_0x000000007ffab000 0x7ffab000 0x7ffabfff Private Memory rw True False False -
private_0x000000007ffac000 0x7ffac000 0x7ffacfff Private Memory rw True False False -
private_0x000000007ffad000 0x7ffad000 0x7ffadfff Private Memory rw True False False -
private_0x000000007ffae000 0x7ffae000 0x7ffaefff Private Memory rw True False False -
private_0x000000007ffaf000 0x7ffaf000 0x7ffaffff Private Memory rw True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd3000 0x7ffd3000 0x7ffd3fff Private Memory rw True False False -
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory rw True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd5fff Private Memory rw True False False -
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory rw True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
For performance reasons, the remaining 5 entries are omitted.
The remaining entries can be found in flog.txt.
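The region tables in this report (the one above for process #31 and the ones that follow for spoolsv.exe, taskhost.exe and the second svchost.exe) share one column layout: Name, Start VA, End VA, Type, Permissions, Monitored, Dumped, YARA, Actions. The Python below is an added example, not part of the VMRay report or of VMRay's own tooling. It parses rows in that layout, lists which images a process has loaded, flags executable regions that are not image-backed (the usual indicator of injected or unpacked code), sums the footprint per region type, and checks the module list against a watchlist. One observation drives the design: every mapped DLL and EXE in these tables is reported as rwx, so the Permissions column on its own does not separate normal image mappings from suspicious memory; the check keys on the Type column as well. The sample table is constructed for the example: most rows are copied from the process #31 table, and the final `private_0x0000000002000000` row is made up to exercise the injection check. The watchlist is an assumption chosen because vssapi.dll and vsstrace.dll appear in process #31's table.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Column layout of the memory-region tables in the report:
# Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
REGION_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<start>0x[0-9a-fA-F]+)\s+(?P<end>0x[0-9a-fA-F]+)\s+"
    r"(?P<type>Private Memory|Pagefile Backed Memory|Memory Mapped File)\s+"
    r"(?P<perm>[rwx]+)\s+(?P<monitored>True|False)\s+(?P<dumped>True|False)\s+"
    r"(?P<yara>True|False)\s+(?P<actions>\S+)\s*$"
)

# Assumed watchlist: VSS client libraries, relevant because they show up in
# the NetworkService svchost.exe table of this report.
VSS_WATCHLIST = ("vssapi.dll", "vsstrace.dll")

# Constructed sample. All rows but the last are copied from process #31's
# table; the final Private Memory rwx row is invented to trigger the check.
SAMPLE_TABLE = """
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
svchost.exe 0x00ae0000 0x00ae7fff Memory Mapped File rwx False False False -
vsstrace.dll 0x71380000 0x7138ffff Memory Mapped File rwx False False False -
vssapi.dll 0x71390000 0x714a5fff Memory Mapped File rwx False False False -
cryptsvc.dll 0x714e0000 0x71503fff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
private_0x0000000002000000 0x02000000 0x0200ffff Private Memory rwx True True False -
For performance reasons, the remaining 5 entries are omitted.
"""


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int
    kind: str
    perm: str
    monitored: bool
    dumped: bool
    yara: bool
    actions: str

    @property
    def size(self) -> int:
        # End VA is inclusive in the report (it ends in ...fff), hence the +1.
        return self.end - self.start + 1

    @property
    def executable(self) -> bool:
        return "x" in self.perm

    @property
    def is_image(self) -> bool:
        # Loaded images appear as Memory Mapped File rows named after the module.
        return self.kind == "Memory Mapped File" and self.name.lower().endswith((".dll", ".exe"))


def parse_regions(lines: Iterable[str]) -> list[Region]:
    """Parse region rows; header lines and report notes simply do not match."""
    regions: list[Region] = []
    for line in lines:
        m = REGION_RE.match(line.strip())
        if not m:
            continue
        regions.append(Region(
            name=m["name"], start=int(m["start"], 16), end=int(m["end"], 16),
            kind=m["type"], perm=m["perm"],
            monitored=m["monitored"] == "True", dumped=m["dumped"] == "True",
            yara=m["yara"] == "True", actions=m["actions"],
        ))
    return regions


def loaded_modules(regions: Iterable[Region]) -> set[str]:
    """Lower-cased names of every image-backed region (the process's module list)."""
    return {r.name.lower() for r in regions if r.is_image}


def executable_non_image(regions: Iterable[Region]) -> list[Region]:
    """Executable memory not backed by an image: where injected or unpacked code lives."""
    return [r for r in regions if r.executable and not r.is_image]


def summarize(regions: Iterable[Region]) -> dict[str, int]:
    """Bytes per region type, a quick view of a process's memory footprint."""
    totals: dict[str, int] = {}
    for r in regions:
        totals[r.kind] = totals.get(r.kind, 0) + r.size
    return totals


def modules_matching(regions: Iterable[Region], watchlist: Iterable[str]) -> set[str]:
    """Which watchlisted modules this process has mapped."""
    return loaded_modules(regions) & {w.lower() for w in watchlist}


if __name__ == "__main__":
    regs = parse_regions(SAMPLE_TABLE.splitlines())
    print("modules:", sorted(loaded_modules(regs)))
    for r in executable_non_image(regs):
        print(f"executable non-image region: {r.name} {r.start:#010x}-{r.end:#010x} "
              f"{r.perm} dumped={r.dumped}")
    print("watchlist hits:", sorted(modules_matching(regs, VSS_WATCHLIST)))
    print("footprint:", summarize(regs))
```

Run against a whole report, feed each process's table to `parse_regions` separately, since addresses and module sets only make sense per process. The Dumped column is worth keeping: when VMRay marks an executable private region as dumped, that dump is the artifact to take to static analysis.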
Process #32: spoolsv.exe
Information Value
ID #32
File Name c:\windows\system32\spoolsv.exe
Command Line C:\Windows\System32\spoolsv.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:28, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:00:50
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x52c
Parent PID 0x1a8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x530, 0x53C, 0x540, 0x544, 0x554, 0x560
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x0010ffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0036ffff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x001d7fff Pagefile Backed Memory r True False False -
imm32.dll 0x001e0000 0x001fcfff Memory Mapped File r False False False -
private_0x00000000001e0000 0x001e0000 0x001e0fff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory rw True False False -
rpcss.dll 0x00200000 0x0025bfff Memory Mapped File r False False False -
private_0x0000000000200000 0x00200000 0x00200fff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
private_0x0000000000370000 0x00370000 0x004effff Private Memory rw True False False -
pagefile_0x0000000000370000 0x00370000 0x00470fff Pagefile Backed Memory r True False False -
private_0x00000000004a0000 0x004a0000 0x004dffff Private Memory rw True False False -
private_0x00000000004e0000 0x004e0000 0x004effff Private Memory rw True False False -
pagefile_0x00000000004f0000 0x004f0000 0x008e2fff Pagefile Backed Memory r True False False -
private_0x00000000008f0000 0x008f0000 0x0099ffff Private Memory rw True False False -
private_0x0000000000910000 0x00910000 0x0094ffff Private Memory rw True False False -
private_0x0000000000960000 0x00960000 0x0099ffff Private Memory rw True False False -
private_0x00000000009b0000 0x009b0000 0x009effff Private Memory rw True False False -
private_0x0000000000a30000 0x00a30000 0x00a6ffff Private Memory rw True False False -
private_0x0000000000a70000 0x00a70000 0x00beffff Private Memory rw True False False -
private_0x0000000000bf0000 0x00bf0000 0x00d6ffff Private Memory rw True False False -
spoolsv.exe 0x00f70000 0x00fbffff Memory Mapped File rwx False False False -
pagefile_0x0000000000fc0000 0x00fc0000 0x01bbffff Pagefile Backed Memory r True False False -
slc.dll 0x73610000 0x73619fff Memory Mapped File rwx False False False -
powrprof.dll 0x738f0000 0x73914fff Memory Mapped File rwx False False False -
credssp.dll 0x74ad0000 0x74ad7fff Memory Mapped File rwx False False False -
dnsapi.dll 0x74ca0000 0x74ce3fff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e20000 0x74e35fff Memory Mapped File rwx False False False -
secur32.dll 0x75210000 0x75217fff Memory Mapped File rwx False False False -
sspicli.dll 0x75250000 0x7526afff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75310000 0x7531dfff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
devobj.dll 0x755d0000 0x755e1fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x755f0000 0x75616fff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
oleaut32.dll 0x767c0000 0x7684efff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
ole32.dll 0x76a70000 0x76bcbfff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
ws2_32.dll 0x76ec0000 0x76ef4fff Memory Mapped File rwx False False False -
setupapi.dll 0x76f90000 0x7712cfff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
nsi.dll 0x77310000 0x77315fff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #33: taskhost.exe
Information Value
ID #33
File Name c:\windows\system32\taskhost.exe
Command Line "taskhost.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:29, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:00:49
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x548
Parent PID 0x1a8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x54C, 0x55C, 0x564, 0x570, 0x574, 0x578, 0x58C, 0x594, 0x598, 0x5A0, 0x628, 0x644, 0x7A8, 0x7D0, 0x7EC
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
locale.nls 0x00040000 0x000a6fff Memory Mapped File r False False False -
pagefile_0x00000000000b0000 0x000b0000 0x00177fff Pagefile Backed Memory r True False False -
imm32.dll 0x00180000 0x0019cfff Memory Mapped File r False False False -
pagefile_0x0000000000180000 0x00180000 0x00181fff Pagefile Backed Memory rw True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x001a0fff Private Memory rw True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c0fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x004dffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0035ffff Private Memory rw True False False -
pagefile_0x0000000000210000 0x00210000 0x00310fff Pagefile Backed Memory r True False False -
sptip.dll 0x00320000 0x0033efff Memory Mapped File r False False False -
pagefile_0x0000000000320000 0x00320000 0x00321fff Pagefile Backed Memory rw True False False -
msutb.dll.mui 0x00330000 0x00331fff Memory Mapped File rw False False False -
private_0x0000000000340000 0x00340000 0x00340fff Private Memory rw True False False -
private_0x0000000000350000 0x00350000 0x0035ffff Private Memory rw True False False -
rpcss.dll 0x00360000 0x003bbfff Memory Mapped File r False False False -
input.dll 0x00360000 0x00391fff Memory Mapped File r False False False -
tiptsf.dll 0x00360000 0x003b4fff Memory Mapped File r False False False -
tabletextservice.dll 0x00360000 0x003affff Memory Mapped File r False False False -
private_0x0000000000360000 0x00360000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x00380fff Private Memory rw True False False -
rsaenh.dll 0x00390000 0x003cbfff Memory Mapped File r False False False -
pagefile_0x0000000000390000 0x00390000 0x00392fff Pagefile Backed Memory r True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
pagefile_0x00000000004e0000 0x004e0000 0x008d2fff Pagefile Backed Memory r True False False -
private_0x0000000000910000 0x00910000 0x0094ffff Private Memory rw True False False -
private_0x0000000000950000 0x00950000 0x0098ffff Private Memory rw True False False -
pagefile_0x0000000000990000 0x00990000 0x00a6efff Pagefile Backed Memory r True False False -
private_0x0000000000a80000 0x00a80000 0x00abffff Private Memory rw True False False -
private_0x0000000000ac0000 0x00ac0000 0x00cdffff Private Memory rw True False False -
private_0x0000000000ac0000 0x00ac0000 0x00afffff Private Memory rw True False False -
private_0x0000000000af0000 0x00af0000 0x00b2ffff Private Memory rw True False False -
private_0x0000000000b30000 0x00b30000 0x00b6ffff Private Memory rw True False False -
private_0x0000000000b80000 0x00b80000 0x00bbffff Private Memory rw True False False -
private_0x0000000000c20000 0x00c20000 0x00c5ffff Private Memory rw True False False -
private_0x0000000000c60000 0x00c60000 0x00c9ffff Private Memory rw True False False -
private_0x0000000000ca0000 0x00ca0000 0x00cdffff Private Memory rw True False False -
private_0x0000000000ce0000 0x00ce0000 0x00e3ffff Private Memory rw True False False -
kernelbase.dll.mui 0x00ce0000 0x00d9ffff Memory Mapped File rw False False False -
private_0x0000000000db0000 0x00db0000 0x00deffff Private Memory rw True False False -
private_0x0000000000e00000 0x00e00000 0x00e3ffff Private Memory rw True False False -
private_0x0000000000e40000 0x00e40000 0x00f2ffff Private Memory rw True False False -
private_0x0000000000e60000 0x00e60000 0x00e9ffff Private Memory rw True False False -
private_0x0000000000ef0000 0x00ef0000 0x00f2ffff Private Memory rw True False False -
taskhost.exe 0x00fa0000 0x00faefff Memory Mapped File rwx False False False -
pagefile_0x0000000000fb0000 0x00fb0000 0x01baffff Pagefile Backed Memory r True False False -
private_0x0000000001bf0000 0x01bf0000 0x01c2ffff Private Memory rw True False False -
private_0x0000000001c30000 0x01c30000 0x01c6ffff Private Memory rw True False False -
private_0x0000000001c30000 0x01c30000 0x01d2ffff Private Memory rw True False False -
private_0x0000000001d30000 0x01d30000 0x01deffff Private Memory rw True False False -
sortdefault.nls 0x01df0000 0x020befff Memory Mapped File r False False False -
pautoenr.dll 0x70220000 0x7022cfff Memory Mapped File rwx False False False -
dimsjob.dll 0x703a0000 0x703aafff Memory Mapped File rwx False False False -
npmproxy.dll 0x70590000 0x70597fff Memory Mapped File rwx False False False -
netprofm.dll 0x70870000 0x708c9fff Memory Mapped File rwx False False False -
playsndsrv.dll 0x71870000 0x71885fff Memory Mapped File rwx False False False -
msutb.dll 0x71890000 0x718bbfff Memory Mapped File rwx False False False -
msctfmonitor.dll 0x718c0000 0x718c7fff Memory Mapped File rwx False False False -
hotstartuseragent.dll 0x71980000 0x71988fff Memory Mapped File rwx False False False -
slc.dll 0x73610000 0x73619fff Memory Mapped File rwx False False False -
atl.dll 0x73680000 0x73693fff Memory Mapped File rwx False False False -
taskschd.dll 0x736a0000 0x7371cfff Memory Mapped File rwx False False False -
nlaapi.dll 0x73750000 0x7375ffff Memory Mapped File rwx False False False -
wtsapi32.dll 0x73cd0000 0x73cdcfff Memory Mapped File rwx False False False -
dwmapi.dll 0x73e20000 0x73e32fff Memory Mapped File rwx False False False -
winmm.dll 0x73fa0000 0x73fd1fff Memory Mapped File rwx False False False -
uxtheme.dll 0x74150000 0x7418ffff Memory Mapped File rwx False False False -
certenroll.dll 0x74560000 0x746a7fff Memory Mapped File rwx False False False -
certcli.dll 0x746d0000 0x74725fff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bc0000 0x74bfafff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e20000 0x74e35fff Memory Mapped File rwx False False False -
sspicli.dll 0x75250000 0x7526afff Memory Mapped File rwx False False False -
winsta.dll 0x75270000 0x75298fff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75310000 0x7531dfff Memory Mapped File rwx False False False -
msasn1.dll 0x75390000 0x7539bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
crypt32.dll 0x75480000 0x7559cfff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
shlwapi.dll 0x765e0000 0x76636fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
oleaut32.dll 0x767c0000 0x7684efff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
ole32.dll 0x76a70000 0x76bcbfff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
clbcatq.dll 0x76f00000 0x76f82fff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
nsi.dll 0x77310000 0x77315fff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
wldap32.dll 0x77370000 0x773b4fff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory rw True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd5fff Private Memory rw True False False -
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory rw True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #34: svchost.exe
Information Value
ID #34
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:29, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:00:49
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x568
Parent PID 0x1a8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Local Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x56C, 0x57C, 0x580, 0x584, 0x588, 0x590, 0x5A4, 0x5AC, 0x5B4, 0x5B8, 0x5BC, 0x5C0, 0x5C8, 0x5E8, 0x5F8, 0x5FC, 0x600, 0x608, 0x640, 0x6F8, 0x71C, 0x720, 0x724, 0x744, 0x758, 0x764, 0x768, 0x774, 0x7B0
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
imm32.dll 0x000c0000 0x000dcfff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x0012ffff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x0037ffff Private Memory rw True False False -
pagefile_0x0000000000130000 0x00130000 0x001f7fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000200000 0x00200000 0x0027ffff Pagefile Backed Memory r True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0054ffff Private Memory rw True False False -
pagefile_0x0000000000380000 0x00380000 0x00480fff Pagefile Backed Memory r True False False -
rpcss.dll 0x00490000 0x004ebfff Memory Mapped File r False False False -
private_0x0000000000490000 0x00490000 0x004cffff Private Memory rw True False False -
firewallapi.dll.mui 0x004d0000 0x004ebfff Memory Mapped File rw False False False -
private_0x00000000004f0000 0x004f0000 0x0052ffff Private Memory rw True False False -
private_0x0000000000530000 0x00530000 0x00530fff Private Memory rw True False False -
private_0x0000000000540000 0x00540000 0x0054ffff Private Memory rw True False False -
pagefile_0x0000000000550000 0x00550000 0x00942fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000950000 0x00950000 0x00950fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000960000 0x00960000 0x00960fff Pagefile Backed Memory r True False False -
private_0x0000000000970000 0x00970000 0x00970fff Private Memory rw True False False -
private_0x0000000000970000 0x00970000 0x00977fff Private Memory rw True False False -
private_0x0000000000980000 0x00980000 0x00983fff Private Memory rw True False False -
private_0x0000000000990000 0x00990000 0x00993fff Private Memory rw True False False -
private_0x00000000009a0000 0x009a0000 0x009dffff Private Memory rw True False False -
private_0x00000000009a0000 0x009a0000 0x009a3fff Private Memory rw True False False -
private_0x00000000009b0000 0x009b0000 0x009b0fff Private Memory rw True False False -
private_0x00000000009c0000 0x009c0000 0x009c1fff Private Memory rw True False False -
private_0x00000000009d0000 0x009d0000 0x00a0ffff Private Memory rw True False False -
private_0x0000000000a10000 0x00a10000 0x00a4ffff Private Memory rw True False False -
private_0x0000000000a50000 0x00a50000 0x00a50fff Private Memory rw True False False -
private_0x0000000000a60000 0x00a60000 0x00a9ffff Private Memory rw True False False -
private_0x0000000000aa0000 0x00aa0000 0x00aa0fff Private Memory rw True False False -
private_0x0000000000ab0000 0x00ab0000 0x00ab0fff Private Memory rw True False False -
private_0x0000000000ac0000 0x00ac0000 0x00ac0fff Private Memory rw True False False -
private_0x0000000000ad0000 0x00ad0000 0x00ad0fff Private Memory rw True False False -
svchost.exe 0x00ae0000 0x00ae7fff Memory Mapped File rwx False False False -
private_0x0000000000af0000 0x00af0000 0x00b2ffff Private Memory rw True False False -
private_0x0000000000b30000 0x00b30000 0x00b30fff Private Memory rw True False False -
private_0x0000000000b40000 0x00b40000 0x00b7ffff Private Memory rw True False False -
sortdefault.nls 0x00b80000 0x00e4efff Memory Mapped File r False False False -
private_0x0000000000e50000 0x00e50000 0x00efffff Private Memory rw True False False -
private_0x0000000000e50000 0x00e50000 0x00e8ffff Private Memory rw True False False -
private_0x0000000000e90000 0x00e90000 0x00e90fff Private Memory rw True False False -
private_0x0000000000ea0000 0x00ea0000 0x00ea0fff Private Memory rw True False False -
private_0x0000000000eb0000 0x00eb0000 0x00eb0fff Private Memory rw True False False -
private_0x0000000000ec0000 0x00ec0000 0x00efffff Private Memory rw True False False -
private_0x0000000000f00000 0x00f00000 0x00f00fff Private Memory rw True False False -
private_0x0000000000f10000 0x00f10000 0x00f10fff Private Memory rw True False False -
private_0x0000000000f20000 0x00f20000 0x00f20fff Private Memory rw True False False -
private_0x0000000000f30000 0x00f30000 0x00f30fff Private Memory rw True False False -
snmptrap.exe 0x00f40000 0x00f45fff Memory Mapped File rwx False False False -
private_0x0000000000f40000 0x00f40000 0x00f52fff Private Memory - True False False -
servicemodelevents.dll.mui 0x00f40000 0x00f4afff Memory Mapped File rw False False False -
private_0x0000000000f70000 0x00f70000 0x00faffff Private Memory rw True False False -
private_0x0000000000fb0000 0x00fb0000 0x010affff Private Memory rw True False False -
private_0x00000000010c0000 0x010c0000 0x010fffff Private Memory rw True False False -
private_0x0000000001100000 0x01100000 0x011fffff Private Memory rw True False False -
private_0x0000000001120000 0x01120000 0x0115ffff Private Memory rw True False False -
private_0x0000000001160000 0x01160000 0x012fffff Private Memory rw True False False -
private_0x0000000001280000 0x01280000 0x012bffff Private Memory rw True False False -
private_0x00000000012c0000 0x012c0000 0x012fffff Private Memory rw True False False -
private_0x0000000001390000 0x01390000 0x013cffff Private Memory rw True False False -
private_0x00000000013e0000 0x013e0000 0x0141ffff Private Memory rw True False False -
private_0x0000000001470000 0x01470000 0x014affff Private Memory rw True False False -
private_0x0000000001500000 0x01500000 0x0153ffff Private Memory rw True False False -
mscms.dll 0x71110000 0x71188fff Memory Mapped File rwx False False False -
servicemodelevents.dll 0x71140000 0x71141fff Memory Mapped File rwx True False False -
pcasvc.dll 0x71160000 0x71187fff Memory Mapped File rwx False False False -
mscms.dll 0x71260000 0x712d8fff Memory Mapped File rwx False False False -
servicemodelevents.dll 0x71260000 0x71261fff Memory Mapped File rwx True False False -
pcasvc.dll 0x712b0000 0x712d7fff Memory Mapped File rwx False False False -
wfapigp.dll 0x71370000 0x71377fff Memory Mapped File rwx False False False -
dps.dll 0x714b0000 0x714d4fff Memory Mapped File rwx False False False -
wshqos.dll 0x71510000 0x71515fff Memory Mapped File rwx False False False -
mpssvc.dll 0x71790000 0x7181cfff Memory Mapped File rwx False False False -
bfe.dll 0x718d0000 0x7194dfff Memory Mapped File rwx False False False -
dhcpcsvc.dll 0x71cf0000 0x71d01fff Memory Mapped File rwx False False False -
dhcpcsvc6.dll 0x71d10000 0x71d1cfff Memory Mapped File rwx False False False -
fwpuclnt.dll 0x71d20000 0x71d57fff Memory Mapped File rwx False False False -
dhcpcore.dll 0x71e00000 0x71e3ffff Memory Mapped File rwx False False False -
lmhsvc.dll 0x72140000 0x72147fff Memory Mapped File rwx False False False -
winnsi.dll 0x72220000 0x72226fff Memory Mapped File rwx False False False -
iphlpapi.dll 0x72230000 0x7224bfff Memory Mapped File rwx False False False -
slc.dll 0x73610000 0x73619fff Memory Mapped File rwx False False False -
taskschd.dll 0x736a0000 0x7371cfff Memory Mapped File rwx False False False -
ntmarta.dll 0x74730000 0x74750fff Memory Mapped File rwx False False False -
version.dll 0x74870000 0x74878fff Memory Mapped File rwx False False False -
firewallapi.dll 0x74880000 0x748f5fff Memory Mapped File rwx False False False -
wshtcpip.dll 0x74900000 0x74904fff Memory Mapped File rwx False False False -
pcwum.dll 0x74980000 0x7498afff Memory Mapped File rwx False False False -
gpapi.dll 0x749b0000 0x749c5fff Memory Mapped File rwx False False False -
userenv.dll 0x749d0000 0x749e6fff Memory Mapped File rwx False False False -
credssp.dll 0x74ad0000 0x74ad7fff Memory Mapped File rwx False False False -
wship6.dll 0x74dd0000 0x74dd5fff Memory Mapped File rwx False False False -
mswsock.dll 0x74de0000 0x74e1bfff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e20000 0x74e35fff Memory Mapped File rwx False False False -
authz.dll 0x74f90000 0x74faafff Memory Mapped File rwx False False False -
secur32.dll 0x75210000 0x75217fff Memory Mapped File rwx False False False -
sspicli.dll 0x75250000 0x7526afff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75310000 0x7531dfff Memory Mapped File rwx False False False -
profapi.dll 0x75320000 0x7532afff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x755f0000 0x75616fff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
shlwapi.dll 0x765e0000 0x76636fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
oleaut32.dll 0x767c0000 0x7684efff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
ole32.dll 0x76a70000 0x76bcbfff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
ws2_32.dll 0x76ec0000 0x76ef4fff Memory Mapped File rwx False False False -
clbcatq.dll 0x76f00000 0x76f82fff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
nsi.dll 0x77310000 0x77315fff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
wldap32.dll 0x77370000 0x773b4fff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
private_0x000000007ffac000 0x7ffac000 0x7ffacfff Private Memory rw True False False -
private_0x000000007ffad000 0x7ffad000 0x7ffadfff Private Memory rw True False False -
private_0x000000007ffae000 0x7ffae000 0x7ffaefff Private Memory rw True False False -
private_0x000000007ffaf000 0x7ffaf000 0x7ffaffff Private Memory rw True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd3000 0x7ffd3000 0x7ffd3fff Private Memory rw True False False -
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory rw True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd5fff Private Memory rw True False False -
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory rw True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
For performance reasons, the remaining 60 entries are omitted.
The remaining entries can be found in flog.txt.
Process #35: svchost.exe
Information Value
ID #35
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:35, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:00:43
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x5ec
Parent PID 0x1a8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Local Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x5F0, 0x5F4, 0x610, 0x614, 0x618, 0x630, 0x648, 0x64C, 0x650, 0x654, 0x658, 0x65C, 0x6B8, 0x728
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
private_0x0000000000030000 0x00030000 0x0006ffff Private Memory rw True False False -
pagefile_0x0000000000070000 0x00070000 0x00073fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000080000 0x00080000 0x00080fff Pagefile Backed Memory r True False False -
private_0x0000000000090000 0x00090000 0x0020ffff Private Memory rw True False False -
locale.nls 0x00090000 0x000f6fff Memory Mapped File r False False False -
pagefile_0x0000000000100000 0x00100000 0x00101fff Pagefile Backed Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0031ffff Private Memory rw True False False -
pagefile_0x0000000000210000 0x00210000 0x002d7fff Pagefile Backed Memory r True False False -
imm32.dll 0x002e0000 0x002fcfff Memory Mapped File r False False False -
private_0x00000000002e0000 0x002e0000 0x002e0fff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x002f0fff Private Memory rw True False False -
pagefile_0x0000000000300000 0x00300000 0x00300fff Pagefile Backed Memory r True False False -
private_0x0000000000310000 0x00310000 0x0031ffff Private Memory rw True False False -
pagefile_0x0000000000320000 0x00320000 0x00420fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000430000 0x00430000 0x004affff Pagefile Backed Memory r True False False -
pagefile_0x00000000004b0000 0x004b0000 0x008a2fff Pagefile Backed Memory r True False False -
rpcss.dll 0x008b0000 0x0090bfff Memory Mapped File r False False False -
pagefile_0x00000000008b0000 0x008b0000 0x008b0fff Pagefile Backed Memory r True False False -
msxml6r.dll 0x008c0000 0x008c0fff Memory Mapped File r False False False -
private_0x00000000008d0000 0x008d0000 0x008effff Private Memory - True False False -
private_0x0000000000910000 0x00910000 0x0094ffff Private Memory rw True False False -
rsaenh.dll 0x00950000 0x0098bfff Memory Mapped File r False False False -
private_0x00000000009b0000 0x009b0000 0x009effff Private Memory rw True False False -
private_0x0000000000a40000 0x00a40000 0x00a7ffff Private Memory rw True False False -
svchost.exe 0x00ae0000 0x00ae7fff Memory Mapped File rwx False False False -
private_0x0000000000b10000 0x00b10000 0x00b4ffff Private Memory rw True False False -
private_0x0000000000b70000 0x00b70000 0x00baffff Private Memory rw True False False -
private_0x0000000000bf0000 0x00bf0000 0x00c2ffff Private Memory rw True False False -
private_0x0000000000c20000 0x00c20000 0x00c5ffff Private Memory rw True False False -
sortdefault.nls 0x00c60000 0x00f2efff Memory Mapped File r False False False -
private_0x0000000000f30000 0x00f30000 0x0102ffff Private Memory rw True False False -
private_0x0000000001050000 0x01050000 0x0108ffff Private Memory rw True False False -
private_0x00000000010b0000 0x010b0000 0x010effff Private Memory rw True False False -
private_0x00000000010f0000 0x010f0000 0x0119ffff Private Memory rw True False False -
private_0x00000000011a0000 0x011a0000 0x0123ffff Private Memory rw True False False -
private_0x0000000001240000 0x01240000 0x012effff Private Memory rw True False False -
private_0x0000000001260000 0x01260000 0x0129ffff Private Memory rw True False False -
private_0x00000000012b0000 0x012b0000 0x012effff Private Memory rw True False False -
kernelbase.dll.mui 0x012f0000 0x013affff Memory Mapped File rw False False False -
private_0x00000000013b0000 0x013b0000 0x017affff Private Memory rw True False False -
private_0x00000000017d0000 0x017d0000 0x0180ffff Private Memory rw True False False -
private_0x0000000001830000 0x01830000 0x0186ffff Private Memory rw True False False -
msxml6.dll 0x70ff0000 0x71147fff Memory Mapped File rwx False False False -
webservices.dll 0x71190000 0x71251fff Memory Mapped File rwx False False False -
httpapi.dll 0x71260000 0x7126afff Memory Mapped File rwx False False False -
fundisc.dll 0x71280000 0x712aafff Memory Mapped File rwx False False False -
wsdapi.dll 0x712e0000 0x71352fff Memory Mapped File rwx False False False -
fdrespub.dll 0x71360000 0x71369fff Memory Mapped File rwx False False False -
wshqos.dll 0x71510000 0x71515fff Memory Mapped File rwx False False False -
webio.dll 0x71820000 0x7186efff Memory Mapped File rwx False False False -
dhcpcsvc.dll 0x71cf0000 0x71d01fff Memory Mapped File rwx False False False -
dhcpcsvc6.dll 0x71d10000 0x71d1cfff Memory Mapped File rwx False False False -
winhttp.dll 0x721c0000 0x72217fff Memory Mapped File rwx False False False -
winnsi.dll 0x72220000 0x72226fff Memory Mapped File rwx False False False -
iphlpapi.dll 0x72230000 0x7224bfff Memory Mapped File rwx False False False -
atl.dll 0x73680000 0x73693fff Memory Mapped File rwx False False False -
wkscli.dll 0x73bb0000 0x73bbefff Memory Mapped File rwx False False False -
netutils.dll 0x73bc0000 0x73bc8fff Memory Mapped File rwx False False False -
xmllite.dll 0x73df0000 0x73e1efff Memory Mapped File rwx False False False -
version.dll 0x74870000 0x74878fff Memory Mapped File rwx False False False -
firewallapi.dll 0x74880000 0x748f5fff Memory Mapped File rwx False False False -
wshtcpip.dll 0x74900000 0x74904fff Memory Mapped File rwx False False False -
pcwum.dll 0x74980000 0x7498afff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bc0000 0x74bfafff Memory Mapped File rwx False False False -
wship6.dll 0x74dd0000 0x74dd5fff Memory Mapped File rwx False False False -
mswsock.dll 0x74de0000 0x74e1bfff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e20000 0x74e35fff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
shlwapi.dll 0x765e0000 0x76636fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
oleaut32.dll 0x767c0000 0x7684efff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
ole32.dll 0x76a70000 0x76bcbfff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
ws2_32.dll 0x76ec0000 0x76ef4fff Memory Mapped File rwx False False False -
clbcatq.dll 0x76f00000 0x76f82fff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
nsi.dll 0x77310000 0x77315fff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd3000 0x7ffd3000 0x7ffd3fff Private Memory rw True False False -
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory rw True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd5fff Private Memory rw True False False -
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory rw True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #36: sppsvc.exe
Information Value
ID #36
File Name c:\windows\system32\sppsvc.exe
Command Line C:\Windows\system32\sppsvc.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:49, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:00:29
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x6d0
Parent PID 0x1a8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Network Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x6D4, 0x6E4, 0x6E8, 0x6EC, 0x6F0, 0x794, 0x7B4, 0x7D4
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
imm32.dll 0x00050000 0x0006cfff Memory Mapped File r False False False -
pagefile_0x0000000000050000 0x00050000 0x00051fff Pagefile Backed Memory rw True False False -
private_0x0000000000060000 0x00060000 0x00060fff Private Memory rw True False False -
private_0x0000000000070000 0x00070000 0x00070fff Private Memory rw True False False -
pagefile_0x0000000000080000 0x00080000 0x00080fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000080000 0x00080000 0x00081fff Pagefile Backed Memory rw True False False -
private_0x0000000000090000 0x00090000 0x000cffff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x002dffff Private Memory rw True False False -
locale.nls 0x000d0000 0x00136fff Memory Mapped File r False False False -
pagefile_0x0000000000140000 0x00140000 0x001bffff Pagefile Backed Memory r True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c0fff Pagefile Backed Memory r True False False -
private_0x00000000001e0000 0x001e0000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x004cffff Private Memory rw True False False -
pagefile_0x00000000002e0000 0x002e0000 0x003a7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000003b0000 0x003b0000 0x004b0fff Pagefile Backed Memory r True False False -
private_0x00000000004c0000 0x004c0000 0x004cffff Private Memory rw True False False -
rpcss.dll 0x004d0000 0x0052bfff Memory Mapped File r False False False -
rsaenh.dll 0x004d0000 0x0050bfff Memory Mapped File r False False False -
private_0x00000000004f0000 0x004f0000 0x0052ffff Private Memory rw True False False -
sppsvc.exe 0x00540000 0x0084afff Memory Mapped File rwx False False False -
pagefile_0x0000000000850000 0x00850000 0x00c42fff Pagefile Backed Memory r True False False -
private_0x0000000000c70000 0x00c70000 0x00caffff Private Memory rw True False False -
private_0x0000000000cb0000 0x00cb0000 0x00d2ffff Private Memory rw True False False -
private_0x0000000000d30000 0x00d30000 0x00d6ffff Private Memory rw True False False -
private_0x0000000000db0000 0x00db0000 0x00deffff Private Memory rw True False False -
private_0x0000000000e00000 0x00e00000 0x00e3ffff Private Memory rw True False False -
sortdefault.nls 0x00e40000 0x0110efff Memory Mapped File r False False False -
private_0x0000000000f30000 0x00f30000 0x00f6ffff Private Memory rw True False False -
private_0x0000000001110000 0x01110000 0x0120ffff Private Memory rw True False False -
sppwinob.dll 0x01210000 0x01274fff Memory Mapped File r False False False -
sppobjs.dll 0x01210000 0x012fdfff Memory Mapped File r False False False -
private_0x0000000001210000 0x01210000 0x0126ffff Private Memory rw True False False -
private_0x0000000001270000 0x01270000 0x01460fff Private Memory rw True False False -
private_0x0000000001270000 0x01270000 0x0136ffff Private Memory rw True False False -
private_0x0000000001470000 0x01470000 0x01660fff Private Memory rw True False False -
private_0x0000000001500000 0x01500000 0x0153ffff Private Memory rw True False False -
private_0x0000000001670000 0x01670000 0x01860fff Private Memory rw True False False -
private_0x0000000001870000 0x01870000 0x01a6ffff Private Memory rw True False False -
sppobjs.dll 0x700c0000 0x701b0fff Memory Mapped File rwx False False False -
sppobjs.dll 0x701c0000 0x702b0fff Memory Mapped File rwx False False False -
sppwinob.dll 0x702c0000 0x70326fff Memory Mapped File rwx False False False -
sppwinob.dll 0x70330000 0x70396fff Memory Mapped File rwx False False False -
taskschd.dll 0x736a0000 0x7371cfff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bc0000 0x74bfafff Memory Mapped File rwx False False False -
dnsapi.dll 0x74ca0000 0x74ce3fff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e20000 0x74e35fff Memory Mapped File rwx False False False -
sspicli.dll 0x75250000 0x7526afff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75310000 0x7531dfff Memory Mapped File rwx False False False -
msasn1.dll 0x75390000 0x7539bfff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
crypt32.dll 0x75480000 0x7559cfff Memory Mapped File rwx False False False -
wintrust.dll 0x755a0000 0x755ccfff Memory Mapped File rwx False False False -
devobj.dll 0x755d0000 0x755e1fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x755f0000 0x75616fff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
oleaut32.dll 0x767c0000 0x7684efff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
ole32.dll 0x76a70000 0x76bcbfff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
ws2_32.dll 0x76ec0000 0x76ef4fff Memory Mapped File rwx False False False -
clbcatq.dll 0x76f00000 0x76f82fff Memory Mapped File rwx False False False -
setupapi.dll 0x76f90000 0x7712cfff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
nsi.dll 0x77310000 0x77315fff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd5fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
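The memory-region tables above (columns Name, Start VA, End VA, Type, Permissions, Monitored, Dumped, YARA, Actions) are what an analyst triages when deciding whether a process was injected into or unpacked code at runtime. The following is an added example, not VMRay's code and not part of the original report: a small parser for rows in that column layout, followed by the three checks a practitioner usually runs first. It assumes the column order shown in the header row of each table and that the report accumulates every region observed while the process was monitored, so the same VA range appearing twice with different extents (as private_0x0000000000970000 does above) reflects a re-mapping rather than a reporting error; both are assumptions drawn from the tables, not documented report semantics. The sample rows are constructed from entries on this page and are not a complete process map.

```python
import re
from dataclasses import dataclass

# Constructed sample input: rows in the same column order as the tables on this page
# (Name, Start VA, End VA, Type, Permissions, Monitored, Dumped, YARA, Actions).
# The values are copied from the svchost.exe / drvinst.exe tables above; the set is
# hand-picked, not a full process map. The header and omission note are included
# to show that non-row lines are skipped.
SAMPLE_ROWS = """\
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000970000 0x00970000 0x00970fff Private Memory rw True False False -
private_0x0000000000970000 0x00970000 0x00977fff Private Memory rw True False False -
svchost.exe 0x00ae0000 0x00ae7fff Memory Mapped File rwx False False False -
private_0x00000000008d0000 0x008d0000 0x008effff Private Memory - True False False -
setupapi.ev3 0x00100000 0x00107fff Memory Mapped File rw True True False
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
For performance reasons, the remaining 60 entries are omitted.
"""

# One table row. The trailing Actions column is optional because dumped rows
# (e.g. setupapi.ev3 above) carry a link there instead of the "-" placeholder.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<start>0x[0-9a-fA-F]+)\s+(?P<end>0x[0-9a-fA-F]+)\s+"
    r"(?P<kind>Private Memory|Pagefile Backed Memory|Memory Mapped File)\s+"
    r"(?P<perms>[rwx]+|-)\s+(?P<monitored>True|False)\s+"
    r"(?P<dumped>True|False)\s+(?P<yara>True|False)(?:\s+(?P<actions>\S+))?\s*$"
)


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int
    kind: str
    perms: str
    monitored: bool
    dumped: bool
    yara: bool

    @property
    def size(self) -> int:
        # End VA is inclusive in the report, hence the +1.
        return self.end - self.start + 1


def parse_regions(text: str) -> list[Region]:
    """Parse table rows; the header, omission notes and any other non-row line are skipped."""
    regions = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        regions.append(Region(
            name=m["name"],
            start=int(m["start"], 16),
            end=int(m["end"], 16),
            kind=m["kind"],
            perms=m["perms"],
            monitored=m["monitored"] == "True",
            dumped=m["dumped"] == "True",
            yara=m["yara"] == "True",
        ))
    return sorted(regions, key=lambda r: (r.start, r.end))


def executable_private(regions: list[Region]) -> list[Region]:
    """Private memory with execute permission: the usual tell for unpacked code or injected
    shellcode. Image mappings are excluded because every DLL/EXE row in these tables is
    listed as rwx, so their permission column carries no signal."""
    return [r for r in regions if r.kind == "Private Memory" and "x" in r.perms]


def dumped_regions(regions: list[Region]) -> list[Region]:
    """Regions the sandbox wrote to disk; these are the artifacts worth pulling for static work."""
    return [r for r in regions if r.dumped]


def overlapping(regions: list[Region]) -> list[tuple[Region, Region]]:
    """Pairs of rows whose VA ranges intersect. Under the assumption that the table lists
    every region observed during monitoring, an overlap means the range was re-mapped or
    resized while the process ran. Input must be sorted by start (parse_regions does that)."""
    pairs = []
    for i, a in enumerate(regions):
        for b in regions[i + 1:]:
            if b.start > a.end:
                break  # sorted by start, so nothing later can overlap a
            pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    regs = parse_regions(SAMPLE_ROWS)
    print(f"{len(regs)} regions, {sum(r.size for r in regs):#x} bytes mapped")
    print("executable private:", [r.name for r in executable_private(regs)])
    print("dumped:", [r.name for r in dumped_regions(regs)])
    for a, b in overlapping(regs):
        print(f"overlap {a.name} {a.start:#x}-{a.end:#x} with {b.name} {b.start:#x}-{b.end:#x}")
```

Running it against the full table text of a process (paste the rows between the header line and the "For performance reasons" note) reproduces the page's picture for these service hosts: no executable private memory, nothing dumped except the setupapi log files in drvinst.exe, and only same-name re-mappings among the overlaps, which is consistent with the "No high level activity detected" remark on each of them.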
Process #37: drvinst.exe
Information Value
ID #37
File Name c:\windows\system32\drvinst.exe
Command Line DrvInst.exe "1" "200" "acpi\genuineintel_-_x86_family_6_model_94_-_intel(r)_core(tm)_i5-7500_cpu_@_3.40ghz\_0" "" "" "68a85eb53" "00000000" "00000548" "0000054C"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:50, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:00:28
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x6dc
Parent PID 0x234 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x6E0, 0x714, 0x738, 0x76C
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
imm32.dll 0x000c0000 0x000dcfff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory rw True False False -
drvinst.exe.mui 0x000d0000 0x000d0fff Memory Mapped File rw False False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
setupapi.ev3 0x00100000 0x00107fff Memory Mapped File rw True True False
setupapi.ev1 0x00100000 0x00101fff Memory Mapped File rw True True False
cpu.pnf 0x00100000 0x00106fff Memory Mapped File r False False False -
apps.inf 0x00100000 0x0010ffff Memory Mapped File r False False False -
defltbase.inf 0x00100000 0x0010afff Memory Mapped File r False False False -
dshowext.inf 0x00100000 0x00100fff Memory Mapped File r False False False -
dwup.inf 0x00100000 0x00109fff Memory Mapped File r False False False -
lltdio.inf 0x00100000 0x00101fff Memory Mapped File r False False False -
ndiscap.inf 0x00100000 0x00101fff Memory Mapped File r False False False -
ndisuio.inf 0x00100000 0x00100fff Memory Mapped File r False False False -
netavpna.inf 0x00100000 0x00101fff Memory Mapped File r False False False -
netavpnt.inf 0x00100000 0x00100fff Memory Mapped File r False False False -
netbrdgm.inf 0x00100000 0x00100fff Memory Mapped File r False False False -
netbrdgs.inf 0x00100000 0x00100fff Memory Mapped File r False False False -
netip6.inf 0x00100000 0x00102fff Memory Mapped File r False False False -
netmscli.inf 0x00100000 0x00101fff Memory Mapped File r False False False -
netnb.inf 0x00100000 0x00100fff Memory Mapped File r False False False -
netnwifi.inf 0x00100000 0x00108fff Memory Mapped File r False False False -
netpacer.inf 0x00100000 0x00101fff Memory Mapped File r False False False -
netpgm.inf 0x00100000 0x00102fff Memory Mapped File r False False False -
netrasa.inf 0x00100000 0x00107fff Memory Mapped File r False False False -
netrass.inf 0x00100000 0x00101fff Memory Mapped File r False False False -
netrast.inf 0x00100000 0x00103fff Memory Mapped File r False False False -
netserv.inf 0x00100000 0x00100fff Memory Mapped File r False False False -
netsstpa.inf 0x00100000 0x00101fff Memory Mapped File r False False False -
netsstpt.inf 0x00100000 0x00100fff Memory Mapped File r False False False -
nettcpip.inf 0x00100000 0x00109fff Memory Mapped File r False False False -
netvwififlt.inf 0x00100000 0x00101fff Memory Mapped File r False False False -
netvwifimp.inf 0x00100000 0x00101fff Memory Mapped File r False False False -
printupg.inf 0x00100000 0x00101fff Memory Mapped File r False False False -
puwk.inf 0x00100000 0x00102fff Memory Mapped File r False False False -
rspndr.inf 0x00100000 0x00101fff Memory Mapped File r False False False -
sceregvl.inf 0x00100000 0x00103fff Memory Mapped File r False False False -
secrecs.inf 0x00100000 0x00102fff Memory Mapped File r False False False -
wfplwf.inf 0x00100000 0x00101fff Memory Mapped File r False False False -
private_0x0000000000110000 0x00110000 0x0014ffff Private Memory rw True False False -
infpub.dat 0x00150000 0x00164fff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x001affff Private Memory rw True False False -
drvinst.exe 0x001c0000 0x00200fff Memory Mapped File rwx False False False -
private_0x0000000000210000 0x00210000 0x003bffff Private Memory rw True False False -
pagefile_0x0000000000210000 0x00210000 0x0028ffff Pagefile Backed Memory r True False False -
infstrng.dat 0x00290000 0x002b2fff Memory Mapped File r False False False -
infpub.dat 0x00290000 0x002a4fff Memory Mapped File r False False False -
errata.inf 0x00290000 0x002a3fff Memory Mapped File r False False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x0058ffff Private Memory rw True False False -
pagefile_0x00000000003c0000 0x003c0000 0x00487fff Pagefile Backed Memory r True False False -
infstor.dat 0x00490000 0x004b2fff Memory Mapped File r False False False -
fontsetup.inf 0x00490000 0x004cefff Memory Mapped File r False False False -
infpub.dat 0x004c0000 0x004d4fff Memory Mapped File r False False False -
infstor.dat 0x004e0000 0x00502fff Memory Mapped File r False False False -
private_0x00000000004e0000 0x004e0000 0x0051ffff Private Memory rw True False False -
private_0x0000000000530000 0x00530000 0x0056ffff Private Memory rw True False False -
private_0x0000000000580000 0x00580000 0x0058ffff Private Memory rw True False False -
pagefile_0x0000000000590000 0x00590000 0x00690fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006a0000 0x006a0000 0x00a92fff Pagefile Backed Memory r True False False -
setupapi.dev.log 0x00aa0000 0x00e04fff Memory Mapped File rw True True False
sortdefault.nls 0x00aa0000 0x00d6efff Memory Mapped File r False False False -
setupapi.dev.log 0x00d70000 0x010d4fff Memory Mapped File rw True True False
infcache.1 0x00d70000 0x00edefff Memory Mapped File r False False False -
setupapi.dev.log 0x00ee0000 0x01244fff Memory Mapped File rw True True False
devrtl.dll 0x749f0000 0x749fdfff Memory Mapped File rwx False False False -
spinf.dll 0x74a00000 0x74a14fff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
devobj.dll 0x755d0000 0x755e1fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x755f0000 0x75616fff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
oleaut32.dll 0x767c0000 0x7684efff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
ole32.dll 0x76a70000 0x76bcbfff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
setupapi.dll 0x76f90000 0x7712cfff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #38: taskhost.exe
Information Value
ID #38
File Name c:\windows\system32\taskhost.exe
Command Line taskhost.exe SYSTEM
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:04:50, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:00:28
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x700
Parent PID 0x1a8 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x704
0x798
0x79C
0x7A0
0x7A4
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
locale.nls 0x00040000 0x000a6fff Memory Mapped File r False False False -
imm32.dll 0x000b0000 0x000ccfff Memory Mapped File r False False False -
pagefile_0x00000000000b0000 0x000b0000 0x0012ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000000130000 0x00130000 0x00131fff Pagefile Backed Memory rw True False False -
private_0x0000000000140000 0x00140000 0x00140fff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0038ffff Private Memory rw True False False -
pagefile_0x0000000000190000 0x00190000 0x00257fff Pagefile Backed Memory r True False False -
private_0x0000000000260000 0x00260000 0x00260fff Private Memory rw True False False -
pagefile_0x0000000000270000 0x00270000 0x00270fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000280000 0x00280000 0x00280fff Pagefile Backed Memory r True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x004dffff Private Memory rw True False False -
pagefile_0x0000000000390000 0x00390000 0x00490fff Pagefile Backed Memory r True False False -
private_0x00000000004a0000 0x004a0000 0x004affff Private Memory rw True False False -
private_0x00000000004d0000 0x004d0000 0x004dffff Private Memory rw True False False -
pagefile_0x00000000004e0000 0x004e0000 0x008d2fff Pagefile Backed Memory r True False False -
rpcss.dll 0x008e0000 0x0093bfff Memory Mapped File r False False False -
private_0x0000000000900000 0x00900000 0x0093ffff Private Memory rw True False False -
rsaenh.dll 0x00940000 0x0097bfff Memory Mapped File r False False False -
private_0x00000000009c0000 0x009c0000 0x009fffff Private Memory rw True False False -
private_0x0000000000a70000 0x00a70000 0x00aaffff Private Memory rw True False False -
private_0x0000000000b30000 0x00b30000 0x00b6ffff Private Memory rw True False False -
private_0x0000000000b70000 0x00b70000 0x00d8ffff Private Memory rw True False False -
taskhost.exe 0x00fa0000 0x00faefff Memory Mapped File rwx False False False -
sortdefault.nls 0x00fb0000 0x0127efff Memory Mapped File r False False False -
dimsjob.dll 0x703a0000 0x703aafff Memory Mapped File rwx False False False -
netprofm.dll 0x70870000 0x708c9fff Memory Mapped File rwx False False False -
taskschd.dll 0x736a0000 0x7371cfff Memory Mapped File rwx False False False -
nlaapi.dll 0x73750000 0x7375ffff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bc0000 0x74bfafff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e20000 0x74e35fff Memory Mapped File rwx False False False -
sspicli.dll 0x75250000 0x7526afff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75310000 0x7531dfff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
shlwapi.dll 0x765e0000 0x76636fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
oleaut32.dll 0x767c0000 0x7684efff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
ole32.dll 0x76a70000 0x76bcbfff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
clbcatq.dll 0x76f00000 0x76f82fff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
nsi.dll 0x77310000 0x77315fff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #39: userinit.exe
Information Value
ID #39
File Name c:\windows\system32\userinit.exe
Command Line C:\Windows\system32\userinit.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:05:11, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:00:07
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x7f8
Parent PID 0x17c (c:\windows\system32\winlogon.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x7FC
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x0017ffff Private Memory rw True False False -
imm32.dll 0x000c0000 0x000dcfff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0017ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0043ffff Private Memory rw True False False -
pagefile_0x0000000000250000 0x00250000 0x00317fff Pagefile Backed Memory r True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
pagefile_0x0000000000440000 0x00440000 0x00540fff Pagefile Backed Memory r True False False -
private_0x0000000000550000 0x00550000 0x0060ffff Private Memory rw True False False -
userinit.exe 0x00610000 0x00618fff Memory Mapped File rwx False False False -
pagefile_0x0000000000620000 0x00620000 0x0121ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001220000 0x01220000 0x01612fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001620000 0x01620000 0x016fefff Pagefile Backed Memory r True False False -
dwmapi.dll 0x73e20000 0x73e32fff Memory Mapped File rwx False False False -
uxtheme.dll 0x74150000 0x7418ffff Memory Mapped File rwx False False False -
userenv.dll 0x749d0000 0x749e6fff Memory Mapped File rwx False False False -
profapi.dll 0x75320000 0x7532afff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #40: explorer.exe
Information Value
ID #40
File Name c:\windows\explorer.exe
Command Line C:\Windows\Explorer.EXE
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:05:12, Reason: Child Process
Unmonitor End Time: 00:05:18, Reason: Terminated by Timeout
Monitor Duration 00:00:06
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x64
Parent PID 0x7f8 (c:\windows\system32\userinit.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xCC
0x100
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00021fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x00187fff Pagefile Backed Memory r True False False -
private_0x0000000000190000 0x00190000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0038ffff Private Memory rw True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001e0000 0x001e0000 0x001e1fff Pagefile Backed Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x00200fff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0022ffff Private Memory rw True False False -
pagefile_0x0000000000230000 0x00230000 0x00230fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000240000 0x00240000 0x00241fff Pagefile Backed Memory r True False False -
windowsshell.manifest 0x00250000 0x00250fff Memory Mapped File r False False False -
private_0x0000000000250000 0x00250000 0x00250fff Private Memory rw True False False -
pagefile_0x0000000000260000 0x00260000 0x00261fff Pagefile Backed Memory r True False False -
private_0x0000000000270000 0x00270000 0x00278fff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x00288fff Private Memory rw True False False -
pagefile_0x0000000000280000 0x00280000 0x00280fff Pagefile Backed Memory r True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x0053ffff Private Memory rw True False False -
pagefile_0x0000000000390000 0x00390000 0x00490fff Pagefile Backed Memory r True False False -
private_0x00000000004a0000 0x004a0000 0x004c3fff Private Memory rw True False False -
private_0x00000000004a0000 0x004a0000 0x004a8fff Private Memory rw True False False -
private_0x00000000004b0000 0x004b0000 0x004d3fff Private Memory rw True False False -
pagefile_0x00000000004e0000 0x004e0000 0x004e0fff Pagefile Backed Memory r True False False -
private_0x00000000004f0000 0x004f0000 0x0052ffff Private Memory rw True False False -
private_0x0000000000530000 0x00530000 0x0053ffff Private Memory rw True False False -
pagefile_0x0000000000540000 0x00540000 0x00932fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000940000 0x00940000 0x00a1efff Pagefile Backed Memory r True False False -
pagefile_0x0000000000a20000 0x00a20000 0x00a22fff Pagefile Backed Memory r True False False -
explorer.exe 0x00a30000 0x00cb0fff Memory Mapped File rwx False False False -
pagefile_0x0000000000cc0000 0x00cc0000 0x018bffff Pagefile Backed Memory r True False False -
private_0x00000000018c0000 0x018c0000 0x01a9ffff Private Memory rw True False False -
private_0x00000000018c0000 0x018c0000 0x019bffff Private Memory rw True False False -
rpcss.dll 0x019c0000 0x01a1bfff Memory Mapped File r False False False -
private_0x00000000019c0000 0x019c0000 0x019e3fff Private Memory rw True False False -
private_0x00000000019c0000 0x019c0000 0x019c3fff Private Memory rw True False False -
private_0x00000000019d0000 0x019d0000 0x019e7fff Private Memory rw True False False -
private_0x00000000019f0000 0x019f0000 0x01a13fff Private Memory rw True False False -
private_0x0000000001a20000 0x01a20000 0x01a2ffff Private Memory rw True False False -
private_0x0000000001a30000 0x01a30000 0x01a30fff Private Memory rw True False False -
private_0x0000000001a40000 0x01a40000 0x01a4ffff Private Memory - True False False -
private_0x0000000001a50000 0x01a50000 0x01a5ffff Private Memory rw True False False -
private_0x0000000001a60000 0x01a60000 0x01a9ffff Private Memory rw True False False -
sortdefault.nls 0x01aa0000 0x01d6efff Memory Mapped File r False False False -
private_0x0000000001d70000 0x01d70000 0x01e6ffff Private Memory rw True False False -
private_0x0000000001e70000 0x01e70000 0x01ecffff Private Memory rw True False False -
private_0x0000000001e70000 0x01e70000 0x01e7ffff Private Memory rw True False False -
private_0x0000000001e80000 0x01e80000 0x01e8ffff Private Memory rw True False False -
private_0x0000000001e90000 0x01e90000 0x01e9ffff Private Memory rw True False False -
private_0x0000000001ea0000 0x01ea0000 0x01eaffff Private Memory - True False False -
private_0x0000000001ec0000 0x01ec0000 0x01ecffff Private Memory rw True False False -
private_0x0000000001ed0000 0x01ed0000 0x01f5ffff Private Memory rw True False False -
apphelp.dll 0x706a0000 0x706ebfff Memory Mapped File rwx False False False -
grooveex.dll 0x73010000 0x7341afff Memory Mapped File rwx False False False -
gdiplus.dll 0x73420000 0x735affff Memory Mapped File rwx False False False -
slc.dll 0x73610000 0x73619fff Memory Mapped File rwx False False False -
powrprof.dll 0x738f0000 0x73914fff Memory Mapped File rwx False False False -
msvcp90.dll 0x73c40000 0x73ccdfff Memory Mapped File rwx False False False -
windowscodecs.dll 0x73cf0000 0x73deafff Memory Mapped File rwx False False False -
dwmapi.dll 0x73e20000 0x73e32fff Memory Mapped File rwx False False False -
atl90.dll 0x73e80000 0x73eaafff Memory Mapped File rwx False False False -
msvcr90.dll 0x73eb0000 0x73f52fff Memory Mapped File rwx False False False -
ehstorshell.dll 0x73f60000 0x73f90fff Memory Mapped File rwx False False False -
explorerframe.dll 0x73fe0000 0x7414efff Memory Mapped File rwx False False False -
uxtheme.dll 0x74150000 0x7418ffff Memory Mapped File rwx False False False -
propsys.dll 0x74190000 0x74284fff Memory Mapped File rwx False False False -
comctl32.dll 0x742d0000 0x7446dfff Memory Mapped File rwx False False False -
dui70.dll 0x74470000 0x74521fff Memory Mapped File rwx False False False -
duser.dll 0x74530000 0x7455efff Memory Mapped File rwx False False False -
secur32.dll 0x75210000 0x75217fff Memory Mapped File rwx False False False -
sspicli.dll 0x75250000 0x7526afff Memory Mapped File rwx False False False -
winsta.dll 0x75270000 0x75298fff Memory Mapped File rwx False False False -
cryptbase.dll 0x752a0000 0x752abfff Memory Mapped File rwx False False False -
profapi.dll 0x75320000 0x7532afff Memory Mapped File rwx False False False -
kernelbase.dll 0x753a0000 0x753e9fff Memory Mapped File rwx False False False -
devobj.dll 0x755d0000 0x755e1fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x755f0000 0x75616fff Memory Mapped File rwx False False False -
msctf.dll 0x75820000 0x758ebfff Memory Mapped File rwx False False False -
shell32.dll 0x758f0000 0x76539fff Memory Mapped File rwx False False False -
sechost.dll 0x76540000 0x76558fff Memory Mapped File rwx False False False -
lpk.dll 0x765d0000 0x765d9fff Memory Mapped File rwx False False False -
shlwapi.dll 0x765e0000 0x76636fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76640000 0x766e0fff Memory Mapped File rwx False False False -
user32.dll 0x766f0000 0x767b8fff Memory Mapped File rwx False False False -
oleaut32.dll 0x767c0000 0x7684efff Memory Mapped File rwx False False False -
kernel32.dll 0x76990000 0x76a63fff Memory Mapped File rwx False False False -
ole32.dll 0x76a70000 0x76bcbfff Memory Mapped File rwx False False False -
usp10.dll 0x76cd0000 0x76d6cfff Memory Mapped File rwx False False False -
imm32.dll 0x76df0000 0x76e0efff Memory Mapped File rwx False False False -
msvcrt.dll 0x76e10000 0x76ebbfff Memory Mapped File rwx False False False -
clbcatq.dll 0x76f00000 0x76f82fff Memory Mapped File rwx False False False -
setupapi.dll 0x76f90000 0x7712cfff Memory Mapped File rwx False False False -
advapi32.dll 0x77130000 0x771cffff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
gdi32.dll 0x77320000 0x7736dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77410000 0x77410fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
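The memory-region tables above all share one row layout (Name, Start VA, End VA, Type, Permissions, Monitored, Dumped, YARA, optional Actions), and when triaging a report like this the questions worth automating are: which regions are executable without being a mapped image, which were dumped, which have a YARA hit, and which rows are listed repeatedly. The following parser and triage pass is an added example written for this page; it is not VMRay code, the row grammar is inferred from the visible columns, the sample text is a handful of rows copied from the drvinst.exe table, and the "synthetic.exe" process at the end is a constructed fixture added only so that the rwx-private check has something to flag.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: real rows copied from the drvinst.exe table above, plus a
# SYNTHETIC process (#99) that does not appear in the report, added so the
# "rwx private memory" detection below has a positive case to demonstrate.
SAMPLE = """
Process #37: drvinst.exe
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
setupapi.ev3 0x00100000 0x00107fff Memory Mapped File rw True True False
setupapi.dev.log 0x00aa0000 0x00e04fff Memory Mapped File rw True True False
setupapi.dev.log 0x00aa0000 0x00e04fff Memory Mapped File rw True True False
drvinst.exe 0x001c0000 0x00200fff Memory Mapped File rwx False False False -
ntdll.dll 0x771d0000 0x7730bfff Memory Mapped File rwx False False False -
private_0x0000000001a40000 0x01a40000 0x01a4ffff Private Memory - True False False -
Process #99: synthetic.exe
private_0x0000000000400000 0x00400000 0x00410fff Private Memory rwx True True True -
"""

PROCESS_RE = re.compile(r"^Process #(?P<id>\d+): (?P<image>\S+)\s*$")
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<start>0x[0-9a-fA-F]+)\s+(?P<end>0x[0-9a-fA-F]+)\s+"
    r"(?P<kind>Private Memory|Pagefile Backed Memory|Memory Mapped File)\s+"
    r"(?P<perms>rwx|rw|rx|r|-)\s+"
    r"(?P<monitored>True|False)\s+(?P<dumped>True|False)\s+(?P<yara>True|False)"
    r"(?:\s+\S+)?\s*$"  # Actions column is optional; some rows omit it
)


@dataclass(frozen=True)  # frozen => hashable, so identical rows can be counted
class Region:
    process: str
    name: str
    start: int
    end: int
    kind: str
    perms: str
    monitored: bool
    dumped: bool
    yara: bool

    @property
    def size(self) -> int:
        return self.end - self.start + 1


def parse_regions(text: str) -> List[Region]:
    """Walk the report text, tracking the current 'Process #N: image' header,
    and turn every memory-region row into a Region."""
    regions: List[Region] = []
    process = "?"
    for raw in text.splitlines():
        line = raw.strip()
        m = PROCESS_RE.match(line)
        if m:
            process = f"#{m['id']} {m['image']}"
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # table headers, blank lines, other report sections
        regions.append(Region(
            process=process, name=m["name"],
            start=int(m["start"], 16), end=int(m["end"], 16),
            kind=m["kind"], perms=m["perms"],
            monitored=m["monitored"] == "True",
            dumped=m["dumped"] == "True",
            yara=m["yara"] == "True",
        ))
    return regions


def collapse_duplicates(regions: List[Region]) -> List[Tuple[Region, int]]:
    """Unique rows in first-seen order, each with how often it was listed."""
    counts: Dict[Region, int] = {}
    for r in regions:
        counts[r] = counts.get(r, 0) + 1
    return list(counts.items())


def triage(regions: List[Region]) -> Dict[str, list]:
    """Findings a reviewer would want first. Image mappings are always shown
    as rwx in these tables, so only non-image rwx regions are flagged."""
    collapsed = collapse_duplicates(regions)
    unique = [r for r, _ in collapsed]
    label = lambda r: f"{r.process} {r.name}"
    return {
        "rwx_non_image": [label(r) for r in unique
                          if r.perms == "rwx" and r.kind != "Memory Mapped File"],
        "dumped": [label(r) for r in unique if r.dumped],
        "yara_hits": [label(r) for r in unique if r.yara],
        "repeated_rows": [(r.name, n) for r, n in collapsed if n > 1],
    }


if __name__ == "__main__":
    for key, items in triage(parse_regions(SAMPLE)).items():
        print(f"{key}: {items}")
```

Run against the real tables, the rwx list comes back empty for every process in this section (all rwx rows are mapped images, which is how the report renders loaded modules), the dumped list is the setupapi.* mappings, and the repeated-row check surfaces files that were mapped over and over during the monitoring window.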
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided. The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.