Bad Rabbit Ransomware | Grouped Behavior

Monitored Processes

Behavior Information - Grouped by Category

Process #1: ifzkkpwij.exe

(Host: 9, Network: 0)

Information	Value
ID	#1
File Name	c:\users\5p5nrgjn0js halpmcxz\desktop\ifzkkpwij.exe
Command Line	"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ifzkkpwij.exe"
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:11, Reason: Analysis Target
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:01:39

OS Process Information

Information	Value
PID	0x948
Parent PID	0x55c (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0001076e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 94C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions Download Dump
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000190000	0x00190000	0x001cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000280000	0x00280000	0x0037ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000490000	0x00490000	0x0050ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000620000	0x00620000	0x0071ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000840000	0x00840000	0x0084ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000850000	0x00850000	0x009d7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000009e0000	0x009e0000	0x00b60fff	Pagefile Backed Memory	Readable	Region Actions
ifzkkpwij.exe	0x00ff0000	0x01001fff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
pagefile_0x0000000001010000	0x01010000	0x0240ffff	Pagefile Backed Memory	Readable	Region Actions
wow64cpu.dll	0x744a0000	0x744a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x744b0000	0x7450bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74510000	0x7454efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ac0000	0x74acbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ad0000	0x74b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74b30000	0x74b8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x74ca0000	0x74d9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x74da0000	0x74da9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x74db0000	0x74e7bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e80000	0x74e98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74ea0000	0x74f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x74f40000	0x75b89fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75ee0000	0x75fcffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76070000	0x760c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x763f0000	0x7647ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76510000	0x765acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x765b0000	0x765f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76600000	0x7670ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76a40000	0x76aebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076b70000	0x76b70000	0x76c69fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000076c70000	0x76c70000	0x76d8efff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x76d90000	0x76f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f70000	0x770effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\windows\infpub.dat	401.13 KB (410760 bytes)	MD5: 1d724f95c61f1055f0d02c2154bbccd3 SHA1: 79116fe99f2b421c52ef64097f0f39b815b20907 SHA256: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648		File Actions Show Properties Download
c:\windows\infpub.dat	401.13 KB (410760 bytes)	MD5: c4f26ed277b51ef45fa180be597d96e8 SHA1: e9efc622924fb965d4a14bdb6223834d9a9007e7 SHA256: 14d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958		File Actions Show Properties Download

Host Behavior

File (5)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ifzkkpwij.exe	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\infpub.dat	desired_access = GENERIC_WRITE	1	Fn
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ifzkkpwij.exe	type = size	1	Fn
Read	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ifzkkpwij.exe	size = 441899, size_out = 441899	1	Fn Data
Write	C:\Windows\infpub.dat	size = 410760	1	Fn Data

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\system32\rundll32.exe	os_pid = 0x960, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE		1	Fn

Module (2)

Operation	Module	Additional Information	Success	Count	Logfile
Get Handle	c:\users\5p5nrgjn0js halpmcxz\desktop\ifzkkpwij.exe	base_address = 0xff0000		1	Fn
Get Filename	c:\users\5p5nrgjn0js halpmcxz\desktop\ifzkkpwij.exe	process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\ifzkkpwij.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ifzkkpwij.exe, size = 780		1	Fn

System (1)

Operation	Additional Information	Success	Count	Logfile
Get Info	type = System Directory, result_out = C:\Windows\system32		1	Fn

Process #2: rundll32.exe

(Host: 1167, Network: 25)

Information	Value
ID	#2
File Name	c:\windows\syswow64\rundll32.exe
Command Line	C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:14, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:01:36

OS Process Information

Information	Value
PID	0x960
Parent PID	0x948 (c:\users\5p5nrgjn0js halpmcxz\desktop\ifzkkpwij.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0001076e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 964 0x 968 0x 9AC 0x 9C8 0x 9CC 0x 9D0 0x 9DC 0x A00 0x A04 0x A08 0x A0C 0x A10 0x A14 0x A18

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00031fff	Pagefile Backed Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000090000	0x00090000	0x00090fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000a0000	0x000a0000	0x000affff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000000a0000	0x000a0000	0x000a6fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000a0000	0x000a0000	0x000affff	Private Memory	Readable, Writable	Region Actions Download Dump
excellr.cab	0x000a0000	0x000affff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
excelmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
excelmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
powerpointmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
powerpointmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
pptlr.cab	0x000a0000	0x000aafff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
publishermui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
publishermui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
publr.cab	0x000a0000	0x000affff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
outlklr.cab	0x000a0000	0x000a1fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
outlookmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
outlookmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a1fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a1fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
wordlr.cab	0x000a0000	0x000a6fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
wordmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
wordmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
proof.cab	0x000a0000	0x000a3fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
proof.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
proof.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
proof.cab	0x000a0000	0x000a2fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
proof.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
proof.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
proof.cab	0x000a0000	0x000a6fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
proof.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
proof.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
proofing.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
proofing.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a1fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a1fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
office32mui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
office32mui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
owow32lr.cab	0x000a0000	0x000abfff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
inflr.cab	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
infopathmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
infopathmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a1fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a1fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
visiolr.cab	0x000a0000	0x000a8fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
visiomui.xml	0x000a0000	0x000a2fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
visiomui.xml	0x000a0000	0x000a2fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
onenotemui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
onenotemui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
onotelr.cab	0x000a0000	0x000a5fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
projectmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
projectmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
projlr.cab	0x000a0000	0x000a1fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
groovelr.cab	0x000a0000	0x000a7fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
groovemui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
groovemui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
branding.xml	0x000a0000	0x000a1fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
officelr.cab	0x000a0000	0x000a9fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
officemui.xml	0x000a0000	0x000a1fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
officemui.xml	0x000a0000	0x000a1fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
officemuiset.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
officemuiset.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a2fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
setup.xml	0x000a0000	0x000a2fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
accessmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
accessmui.xml	0x000a0000	0x000a0fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000000b0000	0x000b0000	0x000b6fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x001cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001a0000	0x001a0000	0x001dffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001f0000	0x001f0000	0x0022ffff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x00230000	0x0026bfff	Memory Mapped File	Readable	Region Actions
rsaenh.dll	0x00230000	0x0026bfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000230000	0x00230000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000290000	0x00290000	0x0038ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00390000	0x003f6fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000400000	0x00400000	0x004fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000550000	0x00550000	0x0055ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000560000	0x00560000	0x006e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006f0000	0x006f0000	0x00870fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000880000	0x00880000	0x00bc2fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000bd0000	0x00bd0000	0x00caefff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000cb0000	0x00cb0000	0x00ceffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d00000	0x00d00000	0x00d3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d40000	0x00d40000	0x00da7fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000db0000	0x00db0000	0x00e5ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000de0000	0x00de0000	0x00e1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e20000	0x00e20000	0x00e5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e60000	0x00e60000	0x00e9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ea0000	0x00ea0000	0x00edffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ee0000	0x00ee0000	0x00f1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f20000	0x00f20000	0x00f5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f70000	0x00f70000	0x00faffff	Private Memory	Readable, Writable	Region Actions
rundll32.exe	0x00fb0000	0x00fbdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000fc0000	0x00fc0000	0x023bffff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000023c0000	0x023c0000	0x0257ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000023c0000	0x023c0000	0x0251ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000023c0000	0x023c0000	0x024bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024e0000	0x024e0000	0x0251ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002540000	0x02540000	0x0257ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x02580000	0x0284efff	Memory Mapped File	Readable	Region Actions
branding.xml	0x02850000	0x028e1fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
private_0x0000000002870000	0x02870000	0x028affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000028b0000	0x028b0000	0x028effff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002900000	0x02900000	0x0293ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002960000	0x02960000	0x0299ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000029c0000	0x029c0000	0x029fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a60000	0x02a60000	0x02a9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a80000	0x02a80000	0x02abffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002ad0000	0x02ad0000	0x02b0ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002b40000	0x02b40000	0x02b7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b90000	0x02b90000	0x02bcffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002bf0000	0x02bf0000	0x02c2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c40000	0x02c40000	0x02c7ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002c80000	0x02c80000	0x03072fff	Pagefile Backed Memory	Readable	Region Actions
publr.cab	0x03240000	0x03bbffff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
owow32lr.cab	0x03240000	0x0350bfff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
projlr.cab	0x03240000	0x03a21fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
groovelr.cab	0x03240000	0x03627fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
dwmapi.dll	0x743f0000	0x74402fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x74410000	0x7448ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x744a0000	0x744a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x744b0000	0x7450bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74510000	0x7454efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x746f0000	0x7472bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74760000	0x7479afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x747a0000	0x747b5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x747c0000	0x74803fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x747c0000	0x747c4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x747d0000	0x747e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscapi.dll	0x74800000	0x7480afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
adsldpc.dll	0x74810000	0x74843fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x74830000	0x74873fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dsauth.dll	0x74850000	0x7485afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x74860000	0x7486efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpsapi.dll	0x74870000	0x74885fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
adsldpc.dll	0x74880000	0x748b3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
browcli.dll	0x74890000	0x7489cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x748a0000	0x748aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x748b0000	0x748c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dsauth.dll	0x748c0000	0x748cafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x748d0000	0x748d8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x748d0000	0x748defff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x748e0000	0x748f0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpsapi.dll	0x748e0000	0x748f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x74900000	0x74911fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
browcli.dll	0x74900000	0x7490cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x74910000	0x7491efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x74920000	0x74926fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x74920000	0x74938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x74930000	0x7494bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x74940000	0x74948fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
infpub.dat	0x74950000	0x749b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
netapi32.dll	0x74950000	0x74960fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x74970000	0x74981fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x74990000	0x74996fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x749a0000	0x749bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ac0000	0x74acbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ad0000	0x74b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74b30000	0x74b8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x74ca0000	0x74d9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x74da0000	0x74da9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x74db0000	0x74e7bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e80000	0x74e98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74ea0000	0x74f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x74f40000	0x75b89fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75ee0000	0x75fcffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x75fd0000	0x75fd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x75fd0000	0x75fd5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76070000	0x760c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x760d0000	0x761ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x760d0000	0x761ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x76280000	0x762c4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x76280000	0x762c4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x762f0000	0x76324fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x762f0000	0x76324fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x763f0000	0x7647ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76510000	0x765acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x765b0000	0x765f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76600000	0x7670ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76710000	0x7686bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76710000	0x7686bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x76870000	0x76899fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76a40000	0x76aebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076b70000	0x76b70000	0x76c69fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076c70000	0x76c70000	0x76d8efff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76d90000	0x76f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x76f40000	0x76f4bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x76f40000	0x76f4bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f70000	0x770effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efa1000	0x7efa1000	0x7efa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa4000	0x7efa4000	0x7efa6fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efa7000	0x7efa7000	0x7efa9fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions
For performance reasons, the remaining 76 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	Actions
c:\windows\cscc.dat	205.70 KB (210632 bytes)	MD5: edb72f4a46c39452d1a5414f7d26454a SHA1: 08f94684e83a27f2414f439975b7f8a6d61fc056 SHA256: 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6	File Actions Show Properties Download
c:\windows\dispci.exe	139.50 KB (142848 bytes)	MD5: b14d8faf7f0cbcfad051cefe5f39645f SHA1: afeee8b4acff87bc469a6f0364a81ae5d60a2add SHA256: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93	File Actions Show Properties Download
c:\windows\41d0.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\windows\41d0.tmp	60.87 KB (62328 bytes)	MD5: 347ac3b6b791054de3e5720a7144a977 SHA1: 413eba3973a15c1a6429d9f170f3e8287f98c21c SHA256: 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c	File Actions Show Properties Download
c:\windows\41d0.tmp	60.87 KB (62328 bytes)	MD5: c7ca77d847f1802502ef3b9228d388e4 SHA1: 80ab09116d877b924dfec5b6e8eb6d3dde35869e SHA256: fdef2f6da8c5e8002fa5822e8e4fea278fba66c22df9e13b61c8a95c2f9d585f	File Actions Show Properties Download

Modified Files

Filename	File Size	Hash Values	Actions
c:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\excellr.cab	10.00 MB (10485760 bytes)	MD5: 87cf3392dfc386ebd494fa4e72b747fc SHA1: f940f7e3770462a4809bad3e995ae46d522190ef SHA256: fa125a9e042003f5443f6c8ac5eb108cd7a5483eab39e1b3b5c059d60215d9e7	File Actions Show Properties Download
c:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\excelmui.xml	1.56 KB (1602 bytes)	MD5: a20a768a81afee200bf6db18a3056541 SHA1: 3592d4d77e481c9b7eaa614deeb36e72a994218e SHA256: 448403a1b7ca253b91174d36a3881cc183d2ffeaaa3eed0496d802539538c114	File Actions Show Properties Download
c:\msocache\all users\{90140000-0016-0409-1000-0000000ff1ce}-c\setup.xml	2.28 KB (2338 bytes)	MD5: a5cfdf621750a94cbc0f0719a533eaf4 SHA1: 6e282e3fb7afc487422d73271a729e7e4718a328 SHA256: dfe114759d655205b57f759e89f6da508d36aa1a4a84cee2fc6d743ef2655d40	File Actions Show Properties Download
c:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\powerpointmui.xml	1.46 KB (1490 bytes)	MD5: 380dcda4098e62f1f5664921cf6cdd6c SHA1: 0c64f4559ed2f12cf42ee1ff2dd14d806e16ce87 SHA256: 12744847431c8b2fc23c7e47dc6ec275419958ebdbcb39af589eda58dce9ead3	File Actions Show Properties Download
c:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\pptlr.cab	10.00 MB (10485760 bytes)	MD5: 43425a50ee06e30dd272c3ff17bb0427 SHA1: 230a74cfbf7ae520dd726174711e0d3533f60fff SHA256: 752cc8c341f4e4d0a6036607a12df396047a4e9f3a461be21dadea54f5de67a3	File Actions Show Properties Download
c:\msocache\all users\{90140000-0018-0409-1000-0000000ff1ce}-c\setup.xml	1.88 KB (1922 bytes)	MD5: be16f68fd043d935ad963ea4c3d736bc SHA1: 3693091b6827d78dd9414a6f485abb53b8edfbca SHA256: e21fac606118ecf75d5a4d1966574895104dd3024f7122339edbabb634cf5d13	File Actions Show Properties Download
c:\msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\publishermui.xml	1.46 KB (1490 bytes)	MD5: cf6fa18c52894350bea091528fc31218 SHA1: 7057c7772d2b3290ddea402ff765e67901afaa63 SHA256: 8f2a61e71446971c5f5010abf0d324222993e7f79e0b3a3a8d6719eb9f3f2546	File Actions Show Properties Download
c:\msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\publr.cab	9.50 MB (9958434 bytes)	MD5: 85a68488be13ebc093b067ea1475ccf4 SHA1: 3fc88da1570badea2c61a9517e06e1a41e51035b SHA256: 7cda2a6ea0faca19b16802165b3a6add583fe06141ee843e5b8c10f89a9106bb	File Actions Show Properties Download
c:\msocache\all users\{90140000-0019-0409-1000-0000000ff1ce}-c\setup.xml	1.61 KB (1650 bytes)	MD5: 146cee28b00dbf679ed697b6f33d6fc0 SHA1: 4b22431fa5e445f6f630e7f8a6b668125c4d3ec3 SHA256: a32fc1e86edbf4a24426684c8700693b511c649ddd36e25090018e00f37e7300	File Actions Show Properties Download
c:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\outlklr.cab	10.00 MB (10485760 bytes)	MD5: ea9b20690debbe698df7bcdee8af861e SHA1: 383953c3903f3def7f4a8dfc961b632bc747f58a SHA256: 7a63a991eeae97834d4ee1911ccded08b7f9f47167bb73717551bedd1f3b3071	File Actions Show Properties Download
c:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\outlookmui.xml	3.16 KB (3234 bytes)	MD5: 3db069e923ed265020abbe0aeeb20516 SHA1: dde8ecfc4f9d094feb2e9b831193fcc4cddb98da SHA256: 73c778eb6570c7c49aa0c5fc4b3b246f6bc335819cacd7f68716be0384068d9a	File Actions Show Properties Download
c:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\setup.xml	4.14 KB (4242 bytes)	MD5: 4bde0423f361b421519b65c28bde6cc2 SHA1: 4e05353ba59608761c42ab503768718fd4ea9d0e SHA256: 87f2dc684dbabea1b50206f66acef5d1164deb93327b6cb03201e9f0b4e4735a	File Actions Show Properties Download
c:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\setup.xml	2.41 KB (2466 bytes)	MD5: 2c56ebeae266b0945b278f8cb01732c8 SHA1: b29ffe456e5fb9ed0f8e90effbf30fc96862b153 SHA256: ffe497bab3fb4bd8401b6ded8d9f23d3bd07ac5d3ee0489ffa4f06254a053264	File Actions Show Properties Download
c:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\wordlr.cab	10.00 MB (10485760 bytes)	MD5: 8ab2632c2d433efc3b75df58f9d73dae SHA1: 2d627a56bd4283688e4c69c4b418010b0c7d1820 SHA256: 0a0c05a8af443700679eef4db9d19a12a22e19342bc56351be4738eb7f17f3d9	File Actions Show Properties Download
c:\msocache\all users\{90140000-001b-0409-1000-0000000ff1ce}-c\wordmui.xml	1.80 KB (1842 bytes)	MD5: 5b5f9cedbc03caf54b38039ff2b1487b SHA1: fea2f54353593e4d88887393b651fdbb3ba79324 SHA256: 425d33325b790e9ad234441f1a2adc245d397f19f07bbf53c6b53282c443cb8a	File Actions Show Properties Download
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.en\proof.cab	10.00 MB (10485760 bytes)	MD5: b7ed442d187f7892bc057b6004e83599 SHA1: cf0239dd6407ffb1bfaff75c154e5b6ff261be74 SHA256: e50f152da6840a55a0f185499b2381bac2668aa38a61d70ac191cc8f456025e0	File Actions Show Properties Download
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.en\proof.xml	1.36 KB (1394 bytes)	MD5: 15153c4f2a05f30d0283700f557c85d2 SHA1: 49e02205a4b52d394ff129472c75f31f24be11bd SHA256: 5135fa2425ba2cdff867dc297ca432bcaef9bf0c3755c1304e4a661767f36607	File Actions Show Properties Download
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.es\proof.cab	10.00 MB (10485760 bytes)	MD5: 01522cc818e3cb5c1f88f0af6b71d2a9 SHA1: 89ab8491fb830a0e1f96fa654820c80e3853e31a SHA256: 72245180f2d45a7ff7fad89fda1cd0bf4aea2bc5f1467c58b56ecb83c86c146f	File Actions Show Properties Download
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.es\proof.xml	1.47 KB (1506 bytes)	MD5: 3b30045ad6c97ff866342decbf09ab28 SHA1: 4bba2d45d8bca9bc168ca55f74d02c80eaaf6828 SHA256: a44f1691b44e6bd338b74ddaad4a6be3ec62789882a1cf42a53d6a97ba611c09	File Actions Show Properties Download
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.fr\proof.cab	10.00 MB (10485760 bytes)	MD5: 0335234c7c545ba002aeb3df922f7686 SHA1: 04a74035ae437f4fc5aaad4eb15931f65853e82b SHA256: 669e004f14ac15858414dffdc0d4002a2fc54621f1b1ce33ae0c72ff26edd29a	File Actions Show Properties Download
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proof.fr\proof.xml	1.47 KB (1506 bytes)	MD5: d4ea0313aa839edf612c9ee1b33b92c5 SHA1: 54de0ac01c3d5567499e29454eedaa473ed79d93 SHA256: 882b5924b55e8ee500f7aff61a11abea43771ea12cc474a714ccfb8255ab2343	File Actions Show Properties Download
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\proofing.xml	0.83 KB (850 bytes)	MD5: f570a344598fb3126736a6ed636f069d SHA1: 8333909319182a2e880bb757ec6498650fa81889 SHA256: 1fd1b9d62a4c31ce9bbccc238b5c2968b64a6124a8c6fe1934ea7820326e0614	File Actions Show Properties Download
c:\msocache\all users\{90140000-002c-0409-1000-0000000ff1ce}-c\setup.xml	5.78 KB (5922 bytes)	MD5: aad695e82a73aba6565adf1251f3bb6b SHA1: 0d863f3a8d023547553c16663170df3dc63c2a79 SHA256: fa6379ddcc35d29cd142c0a68bc6fb0289ced7fcea8bd8328a544e7d3d5472c4	File Actions Show Properties Download
c:\msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\office32mui.xml	1.39 KB (1426 bytes)	MD5: 5c46b16a535150be984a13005a582bb1 SHA1: ea8a7e2020fe6c3fb672596a0d13c548e6660dae SHA256: f2f29f4820305a8e6f1d233b87212df1f9deb506b6050090b4a5cca29f7872d9	File Actions Show Properties Download
c:\msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\owow32lr.cab	2.79 MB (2928994 bytes)	MD5: 53dff27d197fac5fec615fd204378274 SHA1: 724edbe96e984e05486c8f051f3f3cd7b4f50252 SHA256: 034a8515267cffff2909d9d2c241aa7b63d1f1b9298f5c97b928830fc4003e4c	File Actions Show Properties Download
c:\msocache\all users\{90140000-0043-0409-1000-0000000ff1ce}-c\setup.xml	2.35 KB (2402 bytes)	MD5: 938647548a6e4b74ea13e78465570a88 SHA1: 72117b74130db120ea4631d81f05ba317719856f SHA256: bc8e71a789537b982077972a1d3cf2d5cf548e2c0d584e262198198d53398f23	File Actions Show Properties Download
c:\msocache\all users\{90140000-0044-0409-1000-0000000ff1ce}-c\inflr.cab	10.00 MB (10485760 bytes)	MD5: b1942518b15f0af4b81329b96a4cd97b SHA1: cd1bcdf2dcea0c11a73203fb61387fb5b20a33ec SHA256: eea2e87a37f7f432cb7761a90407d1ec10abb4311e59d8361e55a214cc97e546	File Actions Show Properties Download
c:\msocache\all users\{90140000-0044-0409-1000-0000000ff1ce}-c\infopathmui.xml	1.24 KB (1266 bytes)	MD5: 180f8b1fde6c589a1c9e529a8dedfb42 SHA1: 885f800cd0d0904b4dac55a6c9b840ac34ca1b09 SHA256: 614c51f1e9a2760f1f308724e5520d61749aaf8e3e282244bad26a4031e1aa47	File Actions Show Properties Download
c:\msocache\all users\{90140000-0044-0409-1000-0000000ff1ce}-c\setup.xml	1.85 KB (1890 bytes)	MD5: fe2c346594a0317e1cd552fbb55709fa SHA1: e2afd9514e47e3708d68d5d7e0cb22cf348cde99 SHA256: 18d690cf2acfd0f7b7cfcd994563e5ed40e2e1fae7466a8a6b8a372205c62195	File Actions Show Properties Download
c:\msocache\all users\{90140000-0054-0409-1000-0000000ff1ce}-c\setup.xml	6.14 KB (6290 bytes)	MD5: f11d38f5e08ff6023b55931f8836aee0 SHA1: 728d5d4529be7a2e640df048a134f345c46b20d4 SHA256: 88745aa40fb3f942c8df5b10a58eb80f95f8fdac2afb828962b8de98949dd55c	File Actions Show Properties Download
c:\msocache\all users\{90140000-0054-0409-1000-0000000ff1ce}-c\visiolr.cab	6.43 MB (6737708 bytes)	MD5: 8a0831714fbd219ad2cc0411a7666ae3 SHA1: 3aa7f94dc84e5db74d8a202deb652c5811f18a2d SHA256: c5ba50319cf18e9e9c71ca4c724a6ea66676c9138efe8cd2b2ce59c920c7c8f7	File Actions Show Properties Download

Host Behavior

File (118)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Windows\infpub.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\infpub.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\infpub.dat	desired_access = GENERIC_WRITE	1	Fn
Create	C:\Windows\cscc.dat	desired_access = GENERIC_WRITE	1	Fn
Create	C:\Windows\dispci.exe	desired_access = GENERIC_WRITE	1	Fn
Create	C:\Windows\41D0.tmp	desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_HIDDEN	2	Fn
Create	C:\BOOTSECT.BAK	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create	C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccLR.cab	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Create Temp File	C:\Windows\41D0.tmp	path = C:\Windows\	1	Fn
Create Pipe	\device\namedpipe\{2fdfcf81-bd74-41c3-9115-f628925cc568}	open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, pipe_mode = PIPE_READMODE_MESSAGE, PIPE_TYPE_MESSAGE, max_instances = 1	2	Fn
Get Info	C:\Windows\infpub.dat	type = size	1	Fn
Get Info	C:\Windows\infpub.dat	type = size	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab	type = size, size_out = 16972987	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml	type = size, size_out = 1565	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 2296	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml	type = size, size_out = 1450	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab	type = size, size_out = 70361744	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 1886	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml	type = size, size_out = 1450	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab	type = size, size_out = 9958388	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 1608	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab	type = size, size_out = 14819276	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml	type = size, size_out = 3186	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 4207	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 2424	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab	type = size, size_out = 43806141	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml	type = size, size_out = 1800	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab	type = size, size_out = 11482605	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml	type = size, size_out = 1347	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab	type = size, size_out = 13642474	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml	type = size, size_out = 1457	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab	type = size, size_out = 21064532	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml	type = size, size_out = 1458	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml	type = size, size_out = 811	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 5884	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml	type = size, size_out = 1383	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab	type = size, size_out = 2928955	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 2362	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab	type = size, size_out = 18874884	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml	type = size, size_out = 1231	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 1852	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 6241	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab	type = size, size_out = 50823389	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml	type = size, size_out = 9503	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml	type = size, size_out = 1606	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab	type = size, size_out = 17456632	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 1988	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml	type = size, size_out = 1452	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab	type = size, size_out = 8265165	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 1872	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab	type = size, size_out = 4095519	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml	type = size, size_out = 913	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 1452	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml	type = size, size_out = 596341	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab	type = size, size_out = 14127746	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml	type = size, size_out = 5557	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml	type = size, size_out = 819	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml	type = size, size_out = 9352	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml	type = size, size_out = 1349	1	Fn
Get Info	C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccLR.cab	type = size, size_out = 28016276	1	Fn
Read	C:\Windows\infpub.dat	size = 410760, size_out = 410760	1	Fn Data
Read	-	size = 82, size_out = 82	1	Fn Data
Write	C:\Windows\infpub.dat	size = 410760	1	Fn Data
Write	C:\Windows\cscc.dat	size = 210632	1	Fn Data
Write	C:\Windows\dispci.exe	size = 142848	1	Fn Data
Write	C:\Windows\41D0.tmp	size = 62328	2	Fn Data
Delete	C:\Windows\infpub.dat	-	1	Fn
Delete	C:\Windows\41D0.tmp	-	1	Fn

Registry (9)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}	value_name = LowerFilters, data = 1632268, type = REG_MULTI_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}	value_name = UpperFilters, data = 99, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl	value_name = DumpFilters, data = 1632268, type = REG_MULTI_SZ	1	Fn
Write Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}	value_name = LowerFilters, data = 1632268, size = 44, type = REG_MULTI_SZ	1	Fn
Write Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}	value_name = UpperFilters, data = 1632268, size = 12, type = REG_MULTI_SZ	1	Fn
Write Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl	value_name = DumpFilters, data = 1632268, size = 36, type = REG_MULTI_SZ	1	Fn

Process (6)

Operation	Process	Additional Information	Count	Logfile
Create	C:\Windows\system32\cmd.exe	os_pid = 0x974, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
Create	C:\Windows\system32\cmd.exe	os_pid = 0x998, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
Create	C:\Windows\system32\cmd.exe	os_pid = 0x9b0, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
Create	C:\Windows\41D0.tmp	os_pid = 0x9d4, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
Create	C:\Windows\system32\cmd.exe	os_pid = 0xa38, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
Create	C:\Windows\system32\cmd.exe	os_pid = 0xa84, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn

Module (412)

Operation	Module	Additional Information	Count	Logfile
Load	KERNEL32.dll	base_address = 0x76600000	1	Fn
Load	USER32.dll	base_address = 0x74ca0000	1	Fn
Load	ADVAPI32.dll	base_address = 0x74ea0000	1	Fn
Load	SHELL32.dll	base_address = 0x74f40000	1	Fn
Load	ole32.dll	base_address = 0x76710000	1	Fn
Load	CRYPT32.dll	base_address = 0x760d0000	1	Fn
Load	SHLWAPI.dll	base_address = 0x76070000	1	Fn
Load	IPHLPAPI.DLL	base_address = 0x749a0000	1	Fn
Load	WS2_32.dll	base_address = 0x762f0000	1	Fn
Load	MPR.dll	base_address = 0x74970000	1	Fn
Load	NETAPI32.dll	base_address = 0x74950000	1	Fn
Load	DHCPSAPI.DLL	base_address = 0x748e0000	1	Fn
Load	msvcrt.dll	base_address = 0x76a40000	1	Fn
Load	iphlpapi.dll	base_address = 0x749a0000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x76600000	3	Fn
Get Filename	-	process_name = c:\windows\syswow64\rundll32.exe, file_name_orig = C:\Windows\infpub.dat, size = 780	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InterlockedExchange, address_out = 0x76611462	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTempFileNameW, address_out = 0x7663d1b6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = PeekNamedPipe, address_out = 0x76694821	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateProcessW, address_out = 0x7661103d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ConnectNamedPipe, address_out = 0x766940fb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address_out = 0x766134b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateNamedPipeW, address_out = 0x7669414b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateThread, address_out = 0x76617a2f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DisconnectNamedPipe, address_out = 0x766941df	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteFileW, address_out = 0x766189b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalAlloc, address_out = 0x7661588e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetComputerNameExW, address_out = 0x7663bb9e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GlobalFree, address_out = 0x76615558	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address_out = 0x76617a10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address_out = 0x76614950	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DisableThreadLibraryCalls, address_out = 0x766148e5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ResumeThread, address_out = 0x766143ef	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateMutexW, address_out = 0x7661424c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindResourceW, address_out = 0x76615971	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindNextFileW, address_out = 0x766154ee	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetComputerNameW, address_out = 0x7661dd0e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThread, address_out = 0x766117ec	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OpenProcess, address_out = 0x76611986	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SizeofResource, address_out = 0x76615ac9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address_out = 0x7662d802	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLocalTime, address_out = 0x76615aa6	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32FirstW, address_out = 0x76638baf	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LockResource, address_out = 0x76615959	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Process32NextW, address_out = 0x7663896c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateToolhelp32Snapshot, address_out = 0x7663735f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address_out = 0x766111f8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryA, address_out = 0x766149d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualProtect, address_out = 0x7661435f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemTimeAsFileTime, address_out = 0x76613509	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address_out = 0x7661170d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetExitCodeProcess, address_out = 0x7662174d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleA, address_out = 0x76611245	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSection, address_out = 0x76fa2c42	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address_out = 0x76fb1f6e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address_out = 0x76f922b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x766111a9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address_out = 0x76f92270	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address_out = 0x7661110c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address_out = 0x7661192e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemInfo, address_out = 0x766149ca	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventW, address_out = 0x7661183e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileMappingW, address_out = 0x76611909	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindClose, address_out = 0x76614442	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSizeEx, address_out = 0x766159e2	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentVariableW, address_out = 0x76611b48	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushFileBuffers, address_out = 0x7661469b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushViewOfFile, address_out = 0x7663b909	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalDrives, address_out = 0x76615371	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEvent, address_out = 0x766116c5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address_out = 0x76611136	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointerEx, address_out = 0x7662c807	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEndOfFile, address_out = 0x7662ce2e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDriveTypeW, address_out = 0x7661418b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = UnmapViewOfFile, address_out = 0x76611826	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MapViewOfFile, address_out = 0x766118f1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FindFirstFileW, address_out = 0x76614435	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalFree, address_out = 0x76612d3c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalAlloc, address_out = 0x7661168c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeZoneInformation, address_out = 0x7661465a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemDefaultLCID, address_out = 0x766132a9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapAlloc, address_out = 0x76f9e026	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address_out = 0x76611856	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address_out = 0x76611222	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadFile, address_out = 0x76613ed3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersionExW, address_out = 0x76611ae5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryW, address_out = 0x7661492b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteFile, address_out = 0x76611282	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address_out = 0x7661186e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x76611809	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibrary, address_out = 0x766134c8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileSize, address_out = 0x7661196e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address_out = 0x76611410	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address_out = 0x76613f5c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetVersion, address_out = 0x76614467	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x766111c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExpandEnvironmentStringsW, address_out = 0x76614173	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcatW, address_out = 0x7663828e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForMultipleObjects, address_out = 0x76614220	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThread, address_out = 0x766134d5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Sleep, address_out = 0x766110ff	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemDirectoryW, address_out = 0x76615063	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcessHeap, address_out = 0x766114e9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapFree, address_out = 0x766114c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadResource, address_out = 0x7661594c	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = ExitWindowsEx, address_out = 0x74d01497	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = GetSystemMetrics, address_out = 0x74cb7d2f	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = CharUpperW, address_out = 0x74cbf350	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = wsprintfW, address_out = 0x74cde061	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = wsprintfA, address_out = 0x74ccae5f	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegFlushKey, address_out = 0x74ec773f	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CloseServiceHandle, address_out = 0x74eb369c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenSCManagerW, address_out = 0x74eaca64	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegQueryValueExW, address_out = 0x74eb46ad	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyW, address_out = 0x74eb2459	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = QueryServiceStatus, address_out = 0x74eb2a86	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = StartServiceW, address_out = 0x74ea7974	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CreateProcessAsUserW, address_out = 0x74eac592	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = DeleteService, address_out = 0x74ec715c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitiateSystemShutdownExW, address_out = 0x74efdb3a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = DuplicateTokenEx, address_out = 0x74eaca24	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetTokenInformation, address_out = 0x74ea9a92	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = DuplicateToken, address_out = 0x74eac7e6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetTokenInformation, address_out = 0x74eb431c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthorityCount, address_out = 0x74eb0e0c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenThreadToken, address_out = 0x74eb432c	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthority, address_out = 0x74eb0e24	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetThreadToken, address_out = 0x74eac7ce	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CredEnumerateW, address_out = 0x74ee7481	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CredFree, address_out = 0x74eab2ec	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorDacl, address_out = 0x74eb415e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = InitializeSecurityDescriptor, address_out = 0x74eb4620	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDuplicateKey, address_out = 0x74ee31a8	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDuplicateHash, address_out = 0x74ee3198	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptEncrypt, address_out = 0x74ec779b	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptGenRandom, address_out = 0x74eadfc8	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptGetKeyParam, address_out = 0x74ec77cb	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptSetKeyParam, address_out = 0x74ec77b3	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDeriveKey, address_out = 0x74ee3188	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptHashData, address_out = 0x74eadf36	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyHash, address_out = 0x74eadf66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyKey, address_out = 0x74eac51a	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptCreateHash, address_out = 0x74eadf4e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptImportKey, address_out = 0x74eac532	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptReleaseContext, address_out = 0x74eae124	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptAcquireContextW, address_out = 0x74eadf14	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptGetHashParam, address_out = 0x74eadf7e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptSetHashParam, address_out = 0x74ee3248	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AdjustTokenPrivileges, address_out = 0x74eb418e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CheckTokenMembership, address_out = 0x74eadf04	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = FreeSid, address_out = 0x74eb412e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = AllocateAndInitializeSid, address_out = 0x74eb40e6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = LookupPrivilegeValueW, address_out = 0x74eb41b3	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = OpenProcessToken, address_out = 0x74eb4304	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegSetValueExW, address_out = 0x74eb14d6	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegCloseKey, address_out = 0x74eb469d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = RegOpenKeyExW, address_out = 0x74eb468d	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CreateServiceW, address_out = 0x74ec712c	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = CommandLineToArgvW, address_out = 0x74f59ee8	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoCreateGuid, address_out = 0x767515d5	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = CoTaskMemFree, address_out = 0x76766f41	1	Fn
Get Address	c:\windows\syswow64\ole32.dll	function = StringFromCLSID, address_out = 0x7672eb17	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptStringToBinaryW, address_out = 0x76105f65	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptImportPublicKeyInfo, address_out = 0x760e6c0e	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptBinaryToStringW, address_out = 0x7610a546	1	Fn
Get Address	c:\windows\syswow64\crypt32.dll	function = CryptDecodeObjectEx, address_out = 0x760dd718	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindFileNameW, address_out = 0x7608bb71	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrChrW, address_out = 0x76084640	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrCmpW, address_out = 0x76088277	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrCmpIW, address_out = 0x7608a147	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrToIntW, address_out = 0x760850be	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathAppendW, address_out = 0x760881ef	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrStrW, address_out = 0x7607e52d	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathCombineW, address_out = 0x7608c39c	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrStrIW, address_out = 0x760846e9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFindExtensionW, address_out = 0x7608a1b9	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = StrCatW, address_out = 0x760ae105	1	Fn
Get Address	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsW, address_out = 0x760845bf	1	Fn
Get Address	c:\windows\infpub.dat	function = GetAdaptersInfo, address_out = 0x749a9263	1	Fn
Get Address	c:\windows\infpub.dat	function = GetIpNetTable, address_out = 0x749ae52a	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 18, address_out = 0x762f6989	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 10, address_out = 0x762f3084	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 52, address_out = 0x76307673	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 12, address_out = 0x762fb131	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 14, address_out = 0x762f2d57	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 115, address_out = 0x762f3ab2	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 4, address_out = 0x762f6bdd	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 11, address_out = 0x762f311b	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 9, address_out = 0x762f2d8b	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 23, address_out = 0x762f3eb8	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 3, address_out = 0x762f3918	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 19, address_out = 0x762f6f01	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 16, address_out = 0x762f6b0e	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 151, address_out = 0x762f6a8a	1	Fn
Get Address	c:\windows\infpub.dat	function = WNetOpenEnumW, address_out = 0x74972f06	1	Fn
Get Address	c:\windows\infpub.dat	function = WNetEnumResourceW, address_out = 0x74973058	1	Fn
Get Address	c:\windows\infpub.dat	function = WNetCancelConnection2W, address_out = 0x74978cd1	1	Fn
Get Address	c:\windows\infpub.dat	function = WNetAddConnection2W, address_out = 0x74974744	1	Fn
Get Address	c:\windows\infpub.dat	function = WNetCloseEnum, address_out = 0x74972dd6	1	Fn
Get Address	c:\windows\infpub.dat	function = NetApiBufferFree, address_out = 0x749413d2	1	Fn
Get Address	c:\windows\infpub.dat	function = NetWkstaGetInfo, address_out = 0x74955570	1	Fn
Get Address	c:\windows\infpub.dat	function = NetServerEnum, address_out = 0x74902f61	1	Fn
Get Address	c:\windows\infpub.dat	function = NetServerGetInfo, address_out = 0x74923cfa	1	Fn
Get Address	c:\windows\syswow64\netapi32.dll	function = DhcpEnumSubnetClients, address_out = 0x748e77b5	1	Fn
Get Address	c:\windows\syswow64\netapi32.dll	function = DhcpEnumSubnets, address_out = 0x748e6b7c	1	Fn
Get Address	c:\windows\syswow64\netapi32.dll	function = DhcpRpcFreeMemory, address_out = 0x748e79ed	1	Fn
Get Address	c:\windows\syswow64\netapi32.dll	function = DhcpGetSubnetInfo, address_out = 0x748e7003	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = memcpy, address_out = 0x76a49910	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = srand, address_out = 0x76a4f757	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = memset, address_out = 0x76a49790	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = memmove, address_out = 0x76a49e5a	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = free, address_out = 0x76a49894	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = malloc, address_out = 0x76a49cee	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = sprintf, address_out = 0x76a5d354	1	Fn
Get Address	c:\windows\syswow64\msvcrt.dll	function = rand, address_out = 0x76a4c070	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsWow64Process, address_out = 0x7661195e	2	Fn
Get Address	c:\windows\infpub.dat	function = GetExtendedTcpTable, address_out = 0x749b1a8a	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab	filename = C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab, protection = PAGE_READWRITE, maximum_size = 16973021	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml	filename = C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml, protection = PAGE_READWRITE, maximum_size = 1602	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 2338	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml	filename = C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml, protection = PAGE_READWRITE, maximum_size = 1490	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab	filename = C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab, protection = PAGE_READWRITE, maximum_size = 70361778	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 1922	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml	filename = C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml, protection = PAGE_READWRITE, maximum_size = 1490	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab	filename = C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab, protection = PAGE_READWRITE, maximum_size = 9958434	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 1650	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab	filename = C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab, protection = PAGE_READWRITE, maximum_size = 14819314	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml	filename = C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml, protection = PAGE_READWRITE, maximum_size = 3234	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 4242	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 2466	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab	filename = C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab, protection = PAGE_READWRITE, maximum_size = 43806175	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml	filename = C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml, protection = PAGE_READWRITE, maximum_size = 1842	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab	filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab, protection = PAGE_READWRITE, maximum_size = 11482642	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml	filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml, protection = PAGE_READWRITE, maximum_size = 1394	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab	filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab, protection = PAGE_READWRITE, maximum_size = 13642514	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml	filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml, protection = PAGE_READWRITE, maximum_size = 1506	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab	filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab, protection = PAGE_READWRITE, maximum_size = 21064566	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml	filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml, protection = PAGE_READWRITE, maximum_size = 1506	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml	filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml, protection = PAGE_READWRITE, maximum_size = 850	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 5922	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml	filename = C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml, protection = PAGE_READWRITE, maximum_size = 1426	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab	filename = C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab, protection = PAGE_READWRITE, maximum_size = 2928994	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 2402	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab	filename = C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab, protection = PAGE_READWRITE, maximum_size = 18874918	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml	filename = C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml, protection = PAGE_READWRITE, maximum_size = 1266	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 1890	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 6290	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab	filename = C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab, protection = PAGE_READWRITE, maximum_size = 50823423	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml	filename = C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml, protection = PAGE_READWRITE, maximum_size = 9538	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml	filename = C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml, protection = PAGE_READWRITE, maximum_size = 1650	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab	filename = C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab, protection = PAGE_READWRITE, maximum_size = 17456666	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 2034	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml	filename = C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml, protection = PAGE_READWRITE, maximum_size = 1490	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab	filename = C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab, protection = PAGE_READWRITE, maximum_size = 8265202	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 1922	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab	filename = C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab, protection = PAGE_READWRITE, maximum_size = 4095554	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml	filename = C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml, protection = PAGE_READWRITE, maximum_size = 962	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 1490	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml	filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml, protection = PAGE_READWRITE, maximum_size = 596386	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab	filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab, protection = PAGE_READWRITE, maximum_size = 14127794	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml	filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml, protection = PAGE_READWRITE, maximum_size = 5602	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml	filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml, protection = PAGE_READWRITE, maximum_size = 866	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml	filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml, protection = PAGE_READWRITE, maximum_size = 9394	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml	filename = C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml, protection = PAGE_READWRITE, maximum_size = 1394	1	Fn
Create Mapping	C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccLR.cab	filename = C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccLR.cab, protection = PAGE_READWRITE, maximum_size = 28016310	1	Fn
Map	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_READ	1	Fn
Map	C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccLR.cab	process_name = c:\windows\syswow64\rundll32.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ	1	Fn

Service (2)

Operation	Additional Information	Success	Count	Logfile
Create	service_name = cscc		1	Fn
Open Manager	database_name = SERVICES_ACTIVE_DATABASE		1	Fn

System (414)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = XDUWTFONO	1	Fn
Get Computer Name	result_out = XDUWTFONO, type = ComputerNamePhysicalNetBIOS	1	Fn
Sleep	duration = 0 milliseconds (0.000 seconds)	269	Fn
Sleep	duration = 2000 milliseconds (2.000 seconds)	1	Fn
Sleep	duration = 500 milliseconds (0.500 seconds)	29	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Sleep	duration = 300000 milliseconds (300.000 seconds)	1	Fn
Sleep	duration = 900000 milliseconds (900.000 seconds)	1	Fn
Sleep	duration = 840000 milliseconds (840.000 seconds)	1	Fn
Sleep	duration = 10000 milliseconds (10.000 seconds)	2	Fn
Sleep	duration = 3000 milliseconds (3.000 seconds)	1	Fn
Sleep	duration = 180000 milliseconds (180.000 seconds)	1	Fn
Get Time	type = Ticks, time = 79919	2	Fn
Get Time	type = Ticks, time = 82337	2	Fn
Get Time	type = Local Time, time = 2017-10-26 02:16:43 (Local Time)	1	Fn
Get Time	type = Ticks, time = 83975	1	Fn
Get Time	type = Ticks, time = 93943	1	Fn
Power Control	type = SHUTDOWN_RESTART, reason = SHTDN_REASON_FLAG_PLANNED	1	Fn
Get Info	type = Operating System	1	Fn
Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Get Info	type = Hardware Information	95	Fn

Mutex (1)

Operation	Additional Information	Success	Count	Logfile
Create	mutex_name = 9A1966663AD6FDE5		1	Fn

Environment (6)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	name = ComSpec, result_out = C:\Windows\system32\cmd.exe		6	Fn

Network Behavior

TCP Sessions (9)

Information	Value
Total Data Sent	0.00 KB (0 bytes)
Total Data Received	0.00 KB (0 bytes)
Contacted Host Count	8
Contacted Hosts	192.168.0.0:445, 192.168.0.0:139, 192.168.0.1:445, 192.168.0.1:139, 192.168.0.2:445, 192.168.0.2:139, 192.168.0.3:445, 192.168.0.3:139

TCP Session #1

Information	Value
Handle	0x1ec
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_IP
Remote Address	192.168.0.0
Remote Port	445
Local Address	0.0.0.0
Local Port	1728
Data Sent	0.00 KB (0 bytes)
Data Received	0.00 KB (0 bytes)

Operations

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 192.168.0.0, remote_port = 445	1	Fn
Close	type = SOCK_STREAM	1	Fn

TCP Session #2

Information	Value
Handle	0x1ec
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_IP
Remote Address	192.168.0.0
Remote Port	139
Local Address	0.0.0.0
Local Port	2752
Data Sent	0.00 KB (0 bytes)
Data Received	0.00 KB (0 bytes)

Operations

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 192.168.0.0, remote_port = 139	1	Fn
Close	type = SOCK_STREAM	1	Fn

TCP Session #3

Information	Value
Handle	0x1ec
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_IP
Remote Address	192.168.0.1
Remote Port	445
Local Address	0.0.0.0
Local Port	3008
Data Sent	0.00 KB (0 bytes)
Data Received	0.00 KB (0 bytes)

Operations

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 192.168.0.1, remote_port = 445	1	Fn
Close	type = SOCK_STREAM	1	Fn

TCP Session #4

Information	Value
Handle	0x1ec
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_IP
Remote Address	192.168.0.1
Remote Port	139
Local Address	0.0.0.0
Local Port	3264
Data Sent	0.00 KB (0 bytes)
Data Received	0.00 KB (0 bytes)

Operations

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 192.168.0.1, remote_port = 139	1	Fn
Close	type = SOCK_STREAM	1	Fn

TCP Session #5

Information	Value
Handle	0x1ec
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_IP
Remote Address	192.168.0.2
Remote Port	445
Local Address	0.0.0.0
Local Port	3520
Data Sent	0.00 KB (0 bytes)
Data Received	0.00 KB (0 bytes)

Operations

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 192.168.0.2, remote_port = 445	1	Fn
Close	type = SOCK_STREAM	1	Fn

TCP Session #6

Information	Value
Handle	0x1ec
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_IP
Remote Address	192.168.0.2
Remote Port	139
Local Address	0.0.0.0
Local Port	3776
Data Sent	0.00 KB (0 bytes)
Data Received	0.00 KB (0 bytes)

Operations

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 192.168.0.2, remote_port = 139	1	Fn
Close	type = SOCK_STREAM	1	Fn

TCP Session #7

Information	Value
Handle	0x27c
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_TCP
Remote Address	192.168.0.1
Remote Port	445
Local Address	-
Local Port	-
Data Sent	0.00 KB (0 bytes)
Data Received	0.00 KB (0 bytes)

Operations

Operation	Additional Information	Success	Count	Logfile
Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM		1	Fn
Connect	remote_address = 192.168.0.1, remote_port = 445		1	Fn

TCP Session #8

Information	Value
Handle	0x1ec
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_IP
Remote Address	192.168.0.3
Remote Port	445
Local Address	0.0.0.0
Local Port	4288
Data Sent	0.00 KB (0 bytes)
Data Received	0.00 KB (0 bytes)

Operations

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Connect	remote_address = 192.168.0.3, remote_port = 445	1	Fn
Close	type = SOCK_STREAM	1	Fn

TCP Session #9

Information	Value
Handle	0x1ec
Address Family	AF_INET
Type	SOCK_STREAM
Protocol	IPPROTO_IP
Remote Address	192.168.0.3
Remote Port	139
Local Address	0.0.0.0
Local Port	4544
Data Sent	0.00 KB (0 bytes)
Data Received	0.00 KB (0 bytes)

Operations

Operation	Additional Information	Success	Count	Logfile
Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM		1	Fn
Connect	remote_address = 192.168.0.3, remote_port = 139		1	Fn

Process #3: cmd.exe

(Host: 57, Network: 0)

Information	Value
ID	#3
File Name	c:\windows\syswow64\cmd.exe
Command Line	/c schtasks /Delete /F /TN rhaegal
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:15, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:01:35

OS Process Information

Information	Value
PID	0x974
Parent PID	0x960 (c:\windows\syswow64\rundll32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0001076e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 978

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000b0000	0x000b0000	0x001affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001b0000	0x001b0000	0x001effff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x001f0000	0x00256fff	Memory Mapped File	Readable	Region Actions
private_0x00000000002a0000	0x002a0000	0x002affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000320000	0x00320000	0x0039ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000004d0000	0x004d0000	0x005cffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000005d0000	0x005d0000	0x00757fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000760000	0x00760000	0x008e0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000008f0000	0x008f0000	0x01ceffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001cf0000	0x01cf0000	0x02032fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x02040000	0x0230efff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x4a5a0000	0x4a5ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x744a0000	0x744a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x744b0000	0x7450bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74510000	0x7454efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x74820000	0x74826fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ac0000	0x74acbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ad0000	0x74b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74b30000	0x74b8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x74ca0000	0x74d9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x74da0000	0x74da9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x74db0000	0x74e7bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e80000	0x74e98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74ea0000	0x74f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75ee0000	0x75fcffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x763f0000	0x7647ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76510000	0x765acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x765b0000	0x765f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76600000	0x7670ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76a40000	0x76aebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076b70000	0x76b70000	0x76c69fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000076c70000	0x76c70000	0x76d8efff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x76d90000	0x76f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f70000	0x770effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

File (10)

Operation	Filename	Additional Information	Count	Logfile
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop	type = file_attributes	2	Fn
Open	STD_OUTPUT_HANDLE	-	5	Fn
Open	STD_INPUT_HANDLE	-	3	Fn

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\system32\schtasks.exe	os_pid = 0x988, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL		1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\syswow64\cmd.exe	base_address = 0x4a5a0000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x76600000	2	Fn
Get Filename	-	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadUILanguage, address_out = 0x7662a84f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x76633b92	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x76614a5d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x7662a79d	1	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2017-10-25 15:16:41 (UTC)		1	Fn
Get Time	type = Ticks, time = 80246		1	Fn

Environment (19)

Operation	Additional Information	Count	Logfile
Get Environment String	-	7	Fn Data
Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	2	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	2	Fn
Get Environment String	name = PROMPT	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Set Environment String	name = PROMPT, value = $P$G	1	Fn
Set Environment String	name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop	1	Fn
Set Environment String	name = COPYCMD	1	Fn
Set Environment String	name = =ExitCode, value = 00000001	1	Fn
Set Environment String	name = =ExitCodeAscii	1	Fn

Process #4: schtasks.exe

(Host: 30, Network: 0)

Information	Value
ID	#4
File Name	c:\windows\syswow64\schtasks.exe
Command Line	schtasks /Delete /F /TN rhaegal
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:15, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:01:35

OS Process Information

Information	Value
PID	0x988
Parent PID	0x974 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0001076e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 98C 0x 990

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable, Writable	Region Actions
schtasks.exe.mui	0x00080000	0x00091fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000000a0000	0x000a0000	0x000a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000b0000	0x000b0000	0x000b0fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000000c0000	0x000c0000	0x000c0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0010ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000110000	0x00110000	0x00110fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000160000	0x00160000	0x001dffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x001e0000	0x00246fff	Memory Mapped File	Readable	Region Actions
schtasks.exe	0x00250000	0x0027dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000002e0000	0x002e0000	0x0031ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000370000	0x00370000	0x0046ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000470000	0x00470000	0x005f7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000600000	0x00600000	0x0060ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000610000	0x00610000	0x00790fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007a0000	0x007a0000	0x01b9ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01ba0000	0x01e6efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001e80000	0x01e80000	0x01ebffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001f60000	0x01f60000	0x01f9ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001fa0000	0x01fa0000	0x020bffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000001fa0000	0x01fa0000	0x0207efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002080000	0x02080000	0x020bffff	Private Memory	Readable, Writable	Region Actions Download Dump
kernelbase.dll.mui	0x020c0000	0x0217ffff	Memory Mapped File	Readable, Writable	Region Actions
uxtheme.dll	0x74410000	0x7448ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x744a0000	0x744a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x744b0000	0x7450bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74510000	0x7454efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
taskschd.dll	0x746e0000	0x7475cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74800000	0x74808fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ktmw32.dll	0x74810000	0x74818fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ac0000	0x74acbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ad0000	0x74b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74b30000	0x74b8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x74ca0000	0x74d9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x74da0000	0x74da9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x74db0000	0x74e7bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e80000	0x74e98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74ea0000	0x74f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75ee0000	0x75fcffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75fe0000	0x7606efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76070000	0x760c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x761f0000	0x76272fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x763f0000	0x7647ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76510000	0x765acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x765b0000	0x765f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76600000	0x7670ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76710000	0x7686bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76a40000	0x76aebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076b70000	0x76b70000	0x76c69fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000076c70000	0x76c70000	0x76d8efff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x76d90000	0x76f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f70000	0x770effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

COM (3)

Operation	Class	Interface	Additional Information	Count	Logfile
Create	TaskScheduler	ITaskService	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
Execute	TaskScheduler	ITaskService	method_name = Connect	1	Fn
Execute	TaskScheduler	ITaskService	method_name = GetFolder, path = 0, new_interface = ITaskFolder	1	Fn

File (10)

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_ERROR_HANDLE	type = file_type	2	Fn
Open	STD_ERROR_HANDLE	-	6	Fn
Write	STD_ERROR_HANDLE	size = 7	1	Fn Data
Write	STD_ERROR_HANDLE	size = 44	1	Fn Data

Module (14)

Operation	Module	Additional Information	Count	Logfile
Load	VERSION.dll	base_address = 0x74800000	1	Fn
Load	API-MS-WIN-Service-Management-L1-1-0.dll	base_address = 0x74e80000	1	Fn
Load	API-MS-WIN-Service-winsvc-L1-1-0.dll	base_address = 0x74e80000	1	Fn
Get Handle	c:\windows\syswow64\schtasks.exe	base_address = 0x250000	1	Fn
Get Filename	-	process_name = c:\windows\syswow64\schtasks.exe, file_name_orig = C:\Windows\SysWOW64\schtasks.exe, size = 260	2	Fn
Get Address	c:\windows\syswow64\version.dll	function = GetFileVersionInfoSizeW, address_out = 0x748019d9	1	Fn
Get Address	c:\windows\syswow64\version.dll	function = GetFileVersionInfoW, address_out = 0x748019f4	1	Fn
Get Address	c:\windows\syswow64\version.dll	function = VerQueryValueW, address_out = 0x74801b51	1	Fn
Get Address	c:\windows\syswow64\sechost.dll	function = OpenSCManagerW, address_out = 0x74e863ad	1	Fn
Get Address	c:\windows\syswow64\sechost.dll	function = OpenServiceW, address_out = 0x74e8714b	1	Fn
Get Address	c:\windows\syswow64\sechost.dll	function = QueryServiceStatus, address_out = 0x74e84e4b	1	Fn
Get Address	c:\windows\syswow64\sechost.dll	function = CloseServiceHandle, address_out = 0x74e84dc3	2	Fn

Service (3)

Operation	Additional Information	Count	Logfile
Get Info	service_name = Schedule	1	Fn
Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2017-10-25 15:16:41 (UTC)		1	Fn
Get Time	type = Ticks, time = 80340		1	Fn

Process #5: cmd.exe

(Host: 57, Network: 0)

Information	Value
ID	#5
File Name	c:\windows\syswow64\cmd.exe
Command Line	/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1550063777 && exit"
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:17, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:01:33

OS Process Information

Information	Value
PID	0x998
Parent PID	0x960 (c:\windows\syswow64\rundll32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0001076e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 99C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000090000	0x00090000	0x00093fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000a0000	0x000a0000	0x000a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000b0000	0x000b0000	0x000b1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000100000	0x00100000	0x0017ffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x00180000	0x001e6fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000230000	0x00230000	0x0032ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000380000	0x00380000	0x0047ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000480000	0x00480000	0x00607fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000640000	0x00640000	0x0064ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000650000	0x00650000	0x007d0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007e0000	0x007e0000	0x01bdffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001be0000	0x01be0000	0x01f22fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01f30000	0x021fefff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x4a590000	0x4a5dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x744a0000	0x744a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x744b0000	0x7450bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74510000	0x7454efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x74810000	0x74816fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ac0000	0x74acbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ad0000	0x74b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74b30000	0x74b8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x74ca0000	0x74d9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x74da0000	0x74da9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x74db0000	0x74e7bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e80000	0x74e98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74ea0000	0x74f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75ee0000	0x75fcffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x763f0000	0x7647ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76510000	0x765acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x765b0000	0x765f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76600000	0x7670ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76a40000	0x76aebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076b70000	0x76b70000	0x76c69fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000076c70000	0x76c70000	0x76d8efff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x76d90000	0x76f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f70000	0x770effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

File (10)

Operation	Filename	Additional Information	Count	Logfile
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop	type = file_attributes	2	Fn
Open	STD_OUTPUT_HANDLE	-	5	Fn
Open	STD_INPUT_HANDLE	-	3	Fn

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\system32\schtasks.exe	os_pid = 0x9b8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL		1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\syswow64\cmd.exe	base_address = 0x4a590000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x76600000	2	Fn
Get Filename	-	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadUILanguage, address_out = 0x7662a84f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x76633b92	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x76614a5d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x7662a79d	1	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2017-10-25 15:16:43 (UTC)		1	Fn
Get Time	type = Ticks, time = 82321		1	Fn

Environment (19)

Operation	Additional Information	Count	Logfile
Get Environment String	-	7	Fn Data
Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	2	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	2	Fn
Get Environment String	name = PROMPT	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Set Environment String	name = PROMPT, value = $P$G	1	Fn
Set Environment String	name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop	1	Fn
Set Environment String	name = COPYCMD	1	Fn
Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Set Environment String	name = =ExitCodeAscii	1	Fn

Process #6: cmd.exe

(Host: 57, Network: 0)

Information	Value
ID	#6
File Name	c:\windows\syswow64\cmd.exe
Command Line	/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:34:00
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:17, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:01:33

OS Process Information

Information	Value
PID	0x9b0
Parent PID	0x960 (c:\windows\syswow64\rundll32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0001076e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 9B4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000b0000	0x000b0000	0x0012ffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x00130000	0x00196fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001d0000	0x001d0000	0x0020ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002f0000	0x002f0000	0x002fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000300000	0x00300000	0x003fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000440000	0x00440000	0x0053ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000540000	0x00540000	0x006c7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006d0000	0x006d0000	0x00850fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000860000	0x00860000	0x01c5ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001c60000	0x01c60000	0x01fa2fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01fb0000	0x0227efff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x4a590000	0x4a5dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x744a0000	0x744a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x744b0000	0x7450bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74510000	0x7454efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x74810000	0x74816fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ac0000	0x74acbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ad0000	0x74b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74b30000	0x74b8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x74ca0000	0x74d9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x74da0000	0x74da9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x74db0000	0x74e7bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e80000	0x74e98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74ea0000	0x74f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75ee0000	0x75fcffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x763f0000	0x7647ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76510000	0x765acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x765b0000	0x765f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76600000	0x7670ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76a40000	0x76aebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076b70000	0x76b70000	0x76c69fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000076c70000	0x76c70000	0x76d8efff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x76d90000	0x76f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f70000	0x770effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

File (10)

Operation	Filename	Additional Information	Count	Logfile
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop	type = file_attributes	2	Fn
Open	STD_OUTPUT_HANDLE	-	5	Fn
Open	STD_INPUT_HANDLE	-	3	Fn

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\system32\schtasks.exe	os_pid = 0x9f0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL		1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\syswow64\cmd.exe	base_address = 0x4a590000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x76600000	2	Fn
Get Filename	-	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadUILanguage, address_out = 0x7662a84f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x76633b92	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x76614a5d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x7662a79d	1	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2017-10-25 15:16:43 (UTC)		1	Fn
Get Time	type = Ticks, time = 82571		1	Fn

Environment (19)

Operation	Additional Information	Count	Logfile
Get Environment String	-	7	Fn Data
Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	2	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	2	Fn
Get Environment String	name = PROMPT	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Set Environment String	name = PROMPT, value = $P$G	1	Fn
Set Environment String	name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop	1	Fn
Set Environment String	name = COPYCMD	1	Fn
Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Set Environment String	name = =ExitCodeAscii	1	Fn

Process #7: schtasks.exe

(Host: 23, Network: 0)

Information	Value
ID	#7
File Name	c:\windows\syswow64\schtasks.exe
Command Line	schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1550063777 && exit"
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:17, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:01:33

OS Process Information

Information	Value
PID	0x9b8
Parent PID	0x998 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0001076e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 9BC 0x 9F8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x000affff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x000b0000	0x00116fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000120000	0x00120000	0x00121fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000130000	0x00130000	0x0016ffff	Private Memory	Readable, Writable	Region Actions Download Dump
schtasks.exe.mui	0x00170000	0x00181fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x00190fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001a0000	0x001a0000	0x001a0fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000001b0000	0x001b0000	0x001b0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001cffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000001d0000	0x001d0000	0x001d0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000290000	0x00290000	0x0030ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000310000	0x00310000	0x003eefff	Pagefile Backed Memory	Readable	Region Actions
schtasks.exe	0x00450000	0x0047dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000560000	0x00560000	0x0059ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000005a0000	0x005a0000	0x0069ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000006a0000	0x006a0000	0x00827fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000830000	0x00830000	0x009b0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000009c0000	0x009c0000	0x01dbffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01dc0000	0x0208efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002090000	0x02090000	0x0225ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000020e0000	0x020e0000	0x0211ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002220000	0x02220000	0x0225ffff	Private Memory	Readable, Writable	Region Actions Download Dump
uxtheme.dll	0x74410000	0x7448ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x744a0000	0x744a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x744b0000	0x7450bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74510000	0x7454efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
taskschd.dll	0x74660000	0x746dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
xmllite.dll	0x74730000	0x7475efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x747f0000	0x747f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ktmw32.dll	0x74820000	0x74828fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ac0000	0x74acbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ad0000	0x74b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74b30000	0x74b8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x74ca0000	0x74d9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x74da0000	0x74da9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x74db0000	0x74e7bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e80000	0x74e98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74ea0000	0x74f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75ee0000	0x75fcffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75fe0000	0x7606efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76070000	0x760c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x761f0000	0x76272fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x763f0000	0x7647ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76510000	0x765acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x765b0000	0x765f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76600000	0x7670ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76710000	0x7686bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76a40000	0x76aebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076b70000	0x76b70000	0x76c69fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000076c70000	0x76c70000	0x76d8efff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x76d90000	0x76f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f70000	0x770effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

COM (8)

Operation	Class	Interface	Additional Information	Count	Logfile
Create	TaskScheduler	ITaskService	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
Execute	TaskScheduler	ITaskService	method_name = Connect, user = 716224, domain = 4561230, password = 3431958528	1	Fn
Execute	TaskScheduler	ITaskService	method_name = GetFolder, path = 0, new_interface = ITaskFolder	1	Fn
Execute	TaskScheduler	ITaskService	method_name = NewTask, new_interface = ITaskDefinition	1	Fn
Execute	TaskScheduler	ITaskDefinition	method_name = get_Actions, new_interface = IActionCollection	1	Fn
Execute	TaskScheduler	ITaskDefinition	method_name = get_Triggers, new_interface = ITriggerCollection	1	Fn
Execute	TaskScheduler	ITriggerCollection	method_name = Create, type = TASK_TRIGGER_BOOT, new_interface = IDailyTrigger	1	Fn
Execute	TaskScheduler	IDailyTrigger	method_name = put_StartBoundary, start_boundary = 2017-10-26T02:16:00	1	Fn

File (5)

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	3	Fn
Write	STD_OUTPUT_HANDLE	size = 69	1	Fn Data

Module (11)

Operation	Module	Additional Information	Count	Logfile
Load	VERSION.dll	base_address = 0x747f0000	1	Fn
Load	ADVAPI32.dll	base_address = 0x74ea0000	1	Fn
Load	API-MS-Win-Security-SDDL-L1-1-0.dll	base_address = 0x74e80000	1	Fn
Get Handle	c:\windows\syswow64\schtasks.exe	base_address = 0x450000	1	Fn
Get Filename	-	process_name = c:\windows\syswow64\schtasks.exe, file_name_orig = C:\Windows\SysWOW64\schtasks.exe, size = 260	2	Fn
Get Address	c:\windows\syswow64\version.dll	function = GetFileVersionInfoSizeW, address_out = 0x747f19d9	1	Fn
Get Address	c:\windows\syswow64\version.dll	function = GetFileVersionInfoW, address_out = 0x747f19f4	1	Fn
Get Address	c:\windows\syswow64\version.dll	function = VerQueryValueW, address_out = 0x747f1b51	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetUserNameW, address_out = 0x74eb157a	1	Fn
Get Address	c:\windows\syswow64\sechost.dll	function = ConvertSidToStringSidW, address_out = 0x74e8a901	1	Fn

System (5)

Operation	Additional Information	Count	Logfile
Get Time	type = System Time, time = 2017-10-25 15:16:43 (UTC)	1	Fn
Get Time	type = Ticks, time = 82493	1	Fn
Get Time	type = Local Time, time = 2017-10-26 02:16:43 (Local Time)	3	Fn

Process #8: 41d0.tmp

(Host: 913, Network: 0)

Information	Value
ID	#8
File Name	c:\windows\41d0.tmp
Command Line	"C:\Windows\41D0.tmp" \\.\pipe\{2FDFCF81-BD74-41C3-9115-F628925CC568}
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:17, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:01:33

OS Process Information

Information	Value
PID	0x9d4
Parent PID	0x960 (c:\windows\syswow64\rundll32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0001076e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 9D8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000040000	0x00040000	0x00040fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000080000	0x00080000	0x0017ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000190000	0x00190000	0x0028ffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x00290000	0x002f6fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000300000	0x00300000	0x003fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000470000	0x00470000	0x0047ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000480000	0x00480000	0x00607fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000610000	0x00610000	0x00790fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007a0000	0x007a0000	0x01b9ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001cc0000	0x01cc0000	0x01ccffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001cd0000	0x01cd0000	0x01e37fff	Private Memory	Readable, Writable	Region Actions Download Dump
user32.dll	0x76b70000	0x76c69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76c70000	0x76d8efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76d90000	0x76f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff2000	0x7fff2000	0x7fff2fff	Private Memory	Readable, Writable	Region Actions Download Dump
41d0.tmp	0x13f340000	0x13f352fff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
bcryptprimitives.dll	0x7fefc210000	0x7fefc25bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x7fefc700000	0x7fefc721fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd000000	0x7fefd06afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe440000	0x7fefe56cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefe780000	0x7fefe85afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefe860000	0x7fefe968fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe970000	0x7fefea0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefeaf0000	0x7fefeafdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefeb00000	0x7fefeb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7fefeb70000	0x7fefebe0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefec10000	0x7fefecd8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefeec0000	0x7fefeeedfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefef00000	0x7fefef1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff0b0000	0x7feff0b0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffde000	0x7fffffde000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions Download Dump

Host Behavior

File (9)

Operation	Filename	Additional Information	Count	Logfile
Create	\\.\pipe\{2FDFCF81-BD74-41C3-9115-F628925CC568}	desired_access = GENERIC_WRITE, GENERIC_READ	1	Fn
Get Info	STD_INPUT_HANDLE	type = file_type	1	Fn
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Get Info	STD_ERROR_HANDLE	type = file_type	1	Fn
Open	STD_INPUT_HANDLE	-	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Write	\\.\pipe\{2FDFCF81-BD74-41C3-9115-F628925CC568}	size = 82	1	Fn Data
Write	\\.\pipe\{2FDFCF81-BD74-41C3-9115-F628925CC568}	size = 82	1	Fn

Process (3)

Operation	Process	Additional Information	Count	Logfile
Get Info	c:\windows\system32\lsass.exe	type = PROCESS_BASIC_INFORMATION	1	Fn
Get Info	c:\windows\system32\lsass.exe	type = PROCESS_WOW64_INFORMATION	1	Fn
Open	c:\windows\system32\lsass.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_LIMITED_INFORMATION	1	Fn

Memory (392)

Operation	Process	Additional Information	Count	Logfile
Read	c:\windows\system32\lsass.exe	address = 0x7fffffd7000, size = 32	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x76ec2640, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x524a0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x52336, size = 20	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xffb60000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xffb600f0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xffb600f0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x52590, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x76ea53f8, size = 20	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x76d90000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x76d900e0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x76d900e0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x52910, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x528e8, size = 26	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x76c70000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x76c700e8, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x76c700e8, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x52a80, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x52a58, size = 30	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefd000000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefd0000f0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefd0000f0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x537b0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x53788, size = 22	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefe970000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefe9700e8, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefe9700e8, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x539e0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x539b8, size = 22	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefe440000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefe4400f0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefe4400f0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x53ef0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x53ec8, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefca80000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefca800f0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefca800f0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x677d0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x677a8, size = 22	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc910000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc9100e8, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc9100e8, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x678c0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x67758, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefef00000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefef000e8, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefef000e8, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x675a0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x67578, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefcba0000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefcba00e8, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefcba00e8, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x679b0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x67528, size = 26	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefe780000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefe7800e0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefe7800e0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x67aa0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x676b8, size = 22	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x76b70000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x76b700f8, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x76b700f8, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x67b90, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x67708, size = 20	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefeb00000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefeb000f0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefeb000f0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x67c80, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x661c8, size = 16	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefeaf0000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefeaf00e0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefeaf00e0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x67dc0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x67d98, size = 20	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefec10000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefec100e0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefec100e0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x68980, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x68958, size = 22	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc850000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc8500f0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc8500f0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x69a70, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x68b18, size = 26	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc830000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc8300e8, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc8300e8, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x69b90, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x68ac8, size = 22	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefcd80000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefcd800e0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefcd800e0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x69c80, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x68bb8, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc7c0000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc7c00f0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc7c00f0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x69d70, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x68b68, size = 20	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefeec0000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefeec00f0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefeec00f0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x69e60, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x68c08, size = 20	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefe860000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefe8600f0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefe8600f0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x69f50, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x69068, size = 26	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc7b0000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc7b00e8, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc7b00e8, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6a040, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x690b8, size = 20	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc780000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc7800f0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc7800f0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6a130, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x68e38, size = 22	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc730000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc7300f0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc7300f0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6a220, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x68cf8, size = 22	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc700000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc7000f0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc7000f0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6a310, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x68d98, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x74ab0000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x74ab00b8, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x74ab00b8, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6a400, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x68f28, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefca90000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefca900e8, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefca900e8, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6a4f0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x692e8, size = 26	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc6b0000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc6b00e8, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc6b00e8, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6a5e0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x69338, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefcb70000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefcb700f0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefcb700f0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6a6d0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x69388, size = 28	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefcbd0000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefcbd00f0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefcbd00f0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6a7c0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x694c8, size = 26	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc5f0000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc5f00f0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc5f00f0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6a8b0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x695b8, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc5d0000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc5d00e8, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc5d00e8, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6a9a0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x69608, size = 22	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7feff050000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7feff0500e0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7feff0500e0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6aa90, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x88608, size = 16	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefeef0000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefeef00f0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefeef00f0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6ab80, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x696a8, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc570000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc5700e8, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc5700e8, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6ac70, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x696f8, size = 22	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc560000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc5600f0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc5600f0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6ad60, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x69838, size = 22	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc500000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc5000e0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc5000e0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6ae50, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x69978, size = 26	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc450000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc4500e0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc4500e0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6af40, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x699c8, size = 22	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc3f0000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc3f00e8, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc3f00e8, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6b030, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x69a18, size = 26	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc3c0000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc3c00e0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc3c00e0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6b120, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x909f8, size = 26	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc360000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc3600e0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc3600e0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6b210, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x909a8, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefce90000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefce900f0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefce900f0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6b300, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x97318, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc320000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc3200e0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc3200e0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6b3f0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x97458, size = 22	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc2d0000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc2d00f0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc2d00f0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6b4e0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x97598, size = 20	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc2b0000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc2b00e0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc2b00e0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6b5d0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x976d8, size = 20	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc260000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc2600f0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc2600f0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6b6c0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x98778, size = 42	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc210000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc2100e8, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc2100e8, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6b7b0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x69248, size = 32	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefccc0000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefccc00e0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefccc00e0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6b8a0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x978b8, size = 28	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc1f0000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc1f00f0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc1f00f0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x6b990, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x97a98, size = 22	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xc6a50, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x97b38, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc1d0000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc1d00e8, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc1d00e8, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xc6b40, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xc5278, size = 22	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefcc80000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefcc800e0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefcc800e0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xc71d0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xc5b38, size = 26	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefb370000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefb3700f0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefb3700f0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xc70e0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xc5b88, size = 22	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefb360000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefb3600f0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefb3600f0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xc73b0, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x1124c8, size = 26	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefb0b0000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefb0b00e0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefb0b00e0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xc7590, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x112608, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc080000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc0800e8, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc0800e8, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xc7680, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x112658, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefcce0000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefcce00f0, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefcce00f0, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xc7770, size = 104	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x113008, size = 26	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefbf70000, size = 64	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefbf700e8, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefbf700e8, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc910000, size = 1470464	2	Fn
Read	c:\windows\system32\lsass.exe	address = 0x7fefc9b5ada, size = 4	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc9b5ac3, size = 4	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc97fc17, size = 4	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefca5c840, size = 16	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc97fb9f, size = 4	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefca5c830, size = 8	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x840000, size = 32	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x840020, size = 32	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x84003c, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc97fbf5, size = 4	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefca614b0, size = 8	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x840200, size = 32	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x840220, size = 32	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x84023c, size = 16	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefca597c0, size = 4	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefca5d440, size = 8	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x12a590, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x114930, size = 32	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x1148d0, size = 26	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x110a41, size = 1	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x110a40, size = 12	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc320000, size = 221184	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc3217c2, size = 4	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7fefc3512c0, size = 8	7	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xa75d0, size = 40	7	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xa74b0, size = 40	6	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xa6e80, size = 40	5	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xd0b80, size = 40	4	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xa08f0, size = 40	3	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x10f740, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x103b20, size = 42	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x110700, size = 20	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x102b80, size = 18	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x102ba1, size = 1	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x102ba0, size = 28	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xa75d0, size = 96	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x103ee0, size = 42	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x110820, size = 20	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x110840, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x10eb60, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x103b60, size = 42	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x110720, size = 20	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x102be0, size = 18	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x102c01, size = 1	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x102c00, size = 28	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xa74b0, size = 96	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x103ba0, size = 42	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x1107e0, size = 20	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x110800, size = 24	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xe0470, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xd30a0, size = 28	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xd3100, size = 26	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xc66b1, size = 1	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xc66b0, size = 12	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xa6e80, size = 96	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x894e0, size = 2	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x894d0, size = 2	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xbb600, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xc6490, size = 22	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xc64b0, size = 20	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xc64d1, size = 1	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xc64d0, size = 12	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xd0b80, size = 96	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xc6530, size = 22	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xc6510, size = 20	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x8f590, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x1, size = 1	1	Fn
Read	c:\windows\system32\lsass.exe	address = 0x7ff40, size = 264	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x84460, size = 22	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x84480, size = 20	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7e631, size = 1	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x7e630, size = 12	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0xa08f0, size = 96	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x84500, size = 22	1	Fn Data
Read	c:\windows\system32\lsass.exe	address = 0x84520, size = 20	1	Fn Data

Module (499)

Operation	Module	Additional Information	Count	Logfile
Load	bcrypt	base_address = 0x7fefc700000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x76c70000	244	Fn
Get Handle	mscoree.dll	base_address = 0x0	1	Fn
Get Filename	-	process_name = c:\windows\41d0.tmp, file_name_orig = C:\Windows\41D0.tmp, size = 260	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LoadLibraryW, address_out = 0x76c86f80	1	Fn
Get Address	c:\windows\system32\bcrypt.dll	function = BCryptOpenAlgorithmProvider, address_out = 0x7fefc702640	1	Fn
Get Address	c:\windows\system32\bcrypt.dll	function = BCryptSetProperty, address_out = 0x7fefc705160	1	Fn
Get Address	c:\windows\system32\bcrypt.dll	function = BCryptGetProperty, address_out = 0x7fefc701510	1	Fn
Get Address	c:\windows\system32\bcrypt.dll	function = BCryptGenerateSymmetricKey, address_out = 0x7fefc701aa0	1	Fn
Get Address	c:\windows\system32\bcrypt.dll	function = BCryptEncrypt, address_out = 0x7fefc701130	1	Fn
Get Address	c:\windows\system32\bcrypt.dll	function = BCryptDecrypt, address_out = 0x7fefc701030	1	Fn
Get Address	c:\windows\system32\bcrypt.dll	function = BCryptDestroyKey, address_out = 0x7fefc7016a0	1	Fn
Get Address	c:\windows\system32\bcrypt.dll	function = BCryptCloseAlgorithmProvider, address_out = 0x7fefc7032b0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = LocalAlloc, address_out = 0x76c847c0	241	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WriteFile, address_out = 0x76c935a0	2	Fn

System (8)

Operation	Additional Information	Count	Logfile
Get Time	type = System Time, time = 2017-10-25 15:16:43 (UTC)	1	Fn
Get Time	type = Ticks, time = 82758	1	Fn
Get Info	type = Operating System	1	Fn
Get Info	type = SYSTEM_PROCESS_INFORMATION	4	Fn
Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn

Environment (1)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		1	Fn Data

Process #9: schtasks.exe

(Host: 23, Network: 0)

Information	Value
ID	#9
File Name	c:\windows\syswow64\schtasks.exe
Command Line	schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:34:00
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:17, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:01:33

OS Process Information

Information	Value
PID	0x9f0
Parent PID	0x9b0 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0001076e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 9F4 0x 9FC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x000affff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000000b0000	0x000b0000	0x000b1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
schtasks.exe.mui	0x000c0000	0x000d1fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000100000	0x00100000	0x00100fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000110000	0x00110000	0x0014ffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x00150000	0x001b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001c0000	0x001c0000	0x0023ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000001c0000	0x001c0000	0x001c0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000200000	0x00200000	0x0023ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000290000	0x00290000	0x002cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002f0000	0x002f0000	0x0036ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000370000	0x00370000	0x0044efff	Pagefile Backed Memory	Readable	Region Actions
schtasks.exe	0x00450000	0x0047dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000480000	0x00480000	0x00607fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000620000	0x00620000	0x0071ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000720000	0x00720000	0x008a0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000008c0000	0x008c0000	0x008cffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000008d0000	0x008d0000	0x01ccffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01cd0000	0x01f9efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002150000	0x02150000	0x0218ffff	Private Memory	Readable, Writable	Region Actions Download Dump
uxtheme.dll	0x74410000	0x7448ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x744a0000	0x744a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x744b0000	0x7450bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74510000	0x7454efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
taskschd.dll	0x74660000	0x746dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
xmllite.dll	0x74730000	0x7475efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x747f0000	0x747f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ktmw32.dll	0x74820000	0x74828fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ac0000	0x74acbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ad0000	0x74b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74b30000	0x74b8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x74ca0000	0x74d9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x74da0000	0x74da9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x74db0000	0x74e7bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e80000	0x74e98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74ea0000	0x74f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75ee0000	0x75fcffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75fe0000	0x7606efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76070000	0x760c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x761f0000	0x76272fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x763f0000	0x7647ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76510000	0x765acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x765b0000	0x765f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76600000	0x7670ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76710000	0x7686bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76a40000	0x76aebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076b70000	0x76b70000	0x76c69fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000076c70000	0x76c70000	0x76d8efff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x76d90000	0x76f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f70000	0x770effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

COM (8)

Operation	Class	Interface	Additional Information	Count	Logfile
Create	TaskScheduler	ITaskService	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
Execute	TaskScheduler	ITaskService	method_name = Connect, user = 1371816, domain = 4561230, password = 1	1	Fn
Execute	TaskScheduler	ITaskService	method_name = GetFolder, path = 0, new_interface = ITaskFolder	1	Fn
Execute	TaskScheduler	ITaskService	method_name = NewTask, new_interface = ITaskDefinition	1	Fn
Execute	TaskScheduler	ITaskDefinition	method_name = get_Actions, new_interface = IActionCollection	1	Fn
Execute	TaskScheduler	ITaskDefinition	method_name = get_Triggers, new_interface = ITriggerCollection	1	Fn
Execute	TaskScheduler	ITriggerCollection	method_name = Create, type = TASK_TRIGGER_TIME, new_interface = IDailyTrigger	1	Fn
Execute	TaskScheduler	IDailyTrigger	method_name = put_StartBoundary, start_boundary = 2017-10-26T02:34:00	1	Fn

File (5)

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	3	Fn
Write	STD_OUTPUT_HANDLE	size = 68	1	Fn Data

Module (11)

Operation	Module	Additional Information	Count	Logfile
Load	VERSION.dll	base_address = 0x747f0000	1	Fn
Load	ADVAPI32.dll	base_address = 0x74ea0000	1	Fn
Load	API-MS-Win-Security-SDDL-L1-1-0.dll	base_address = 0x74e80000	1	Fn
Get Handle	c:\windows\syswow64\schtasks.exe	base_address = 0x450000	1	Fn
Get Filename	-	process_name = c:\windows\syswow64\schtasks.exe, file_name_orig = C:\Windows\SysWOW64\schtasks.exe, size = 260	2	Fn
Get Address	c:\windows\syswow64\version.dll	function = GetFileVersionInfoSizeW, address_out = 0x747f19d9	1	Fn
Get Address	c:\windows\syswow64\version.dll	function = GetFileVersionInfoW, address_out = 0x747f19f4	1	Fn
Get Address	c:\windows\syswow64\version.dll	function = VerQueryValueW, address_out = 0x747f1b51	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetUserNameW, address_out = 0x74eb157a	1	Fn
Get Address	c:\windows\syswow64\sechost.dll	function = ConvertSidToStringSidW, address_out = 0x74e8a901	1	Fn

System (5)

Operation	Additional Information	Count	Logfile
Get Time	type = System Time, time = 2017-10-25 15:16:43 (UTC)	1	Fn
Get Time	type = Ticks, time = 82711	1	Fn
Get Time	type = Local Time, time = 2017-10-26 02:16:43 (Local Time)	3	Fn

Process #10: taskeng.exe'

Information	Value
ID	#10
File Name	c:\windows\system32\taskeng.exe
Command Line	taskeng.exe {E7027C3A-1DB2-40E8-88FC-68D4A38CC290} S-1-5-18:NT AUTHORITY\System:Service:
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:18, Reason: Created Scheduled Job
Unmonitor	End Time: 00:01:15, Reason: Terminated
Monitor Duration	00:00:57
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x6c0
Parent PID	0x348 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT SERVICE\BDESVC (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\BITS (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\CertPropSvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\EapHost (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\hkmsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\IKEEXT (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\iphlpsvc (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\LanmanServer (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\MMCSS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\MSiSCSI (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasAuto (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasMan (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RemoteAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Schedule (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SCPolicySvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SENS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SessionEnv (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SharedAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\ShellHWDetection (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\wercplsupport (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Winmgmt (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\wuauserv (ENABLED_BY_DEFAULT, OWNER) NT AUTHORITY\Logon Session 00000000:0000b5a2 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER)
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 56C 0x 500 0x 4F8 0x 4A4 0x 7EC 0x 6C4 0x B10 0x 5F8

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000130000	0x00130000	0x0013ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x001fffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000210000	0x00210000	0x0028ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000290000	0x00290000	0x0038ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x004fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000500000	0x00500000	0x00687fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000690000	0x00690000	0x00810fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000820000	0x00820000	0x00c12fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000c20000	0x00c20000	0x00d1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d70000	0x00d70000	0x00deffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e50000	0x00e50000	0x00ecffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ed0000	0x00ed0000	0x00f4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000fb0000	0x00fb0000	0x0102ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x010b0000	0x0137efff	Memory Mapped File	Readable	Region Actions
private_0x00000000013f0000	0x013f0000	0x0146ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001520000	0x01520000	0x0159ffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x76b70000	0x76c69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76c70000	0x76d8efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76d90000	0x76f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
taskeng.exe	0xff2b0000	0xff323fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
tschannel.dll	0x7fef6ed0000	0x7fef6ed8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
xmllite.dll	0x7fefaf10000	0x7fefaf44fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ktmw32.dll	0x7fefaf50000	0x7fefaf59fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefc2d0000	0x7fefc316fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefc5d0000	0x7fefc5e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefc7c0000	0x7fefc82cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefcba0000	0x7fefcbc4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefcbd0000	0x7fefcbdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefccc0000	0x7fefccd3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd000000	0x7fefd06afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefd350000	0x7fefd3e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe440000	0x7fefe56cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefe570000	0x7fefe772fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefe780000	0x7fefe85afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefe860000	0x7fefe968fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe970000	0x7fefea0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7fefea10000	0x7fefeae6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefeaf0000	0x7fefeafdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefeb00000	0x7fefeb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7fefeb70000	0x7fefebe0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefec10000	0x7fefecd8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefeec0000	0x7fefeeedfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefef00000	0x7fefef1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff0b0000	0x7feff0b0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #11: taskeng.exe'

Information	Value
ID	#11
File Name	c:\windows\system32\taskeng.exe
Command Line	taskeng.exe {896F3D9B-55A7-4F1F-A74F-2820A0C0801C} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1]
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:18, Reason: Created Scheduled Job
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:01:32
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x5bc
Parent PID	0x348 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0001076e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 644 0x 640 0x 624 0x 5CC 0x 5C4 0x 5C0 0x B20

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000110000	0x00110000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x0019ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001b0000	0x001b0000	0x0022ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000230000	0x00230000	0x0032ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000350000	0x00350000	0x0044ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000450000	0x00450000	0x005d7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005e0000	0x005e0000	0x00760fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000770000	0x00770000	0x01b6ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001b70000	0x01b70000	0x01f62fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001fa0000	0x01fa0000	0x0201ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002100000	0x02100000	0x0217ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002200000	0x02200000	0x0227ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002280000	0x02280000	0x0237ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x02380000	0x0264efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002730000	0x02730000	0x027affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000027b0000	0x027b0000	0x0288efff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000029a0000	0x029a0000	0x02a1ffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x76b70000	0x76c69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76c70000	0x76d8efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76d90000	0x76f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
taskeng.exe	0xff2b0000	0xff323fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
tschannel.dll	0x7fef6ed0000	0x7fef6ed8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7fefa710000	0x7fefa727fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefaaf0000	0x7fefab45fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
xmllite.dll	0x7fefaf10000	0x7fefaf44fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ktmw32.dll	0x7fefaf50000	0x7fefaf59fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefc2d0000	0x7fefc316fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefc5d0000	0x7fefc5e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefc7c0000	0x7fefc82cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefcba0000	0x7fefcbc4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefcbd0000	0x7fefcbdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefccc0000	0x7fefccd3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd000000	0x7fefd06afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefd350000	0x7fefd3e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefe440000	0x7fefe56cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefe570000	0x7fefe772fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefe780000	0x7fefe85afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefe860000	0x7fefe968fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefe970000	0x7fefea0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7fefea10000	0x7fefeae6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefeaf0000	0x7fefeafdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefeb00000	0x7fefeb66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7fefeb70000	0x7fefebe0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefec10000	0x7fefecd8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefeec0000	0x7fefeeedfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefef00000	0x7fefef1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff0b0000	0x7feff0b0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #12: cmd.exe

(Host: 93, Network: 0)

Information	Value
ID	#12
File Name	c:\windows\syswow64\cmd.exe
Command Line	/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:30, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:01:20

OS Process Information

Information	Value
PID	0xa38
Parent PID	0x960 (c:\windows\syswow64\rundll32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0001076e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A3C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000150000	0x00150000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00317fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000320000	0x00320000	0x0041ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000420000	0x00420000	0x005a0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000005b0000	0x005b0000	0x005bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000005e0000	0x005e0000	0x0065ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000820000	0x00820000	0x0091ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000920000	0x00920000	0x01d1ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001d20000	0x01d20000	0x02062fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x02070000	0x0233efff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x4a4c0000	0x4a50bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x744a0000	0x744a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x744b0000	0x7450bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74510000	0x7454efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x747f0000	0x747f6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ac0000	0x74acbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ad0000	0x74b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74b30000	0x74b8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x74ca0000	0x74d9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x74da0000	0x74da9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x74db0000	0x74e7bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e80000	0x74e98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74ea0000	0x74f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75ee0000	0x75fcffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x763f0000	0x7647ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76510000	0x765acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x765b0000	0x765f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76600000	0x7670ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76a40000	0x76aebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076b70000	0x76b70000	0x76c69fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076c70000	0x76c70000	0x76d8efff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76d90000	0x76f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f70000	0x770effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

File (10)

Operation	Filename	Additional Information	Count	Logfile
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop	type = file_attributes	2	Fn
Open	STD_OUTPUT_HANDLE	-	5	Fn
Open	STD_INPUT_HANDLE	-	3	Fn

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Process (5)

Operation	Process	Additional Information	Count	Logfile
Create	C:\Windows\system32\wevtutil.exe	os_pid = 0xa4c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Create	C:\Windows\system32\wevtutil.exe	os_pid = 0xa58, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Create	C:\Windows\system32\wevtutil.exe	os_pid = 0xa64, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Create	C:\Windows\system32\wevtutil.exe	os_pid = 0xa70, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Create	C:\Windows\system32\fsutil.exe	os_pid = 0xa7c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\syswow64\cmd.exe	base_address = 0x4a4c0000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x76600000	2	Fn
Get Filename	-	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadUILanguage, address_out = 0x7662a84f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x76633b92	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x76614a5d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x7662a79d	1	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2017-10-25 15:16:54 (UTC)		1	Fn
Get Time	type = Ticks, time = 93990		1	Fn

Environment (51)

Operation	Additional Information	Count	Logfile
Get Environment String	-	19	Fn Data
Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	6	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	6	Fn
Get Environment String	name = PROMPT	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Set Environment String	name = PROMPT, value = $P$G	1	Fn
Set Environment String	name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop	1	Fn
Set Environment String	name = COPYCMD	5	Fn
Set Environment String	name = =ExitCode, value = 00000000	5	Fn
Set Environment String	name = =ExitCodeAscii	5	Fn

Process #13: wevtutil.exe'

Information	Value
ID	#13
File Name	c:\windows\syswow64\wevtutil.exe
Command Line	wevtutil cl Setup
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:30, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:01:20
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xa4c
Parent PID	0xa38 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0001076e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A50 0x A54

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
wevtutil.exe.mui	0x000f0000	0x000fafff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000110000	0x00110000	0x00110fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000120000	0x00120000	0x00121fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000170000	0x00170000	0x001affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001f0000	0x001f0000	0x0022ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000320000	0x00320000	0x0039ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000490000	0x00490000	0x0058ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000680000	0x00680000	0x0068ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000690000	0x00690000	0x00817fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000820000	0x00820000	0x009a0fff	Pagefile Backed Memory	Readable	Region Actions
wevtutil.exe	0x00f30000	0x00f5cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000f60000	0x00f60000	0x0235ffff	Pagefile Backed Memory	Readable	Region Actions
comctl32.dll	0x740b0000	0x7424dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x744a0000	0x744a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x744b0000	0x7450bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74510000	0x7454efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x74630000	0x74671fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credui.dll	0x74680000	0x746aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ac0000	0x74acbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ad0000	0x74b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74b30000	0x74b8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x74ca0000	0x74d9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x74da0000	0x74da9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x74db0000	0x74e7bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e80000	0x74e98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74ea0000	0x74f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75ee0000	0x75fcffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75fe0000	0x7606efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76070000	0x760c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x763f0000	0x7647ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76510000	0x765acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x765b0000	0x765f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76600000	0x7670ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76710000	0x7686bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76a40000	0x76aebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076b70000	0x76b70000	0x76c69fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000076c70000	0x76c70000	0x76d8efff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x76d90000	0x76f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f70000	0x770effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Process #14: wevtutil.exe'

Information	Value
ID	#14
File Name	c:\windows\syswow64\wevtutil.exe
Command Line	wevtutil cl System
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:30, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:01:20
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xa58
Parent PID	0xa38 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0001076e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A5C 0x A60

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x0012ffff	Private Memory	Readable, Writable	Region Actions Download Dump
wevtutil.exe.mui	0x00130000	0x0013afff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000140000	0x00140000	0x00140fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000160000	0x00160000	0x00161fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000180000	0x00180000	0x001bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002b0000	0x002b0000	0x002bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000003b0000	0x003b0000	0x0042ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000430000	0x00430000	0x005b7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000620000	0x00620000	0x0071ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000720000	0x00720000	0x008a0fff	Pagefile Backed Memory	Readable	Region Actions
wevtutil.exe	0x00e00000	0x00e2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000e30000	0x00e30000	0x0222ffff	Pagefile Backed Memory	Readable	Region Actions
comctl32.dll	0x740b0000	0x7424dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x744a0000	0x744a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x744b0000	0x7450bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74510000	0x7454efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x74630000	0x74671fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credui.dll	0x74680000	0x746aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ac0000	0x74acbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ad0000	0x74b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74b30000	0x74b8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x74ca0000	0x74d9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x74da0000	0x74da9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x74db0000	0x74e7bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e80000	0x74e98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74ea0000	0x74f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75ee0000	0x75fcffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75fe0000	0x7606efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76070000	0x760c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x763f0000	0x7647ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76510000	0x765acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x765b0000	0x765f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76600000	0x7670ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76710000	0x7686bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76a40000	0x76aebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076b70000	0x76b70000	0x76c69fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000076c70000	0x76c70000	0x76d8efff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x76d90000	0x76f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f70000	0x770effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Process #15: wevtutil.exe'

Information	Value
ID	#15
File Name	c:\windows\syswow64\wevtutil.exe
Command Line	wevtutil cl Security
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:30, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:01:20
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xa64
Parent PID	0xa38 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0001076e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A68 0x A6C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x000affff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x000b0000	0x00116fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000120000	0x00120000	0x00121fff	Pagefile Backed Memory	Readable, Writable	Region Actions
wevtutil.exe.mui	0x00130000	0x0013afff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000140000	0x00140000	0x001bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001c0000	0x001c0000	0x001c0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001d0000	0x001d0000	0x001d0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001e0000	0x001e0000	0x001effff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000001f0000	0x001f0000	0x001f1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000230000	0x00230000	0x0026ffff	Private Memory	Readable, Writable	Region Actions Download Dump
wevtutil.exe	0x00340000	0x0036cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000400000	0x00400000	0x004fffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000500000	0x00500000	0x00687fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000690000	0x00690000	0x00810fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000820000	0x00820000	0x01c1ffff	Pagefile Backed Memory	Readable	Region Actions
comctl32.dll	0x740b0000	0x7424dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x744a0000	0x744a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x744b0000	0x7450bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74510000	0x7454efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x74630000	0x74671fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credui.dll	0x74680000	0x746aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ac0000	0x74acbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ad0000	0x74b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74b30000	0x74b8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x74ca0000	0x74d9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x74da0000	0x74da9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x74db0000	0x74e7bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e80000	0x74e98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74ea0000	0x74f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75ee0000	0x75fcffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75fe0000	0x7606efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76070000	0x760c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x763f0000	0x7647ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76510000	0x765acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x765b0000	0x765f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76600000	0x7670ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76710000	0x7686bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76a40000	0x76aebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076b70000	0x76b70000	0x76c69fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000076c70000	0x76c70000	0x76d8efff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x76d90000	0x76f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f70000	0x770effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Process #16: wevtutil.exe'

Information	Value
ID	#16
File Name	c:\windows\syswow64\wevtutil.exe
Command Line	wevtutil cl Application
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:30, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:01:20
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xa70
Parent PID	0xa38 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0001076e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A74 0x A78

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
wevtutil.exe.mui	0x000f0000	0x000fafff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000110000	0x00110000	0x0014ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000160000	0x00160000	0x00161fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000180000	0x00180000	0x001bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000280000	0x00280000	0x002fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000003c0000	0x003c0000	0x004bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000610000	0x00610000	0x0061ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000620000	0x00620000	0x007a7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007b0000	0x007b0000	0x00930fff	Pagefile Backed Memory	Readable	Region Actions
wevtutil.exe	0x00b20000	0x00b4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000b50000	0x00b50000	0x01f4ffff	Pagefile Backed Memory	Readable	Region Actions
comctl32.dll	0x74250000	0x743edfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x744a0000	0x744a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x744b0000	0x7450bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74510000	0x7454efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x74600000	0x74641fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credui.dll	0x74650000	0x7467afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ac0000	0x74acbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ad0000	0x74b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74b30000	0x74b8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x74ca0000	0x74d9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x74da0000	0x74da9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x74db0000	0x74e7bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e80000	0x74e98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74ea0000	0x74f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75ee0000	0x75fcffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75fe0000	0x7606efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76070000	0x760c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x763f0000	0x7647ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76510000	0x765acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x765b0000	0x765f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76600000	0x7670ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76710000	0x7686bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76a40000	0x76aebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076b70000	0x76b70000	0x76c69fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000076c70000	0x76c70000	0x76d8efff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x76d90000	0x76f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f70000	0x770effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Process #17: fsutil.exe'

Information	Value
ID	#17
File Name	c:\windows\syswow64\fsutil.exe
Command Line	fsutil usn deletejournal /D C:
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:31, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:01:19
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xa7c
Parent PID	0xa38 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0001076e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A80

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001effff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001f0000	0x001f0000	0x0022ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000360000	0x00360000	0x0036ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000370000	0x00370000	0x003effff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000530000	0x00530000	0x0062ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000630000	0x00630000	0x007b7fff	Pagefile Backed Memory	Readable	Region Actions
fsutil.exe	0x00f10000	0x00f23fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x744a0000	0x744a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x744b0000	0x7450bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74510000	0x7454efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ktmw32.dll	0x746a0000	0x746a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x74910000	0x7491efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x74920000	0x74938fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x74940000	0x74948fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x74950000	0x74960fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ac0000	0x74acbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ad0000	0x74b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74b30000	0x74b8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x74ca0000	0x74d9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x74da0000	0x74da9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x74db0000	0x74e7bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e80000	0x74e98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74ea0000	0x74f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75ee0000	0x75fcffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x763f0000	0x7647ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76510000	0x765acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x765b0000	0x765f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76600000	0x7670ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76710000	0x7686bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76a40000	0x76aebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076b70000	0x76b70000	0x76c69fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000076c70000	0x76c70000	0x76d8efff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x76d90000	0x76f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f70000	0x770effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Process #18: cmd.exe

(Host: 47, Network: 0)

Information	Value
ID	#18
File Name	c:\windows\syswow64\cmd.exe
Command Line	/c schtasks /Delete /F /TN drogon
Initial Working Directory	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor	Start Time: 00:00:33, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:01:17

OS Process Information

Information	Value
PID	0xa84
Parent PID	0x960 (c:\windows\syswow64\rundll32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0001076e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A88

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x000cffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x000d0000	0x00136fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000140000	0x00140000	0x001bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001c0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x0034ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003c0000	0x003c0000	0x004bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000630000	0x00630000	0x0063ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000640000	0x00640000	0x007c7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007d0000	0x007d0000	0x00950fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000960000	0x00960000	0x01d5ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001d60000	0x01d60000	0x020a2fff	Pagefile Backed Memory	Readable	Region Actions
cmd.exe	0x4a940000	0x4a98bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x744a0000	0x744a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x744b0000	0x7450bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74510000	0x7454efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x746a0000	0x746a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ac0000	0x74acbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ad0000	0x74b2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74b30000	0x74b8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x74ca0000	0x74d9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x74da0000	0x74da9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x74db0000	0x74e7bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e80000	0x74e98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74ea0000	0x74f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75ee0000	0x75fcffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x763f0000	0x7647ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76510000	0x765acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x765b0000	0x765f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76600000	0x7670ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76a40000	0x76aebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076b70000	0x76b70000	0x76c69fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076c70000	0x76c70000	0x76d8efff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76d90000	0x76f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f70000	0x770effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

File (7)

Operation	Filename	Additional Information	Count	Logfile
Get Info	C:\Users\5p5NrGJn0jS HALPmcxz\Desktop	type = file_attributes	2	Fn
Open	STD_OUTPUT_HANDLE	-	3	Fn
Open	STD_INPUT_HANDLE	-	2	Fn

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\syswow64\cmd.exe	base_address = 0x4a940000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x76600000	2	Fn
Get Filename	-	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadUILanguage, address_out = 0x7662a84f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x76633b92	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x76614a5d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x7662a79d	1	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2017-10-25 15:17:02 (UTC)		1	Fn
Get Time	type = Ticks, time = 101416		1	Fn

Environment (13)

Operation	Additional Information	Count	Logfile
Get Environment String	-	4	Fn Data
Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	2	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	2	Fn
Get Environment String	name = PROMPT	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Set Environment String	name = PROMPT, value = $P$G	1	Fn
Set Environment String	name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop	1	Fn

Process #19: taskeng.exe'

Information	Value
ID	#19
File Name	c:\windows\system32\taskeng.exe
Command Line	taskeng.exe {4222EA2E-0F28-4DC3-9F30-F6A79682CE97} S-1-5-18:NT AUTHORITY\System:Service:
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:57, Reason: Created Scheduled Job
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:53
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x444
Parent PID	0x374 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT SERVICE\BDESVC (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\BITS (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\CertPropSvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\EapHost (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\hkmsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\IKEEXT (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\iphlpsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\LanmanServer (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\MMCSS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\MSiSCSI (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasAuto (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasMan (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RemoteAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Schedule (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SCPolicySvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SENS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SessionEnv (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SharedAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\ShellHWDetection (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\wercplsupport (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Winmgmt (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\wuauserv (ENABLED_BY_DEFAULT, OWNER) NT AUTHORITY\Logon Session 00000000:0000ce9f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER)
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 448 0x 704 0x 428 0x 600 0x 4FC 0x 5C0 0x 5F0 0x 60C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
imm32.dll	0x000c0000	0x000e8fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x0017ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000180000	0x00180000	0x00181fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000210000	0x00210000	0x0033ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000210000	0x00210000	0x0030ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000310000	0x00310000	0x00310fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000320000	0x00320000	0x00320fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000330000	0x00330000	0x0033ffff	Private Memory	Readable, Writable	Region Actions
rpcss.dll	0x00340000	0x003bcfff	Memory Mapped File	Readable	Region Actions
rsaenh.dll	0x00340000	0x00384fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000340000	0x00340000	0x00340fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000003c0000	0x003c0000	0x004bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004c0000	0x004c0000	0x00647fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000650000	0x00650000	0x007d0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007e0000	0x007e0000	0x00bd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000be0000	0x00be0000	0x00dbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000be0000	0x00be0000	0x00cdffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d40000	0x00d40000	0x00dbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e80000	0x00e80000	0x00efffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f90000	0x00f90000	0x0100ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001070000	0x01070000	0x010effff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x010f0000	0x013befff	Memory Mapped File	Readable	Region Actions
private_0x00000000013c0000	0x013c0000	0x0143ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001440000	0x01440000	0x014bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014f0000	0x014f0000	0x0156ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016e0000	0x016e0000	0x0175ffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
taskeng.exe	0xff910000	0xff983fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
tschannel.dll	0x7fef6fc0000	0x7fef6fc8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ktmw32.dll	0x7fefafc0000	0x7fefafc9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
xmllite.dll	0x7fefbeb0000	0x7fefbee4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefcff0000	0x7fefd036fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd2f0000	0x7fefd306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefd520000	0x7fefd58cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd8c0000	0x7fefd8e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd9e0000	0x7fefd9f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefdf00000	0x7fefe008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe150000	0x7fefe16efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe170000	0x7fefe19dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff340000	0x7feff416fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff420000	0x7feff4fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff890000	0x7feff928fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feffa50000	0x7feffc52fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feffc60000	0x7feffcd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #20: System'

Information	Value
ID	#20
File Name	System
Command Line	-
Initial Working Directory	-
Monitor	Start Time: 00:01:03, Reason: Kernel Analysis
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x4
Parent PID	0xffffffffffffffff (Unknown)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 434 0x 438 0x 94 0x 78 0x 52C 0x 4C8 0x 114 0x 430 0x 4C 0x 3DC 0x D8 0x 88 0x 80 0x 8C 0x 28 0x 68 0x 310 0x 84 0x 298 0x 74 0x 98 0x 9C 0x 5C 0x 128 0x 104 0x B0 0x 19C 0x B8 0x 160 0x 15C 0x 158 0x 154 0x 134 0x 90 0x 13C 0x C8 0x BC 0x 3C 0x 24 0x 38 0x 40 0x 64 0x 48 0x 110 0x C4 0x 34 0x 44 0x 8 0x 0 0x FC 0x 5A0 0x 5AC 0x 5F4 0x 50 0x 734 0x 740 0x 754 0x 788 0x 790 0x 79C 0x 7A8 0x 7AC 0x 7B4 0x 60 0x 20 0x C0 0x 698 0x B4 0x 1C 0x 18 0x D4

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x00032fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x0005ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x0007ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000080000	0x00080000	0x00080fff	Pagefile Backed Memory	Readable, Writable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c90000	0x77e0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
pagefile_0x000007fff64d0000	0x7fff64d0000	0x7fff64fffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fff69d0000	0x7fff69d0000	0x7fff69fffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fff6ed0000	0x7fff6ed0000	0x7fff6efffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fff73d0000	0x7fff73d0000	0x7fff73fffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fff78d0000	0x7fff78d0000	0x7fff78fffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fff7dd0000	0x7fff7dd0000	0x7fff7dfffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fff82d0000	0x7fff82d0000	0x7fff82fffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fff87d0000	0x7fff87d0000	0x7fff87fffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fff8cd0000	0x7fff8cd0000	0x7fff8cfffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fff91d0000	0x7fff91d0000	0x7fff91fffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fff96d0000	0x7fff96d0000	0x7fff96fffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fff9bd0000	0x7fff9bd0000	0x7fff9bfffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fffa0d0000	0x7fffa0d0000	0x7fffa0fffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fffa5d0000	0x7fffa5d0000	0x7fffa5fffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fffaad0000	0x7fffaad0000	0x7fffaafffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fffafd0000	0x7fffafd0000	0x7fffaffffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fffb4d0000	0x7fffb4d0000	0x7fffb4fffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fffb9d0000	0x7fffb9d0000	0x7fffb9fffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fffbed0000	0x7fffbed0000	0x7fffbefffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fffc3d0000	0x7fffc3d0000	0x7fffc3fffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fffc8d0000	0x7fffc8d0000	0x7fffc8fffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fffcdd0000	0x7fffcdd0000	0x7fffcdfffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fffd2d0000	0x7fffd2d0000	0x7fffd2fffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fffd7d0000	0x7fffd7d0000	0x7fffd7fffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fffdcd0000	0x7fffdcd0000	0x7fffdcfffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fffe1d0000	0x7fffe1d0000	0x7fffe1fffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fffe6d0000	0x7fffe6d0000	0x7fffe6fffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007fffebd0000	0x7fffebd0000	0x7fffebfffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007ffff0d0000	0x7ffff0d0000	0x7ffff0fffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007ffff5d0000	0x7ffff5d0000	0x7ffff5fffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x000007ffffad0000	0x7ffffad0000	0x7ffffafffff	Pagefile Backed Memory	Readable, Writable	Region Actions

Process #21: smss.exe'

Information	Value
ID	#21
File Name	c:\windows\system32\smss.exe
Command Line	\SystemRoot\System32\smss.exe
Initial Working Directory	C:\Windows
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x108
Parent PID	0x4 (System)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 184 0x 140 0x 118 0x 10C

Process #22: csrss.exe'

Information	Value
ID	#22
File Name	c:\windows\system32\csrss.exe
Command Line	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x14c
Parent PID	0x144 (c:\windows\system32\smss.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 1FC 0x 1C0 0x 1BC 0x 190 0x 170 0x 16C 0x 168 0x 164 0x 150 0x 5C4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x (null)	0x00000000	0x000fffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00100000	0x00166fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000170000	0x00170000	0x00176fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000180000	0x00180000	0x00181fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x00190fff	Private Memory	Readable, Writable	Region Actions
vgasys.fon	0x001a0000	0x001a1fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x001f0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000200000	0x00200000	0x0020ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
marlett.ttf	0x00210000	0x00216fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000220000	0x00220000	0x0022ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000230000	0x00230000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
segoeui.ttf	0x00270000	0x002eefff	Memory Mapped File	Readable	Region Actions
private_0x00000000002f0000	0x002f0000	0x002fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000300000	0x00300000	0x0032ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000330000	0x00330000	0x00347fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000350000	0x00350000	0x0035ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000360000	0x00360000	0x0036ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000370000	0x00370000	0x0037ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000380000	0x00380000	0x0038ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000390000	0x00390000	0x0048ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000490000	0x00490000	0x0058ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000590000	0x00590000	0x00710fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000720000	0x00720000	0x00b12fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000b20000	0x00b20000	0x00b2ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000b30000	0x00b30000	0x00b31fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000b40000	0x00b40000	0x00b4ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000b50000	0x00b50000	0x00b8ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000b90000	0x00b90000	0x00b9ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000ba0000	0x00ba0000	0x00baffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000bb0000	0x00bb0000	0x00bbffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000bc0000	0x00bc0000	0x00bcffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000bd0000	0x00bd0000	0x00c0ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000c10000	0x00c10000	0x00c1ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000c20000	0x00c20000	0x00c2ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000c30000	0x00c30000	0x00c3ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000c40000	0x00c40000	0x00c7ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000c80000	0x00c80000	0x00e07fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000e10000	0x00e10000	0x00e11fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000e10000	0x00e10000	0x00e10fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000e10000	0x00e10000	0x00e1ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000e20000	0x00e20000	0x00e20fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000e20000	0x00e20000	0x00e22fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000e20000	0x00e20000	0x00e2ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000e30000	0x00e30000	0x00e3ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000e30000	0x00e30000	0x00e30fff	Pagefile Backed Memory	Readable, Writable	Region Actions
vgaoem.fon	0x00e40000	0x00e41fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000e50000	0x00e50000	0x00e8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e90000	0x00e90000	0x00ecffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000ed0000	0x00ed0000	0x022cffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000022d0000	0x022d0000	0x0238ffff	Pagefile Backed Memory	Readable	Region Actions
dosapp.fon	0x02390000	0x02398fff	Memory Mapped File	Readable	Region Actions
private_0x00000000023a0000	0x023a0000	0x023dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000023e0000	0x023e0000	0x0249ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000024a0000	0x024a0000	0x0255ffff	Pagefile Backed Memory	Readable	Region Actions
cga40woa.fon	0x02560000	0x02561fff	Memory Mapped File	Readable	Region Actions
cga80woa.fon	0x02570000	0x02571fff	Memory Mapped File	Readable	Region Actions
ega40woa.fon	0x02580000	0x02582fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000002590000	0x02590000	0x02593fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000002590000	0x02590000	0x02590fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000002590000	0x02590000	0x0259ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000025a0000	0x025a0000	0x025affff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000025b0000	0x025b0000	0x025bffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000025c0000	0x025c0000	0x025cffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000025d0000	0x025d0000	0x025dffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000025e0000	0x025e0000	0x025effff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000025f0000	0x025f0000	0x025fffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000002600000	0x02600000	0x02600fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000002710000	0x02710000	0x0274ffff	Private Memory	Readable, Writable	Region Actions
csrss.exe	0x49d30000	0x49d35fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxs.dll	0x7fefd900000	0x7fefd990fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxssrv.dll	0x7fefda10000	0x7fefda1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsrv.dll	0x7fefda20000	0x7fefda57fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
basesrv.dll	0x7fefda60000	0x7fefda70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
csrsrv.dll	0x7fefda80000	0x7fefda92fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions

Process #23: wininit.exe'

Information	Value
ID	#23
File Name	c:\windows\system32\wininit.exe
Command Line	wininit.exe
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x17c
Parent PID	0x144 (c:\windows\system32\smss.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeTcbPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 218 0x 214 0x 1F0 0x 1D4 0x 198 0x 194 0x 180

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00031fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000040000	0x00040000	0x0013ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00140000	0x001a6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001d0000	0x001d0000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000250000	0x00250000	0x0027ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000280000	0x00280000	0x00280fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002c0000	0x002c0000	0x002cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002d0000	0x002d0000	0x003cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003d0000	0x003d0000	0x00557fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000560000	0x00560000	0x006e0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006f0000	0x006f0000	0x00ae2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000b70000	0x00b70000	0x00beffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c00000	0x00c00000	0x00c7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000cb0000	0x00cb0000	0x00d2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00daffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000de0000	0x00de0000	0x00e5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ed0000	0x00ed0000	0x00f4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ff0000	0x00ff0000	0x0106ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001070000	0x01070000	0x0246ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000025c0000	0x025c0000	0x0263ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x02640000	0x0290efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002930000	0x02930000	0x029affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000029d0000	0x029d0000	0x02a4ffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
wininit.exe	0xff140000	0xff162fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x7fefcc90000	0x7fefcc96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcef0000	0x7fefcef9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x7fefd280000	0x7fefd286fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd290000	0x7fefd2e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefd890000	0x7fefd89afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd8c0000	0x7fefd8e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd9e0000	0x7fefd9f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefda00000	0x7fefda0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefdf00000	0x7fefe008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe150000	0x7fefe16efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe170000	0x7fefe19dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feff0b0000	0x7feff0b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff420000	0x7feff4fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feffd50000	0x7feffd9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #24: csrss.exe'

Information	Value
ID	#24
File Name	c:\windows\system32\csrss.exe
Command Line	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x188
Parent PID	0x174 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 1F8 0x 1F4 0x 1C4 0x 1B0 0x 1AC 0x 1A8 0x 1A4 0x 18C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x (null)	0x00000000	0x000fffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00100000	0x00166fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000170000	0x00170000	0x00176fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000180000	0x00180000	0x00181fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x00190fff	Private Memory	Readable, Writable	Region Actions
vgasys.fon	0x001a0000	0x001a1fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001bffff	Pagefile Backed Memory	Readable, Writable	Region Actions
marlett.ttf	0x001c0000	0x001c6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000001d0000	0x001d0000	0x001e7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001f0000	0x001f0000	0x001f0fff	Private Memory	Readable, Writable	Region Actions
segoeui.ttf	0x00200000	0x0027efff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000280000	0x00280000	0x002affff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000002b0000	0x002b0000	0x002b1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000002c0000	0x002c0000	0x002cffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000002c0000	0x002c0000	0x002c1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000002c0000	0x002c0000	0x002c2fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000002d0000	0x002d0000	0x002dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000002e0000	0x002e0000	0x002effff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000002f0000	0x002f0000	0x0032ffff	Private Memory	Readable, Writable	Region Actions
micross.ttf	0x00330000	0x003cffff	Memory Mapped File	Readable	Region Actions
private_0x00000000003d0000	0x003d0000	0x004cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004d0000	0x004d0000	0x005cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005d0000	0x005d0000	0x00750fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000760000	0x00760000	0x00b52fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000b60000	0x00b60000	0x00b9ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000ba0000	0x00ba0000	0x00baffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000bb0000	0x00bb0000	0x00bbffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000bc0000	0x00bc0000	0x00bcffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000bd0000	0x00bd0000	0x00bdffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000bd0000	0x00bd0000	0x00bd2fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000bd0000	0x00bd0000	0x00bd1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000bd0000	0x00bd0000	0x00bd0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000be0000	0x00be0000	0x00beffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000be0000	0x00be0000	0x00be1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000be0000	0x00be0000	0x00be0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000be0000	0x00be0000	0x00be2fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000bf0000	0x00bf0000	0x00bf1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000bf0000	0x00bf0000	0x00bfffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000c00000	0x00c00000	0x00c3ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000c40000	0x00c40000	0x00c40fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000c40000	0x00c40000	0x00c4ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000c50000	0x00c50000	0x00c51fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000c90000	0x00c90000	0x00ccffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000cd0000	0x00cd0000	0x00e57fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000ea0000	0x00ea0000	0x00edffff	Private Memory	Readable, Writable	Region Actions
segoeuii.ttf	0x00ee0000	0x00f3efff	Memory Mapped File	Readable	Region Actions
private_0x0000000000f50000	0x00f50000	0x00f8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000fc0000	0x00fc0000	0x00ffffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001000000	0x01000000	0x023fffff	Pagefile Backed Memory	Readable	Region Actions
csrss.exe	0x49d30000	0x49d35fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxs.dll	0x7fefd900000	0x7fefd990fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxssrv.dll	0x7fefda10000	0x7fefda1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsrv.dll	0x7fefda20000	0x7fefda57fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
basesrv.dll	0x7fefda60000	0x7fefda70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
csrsrv.dll	0x7fefda80000	0x7fefda92fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #25: winlogon.exe'

Information	Value
ID	#25
File Name	c:\windows\system32\winlogon.exe
Command Line	winlogon.exe
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x1b4
Parent PID	0x174 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeTcbPrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 3D8 0x 324 0x 2E8 0x 1CC 0x 1C8 0x 1B8

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
locale.nls	0x00020000	0x00086fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000090000	0x00090000	0x00096fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000a0000	0x000a0000	0x000a1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000b0000	0x000b0000	0x000b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x0012ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000130000	0x00130000	0x00147fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000160000	0x00160000	0x00160fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x001effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002e0000	0x002e0000	0x003dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003e0000	0x003e0000	0x004dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004e0000	0x004e0000	0x00667fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000670000	0x00670000	0x007f0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000800000	0x00800000	0x00bf2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000c40000	0x00c40000	0x00cbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00daffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000db0000	0x00db0000	0x00e2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ea0000	0x00ea0000	0x00f1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f40000	0x00f40000	0x00fbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000fe0000	0x00fe0000	0x0105ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001080000	0x01080000	0x010fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001120000	0x01120000	0x0119ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000011a0000	0x011a0000	0x0129ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000012a0000	0x012a0000	0x0131ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001360000	0x01360000	0x013dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013e0000	0x013e0000	0x0145ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001500000	0x01500000	0x0157ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01580000	0x0184efff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000001850000	0x01850000	0x02c4ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002c50000	0x02c50000	0x02d4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002de0000	0x02de0000	0x02e5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002f10000	0x02f10000	0x02f8ffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
winlogon.exe	0xffc70000	0xffcd1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x7fefadb0000	0x7fefadc7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxinit.dll	0x7fefb180000	0x7fefb189fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7fefb480000	0x7fefb48afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x7fefbbf0000	0x7fefbc04fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x7fefbc10000	0x7fefbc1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windowscodecs.dll	0x7fefbd80000	0x7fefbea9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc320000	0x7fefc375fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefcff0000	0x7fefd036fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd2f0000	0x7fefd306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netjoin.dll	0x7fefd400000	0x7fefd431fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd8c0000	0x7fefd8e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefd9a0000	0x7fefd9dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd9e0000	0x7fefd9f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefda00000	0x7fefda0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefdf00000	0x7fefe008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe150000	0x7fefe16efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe170000	0x7fefe19dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff420000	0x7feff4fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feffa50000	0x7feffc52fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #26: services.exe'

Information	Value
ID	#26
File Name	c:\windows\system32\services.exe
Command Line	C:\Windows\system32\services.exe
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x1d8
Parent PID	0x17c (c:\windows\system32\wininit.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 4B4 0x 4B0 0x 4A8 0x 454 0x 310 0x 294 0x 258 0x 254 0x 250 0x 24C 0x 248 0x 244 0x 240 0x 234 0x 230 0x 22C 0x 228 0x 1DC

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000170000	0x00170000	0x0022ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000230000	0x00230000	0x00237fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000240000	0x00240000	0x00240fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x0034ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000350000	0x00350000	0x0044ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000450000	0x00450000	0x00450fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000460000	0x00460000	0x00460fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000470000	0x00470000	0x004affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004b0000	0x004b0000	0x004b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004c0000	0x004c0000	0x004cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004d0000	0x004d0000	0x00657fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000660000	0x00660000	0x007e0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007f0000	0x007f0000	0x00be2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000bf0000	0x00bf0000	0x00bf0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c00000	0x00c00000	0x00c00fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c10000	0x00c10000	0x00c10fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c20000	0x00c20000	0x00c20fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c30000	0x00c30000	0x00caffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000cb0000	0x00cb0000	0x00cb0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000cc0000	0x00cc0000	0x00cc0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000cd0000	0x00cd0000	0x00cd0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ce0000	0x00ce0000	0x00ce0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000cf0000	0x00cf0000	0x00d6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d70000	0x00d70000	0x00deffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000df0000	0x00df0000	0x00df0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e00000	0x00e00000	0x00e00fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e10000	0x00e10000	0x00e10fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e20000	0x00e20000	0x00e20fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e30000	0x00e30000	0x00e30fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e40000	0x00e40000	0x00ebffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ec0000	0x00ec0000	0x00f3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f40000	0x00f40000	0x00f40fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f50000	0x00f50000	0x00fcffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000fd0000	0x00fd0000	0x00fd0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000fe0000	0x00fe0000	0x00fe0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ff0000	0x00ff0000	0x0106ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001070000	0x01070000	0x01070fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001080000	0x01080000	0x01080fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001090000	0x01090000	0x0110ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001110000	0x01110000	0x0118ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001190000	0x01190000	0x01190fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000011a0000	0x011a0000	0x011a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000011b0000	0x011b0000	0x011b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000011c0000	0x011c0000	0x011c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000011d0000	0x011d0000	0x011d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000011e0000	0x011e0000	0x011e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000011f0000	0x011f0000	0x011f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001200000	0x01200000	0x01200fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001210000	0x01210000	0x01210fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001220000	0x01220000	0x0129ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000012a0000	0x012a0000	0x0131ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001320000	0x01320000	0x01320fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001330000	0x01330000	0x01330fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001350000	0x01350000	0x013cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001450000	0x01450000	0x014cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014e0000	0x014e0000	0x0155ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001580000	0x01580000	0x015fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001620000	0x01620000	0x0169ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001750000	0x01750000	0x017cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000017d0000	0x017d0000	0x018cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000019a0000	0x019a0000	0x01a1ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01a20000	0x01ceefff	Memory Mapped File	Readable	Region Actions
private_0x0000000001cf0000	0x01cf0000	0x01deffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001df0000	0x01df0000	0x01feffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ff0000	0x01ff0000	0x021effff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
taskhost.exe	0xff940000	0xff953fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
services.exe	0xffd30000	0xffd82fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7fefbd50000	0x7fefbd60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x7fefcc90000	0x7fefcc96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ubpm.dll	0x7fefceb0000	0x7fefcee8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcef0000	0x7fefcef9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x7fefd280000	0x7fefd286fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd290000	0x7fefd2e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
authz.dll	0x7fefd4e0000	0x7fefd50efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x7fefd7f0000	0x7fefd812fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
scesrv.dll	0x7fefd820000	0x7fefd886fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefd890000	0x7fefd89afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
scext.dll	0x7fefd8a0000	0x7fefd8b8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd8c0000	0x7fefd8e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefd9a0000	0x7fefd9dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd9e0000	0x7fefd9f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefda00000	0x7fefda0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefdf00000	0x7fefe008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe150000	0x7fefe16efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe170000	0x7fefe19dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feff0b0000	0x7feff0b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff420000	0x7feff4fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feffd50000	0x7feffd9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffff98000	0x7fffff98000	0x7fffff99fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9a000	0x7fffff9a000	0x7fffff9bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9c000	0x7fffff9c000	0x7fffff9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9e000	0x7fffff9e000	0x7fffff9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #27: lsass.exe'

Information	Value
ID	#27
File Name	c:\windows\system32\lsass.exe
Command Line	C:\Windows\system32\lsass.exe
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x1e0
Parent PID	0x17c (c:\windows\system32\wininit.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeCreateTokenPrivilege, SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 408 0x 320 0x 23C 0x 21C 0x 210 0x 20C 0x 208 0x 204 0x 200

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00020fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000effff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000fffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00106fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000110000	0x00110000	0x00111fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000120000	0x00120000	0x0012ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
c_28591.nls	0x00130000	0x00140fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000160000	0x00160000	0x00160fff	Private Memory	Readable, Writable	Region Actions
2be989a0-16a1-424b-9211-51aa3bb43e5d	0x00170000	0x00170fff	Memory Mapped File	Readable	Region Actions
credhist	0x00170000	0x00170fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000180000	0x00180000	0x00180fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x0036ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000370000	0x00370000	0x0046ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000470000	0x00470000	0x0052ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000530000	0x00530000	0x00530fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000540000	0x00540000	0x0054ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000550000	0x00550000	0x00550fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000560000	0x00560000	0x00560fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000570000	0x00570000	0x00570fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000580000	0x00580000	0x00580fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000590000	0x00590000	0x00590fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005a0000	0x005a0000	0x005a0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000660000	0x00660000	0x006dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000006e0000	0x006e0000	0x00867fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000870000	0x00870000	0x009f0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000a90000	0x00a90000	0x00b0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000b70000	0x00b70000	0x00beffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000bf0000	0x00bf0000	0x00c6ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000c70000	0x00c70000	0x01062fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001080000	0x01080000	0x010fffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01100000	0x013cefff	Memory Mapped File	Readable	Region Actions
private_0x0000000001470000	0x01470000	0x014effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001560000	0x01560000	0x015dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001680000	0x01680000	0x016fffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000017b0000	0x017b0000	0x0182ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001830000	0x01830000	0x0192ffff	Private Memory	Readable, Writable	Region Actions
msprivs.dll	0x757d0000	0x757d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
lsass.exe	0xff9a0000	0xff9abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7fefb390000	0x7fefb39afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x7fefb3a0000	0x7fefb3c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x7fefbc10000	0x7fefbc1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x7fefcc90000	0x7fefcc96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefcda0000	0x7fefcdbdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
scecli.dll	0x7fefce70000	0x7fefceadfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcef0000	0x7fefcef9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
efslsaext.dll	0x7fefcf10000	0x7fefcf21fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x7fefcf30000	0x7fefcf7bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pku2u.dll	0x7fefcf80000	0x7fefcfc4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
tspkg.dll	0x7fefcfd0000	0x7fefcfe7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefcff0000	0x7fefd036fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wdigest.dll	0x7fefd040000	0x7fefd075fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
schannel.dll	0x7fefd080000	0x7fefd0d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
logoncli.dll	0x7fefd0e0000	0x7fefd10ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x7fefd110000	0x7fefd16afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netlogon.dll	0x7fefd170000	0x7fefd21dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msv1_0.dll	0x7fefd220000	0x7fefd270fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x7fefd280000	0x7fefd286fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd290000	0x7fefd2e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd2f0000	0x7fefd306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kerberos.dll	0x7fefd310000	0x7fefd3c3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
negoexts.dll	0x7fefd3d0000	0x7fefd3f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netjoin.dll	0x7fefd400000	0x7fefd431fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x7fefd460000	0x7fefd481fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ncrypt.dll	0x7fefd490000	0x7fefd4ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
authz.dll	0x7fefd4e0000	0x7fefd50efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cngaudit.dll	0x7fefd510000	0x7fefd518fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefd520000	0x7fefd58cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptdll.dll	0x7fefd590000	0x7fefd5a3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samsrv.dll	0x7fefd5b0000	0x7fefd66cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lsasrv.dll	0x7fefd670000	0x7fefd7d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspisrv.dll	0x7fefd7e0000	0x7fefd7eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefd890000	0x7fefd89afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd8c0000	0x7fefd8e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefd9a0000	0x7fefd9dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd9e0000	0x7fefd9f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefda00000	0x7fefda0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdaa0000	0x7fefdaaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdbc0000	0x7fefdd26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefdf00000	0x7fefe008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe150000	0x7fefe16efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe170000	0x7fefe19dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feff0b0000	0x7feff0b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff420000	0x7feff4fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feffd50000	0x7feffd9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #28: lsm.exe'

Information	Value
ID	#28
File Name	c:\windows\system32\lsm.exe
Command Line	C:\Windows\system32\lsm.exe
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x1e8
Parent PID	0x17c (c:\windows\system32\wininit.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 314 0x 30C 0x 300 0x 2F4 0x 2EC 0x 2E4 0x 2E0 0x 2D8 0x 264 0x 1EC 0x 5A8

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x0017ffff	Private Memory	Readable, Writable	Region Actions
lsm.exe.mui	0x00180000	0x00181fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x0019ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x0036ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003a0000	0x003a0000	0x0049ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004e0000	0x004e0000	0x0055ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x00560000	0x0082efff	Memory Mapped File	Readable	Region Actions
private_0x0000000000850000	0x00850000	0x008cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000930000	0x00930000	0x009affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000009d0000	0x009d0000	0x00a4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a80000	0x00a80000	0x00afffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000b40000	0x00b40000	0x00bbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c00000	0x00c00000	0x00c7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c80000	0x00c80000	0x00cfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000db0000	0x00db0000	0x00e2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000eb0000	0x00eb0000	0x00f2ffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
lsm.exe	0xff3f0000	0xff446fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcef0000	0x7fefcef9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pcwum.dll	0x7fefcf00000	0x7fefcf0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wmsgapi.dll	0x7fefd440000	0x7fefd447fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sysntfy.dll	0x7fefd450000	0x7fefd459fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefd890000	0x7fefd89afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd8c0000	0x7fefd8e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd9e0000	0x7fefd9f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe150000	0x7fefe16efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff420000	0x7feff4fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #29: svchost.exe'

Information	Value
ID	#29
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe -k DcomLaunch
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x25c
Parent PID	0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT SERVICE\DcomLaunch (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\PlugPlay (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\Power (ENABLED_BY_DEFAULT, OWNER) NT AUTHORITY\Logon Session 00000000:00006c0a (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID, OWNER) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER)
Enabled Privileges	SeTcbPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 120 0x 3FC 0x 2B4 0x 2AC 0x 2A8 0x 290 0x 28C 0x 288 0x 284 0x 280 0x 27C 0x 274 0x 26C 0x 268 0x 260 0x 768

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x000cffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x000d0000	0x00136fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000140000	0x00140000	0x0023ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000240000	0x00240000	0x00241fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x0025ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000260000	0x00260000	0x00260fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x00270fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000280000	0x00280000	0x00280fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000290000	0x00290000	0x00290fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000002a0000	0x002a0000	0x002a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000002b0000	0x002b0000	0x002b0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000002c0000	0x002c0000	0x003bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003c0000	0x003c0000	0x003c0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003d0000	0x003d0000	0x003dbfff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000003e0000	0x003e0000	0x0045ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000460000	0x00460000	0x004dffff	Private Memory	Readable, Writable	Region Actions
hdaudio.pnf	0x004e0000	0x00509fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000520000	0x00520000	0x0052ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000560000	0x00560000	0x005dffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x005e0000	0x008aefff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000008b0000	0x008b0000	0x00a37fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000a40000	0x00a40000	0x00bc0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000bd0000	0x00bd0000	0x00c8ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000c90000	0x00c90000	0x01082fff	Pagefile Backed Memory	Readable	Region Actions
rsaenh.dll	0x01090000	0x010d4fff	Memory Mapped File	Readable	Region Actions
private_0x00000000010f0000	0x010f0000	0x0116ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001170000	0x01170000	0x0126ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000011d0000	0x011d0000	0x0124ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001280000	0x01280000	0x012fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001300000	0x01300000	0x0139ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013c0000	0x013c0000	0x0143ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001440000	0x01440000	0x0153ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001540000	0x01540000	0x015bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001600000	0x01600000	0x0167ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001680000	0x01680000	0x016fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001710000	0x01710000	0x0178ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001820000	0x01820000	0x0189ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000018b0000	0x018b0000	0x0192ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001930000	0x01930000	0x019affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000019c0000	0x019c0000	0x01a3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ac0000	0x01ac0000	0x01b3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b40000	0x01b40000	0x01c3ffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
svchost.exe	0xff3b0000	0xff3bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dllhost.exe	0xff4e0000	0xff4e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dllhost.exe	0xffa30000	0xffa36fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wmiutils.dll	0x7fef59c0000	0x7fef59e5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemsvc.dll	0x7fef5a10000	0x7fef5a23fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemprox.dll	0x7fef5e90000	0x7fef5e9efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdsapi.dll	0x7fef5ea0000	0x7fef5ec6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fastprox.dll	0x7fef5fe0000	0x7fef60c1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wmidcprv.dll	0x7fef60d0000	0x7fef6101fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemcomn.dll	0x7fef6230000	0x7fef62b5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7fefbd50000	0x7fefbd60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefc9f0000	0x7fefca1cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcss.dll	0x7fefccc0000	0x7fefcd40fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
umpo.dll	0x7fefcd50000	0x7fefcd7bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x7fefcd80000	0x7fefcd9afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefcda0000	0x7fefcdbdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devrtl.dll	0x7fefcdc0000	0x7fefcdd1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
spinf.dll	0x7fefcde0000	0x7fefcdfefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
umpnpmgr.dll	0x7fefce00000	0x7fefce66fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcef0000	0x7fefcef9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pcwum.dll	0x7fefcf00000	0x7fefcf0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefcff0000	0x7fefd036fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd2f0000	0x7fefd306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd8c0000	0x7fefd8e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefd9a0000	0x7fefd9dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd9e0000	0x7fefd9f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefda00000	0x7fefda0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdaa0000	0x7fefdaaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefdab0000	0x7fefdac9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefdb40000	0x7fefdb75fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x7fefdb80000	0x7fefdbb9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdbc0000	0x7fefdd26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x7fefdea0000	0x7fefdef1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefdf00000	0x7fefe008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe150000	0x7fefe16efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe170000	0x7fefe19dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feff0b0000	0x7feff0b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7feff0c0000	0x7feff296fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff340000	0x7feff416fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff420000	0x7feff4fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff890000	0x7feff928fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feffa50000	0x7feffc52fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feffd50000	0x7feffd9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffff9c000	0x7fffff9c000	0x7fffff9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9e000	0x7fffff9e000	0x7fffff9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #30: svchost.exe'

Information	Value
ID	#30
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe -k RPCSS
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x2a0
Parent PID	0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\Network Service
Groups	Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT SERVICE\RpcEptMapper (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\RpcSs (ENABLED_BY_DEFAULT, OWNER) NT AUTHORITY\Logon Session 00000000:0000b32b (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID, OWNER) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x CC 0x 2CC 0x 2C8 0x 2C4 0x 2C0 0x 2B8 0x 2B0 0x 2A4 0x 728 0x 794 0x 7E4 0x 7FC

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00100fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000150000	0x00150000	0x001cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001d0000	0x001d0000	0x002cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002d0000	0x002d0000	0x0034ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000360000	0x00360000	0x0036ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000370000	0x00370000	0x0046ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000470000	0x00470000	0x004effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000530000	0x00530000	0x005affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005d0000	0x005d0000	0x0064ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000650000	0x00650000	0x006cffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x006d0000	0x0099efff	Memory Mapped File	Readable	Region Actions
private_0x00000000009f0000	0x009f0000	0x00a6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ae0000	0x00ae0000	0x00b5ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000b60000	0x00b60000	0x00ce7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000cf0000	0x00cf0000	0x00e70fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000e80000	0x00e80000	0x00f3ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000f40000	0x00f40000	0x01332fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001340000	0x01340000	0x0143ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001480000	0x01480000	0x014fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001540000	0x01540000	0x015bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001610000	0x01610000	0x0168ffff	Private Memory	Readable, Writable	Region Actions
explorer.exe	0x01690000	0x0194dfff	Memory Mapped File	Readable	Region Actions
private_0x0000000001770000	0x01770000	0x017effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000018c0000	0x018c0000	0x0193ffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
svchost.exe	0xff3b0000	0xff3bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fwpuclnt.dll	0x7fefb240000	0x7fefb292fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcbc0000	0x7fefcbcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
firewallapi.dll	0x7fefcbd0000	0x7fefcc8afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x7fefcc90000	0x7fefcc96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcepmap.dll	0x7fefcca0000	0x7fefccb3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcss.dll	0x7fefccc0000	0x7fefcd40fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcef0000	0x7fefcef9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefcff0000	0x7fefd036fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x7fefd280000	0x7fefd286fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd290000	0x7fefd2e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd2f0000	0x7fefd306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefd890000	0x7fefd89afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd8c0000	0x7fefd8e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd9e0000	0x7fefd9f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefdf00000	0x7fefe008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe150000	0x7fefe16efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe170000	0x7fefe19dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feff0b0000	0x7feff0b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff340000	0x7feff416fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff420000	0x7feff4fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff890000	0x7feff928fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feffa50000	0x7feffc52fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feffd50000	0x7feffd9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #31: svchost.exe'

Information	Value
ID	#31
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x2d0
Parent PID	0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\Local Service
Groups	Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT SERVICE\Audiosrv (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Dhcp (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\eventlog (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\HomeGroupProvider (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\lmhosts (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\WPCSvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\wscsvc (ENABLED_BY_DEFAULT, OWNER) NT AUTHORITY\Logon Session 00000000:0000b632 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID, OWNER) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 550 0x 544 0x 540 0x 370 0x 1E4 0x 224 0x 1D0 0x 174 0x 3C4 0x 3BC 0x 3AC 0x 308 0x 304 0x 2F8 0x 2F0 0x 2DC 0x 2D4 0x 608 0x 630 0x 640 0x 658 0x 6B8 0x 6BC 0x 7D0 0x 7D8 0x 734

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00051fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000060000	0x00060000	0x00060fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x0009ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000a0000	0x000a0000	0x000a0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000b0000	0x000b0000	0x0012ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00130000	0x00196fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001a0000	0x001a0000	0x0029ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002a0000	0x002a0000	0x002dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002e0000	0x002e0000	0x002fffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002e0000	0x002e0000	0x002e0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000300000	0x00300000	0x00307fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000310000	0x00310000	0x00310fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000320000	0x00320000	0x0041ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000420000	0x00420000	0x005a7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000005b0000	0x005b0000	0x005bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005c0000	0x005c0000	0x00740fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000750000	0x00750000	0x0080ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000810000	0x00810000	0x00c02fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000c10000	0x00c10000	0x00c2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c10000	0x00c10000	0x00c10fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c30000	0x00c30000	0x00c30fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c40000	0x00c40000	0x00c40fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000c50000	0x00c50000	0x00c50fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000c60000	0x00c60000	0x00c61fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c80000	0x00c80000	0x00cfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d00000	0x00d00000	0x00d7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d80000	0x00d80000	0x00dfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e00000	0x00e00000	0x00efffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f40000	0x00f40000	0x00fbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000fd0000	0x00fd0000	0x0104ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01050000	0x0131efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001340000	0x01340000	0x013bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013d0000	0x013d0000	0x0144ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001450000	0x01450000	0x014cffff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x014d0000	0x01514fff	Memory Mapped File	Readable	Region Actions
winlogon.exe	0x01580000	0x015e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000001630000	0x01630000	0x016affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001730000	0x01730000	0x017affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001750000	0x01750000	0x017cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000017d0000	0x017d0000	0x018cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000018d0000	0x018d0000	0x0194ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001950000	0x01950000	0x019cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000019d0000	0x019d0000	0x01a4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b00000	0x01b00000	0x01b7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001bc0000	0x01bc0000	0x01c3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c40000	0x01c40000	0x01e3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001eb0000	0x01eb0000	0x01f2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ed0000	0x01ed0000	0x01f4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f50000	0x01f50000	0x01fcffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001fd0000	0x01fd0000	0x023cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000023f0000	0x023f0000	0x0246ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002490000	0x02490000	0x0250ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002530000	0x02530000	0x025affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000025b0000	0x025b0000	0x029b2fff	Private Memory	Readable, Writable	Region Actions
winmgmtr.dll	0x757a0000	0x757a2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmgmtr.dll	0x757b0000	0x757b2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
aeevts.dll	0x757b0000	0x757b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
svchost.exe	0xff3b0000	0xff3bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winlogon.exe	0xffc70000	0xffcd1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
services.exe	0xffd30000	0xffd82fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
radardt.dll	0x7fef54e0000	0x7fef54fcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpssvc.dll	0x7fef9290000	0x7fef935dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x7fefb1f0000	0x7fefb207fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc6.dll	0x7fefb210000	0x7fefb220fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcore6.dll	0x7fefb2d0000	0x7fefb30afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcore.dll	0x7fefb310000	0x7fefb360fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nrpsrv.dll	0x7fefb380000	0x7fefb387fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7fefb390000	0x7fefb39afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x7fefb3a0000	0x7fefb3c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lmhsvc.dll	0x7fefb3d0000	0x7fefb3d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
avrt.dll	0x7fefb870000	0x7fefb878fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x7fefb880000	0x7fefb8abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
audiosrv.dll	0x7fefb8b0000	0x7fefb95bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dps.dll	0x7fefbca0000	0x7fefbccbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
audioses.dll	0x7fefbcd0000	0x7fefbd1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mmdevapi.dll	0x7fefbf10000	0x7fefbf5afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc380000	0x7fefc4abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefc9f0000	0x7fefca1cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtsvc.dll	0x7fefca20000	0x7fefcbb5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcbc0000	0x7fefcbcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
firewallapi.dll	0x7fefcbd0000	0x7fefcc8afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x7fefcc90000	0x7fefcc96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x7fefcd80000	0x7fefcd9afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcef0000	0x7fefcef9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefcff0000	0x7fefd036fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x7fefd110000	0x7fefd16afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x7fefd280000	0x7fefd286fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd290000	0x7fefd2e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd2f0000	0x7fefd306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefd520000	0x7fefd58cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefd890000	0x7fefd89afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd8c0000	0x7fefd8e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefd9a0000	0x7fefd9dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd9e0000	0x7fefd9f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefdab0000	0x7fefdac9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefdb40000	0x7fefdb75fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x7fefdea0000	0x7fefdef1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefdf00000	0x7fefe008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe150000	0x7fefe16efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe170000	0x7fefe19dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feff0b0000	0x7feff0b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7feff0c0000	0x7feff296fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff340000	0x7feff416fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff420000	0x7feff4fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff890000	0x7feff928fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feffa50000	0x7feffc52fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feffc60000	0x7feffcd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feffd50000	0x7feffd9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffff94000	0x7fffff94000	0x7fffff95fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff96000	0x7fffff96000	0x7fffff97fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff98000	0x7fffff98000	0x7fffff99fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9a000	0x7fffff9a000	0x7fffff9bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9c000	0x7fffff9c000	0x7fffff9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9e000	0x7fffff9e000	0x7fffff9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #32: logonui.exe'

Information	Value
ID	#32
File Name	c:\windows\system32\logonui.exe
Command Line	"LogonUI.exe" /flags:0x0
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x318
Parent PID	0x1b4 (c:\windows\system32\winlogon.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 354 0x 350 0x 34C 0x 344 0x 338 0x 334 0x 330 0x 32C 0x 328 0x 31C 0x 620

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000effff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00100fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000110000	0x00110000	0x00110fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000120000	0x00120000	0x00121fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000130000	0x00130000	0x00131fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x00141fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000150000	0x00150000	0x00151fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000160000	0x00160000	0x00166fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000170000	0x00170000	0x001effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x002effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002f0000	0x002f0000	0x0032ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000330000	0x00330000	0x00331fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000340000	0x00340000	0x00341fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000350000	0x00350000	0x00350fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000360000	0x00360000	0x0036ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000370000	0x00370000	0x0046ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000470000	0x00470000	0x005f7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000600000	0x00600000	0x00780fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000790000	0x00790000	0x00790fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007a0000	0x007a0000	0x007a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007b0000	0x007b0000	0x007b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007c0000	0x007c0000	0x007c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007d0000	0x007d0000	0x0084ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000850000	0x00850000	0x008cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000008d0000	0x008d0000	0x008d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000008e0000	0x008e0000	0x008e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000008f0000	0x008f0000	0x008f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000900000	0x00900000	0x00900fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000910000	0x00910000	0x00910fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000920000	0x00920000	0x00920fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000930000	0x00930000	0x00930fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000940000	0x00940000	0x00940fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000950000	0x00950000	0x00950fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000960000	0x00960000	0x00960fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000970000	0x00970000	0x009effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000009f0000	0x009f0000	0x009f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a00000	0x00a00000	0x00a00fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a10000	0x00a10000	0x00a10fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a20000	0x00a20000	0x00a9ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x00aa0000	0x00d6efff	Memory Mapped File	Readable	Region Actions
private_0x0000000000d70000	0x00d70000	0x00d70fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d80000	0x00d80000	0x00d80fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d90000	0x00d90000	0x00d90fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000da0000	0x00da0000	0x00da0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000db0000	0x00db0000	0x00db0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000dc0000	0x00dc0000	0x00dc0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000dd0000	0x00dd0000	0x00dd0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000de0000	0x00de0000	0x00de0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000df0000	0x00df0000	0x00df0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e00000	0x00e00000	0x00e00fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e10000	0x00e10000	0x00e10fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e20000	0x00e20000	0x00e20fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e30000	0x00e30000	0x00e30fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e40000	0x00e40000	0x00e40fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e50000	0x00e50000	0x00e50fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e60000	0x00e60000	0x00e6ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000e70000	0x00e70000	0x01262fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001270000	0x01270000	0x0136ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001370000	0x01370000	0x01370fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001380000	0x01380000	0x01380fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001390000	0x01390000	0x01390fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013a0000	0x013a0000	0x013a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013b0000	0x013b0000	0x013b6fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013c0000	0x013c0000	0x013c9fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013d0000	0x013d0000	0x013d6fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000013e0000	0x013e0000	0x01403fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001410000	0x01410000	0x01419fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001420000	0x01420000	0x01426fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001430000	0x01430000	0x01439fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001440000	0x01440000	0x01446fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001450000	0x01450000	0x01487fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001490000	0x01490000	0x01499fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014a0000	0x014a0000	0x014a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014b0000	0x014b0000	0x014b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014c0000	0x014c0000	0x014c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014d0000	0x014d0000	0x014d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014e0000	0x014e0000	0x014e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014f0000	0x014f0000	0x014f1fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001500000	0x01500000	0x01500fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001510000	0x01510000	0x01511fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001520000	0x01520000	0x01520fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001530000	0x01530000	0x01531fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001540000	0x01540000	0x01540fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001550000	0x01550000	0x01551fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001560000	0x01560000	0x01560fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001570000	0x01570000	0x01570fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001580000	0x01580000	0x01580fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001590000	0x01590000	0x01590fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015a0000	0x015a0000	0x015a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015b0000	0x015b0000	0x015b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015c0000	0x015c0000	0x015c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015d0000	0x015d0000	0x015d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015e0000	0x015e0000	0x015e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015f0000	0x015f0000	0x015f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001600000	0x01600000	0x01600fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001610000	0x01610000	0x01610fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001620000	0x01620000	0x01620fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001630000	0x01630000	0x01630fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001640000	0x01640000	0x01640fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001650000	0x01650000	0x01650fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001660000	0x01660000	0x01660fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001670000	0x01670000	0x01670fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001680000	0x01680000	0x0177ffff	Private Memory	Readable, Writable	Region Actions
imageres.dll	0x01780000	0x02ad4fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002ae0000	0x02ae0000	0x02ae0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002af0000	0x02af0000	0x02b01fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002b10000	0x02b10000	0x02b11fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002b20000	0x02b20000	0x02b21fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002b30000	0x02b30000	0x02b32fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002b40000	0x02b40000	0x02b4ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000002b50000	0x02b50000	0x02b51fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000002b60000	0x02b60000	0x02b60fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000002b70000	0x02b70000	0x02b70fff	Private Memory	Readable, Writable	Region Actions
msctf.dll.mui	0x02b80000	0x02b80fff	Memory Mapped File	Readable, Writable	Region Actions
oleaccrc.dll	0x02b90000	0x02b90fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002ba0000	0x02ba0000	0x02ba5fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002bb0000	0x02bb0000	0x02bb7fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002bd0000	0x02bd0000	0x02bd0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c20000	0x02c20000	0x02c9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002cb0000	0x02cb0000	0x02d2ffff	Private Memory	Readable, Writable	Region Actions
kernelbase.dll.mui	0x02d30000	0x02deffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000002e20000	0x02e20000	0x02e9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002f40000	0x02f40000	0x02fbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002fe0000	0x02fe0000	0x0305ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000030d0000	0x030d0000	0x0314ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000003150000	0x03150000	0x0322efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000003270000	0x03270000	0x032effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000034f0000	0x034f0000	0x035effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000035f0000	0x035f0000	0x035f1fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003600000	0x03600000	0x03af1fff	Private Memory	Readable, Writable	Region Actions
staticcache.dat	0x03b00000	0x0442ffff	Memory Mapped File	Readable	Region Actions
private_0x00000000044d0000	0x044d0000	0x044d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000044e0000	0x044e0000	0x044e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000044f0000	0x044f0000	0x044f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004500000	0x04500000	0x04500fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004510000	0x04510000	0x04510fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004520000	0x04520000	0x04520fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004530000	0x04530000	0x04530fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004540000	0x04540000	0x0473ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004740000	0x04740000	0x04740fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004750000	0x04750000	0x04750fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004760000	0x04760000	0x04760fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004770000	0x04770000	0x04770fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004780000	0x04780000	0x04780fff	Private Memory	Readable, Writable	Region Actions
For performance reasons, the remaining 147 entries are omitted. The remaining entries can be found in flog.txt.

Process #33: svchost.exe'

Information	Value
ID	#33
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x33c
Parent PID	0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT SERVICE\AudioEndpointBuilder (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\CscService (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\dot3svc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\hidserv (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\HomeGroupListener (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\IPBusEnum (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Netman (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\PcaSvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\StorSvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\TabletInputService (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\TrkWks (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\UmRdpService (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\UxSms (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\WdiSystemHost (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Wlansvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\WPDBusEnum (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\wudfsvc (ENABLED_BY_DEFAULT, OWNER) NT AUTHORITY\Logon Session 00000000:0000bb2f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER)
Enabled Privileges	SeTcbPrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 4C4 0x 18C 0x 134 0x 12C 0x 3F4 0x 3F0 0x 3E8 0x 3E4 0x 3D4 0x 3D0 0x 39C 0x 398 0x 388 0x 384 0x 36C 0x 368 0x 348 0x 340 0x 73C 0x 744 0x 748 0x 758 0x 75C 0x 7D8 0x 7E8 0x 7F4 0x 40C 0x 490 0x 35C 0x 534

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000100000	0x00100000	0x001fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000200000	0x00200000	0x00200fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000210000	0x00210000	0x0028ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000290000	0x00290000	0x00290fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002a0000	0x002a0000	0x002a0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000002b0000	0x002b0000	0x002b1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000002c0000	0x002c0000	0x002c1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000002d0000	0x002d0000	0x002d1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000002e0000	0x002e0000	0x002effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002f0000	0x002f0000	0x003effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003f0000	0x003f0000	0x00577fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000580000	0x00580000	0x00700fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000710000	0x00710000	0x007cffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007d0000	0x007d0000	0x00bc2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000bd0000	0x00bd0000	0x00c4ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000c50000	0x00c50000	0x00c50fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000cf0000	0x00cf0000	0x00d6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000dc0000	0x00dc0000	0x00e3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e50000	0x00e50000	0x00ecffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ed0000	0x00ed0000	0x00f4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f70000	0x00f70000	0x00feffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x00ff0000	0x012befff	Memory Mapped File	Readable	Region Actions
private_0x00000000012e0000	0x012e0000	0x0135ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001390000	0x01390000	0x0140ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001450000	0x01450000	0x014cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001500000	0x01500000	0x0157ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015a0000	0x015a0000	0x0161ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001690000	0x01690000	0x0170ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001780000	0x01780000	0x017fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001800000	0x01800000	0x0187ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001910000	0x01910000	0x0198ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001990000	0x01990000	0x01a0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a10000	0x01a10000	0x01acffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a80000	0x01a80000	0x01afffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b30000	0x01b30000	0x01baffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001bb0000	0x01bb0000	0x01c7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001bd0000	0x01bd0000	0x01c4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c70000	0x01c70000	0x01c7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c80000	0x01c80000	0x01cfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c80000	0x01c80000	0x01d7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d00000	0x01d00000	0x01dfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d60000	0x01d60000	0x01ddffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001df0000	0x01df0000	0x01dfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e00000	0x01e00000	0x01e7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e80000	0x01e80000	0x01f7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f80000	0x01f80000	0x0207ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001fe0000	0x01fe0000	0x0205ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002070000	0x02070000	0x0207ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000021a0000	0x021a0000	0x0221ffff	Private Memory	Readable, Writable	Region Actions
sfc.dll	0x757c0000	0x757c2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
svchost.exe	0xff3b0000	0xff3bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wpdbusenum.dll	0x7fef55f0000	0x7fef5610fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netman.dll	0x7fef5780000	0x7fef57dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
trkwks.dll	0x7fef6300000	0x7fef6321fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sysmain.dll	0x7fef6330000	0x7fef64ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sfc_os.dll	0x7fef64e0000	0x7fef64effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pcasvc.dll	0x7fef64f0000	0x7fef6521fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscobj.dll	0x7fef6920000	0x7fef695efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netshell.dll	0x7fef6fe0000	0x7fef726afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
aepic.dll	0x7fef7360000	0x7fef7371fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wdi.dll	0x7fef76c0000	0x7fef76d8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x7fefa7e0000	0x7fefa836fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7fefb390000	0x7fefb39afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxsms.dll	0x7fefb3e0000	0x7fefb3effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mstask.dll	0x7fefb510000	0x7fefb54cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
taskschd.dll	0x7fefb640000	0x7fefb766fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
peerdist.dll	0x7fefb770000	0x7fefb79ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscsvc.dll	0x7fefb7a0000	0x7fefb84bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
avrt.dll	0x7fefb870000	0x7fefb878fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x7fefb880000	0x7fefb8abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
audiosrv.dll	0x7fefb8b0000	0x7fefb95bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7fefbd50000	0x7fefbd60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
xmllite.dll	0x7fefbeb0000	0x7fefbee4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mmdevapi.dll	0x7fefbf10000	0x7fefbf5afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc380000	0x7fefc4abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefc500000	0x7fefc6f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefc9f0000	0x7fefca1cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcbc0000	0x7fefcbcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x7fefcd80000	0x7fefcd9afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefcda0000	0x7fefcdbdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pcwum.dll	0x7fefcf00000	0x7fefcf0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefcff0000	0x7fefd036fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd2f0000	0x7fefd306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
authz.dll	0x7fefd4e0000	0x7fefd50efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefd520000	0x7fefd58cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd8c0000	0x7fefd8e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefd9a0000	0x7fefd9dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd9e0000	0x7fefd9f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefda00000	0x7fefda0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefdab0000	0x7fefdac9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefdb40000	0x7fefdb75fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x7fefdea0000	0x7fefdef1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefdf00000	0x7fefe008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe150000	0x7fefe16efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe170000	0x7fefe19dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7fefe320000	0x7feff0a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feff0b0000	0x7feff0b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7feff0c0000	0x7feff296fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff340000	0x7feff416fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff420000	0x7feff4fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff890000	0x7feff928fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feffa50000	0x7feffc52fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feffc60000	0x7feffcd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffff8e000	0x7fffff8e000	0x7fffff8ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff90000	0x7fffff90000	0x7fffff91fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff92000	0x7fffff92000	0x7fffff93fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff94000	0x7fffff94000	0x7fffff95fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff96000	0x7fffff96000	0x7fffff97fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff98000	0x7fffff98000	0x7fffff99fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9a000	0x7fffff9a000	0x7fffff9bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9c000	0x7fffff9c000	0x7fffff9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9e000	0x7fffff9e000	0x7fffff9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions
For performance reasons, the remaining 140 entries are omitted. The remaining entries can be found in flog.txt.

Process #34: svchost.exe'

Information	Value
ID	#34
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe -k netsvcs
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x374
Parent PID	0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT SERVICE\BDESVC (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\BITS (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\CertPropSvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\EapHost (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\hkmsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\IKEEXT (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\iphlpsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\LanmanServer (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\MMCSS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\MSiSCSI (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasAuto (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasMan (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RemoteAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Schedule (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SCPolicySvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SENS (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SessionEnv (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SharedAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\ShellHWDetection (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\wercplsupport (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Winmgmt (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\wuauserv (ENABLED_BY_DEFAULT, OWNER) NT AUTHORITY\Logon Session 00000000:0000ce9f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER)
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 160 0x 46C 0x 420 0x 41C 0x 418 0x 414 0x 404 0x 128 0x 29C 0x 144 0x F4 0x 3F8 0x 3EC 0x 3A0 0x 394 0x 390 0x 38C 0x 380 0x 378 0x 498 0x 750 0x 760 0x 764 0x 76C 0x 770 0x 774 0x 778 0x 77C 0x 780 0x 784 0x 78C 0x 798 0x 7A0 0x 7A4 0x 7B0 0x 7B8 0x 7BC 0x 7C0 0x 7C4 0x 7C8 0x 7CC 0x 7DC 0x 560 0x 570 0x 598 0x 568 0x 5DC 0x 464

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00100fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000110000	0x00110000	0x00110fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000120000	0x00120000	0x00120fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000130000	0x00130000	0x00131fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x00140000	0x00143fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000150000	0x00150000	0x00151fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000160000	0x00160000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
cversions.2.db	0x00170000	0x00173fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000190000	0x00190000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000210000	0x00210000	0x0030ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000320000	0x00320000	0x0041ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000420000	0x00420000	0x005a7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005b0000	0x005b0000	0x00730fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000740000	0x00740000	0x007fffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000800000	0x00800000	0x00bf2fff	Pagefile Backed Memory	Readable	Region Actions
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db	0x00c00000	0x00c2ffff	Memory Mapped File	Readable	Region Actions
private_0x0000000000c60000	0x00c60000	0x00cdffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ce0000	0x00ce0000	0x00d5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d60000	0x00d60000	0x00ddffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000de0000	0x00de0000	0x00e5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e80000	0x00e80000	0x00efffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f30000	0x00f30000	0x00faffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ff0000	0x00ff0000	0x0106ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01070000	0x0133efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001370000	0x01370000	0x013effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001410000	0x01410000	0x0148ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014e0000	0x014e0000	0x0155ffff	Private Memory	Readable, Writable	Region Actions
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x01560000	0x015c5fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001640000	0x01640000	0x0164ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001690000	0x01690000	0x0170ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001730000	0x01730000	0x017affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000017b0000	0x017b0000	0x0182ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000018e0000	0x018e0000	0x0195ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001960000	0x01960000	0x019dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ab0000	0x01ab0000	0x01b2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b40000	0x01b40000	0x01bbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c10000	0x01c10000	0x01c8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d00000	0x01d00000	0x01d7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001df0000	0x01df0000	0x01e6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f00000	0x01f00000	0x01f7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001fd0000	0x01fd0000	0x0204ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002050000	0x02050000	0x0214ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002220000	0x02220000	0x0229ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000022a0000	0x022a0000	0x025e2fff	Pagefile Backed Memory	Readable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
svchost.exe	0xff3b0000	0xff3bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
actxprxy.dll	0x7fef8e20000	0x7fef8f0dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
taskcomp.dll	0x7fefaf40000	0x7fefafb6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ktmw32.dll	0x7fefafc0000	0x7fefafc9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
schedsvc.dll	0x7fefafd0000	0x7fefb0e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wiarpc.dll	0x7fefb0f0000	0x7fefb0fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fvecerts.dll	0x7fefb100000	0x7fefb108fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
tbs.dll	0x7fefb110000	0x7fefb118fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fveapi.dll	0x7fefb120000	0x7fefb175fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shsvcs.dll	0x7fefb190000	0x7fefb1edfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sens.dll	0x7fefb3f0000	0x7fefb403fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
es.dll	0x7fefb410000	0x7fefb476fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7fefb480000	0x7fefb48afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dsrole.dll	0x7fefb490000	0x7fefb49bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
themeservice.dll	0x7fefb4a0000	0x7fefb4affff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x7fefb4b0000	0x7fefb4c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profsvc.dll	0x7fefb4d0000	0x7fefb506fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x7fefb550000	0x7fefb564fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpsvc.dll	0x7fefb570000	0x7fefb631fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mmcss.dll	0x7fefb850000	0x7fefb86cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
avrt.dll	0x7fefb870000	0x7fefb878fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x7fefbbf0000	0x7fefbc04fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x7fefbc10000	0x7fefbc1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x7fefbc20000	0x7fefbc35fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7fefbd50000	0x7fefbd60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
xmllite.dll	0x7fefbeb0000	0x7fefbee4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc320000	0x7fefc375fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc380000	0x7fefc4abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samlib.dll	0x7fefc4b0000	0x7fefc4ccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefc500000	0x7fefc6f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefc9f0000	0x7fefca1cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcbc0000	0x7fefcbcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x7fefcc90000	0x7fefcc96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x7fefcd80000	0x7fefcd9afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefcda0000	0x7fefcdbdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ubpm.dll	0x7fefceb0000	0x7fefcee8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcef0000	0x7fefcef9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pcwum.dll	0x7fefcf00000	0x7fefcf0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefcff0000	0x7fefd036fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
logoncli.dll	0x7fefd0e0000	0x7fefd10ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x7fefd280000	0x7fefd286fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd290000	0x7fefd2e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd2f0000	0x7fefd306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netjoin.dll	0x7fefd400000	0x7fefd431fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sysntfy.dll	0x7fefd450000	0x7fefd459fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
authz.dll	0x7fefd4e0000	0x7fefd50efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefd520000	0x7fefd58cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x7fefd7f0000	0x7fefd812fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefd890000	0x7fefd89afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd8c0000	0x7fefd8e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxs.dll	0x7fefd900000	0x7fefd990fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefd9a0000	0x7fefd9dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd9e0000	0x7fefd9f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefda00000	0x7fefda0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdaa0000	0x7fefdaaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefdab0000	0x7fefdac9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefdb40000	0x7fefdb75fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x7fefdb80000	0x7fefdbb9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdbc0000	0x7fefdd26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x7fefdea0000	0x7fefdef1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefdf00000	0x7fefe008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe150000	0x7fefe16efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe170000	0x7fefe19dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7fefe320000	0x7feff0a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feff0b0000	0x7feff0b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7feff0c0000	0x7feff296fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff340000	0x7feff416fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff420000	0x7feff4fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff890000	0x7feff928fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feffa50000	0x7feffc52fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feffc60000	0x7feffcd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feffd50000	0x7feffd9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffff92000	0x7fffff92000	0x7fffff93fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff96000	0x7fffff96000	0x7fffff97fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff98000	0x7fffff98000	0x7fffff99fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9a000	0x7fffff9a000	0x7fffff9bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9c000	0x7fffff9c000	0x7fffff9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9e000	0x7fffff9e000	0x7fffff9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
For performance reasons, the remaining 178 entries are omitted. The remaining entries can be found in flog.txt.

Process #35: audiodg.exe'

Information	Value
ID	#35
File Name	c:\windows\system32\audiodg.exe
Command Line	C:\Windows\system32\AUDIODG.EXE 0x2e4
Initial Working Directory	C:\Windows
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x3b0
Parent PID	0x2d0 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\Local Service
Groups	Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT SERVICE\Audiosrv (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\Dhcp (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\eventlog (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\HomeGroupProvider (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\lmhosts (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\WPCSvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\wscsvc (ENABLED_BY_DEFAULT, OWNER) NT AUTHORITY\Logon Session 00000000:0000b632 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID, OWNER) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 3CC 0x 3C8 0x 3C0 0x 3B8 0x 3B4 0x 6F4 0x 708 0x 714 0x 724 0x 72C 0x 730

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
locale.nls	0x00020000	0x00086fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000090000	0x00090000	0x00096fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000a0000	0x000a0000	0x000a1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
audiodg.exe.mui	0x000b0000	0x000b0fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f1fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00100fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000110000	0x00110000	0x00111fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000120000	0x00120000	0x0012ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000130000	0x00130000	0x001affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001b0000	0x001b0000	0x002affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000002b0000	0x002b0000	0x0036ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000370000	0x00370000	0x00371fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000380000	0x00380000	0x0047ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000480000	0x00480000	0x00607fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000610000	0x00610000	0x00790fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000007a0000	0x007a0000	0x007a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007b0000	0x007b0000	0x007b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007c0000	0x007c0000	0x007c1fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007d0000	0x007d0000	0x007d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007e0000	0x007e0000	0x0085ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000860000	0x00860000	0x00861fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000870000	0x00870000	0x008b1fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000008c0000	0x008c0000	0x008c1fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000008d0000	0x008d0000	0x008d9fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000008e0000	0x008e0000	0x008e0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000008f0000	0x008f0000	0x008f1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000960000	0x00960000	0x009dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a00000	0x00a00000	0x00a7ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x00a80000	0x00d4efff	Memory Mapped File	Readable	Region Actions
private_0x0000000000d60000	0x00d60000	0x00ddffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e00000	0x00e00000	0x00e7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000eb0000	0x00eb0000	0x00f2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f30000	0x00f30000	0x01332fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001340000	0x01340000	0x01742fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001750000	0x01750000	0x01b42fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001b50000	0x01b50000	0x01f52fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f90000	0x01f90000	0x0200ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002140000	0x02140000	0x021bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002240000	0x02240000	0x022bffff	Private Memory	Readable, Writable	Region Actions
ksuser.dll	0x738c0000	0x738c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
audiodg.exe	0xff630000	0xff653fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mfplat.dll	0x7fef72f0000	0x7fef735bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wmalfxgfxdsp.dll	0x7fef7420000	0x7fef75a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
audiokse.dll	0x7fef75c0000	0x7fef763ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
audioeng.dll	0x7fef7640000	0x7fef76b0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
avrt.dll	0x7fefb870000	0x7fefb878fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
audioses.dll	0x7fefbcd0000	0x7fefbd1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mmdevapi.dll	0x7fefbf10000	0x7fefbf5afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc380000	0x7fefc4abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefc9f0000	0x7fefca1cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefcff0000	0x7fefd036fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd2f0000	0x7fefd306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd9e0000	0x7fefd9f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdaa0000	0x7fefdaaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefdab0000	0x7fefdac9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefdb40000	0x7fefdb75fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x7fefdb80000	0x7fefdbb9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdbc0000	0x7fefdd26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x7fefdea0000	0x7fefdef1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefdf00000	0x7fefe008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe150000	0x7fefe16efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe170000	0x7fefe19dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feff0b0000	0x7feff0b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7feff0c0000	0x7feff296fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff340000	0x7feff416fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff420000	0x7feff4fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff890000	0x7feff928fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feffa50000	0x7feffc52fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feffc60000	0x7feffcd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feffd50000	0x7feffd9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #36: svchost.exe'

Information	Value
ID	#36
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe -k LocalService
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x11c
Parent PID	0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\Local Service
Groups	Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT SERVICE\EventSystem (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\fdPHost (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\lltdsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\netprofm (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\nsi (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\sppuinotify (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SstpSvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\THREADORDER (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\W32Time (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\WdiServiceHost (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\WebClient (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\WinHttpAutoProxySvc (ENABLED_BY_DEFAULT, OWNER) NT AUTHORITY\Logon Session 00000000:0000dd1a (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID, OWNER) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 148 0x 150 0x 158 0x 154 0x 130 0x 124 0x 6D0 0x 6D4 0x 7D0 0x 7D4 0x 7E0 0x 7F8 0x 530 0x 360 0x 364 0x 468 0x 410 0x 450

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000260000	0x00260000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x00270fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000280000	0x00280000	0x00280fff	Pagefile Backed Memory	Readable	Region Actions
es.dll	0x00290000	0x002a0fff	Memory Mapped File	Readable	Region Actions
stdole2.tlb	0x002b0000	0x002b3fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000002c0000	0x002c0000	0x002c1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000002d0000	0x002d0000	0x002d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000002d0000	0x002d0000	0x002d0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000002d0000	0x002d0000	0x002d0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000002e0000	0x002e0000	0x002e0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000300000	0x00300000	0x003fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000400000	0x00400000	0x00587fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000590000	0x00590000	0x00710fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000720000	0x00720000	0x007dffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007e0000	0x007e0000	0x00bd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000bf0000	0x00bf0000	0x00c6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d00000	0x00d00000	0x00d7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d80000	0x00d80000	0x00e7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e80000	0x00e80000	0x00efffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f30000	0x00f30000	0x00faffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000fb0000	0x00fb0000	0x0104ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000fb0000	0x00fb0000	0x0102ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001040000	0x01040000	0x0104ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01060000	0x0132efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001340000	0x01340000	0x013bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001440000	0x01440000	0x014bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001530000	0x01530000	0x015affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015b0000	0x015b0000	0x016affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016c0000	0x016c0000	0x0173ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001760000	0x01760000	0x017dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001770000	0x01770000	0x017effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001830000	0x01830000	0x018affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000018e0000	0x018e0000	0x0195ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001980000	0x01980000	0x019fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a00000	0x01a00000	0x01b3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a00000	0x01a00000	0x01afffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b30000	0x01b30000	0x01b3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b40000	0x01b40000	0x01d2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b50000	0x01b50000	0x01bcffff	Private Memory	Readable, Writable	Region Actions
kernelbase.dll.mui	0x01bd0000	0x01c8ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000001cb0000	0x01cb0000	0x01d2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001dd0000	0x01dd0000	0x01e4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e50000	0x01e50000	0x0206ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f40000	0x01f40000	0x01fbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002070000	0x02070000	0x0224ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002250000	0x02250000	0x0245ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002460000	0x02460000	0x0265ffff	Private Memory	Readable, Writable	Region Actions
sfc.dll	0x757c0000	0x757c2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
svchost.exe	0xff3b0000	0xff3bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
perftrack.dll	0x7fef5510000	0x7fef55e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
npmproxy.dll	0x7fef5620000	0x7fef562bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netprofm.dll	0x7fef5a30000	0x7fef5aa3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sfc_os.dll	0x7fef64e0000	0x7fef64effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pnrpnsp.dll	0x7fef6db0000	0x7fef6dc8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
napinsp.dll	0x7fef6dd0000	0x7fef6de4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
aepic.dll	0x7fef7360000	0x7fef7371fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wdi.dll	0x7fef76c0000	0x7fef76d8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winrnr.dll	0x7fef76e0000	0x7fef76eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
webio.dll	0x7fef77f0000	0x7fef7853fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winhttp.dll	0x7fef7860000	0x7fef78d0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wer.dll	0x7fef8650000	0x7fef86cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasadhlp.dll	0x7fef8f10000	0x7fef8f17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x7fefb1f0000	0x7fefb207fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc6.dll	0x7fefb210000	0x7fefb220fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fwpuclnt.dll	0x7fefb240000	0x7fefb292fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsisvc.dll	0x7fefb370000	0x7fefb379fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7fefb390000	0x7fefb39afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x7fefb3a0000	0x7fefb3c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
es.dll	0x7fefb410000	0x7fefb476fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x7fefb550000	0x7fefb564fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7fefbef0000	0x7fefbf07fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcbc0000	0x7fefcbcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x7fefcc90000	0x7fefcc96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x7fefcd80000	0x7fefcd9afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcef0000	0x7fefcef9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefcff0000	0x7fefd036fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x7fefd110000	0x7fefd16afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x7fefd280000	0x7fefd286fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd290000	0x7fefd2e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd2f0000	0x7fefd306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefd890000	0x7fefd89afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd8c0000	0x7fefd8e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxs.dll	0x7fefd900000	0x7fefd990fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd9e0000	0x7fefd9f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefdf00000	0x7fefe008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe150000	0x7fefe16efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe170000	0x7fefe19dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feff0b0000	0x7feff0b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff340000	0x7feff416fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff420000	0x7feff4fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff890000	0x7feff928fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feffa50000	0x7feffc52fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feffc60000	0x7feffcd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feffd50000	0x7feffd9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffff9a000	0x7fffff9a000	0x7fffff9bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9c000	0x7fffff9c000	0x7fffff9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9e000	0x7fffff9e000	0x7fffff9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #37: svchost.exe'

Information	Value
ID	#37
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe -k NetworkService
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x138
Parent PID	0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\Network Service
Groups	Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT SERVICE\CryptSvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Dnscache (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\LanmanWorkstation (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\napagent (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\NlaSvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\TapiSrv (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\TermService (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Wecsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\WinRM (ENABLED_BY_DEFAULT, OWNER) NT AUTHORITY\Logon Session 00000000:0000e26d (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID, OWNER) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 410 0x 3A8 0x 3A4 0x 37C 0x 2BC 0x 270 0x 220 0x 13C 0x 238 0x 5C8 0x 5E4 0x 614 0x 638 0x 64C 0x 690 0x 6A8 0x 6D8 0x 700 0x 70C 0x 648 0x 71C 0x 508 0x 460

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00051fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000060000	0x00060000	0x00060fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000080000	0x00080000	0x00080fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000090000	0x00090000	0x00090fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000a0000	0x000a0000	0x000a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000b0000	0x000b0000	0x0012ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00130000	0x00196fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001a0000	0x001a0000	0x001a0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001c0000	0x001c0000	0x002bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002c0000	0x002c0000	0x003bffff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x003c0000	0x00404fff	Memory Mapped File	Readable	Region Actions
private_0x00000000003c0000	0x003c0000	0x0040ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000420000	0x00420000	0x0042ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000430000	0x00430000	0x005b7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005c0000	0x005c0000	0x00740fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000750000	0x00750000	0x0080ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000810000	0x00810000	0x00c02fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000c30000	0x00c30000	0x00caffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000cb0000	0x00cb0000	0x00d2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d70000	0x00d70000	0x00deffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e40000	0x00e40000	0x00ebffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ec0000	0x00ec0000	0x00f3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f40000	0x00f40000	0x00fbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000fc0000	0x00fc0000	0x00fcffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01070000	0x0133efff	Memory Mapped File	Readable	Region Actions
private_0x00000000013a0000	0x013a0000	0x0141ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001480000	0x01480000	0x014fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001500000	0x01500000	0x0157ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000015b0000	0x015b0000	0x0162ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001640000	0x01640000	0x016bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016c0000	0x016c0000	0x017bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001790000	0x01790000	0x0180ffff	Private Memory	Readable, Writable	Region Actions
kernelbase.dll.mui	0x017c0000	0x0187ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000017f0000	0x017f0000	0x0186ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001800000	0x01800000	0x0187ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001880000	0x01880000	0x018fffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000018a0000	0x018a0000	0x0191ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001910000	0x01910000	0x0198ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000019a0000	0x019a0000	0x01a1ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000019e0000	0x019e0000	0x019effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a20000	0x01a20000	0x01b7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a30000	0x01a30000	0x01aaffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001af0000	0x01af0000	0x01b6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001b70000	0x01b70000	0x01b7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001bc0000	0x01bc0000	0x01c3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c40000	0x01c40000	0x01d3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d40000	0x01d40000	0x01e3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e40000	0x01e40000	0x01f3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001fe0000	0x01fe0000	0x0205ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002080000	0x02080000	0x020fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002100000	0x02100000	0x021fffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000022d0000	0x022d0000	0x0234ffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
svchost.exe	0xff3b0000	0xff3bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
webio.dll	0x7fef77f0000	0x7fef7853fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winhttp.dll	0x7fef7860000	0x7fef78d0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ncsi.dll	0x7fef78e0000	0x7fef7917fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkssvc.dll	0x7fef7df0000	0x7fef7e0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ssdpapi.dll	0x7fefae90000	0x7fefaea0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x7fefb1f0000	0x7fefb207fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc6.dll	0x7fefb210000	0x7fefb220fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsext.dll	0x7fefb230000	0x7fefb236fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fwpuclnt.dll	0x7fefb240000	0x7fefb292fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsrslvr.dll	0x7fefb2a0000	0x7fefb2cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7fefb390000	0x7fefb39afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x7fefb3a0000	0x7fefb3c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
es.dll	0x7fefb410000	0x7fefb476fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x7fefb4b0000	0x7fefb4c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlasvc.dll	0x7fefb9d0000	0x7fefba1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vssapi.dll	0x7fefba20000	0x7fefbbcffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x7fefbbd0000	0x7fefbbe3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x7fefbbf0000	0x7fefbc04fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x7fefbc10000	0x7fefbc1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vsstrace.dll	0x7fefbc80000	0x7fefbc96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsvc.dll	0x7fefbd20000	0x7fefbd4ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7fefbd50000	0x7fefbd60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc380000	0x7fefc4abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samlib.dll	0x7fefc4b0000	0x7fefc4ccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x7fefcc90000	0x7fefcc96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x7fefcd80000	0x7fefcd9afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefcda0000	0x7fefcdbdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcef0000	0x7fefcef9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x7fefcf30000	0x7fefcf7bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefcff0000	0x7fefd036fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x7fefd110000	0x7fefd16afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x7fefd280000	0x7fefd286fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd290000	0x7fefd2e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd2f0000	0x7fefd306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netjoin.dll	0x7fefd400000	0x7fefd431fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x7fefd460000	0x7fefd481fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefd520000	0x7fefd58cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefd890000	0x7fefd89afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd8c0000	0x7fefd8e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefd9a0000	0x7fefd9dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd9e0000	0x7fefd9f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefda00000	0x7fefda0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdaa0000	0x7fefdaaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefdb40000	0x7fefdb75fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdbc0000	0x7fefdd26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefdf00000	0x7fefe008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe150000	0x7fefe16efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe170000	0x7fefe19dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feff0b0000	0x7feff0b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff340000	0x7feff416fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff420000	0x7feff4fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff890000	0x7feff928fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feffa50000	0x7feffc52fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feffc60000	0x7feffcd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feffd50000	0x7feffd9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffff98000	0x7fffff98000	0x7fffff99fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9a000	0x7fffff9a000	0x7fffff9bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9c000	0x7fffff9c000	0x7fffff9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9e000	0x7fffff9e000	0x7fffff9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #38: dllhost.exe'

Information	Value
ID	#38
File Name	c:\windows\system32\dllhost.exe
Command Line	C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x424
Parent PID	0x25c (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT SERVICE\BDESVC (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\BITS (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\CertPropSvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\EapHost (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\hkmsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\IKEEXT (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\iphlpsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\LanmanServer (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\MMCSS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\MSiSCSI (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasAuto (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasMan (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RemoteAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Schedule (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SCPolicySvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SENS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SessionEnv (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SharedAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\ShellHWDetection (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\wercplsupport (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Winmgmt (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\wuauserv (ENABLED_BY_DEFAULT, OWNER) NT AUTHORITY\Logon Session 00000000:0000ce9f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER)
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 468 0x 464 0x 460 0x 450 0x 42C 0x 428

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00040000	0x000a6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000b0000	0x000b0000	0x0016ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000170000	0x00170000	0x00170fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000180000	0x00180000	0x00180fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000190000	0x00190000	0x0019ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001b0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000001d0000	0x001d0000	0x001dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x002effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002f0000	0x002f0000	0x003effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x004fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000500000	0x00500000	0x00687fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000690000	0x00690000	0x00810fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000900000	0x00900000	0x009fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a00000	0x00a00000	0x00afffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000b00000	0x00b00000	0x00bfffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x00c00000	0x00ecefff	Memory Mapped File	Readable	Region Actions
private_0x0000000000fc0000	0x00fc0000	0x010bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001150000	0x01150000	0x0124ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001280000	0x01280000	0x0137ffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
dllhost.exe	0xff700000	0xff706fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
idstore.dll	0x7fefae80000	0x7fefae91fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefaea0000	0x7fefaf3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samlib.dll	0x7fefc4b0000	0x7fefc4ccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shacct.dll	0x7fefc4d0000	0x7fefc4f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefc9f0000	0x7fefca1cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefcda0000	0x7fefcdbdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefcff0000	0x7fefd036fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd2f0000	0x7fefd306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd9e0000	0x7fefd9f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefda00000	0x7fefda0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x7fefdea0000	0x7fefdef1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefdf00000	0x7fefe008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe150000	0x7fefe16efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe170000	0x7fefe19dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7fefe320000	0x7feff0a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff340000	0x7feff416fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff420000	0x7feff4fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff890000	0x7feff928fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feffa50000	0x7feffc52fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feffc60000	0x7feffcd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #39: spoolsv.exe'

Information	Value
ID	#39
File Name	c:\windows\system32\spoolsv.exe
Command Line	C:\Windows\System32\spoolsv.exe
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x43c
Parent PID	0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT SERVICE\Spooler (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT AUTHORITY\Logon Session 00000000:0000f592 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID, OWNER) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER)
Enabled Privileges	SeTcbPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege
Thread IDs	0x 59C 0x 56C 0x 54C 0x 4FC 0x 478 0x 470 0x 45C 0x 458 0x 44C 0x 440 0x 5A4 0x 5B4 0x 5C0 0x 5E8 0x 5EC 0x 5F0 0x 60C 0x 610 0x 650 0x 680

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00100fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000110000	0x00110000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000250000	0x00250000	0x00250fff	Pagefile Backed Memory	Readable	Region Actions
msxml6r.dll	0x00260000	0x00260fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000270000	0x00270000	0x0028ffff	Private Memory	-	Region Actions
faxcn002.inf	0x00290000	0x00290fff	Memory Mapped File	Readable	Region Actions
private_0x00000000002a0000	0x002a0000	0x002affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002b0000	0x002b0000	0x002effff	Private Memory	Readable, Writable	Region Actions
infpub.dat	0x002f0000	0x00304fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000310000	0x00310000	0x0040ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000410000	0x00410000	0x00597fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005a0000	0x005a0000	0x00720fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000730000	0x00730000	0x01b2ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001b30000	0x01b30000	0x01f22fff	Pagefile Backed Memory	Readable	Region Actions
infstrng.dat	0x01f30000	0x01f52fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001f60000	0x01f60000	0x01f9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001fb0000	0x01fb0000	0x01feffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002010000	0x02010000	0x0208ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000020a0000	0x020a0000	0x0211ffff	Private Memory	Readable, Writable	Region Actions
infstor.dat	0x02120000	0x02142fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002150000	0x02150000	0x0218ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002190000	0x02190000	0x021cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000021d0000	0x021d0000	0x0223ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002240000	0x02240000	0x0227ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000022a0000	0x022a0000	0x022affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002300000	0x02300000	0x0233ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x02340000	0x0260efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002620000	0x02620000	0x0265ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002660000	0x02660000	0x0269ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000026a0000	0x026a0000	0x026affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002720000	0x02720000	0x0275ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002760000	0x02760000	0x027dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000027e0000	0x027e0000	0x028e0fff	Private Memory	Readable, Writable	Region Actions
kernelbase.dll.mui	0x028f0000	0x029affff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000029b0000	0x029b0000	0x02a2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a30000	0x02a30000	0x02b2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b60000	0x02b60000	0x02b9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ba0000	0x02ba0000	0x02c1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002c30000	0x02c30000	0x02c6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002cb0000	0x02cb0000	0x02ceffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002d00000	0x02d00000	0x02d3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002d90000	0x02d90000	0x02e0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002e10000	0x02e10000	0x02f0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002f20000	0x02f20000	0x02f5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002f90000	0x02f90000	0x0300ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003010000	0x03010000	0x0340ffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
spoolsv.exe	0xff820000	0xff8abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
win32spl.dll	0x7fef7960000	0x7fef7a1cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winprint.dll	0x7fef7e10000	0x7fef7e1dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fdpnp.dll	0x7fef7f30000	0x7fef7f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fundisc.dll	0x7fef7f40000	0x7fef7f72fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
webservices.dll	0x7fef7f80000	0x7fef809efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsdapi.dll	0x7fef80a0000	0x7fef8130fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsdmon.dll	0x7fef8140000	0x7fef8179fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wls0wndh.dll	0x7fef8180000	0x7fef8186fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usbmon.dll	0x7fef89d0000	0x7fef89defff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msxml6.dll	0x7fef89e0000	0x7fef8bd1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsnmp32.dll	0x7fef8be0000	0x7fef8bf3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
snmpapi.dll	0x7fef8c00000	0x7fef8c0afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
tcpmon.dll	0x7fef8c10000	0x7fef8c43fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fxsmon.dll	0x7fef8c50000	0x7fef8c5dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
printisolationproxy.dll	0x7fef8c60000	0x7fef8c6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x7fef8c70000	0x7fef8ce0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
spoolss.dll	0x7fef8cf0000	0x7fef8d01fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
localspl.dll	0x7fef8d10000	0x7fef8dfdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
umb.dll	0x7fef8e00000	0x7fef8e12fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasadhlp.dll	0x7fef8f10000	0x7fef8f17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fwpuclnt.dll	0x7fefb240000	0x7fefb292fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7fefb390000	0x7fefb39afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x7fefb3a0000	0x7fefb3c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7fefb480000	0x7fefb48afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dsrole.dll	0x7fefb490000	0x7fefb49bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x7fefb4b0000	0x7fefb4c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x7fefb880000	0x7fefb8abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7fefbd50000	0x7fefbd60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcbc0000	0x7fefcbcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
firewallapi.dll	0x7fefcbd0000	0x7fefcc8afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x7fefcc90000	0x7fefcc96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x7fefcd80000	0x7fefcd9afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefcda0000	0x7fefcdbdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devrtl.dll	0x7fefcdc0000	0x7fefcdd1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
spinf.dll	0x7fefcde0000	0x7fefcdfefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcef0000	0x7fefcef9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x7fefd110000	0x7fefd16afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x7fefd280000	0x7fefd286fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd290000	0x7fefd2e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x7fefd7f0000	0x7fefd812fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefd890000	0x7fefd89afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd8c0000	0x7fefd8e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefd9a0000	0x7fefd9dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd9e0000	0x7fefd9f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefda00000	0x7fefda0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdaa0000	0x7fefdaaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefdab0000	0x7fefdac9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefdb40000	0x7fefdb75fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x7fefdb80000	0x7fefdbb9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdbc0000	0x7fefdd26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefdf00000	0x7fefe008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe150000	0x7fefe16efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe170000	0x7fefe19dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feff0b0000	0x7feff0b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7feff0c0000	0x7feff296fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff340000	0x7feff416fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff420000	0x7feff4fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff890000	0x7feff928fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feffa50000	0x7feffc52fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feffc60000	0x7feffcd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feffd50000	0x7feffd9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffff9c000	0x7fffff9c000	0x7fffff9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9e000	0x7fffff9e000	0x7fffff9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions
For performance reasons, the remaining 15 entries are omitted. The remaining entries can be found in flog.txt.

Process #40: svchost.exe'

Information	Value
ID	#40
File Name	c:\windows\system32\svchost.exe
Command Line	C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x47c
Parent PID	0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\Local Service
Groups	Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT SERVICE\BFE (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\DPS (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\MpsSvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\pla (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\WwanSvc (ENABLED_BY_DEFAULT, OWNER) NT AUTHORITY\Logon Session 00000000:0000f98a (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID, OWNER) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\WRITE RESTRICTED (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 564 0x 548 0x 53C 0x 538 0x 4B8 0x 49C 0x 48C 0x 488 0x 484 0x 480 0x 604 0x 65C 0x 6A4 0x 6AC 0x 6C0 0x 6C4 0x 6C8 0x 6CC 0x 6DC 0x 15C 0x 114 0x 474 0x 4C8 0x 504 0x 550

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x0017ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000180000	0x00180000	0x00181fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000210000	0x00210000	0x0030ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000310000	0x00310000	0x00310fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000320000	0x00320000	0x00320fff	Private Memory	Readable, Writable	Region Actions
firewallapi.dll.mui	0x00330000	0x0034bfff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000350000	0x00350000	0x0044ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000450000	0x00450000	0x005d7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000005e0000	0x005e0000	0x005e0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005f0000	0x005f0000	0x005f0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000600000	0x00600000	0x00600fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000610000	0x00610000	0x0061ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000620000	0x00620000	0x007a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007b0000	0x007b0000	0x00ba2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000bb0000	0x00bb0000	0x00bb0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000bb0000	0x00bb0000	0x00bb7fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000bc0000	0x00bc0000	0x00bc3fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000bd0000	0x00bd0000	0x00bd3fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000be0000	0x00be0000	0x00be3fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000bf0000	0x00bf0000	0x00bf3fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c00000	0x00c00000	0x00c03fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c10000	0x00c10000	0x00c13fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c20000	0x00c20000	0x00c20fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c30000	0x00c30000	0x00caffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000cb0000	0x00cb0000	0x00cb0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000cc0000	0x00cc0000	0x00cc0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000cd0000	0x00cd0000	0x00cd0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ce0000	0x00ce0000	0x00d5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d60000	0x00d60000	0x00d60fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d70000	0x00d70000	0x00d82fff	Private Memory	-	Region Actions
servicemodelevents.dll.mui	0x00d70000	0x00d7afff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000db0000	0x00db0000	0x00e2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e90000	0x00e90000	0x00f0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f60000	0x00f60000	0x00fdffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x00fe0000	0x012aefff	Memory Mapped File	Readable	Region Actions
private_0x0000000001300000	0x01300000	0x0137ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001380000	0x01380000	0x013fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001430000	0x01430000	0x014affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000014e0000	0x014e0000	0x0155ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001570000	0x01570000	0x015effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001600000	0x01600000	0x0167ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000016b0000	0x016b0000	0x0172ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001740000	0x01740000	0x017bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001820000	0x01820000	0x0189ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000018a0000	0x018a0000	0x0199ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000019d0000	0x019d0000	0x01a4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001a60000	0x01a60000	0x01adffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001af0000	0x01af0000	0x01b6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001c20000	0x01c20000	0x01c9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001cc0000	0x01cc0000	0x01d3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d60000	0x01d60000	0x01ddffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001de0000	0x01de0000	0x01edffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
svchost.exe	0xff3b0000	0xff3bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
snmptrap.exe	0xffaa0000	0xffaa7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
snmptrap.exe	0xffcd0000	0xffcd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
snmptrap.exe	0xfff40000	0xfff47fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
peerdistsh.dll	0x7fef71b0000	0x7fef7267fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
peerdistsh.dll	0x7fef7230000	0x7fef72e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
peerdistsh.dll	0x7fef72a0000	0x7fef7357fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
peerdistsh.dll	0x7fef7360000	0x7fef7417fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
peerdistsh.dll	0x7fef7360000	0x7fef7417fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscms.dll	0x7fef75a0000	0x7fef763bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
servicemodelevents.dll	0x7fef75b0000	0x7fef75b1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscms.dll	0x7fef7640000	0x7fef76dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pcasvc.dll	0x7fef7660000	0x7fef7691fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pcasvc.dll	0x7fef76a0000	0x7fef76d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pcasvc.dll	0x7fef76a0000	0x7fef76d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wdi.dll	0x7fef76c0000	0x7fef76d8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpssvc.dll	0x7fef9290000	0x7fef935dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bfe.dll	0x7fefadd0000	0x7fefae7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
servicemodelevents.dll	0x7fefae80000	0x7fefae81fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x7fefb1f0000	0x7fefb207fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc6.dll	0x7fefb210000	0x7fefb220fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fwpuclnt.dll	0x7fefb240000	0x7fefb292fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcore.dll	0x7fefb310000	0x7fefb360fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x7fefb390000	0x7fefb39afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x7fefb3a0000	0x7fefb3c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lmhsvc.dll	0x7fefb3d0000	0x7fefb3d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7fefb480000	0x7fefb48afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
taskschd.dll	0x7fefb640000	0x7fefb766fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wfapigp.dll	0x7fefbc40000	0x7fefbc49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dps.dll	0x7fefbca0000	0x7fefbccbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefc9f0000	0x7fefca1cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcbc0000	0x7fefcbcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
firewallapi.dll	0x7fefcbd0000	0x7fefcc8afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x7fefcc90000	0x7fefcc96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x7fefcd80000	0x7fefcd9afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefcda0000	0x7fefcdbdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credssp.dll	0x7fefcef0000	0x7fefcef9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pcwum.dll	0x7fefcf00000	0x7fefcf0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x7fefd280000	0x7fefd286fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x7fefd290000	0x7fefd2e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
authz.dll	0x7fefd4e0000	0x7fefd50efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x7fefd890000	0x7fefd89afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd8c0000	0x7fefd8e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd9e0000	0x7fefd9f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefda00000	0x7fefda0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefdb40000	0x7fefdb75fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x7fefdea0000	0x7fefdef1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefdf00000	0x7fefe008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe150000	0x7fefe16efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe170000	0x7fefe19dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feff0b0000	0x7feff0b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff340000	0x7feff416fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff420000	0x7feff4fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff890000	0x7feff928fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feffa50000	0x7feffc52fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feffc60000	0x7feffcd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feffd50000	0x7feffd9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffff94000	0x7fffff94000	0x7fffff95fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff96000	0x7fffff96000	0x7fffff97fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff98000	0x7fffff98000	0x7fffff99fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9a000	0x7fffff9a000	0x7fffff9bfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9c000	0x7fffff9c000	0x7fffff9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffff9e000	0x7fffff9e000	0x7fffff9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa0000	0x7fffffa0000	0x7fffffa1fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa2000	0x7fffffa2000	0x7fffffa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions
For performance reasons, the remaining 45 entries are omitted. The remaining entries can be found in flog.txt.

Process #41: taskhost.exe'

Information	Value
ID	#41
File Name	c:\windows\system32\taskhost.exe
Command Line	"taskhost.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x4a0
Parent PID	0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ef1e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 510 0x 50C 0x 4E0 0x 4DC 0x 4D0 0x 4C0 0x 4AC 0x 4A4 0x 5D8 0x 5FC 0x 600 0x 61C 0x 6E0 0x 540 0x 50C

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00040000	0x000a6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000b0000	0x000b0000	0x000b1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000160000	0x00160000	0x0025ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000260000	0x00260000	0x00260fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000270000	0x00270000	0x00270fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000280000	0x00280000	0x0028ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000290000	0x00290000	0x0038ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000390000	0x00390000	0x00517fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000520000	0x00520000	0x006a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006b0000	0x006b0000	0x01aaffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001ab0000	0x01ab0000	0x01ea2fff	Pagefile Backed Memory	Readable	Region Actions
sptip.dll	0x01eb0000	0x01ecefff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000001eb0000	0x01eb0000	0x01eb1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
msutb.dll.mui	0x01ec0000	0x01ec1fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000001ed0000	0x01ed0000	0x01f4ffff	Private Memory	Readable, Writable	Region Actions
input.dll	0x01f50000	0x01f8cfff	Memory Mapped File	Readable	Region Actions
input.dll	0x01f50000	0x01f8cfff	Memory Mapped File	Readable	Region Actions
tiptsf.dll	0x01f50000	0x01fcafff	Memory Mapped File	Readable	Region Actions
tabletextservice.dll	0x01f50000	0x01fabfff	Memory Mapped File	Readable	Region Actions
tabletextservice.dll	0x01f50000	0x01fabfff	Memory Mapped File	Readable	Region Actions
private_0x0000000001f50000	0x01f50000	0x01f8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f90000	0x01f90000	0x01f90fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001fa0000	0x01fa0000	0x01fa0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001fb0000	0x01fb0000	0x01fb2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001ff0000	0x01ff0000	0x0206ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002070000	0x02070000	0x0214efff	Pagefile Backed Memory	Readable	Region Actions
rsaenh.dll	0x02150000	0x02194fff	Memory Mapped File	Readable	Region Actions
private_0x00000000021a0000	0x021a0000	0x0221ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002230000	0x02230000	0x022affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000022b0000	0x022b0000	0x0231ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002350000	0x02350000	0x023cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002410000	0x02410000	0x0248ffff	Private Memory	Readable, Writable	Region Actions
kernelbase.dll.mui	0x02490000	0x0254ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000024b0000	0x024b0000	0x0252ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002590000	0x02590000	0x0260ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000025e0000	0x025e0000	0x0265ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002690000	0x02690000	0x0270ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002710000	0x02710000	0x0278ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002790000	0x02790000	0x0280ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002860000	0x02860000	0x028dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000028e0000	0x028e0000	0x02b2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002910000	0x02910000	0x0298ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002930000	0x02930000	0x029affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002990000	0x02990000	0x02a0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ab0000	0x02ab0000	0x02b2ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x02b30000	0x02dfefff	Memory Mapped File	Readable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
taskhost.exe	0xff940000	0xff953fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
certenroll.dll	0x7fef4540000	0x7fef4725fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
npmproxy.dll	0x7fef5620000	0x7fef562bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netprofm.dll	0x7fef5a30000	0x7fef5aa3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
certcli.dll	0x7fef6e00000	0x7fef6e73fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pautoenr.dll	0x7fef6fc0000	0x7fef6fcffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dimsjob.dll	0x7fef6fd0000	0x7fef6fddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msutb.dll	0x7fefa840000	0x7fefa87cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctfmonitor.dll	0x7fefa880000	0x7fefa88afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
hotstartuseragent.dll	0x7fefa890000	0x7fefa89afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
playsndsrv.dll	0x7fefad90000	0x7fefada7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x7fefaeb0000	0x7fefaeeafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7fefb480000	0x7fefb48afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dsrole.dll	0x7fefb490000	0x7fefb49bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x7fefb4b0000	0x7fefb4c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x7fefb550000	0x7fefb564fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
taskschd.dll	0x7fefb640000	0x7fefb766fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x7fefbd50000	0x7fefbd60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7fefbef0000	0x7fefbf07fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc320000	0x7fefc375fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefcff0000	0x7fefd036fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd2f0000	0x7fefd306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd8c0000	0x7fefd8e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x7fefd9a0000	0x7fefd9dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd9e0000	0x7fefd9f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdaa0000	0x7fefdaaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdbc0000	0x7fefdd26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x7fefdea0000	0x7fefdef1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefdf00000	0x7fefe008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe150000	0x7fefe16efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe170000	0x7fefe19dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feff0b0000	0x7feff0b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff340000	0x7feff416fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff420000	0x7feff4fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff890000	0x7feff928fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feffa50000	0x7feffc52fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feffc60000	0x7feffcd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #42: userinit.exe'

Information	Value
ID	#42
File Name	c:\windows\system32\userinit.exe
Command Line	C:\Windows\system32\userinit.exe
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x4d4
Parent PID	0x1b4 (c:\windows\system32\winlogon.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ef1e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 4D8 0x 424 0x 370

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00051fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000060000	0x00060000	0x00060fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x0017ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00210000	0x00276fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000280000	0x00280000	0x0037ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003a0000	0x003a0000	0x003affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003b0000	0x003b0000	0x00537fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000540000	0x00540000	0x006c0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006d0000	0x006d0000	0x01acffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001ad0000	0x01ad0000	0x01ec2fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001ed0000	0x01ed0000	0x01faefff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002070000	0x02070000	0x020effff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
userinit.exe	0xff2f0000	0xff2fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7fefbef0000	0x7fefbf07fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc320000	0x7fefc375fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefcda0000	0x7fefcdbdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefda00000	0x7fefda0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdaa0000	0x7fefdaaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdbc0000	0x7fefdd26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefdf00000	0x7fefe008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe170000	0x7fefe19dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #43: dwm.exe'

Information	Value
ID	#43
File Name	c:\windows\system32\dwm.exe
Command Line	"C:\Windows\system32\Dwm.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x4e4
Parent PID	0x33c (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ef1e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 4F8 0x 4EC 0x 4E8 0x 7E8 0x 730

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000030000	0x00030000	0x000affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000b0000	0x000b0000	0x000b3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c1fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x000d0000	0x00136fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x00141fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000160000	0x00160000	0x00160fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x001effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x001fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000200000	0x00200000	0x00200fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000210000	0x00210000	0x00210fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000280000	0x00280000	0x0037ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000380000	0x00380000	0x00507fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000510000	0x00510000	0x00690fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006a0000	0x006a0000	0x01a9ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001aa0000	0x01aa0000	0x01e92fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001ea0000	0x01ea0000	0x01f9ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001fa0000	0x01fa0000	0x0207efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002100000	0x02100000	0x0217ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002180000	0x02180000	0x0227ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000022f0000	0x022f0000	0x0236ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x02400000	0x026cefff	Memory Mapped File	Readable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77c70000	0x77c76fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
dwm.exe	0xff4d0000	0xff4f2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dxgi.dll	0x7fefaa70000	0x7fefab16fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d10_1core.dll	0x7fefab20000	0x7fefab74fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d10_1.dll	0x7fefab80000	0x7fefabb3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmcore.dll	0x7fefabc0000	0x7fefad51fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmredir.dll	0x7fefad60000	0x7fefad86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windowscodecs.dll	0x7fefbd80000	0x7fefbea9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7fefbef0000	0x7fefbf07fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc320000	0x7fefc375fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcbc0000	0x7fefcbcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdaa0000	0x7fefdaaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x7fefdb80000	0x7fefdbb9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdbc0000	0x7fefdd26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefdf00000	0x7fefe008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe150000	0x7fefe16efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe170000	0x7fefe19dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff420000	0x7feff4fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feffa50000	0x7feffc52fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #44: explorer.exe'

Information	Value
ID	#44
File Name	c:\windows\explorer.exe
Command Line	C:\Windows\Explorer.EXE
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x4f0
Parent PID	0x4d4 (c:\windows\system32\userinit.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ef1e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 584 0x 580 0x 57C 0x 578 0x 574 0x 568 0x 55C 0x 554 0x 534 0x 528 0x 524 0x 520 0x 51C 0x 518 0x 514 0x 500 0x 4F4 0x 5B8 0x 5CC 0x 5D0 0x 5D4 0x 618 0x 624 0x 63C 0x 654 0x 660 0x 684 0x 6B4 0x 6E4 0x 6E8 0x 6EC 0x 6FC 0x 710 0x 718 0x 720 0x 738 0x 42C 0x 758

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00021fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00100fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x0011ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000120000	0x00120000	0x0015ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000160000	0x00160000	0x00161fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000170000	0x00170000	0x00170fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000180000	0x00180000	0x00181fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000190000	0x00190000	0x001a7fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001b0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001d0000	0x001d0000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x0034ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000350000	0x00350000	0x0036bfff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000370000	0x00370000	0x00372fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000380000	0x00380000	0x00384fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000390000	0x00390000	0x003bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003c0000	0x003c0000	0x003cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003d0000	0x003d0000	0x003d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003e0000	0x003e0000	0x004dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004e0000	0x004e0000	0x00667fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000670000	0x00670000	0x007f0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000800000	0x00800000	0x01bfffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001c00000	0x01c00000	0x01ff2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002000000	0x02000000	0x0200ffff	Private Memory	-	Region Actions
private_0x0000000002010000	0x02010000	0x0201ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002020000	0x02020000	0x0202ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002030000	0x02030000	0x0203ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002040000	0x02040000	0x020bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000020c0000	0x020c0000	0x0219efff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000021a0000	0x021a0000	0x021fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002200000	0x02200000	0x0226bfff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002270000	0x02270000	0x0227ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002280000	0x02280000	0x022fffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x02300000	0x025cefff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000025d0000	0x025d0000	0x025d1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000025e0000	0x025e0000	0x0265ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002660000	0x02660000	0x02661fff	Pagefile Backed Memory	Readable	Region Actions
comctl32.dll.mui	0x02670000	0x02672fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000002680000	0x02680000	0x02680fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002690000	0x02690000	0x026abfff	Private Memory	Readable, Writable	Region Actions
private_0x00000000026b0000	0x026b0000	0x026b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000026c0000	0x026c0000	0x026c8fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000026d0000	0x026d0000	0x027cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000027d0000	0x027d0000	0x027dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000027e0000	0x027e0000	0x027effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000027f0000	0x027f0000	0x027fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002800000	0x02800000	0x0280ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002810000	0x02810000	0x0281ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002820000	0x02820000	0x0291ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002920000	0x02920000	0x0292ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002930000	0x02930000	0x02931fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002940000	0x02940000	0x02940fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002950000	0x02950000	0x02950fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002960000	0x02960000	0x02967fff	Private Memory	Readable, Writable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db	0x02970000	0x0299ffff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000029a0000	0x029a0000	0x029a0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
cversions.2.db	0x029b0000	0x029b3fff	Memory Mapped File	Readable	Region Actions
cversions.2.db	0x029c0000	0x029c3fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000029d0000	0x029d0000	0x029d1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000029e0000	0x029e0000	0x029effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000029f0000	0x029f0000	0x02aeffff	Private Memory	Readable, Writable	Region Actions
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db	0x02af0000	0x02b1ffff	Memory Mapped File	Readable	Region Actions
private_0x0000000002b20000	0x02b20000	0x02b9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ba0000	0x02ba0000	0x02c9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ca0000	0x02ca0000	0x02e9ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002ea0000	0x02ea0000	0x031e2fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000031f0000	0x031f0000	0x031f1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000003200000	0x03200000	0x03203fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003210000	0x03210000	0x03213fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003220000	0x03220000	0x03220fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003230000	0x03230000	0x03230fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003240000	0x03240000	0x032bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000032c0000	0x032c0000	0x032c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000032d0000	0x032d0000	0x032d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000032e0000	0x032e0000	0x032e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000032f0000	0x032f0000	0x0336ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003370000	0x03370000	0x03370fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003380000	0x03380000	0x03380fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003390000	0x03390000	0x03390fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000033a0000	0x033a0000	0x0341ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000003420000	0x03420000	0x03420fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000003430000	0x03430000	0x03431fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x03440000	0x03443fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000003450000	0x03450000	0x03451fff	Pagefile Backed Memory	Readable	Region Actions
{40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db	0x03460000	0x03460fff	Memory Mapped File	Readable	Region Actions
cversions.2.db	0x03470000	0x03473fff	Memory Mapped File	Readable	Region Actions
private_0x0000000003480000	0x03480000	0x03480fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003490000	0x03490000	0x03490fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000034a0000	0x034a0000	0x034a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000034b0000	0x034b0000	0x034b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000034c0000	0x034c0000	0x034c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000034d0000	0x034d0000	0x0354ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003550000	0x03550000	0x03550fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003560000	0x03560000	0x03560fff	Private Memory	Readable, Writable	Region Actions
{3978ea0a-1c7e-4449-8ae1-e1265f039002}.2.ver0x0000000000000003.db	0x03570000	0x03570fff	Memory Mapped File	Readable	Region Actions
cversions.2.db	0x03580000	0x03583fff	Memory Mapped File	Readable	Region Actions
private_0x0000000003590000	0x03590000	0x0360ffff	Private Memory	Readable, Writable	Region Actions
staticcache.dat	0x03610000	0x03f3ffff	Memory Mapped File	Readable	Region Actions
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x03f40000	0x03fa5fff	Memory Mapped File	Readable	Region Actions
{4e36ea69-73d1-4458-9d16-50f8e31a69a0}.2.ver0x0000000000000001.db	0x03fb0000	0x03fb0fff	Memory Mapped File	Readable	Region Actions
private_0x0000000003fc0000	0x03fc0000	0x0400ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004040000	0x04040000	0x040bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004140000	0x04140000	0x041bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004270000	0x04270000	0x042effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000042f0000	0x042f0000	0x0436ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000043a0000	0x043a0000	0x0441ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004490000	0x04490000	0x0450ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004510000	0x04510000	0x0458ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000046a0000	0x046a0000	0x0471ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000047b0000	0x047b0000	0x0482ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004880000	0x04880000	0x048fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004aa0000	0x04aa0000	0x04b1ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000004b20000	0x04b20000	0x04d1ffff	Private Memory	Readable, Writable	Region Actions
atl90.dll	0x742b0000	0x742defff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcp90.dll	0x742e0000	0x743b2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr90.dll	0x743c0000	0x74462fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
explorer.exe	0xff440000	0xff6fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
tiptsf.dll	0x7fef8190000	0x7fef820efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msls31.dll	0x7fef8210000	0x7fef824afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msftedit.dll	0x7fef8250000	0x7fef8315fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msi.dll	0x7fef8320000	0x7fef8635fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msiltcfg.dll	0x7fef8640000	0x7fef8648fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wer.dll	0x7fef8650000	0x7fef86cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gameux.dll	0x7fef86d0000	0x7fef8972fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
linkinfo.dll	0x7fef8980000	0x7fef898bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shdocvw.dll	0x7fef8990000	0x7fef89c3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
actxprxy.dll	0x7fef8e20000	0x7fef8f0dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
timedate.cpl	0x7fef8f20000	0x7fef8fa2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
themeui.dll	0x7fef8fb0000	0x7fef9281fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iconcodecservice.dll	0x7fef9360000	0x7fef9367fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntshrui.dll	0x7fef9370000	0x7fef93effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscapi.dll	0x7fef93f0000	0x7fef93fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscdll.dll	0x7fef9400000	0x7fef940bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscui.dll	0x7fef9410000	0x7fef948dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
grooveintlresource.dll	0x7fef9490000	0x7fef9cf3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
office.odf	0x7fef9d00000	0x7fefa119fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
For performance reasons, the remaining 338 entries are omitted. The remaining entries can be found in flog.txt.

Process #45: bcssync.exe'

Information	Value
ID	#45
File Name	c:\program files\microsoft office\office14\bcssync.exe
Command Line	"C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x588
Parent PID	0x4f0 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ef1e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 58C

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00042fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000070000	0x00070000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00170000	0x001d6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000001e0000	0x001e0000	0x001e1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000230000	0x00230000	0x0023ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000290000	0x00290000	0x0038ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000390000	0x00390000	0x0048ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000490000	0x00490000	0x0049ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004a0000	0x004a0000	0x0059ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005a0000	0x005a0000	0x00727fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000730000	0x00730000	0x008b0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000008c0000	0x008c0000	0x01cbffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001cc0000	0x01cc0000	0x01dbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e10000	0x01e10000	0x01e1ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001e20000	0x01e20000	0x01efefff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001f30000	0x01f30000	0x01faffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001fe0000	0x01fe0000	0x0205ffff	Private Memory	Readable, Writable, Executable	Region Actions
msvcr90.dll	0x743c0000	0x74462fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77c70000	0x77c76fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
bcssync.exe	0x13fb10000	0x13fb2efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoreei.dll	0x7fef7e20000	0x7fef7eb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoree.dll	0x7fef7ec0000	0x7fef7f2efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc320000	0x7fefc375fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefc500000	0x7fefc6f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefdf00000	0x7fefe008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe150000	0x7fefe16efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe170000	0x7fefe19dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7fefe320000	0x7feff0a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff340000	0x7feff416fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff420000	0x7feff4fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feffa50000	0x7feffc52fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feffc60000	0x7feffcd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #46: runonce.exe'

Information	Value
ID	#46
File Name	c:\windows\syswow64\runonce.exe
Command Line	C:\Windows\SysWOW64\runonce.exe /Run6432
Initial Working Directory	C:\Windows\SysWOW64\
Monitor	Start Time: 00:01:03, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:47
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x590
Parent PID	0x4f0 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ef1e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 594 0x 5B0 0x 5BC 0x 5E0 0x 668

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00031fff	Pagefile Backed Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
runonce.exe.mui	0x000e0000	0x000e0fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000110000	0x00110000	0x00110fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000120000	0x00120000	0x00121fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000130000	0x00130000	0x0015ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000160000	0x00160000	0x001dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001e0000	0x001e0000	0x001e1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001f0000	0x001f0000	0x001f0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000200000	0x00200000	0x00200fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000210000	0x00210000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
cversions.1.db	0x00250000	0x00253fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000250000	0x00250000	0x00252fff	Pagefile Backed Memory	Readable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db	0x00260000	0x0028ffff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000290000	0x00290000	0x00290fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000002a0000	0x002a0000	0x002dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002e0000	0x002e0000	0x002e3fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002f0000	0x002f0000	0x002fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000300000	0x00300000	0x0033ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000340000	0x00340000	0x00357fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000360000	0x00360000	0x00360fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000370000	0x00370000	0x0037ffff	Private Memory	-	Region Actions
private_0x0000000000380000	0x00380000	0x0038ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000390000	0x00390000	0x0039ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003a0000	0x003a0000	0x003dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003e0000	0x003e0000	0x003effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x003fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x0040ffff	Private Memory	-	Region Actions
private_0x0000000000410000	0x00410000	0x0041ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000420000	0x00420000	0x0042ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000430000	0x00430000	0x0043ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000440000	0x00440000	0x0044ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000450000	0x00450000	0x0048ffff	Private Memory	Readable, Writable	Region Actions
runonce.exe	0x00490000	0x0049efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000004a0000	0x004a0000	0x0057efff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x00580000	0x00583fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000590000	0x00590000	0x0068ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000690000	0x00690000	0x00817fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000820000	0x00820000	0x009a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000009b0000	0x009b0000	0x01daffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001db0000	0x01db0000	0x01f9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001db0000	0x01db0000	0x01deffff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x01df0000	0x01e2bfff	Memory Mapped File	Readable	Region Actions
rsaenh.dll	0x01df0000	0x01e2bfff	Memory Mapped File	Readable	Region Actions
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db	0x01df0000	0x01e1ffff	Memory Mapped File	Readable	Region Actions
cversions.2.db	0x01e20000	0x01e23fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001e30000	0x01e30000	0x01e6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e70000	0x01e70000	0x01f1ffff	Private Memory	Readable, Writable	Region Actions
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x01e70000	0x01ed5fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000001ee0000	0x01ee0000	0x01ee0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000001f10000	0x01f10000	0x01f1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f60000	0x01f60000	0x01f9ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01fa0000	0x0226efff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000002270000	0x02270000	0x02662fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002670000	0x02670000	0x02770fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000026a0000	0x026a0000	0x026dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000026e0000	0x026e0000	0x028cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000026e0000	0x026e0000	0x0289ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000026e0000	0x026e0000	0x027dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002860000	0x02860000	0x0289ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000028c0000	0x028c0000	0x028cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002950000	0x02950000	0x0298ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002aa0000	0x02aa0000	0x02adffff	Private Memory	Readable, Writable	Region Actions
atl90.dll	0x738d0000	0x738fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcp90.dll	0x73900000	0x7398dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr90.dll	0x73990000	0x73a32fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
grooveex.dll	0x73a40000	0x73e48fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x73e50000	0x73e9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x73ea0000	0x73eaafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x73eb0000	0x73ed0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x73ee0000	0x73fd4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x73fe0000	0x7405ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x74060000	0x741fdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74200000	0x74207fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74210000	0x7426bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74270000	0x742aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
office.odf	0x74f30000	0x75349fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
office.odf	0x75350000	0x75769fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x75770000	0x757aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x757b0000	0x757c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x757e0000	0x757ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x757f0000	0x7584ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x75850000	0x759ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75ad0000	0x75c05fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75c50000	0x75d3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75d40000	0x75d96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75da0000	0x75de5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75df0000	0x75efffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75f00000	0x760fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76100000	0x7615ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x761e0000	0x76262fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x76270000	0x76296fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x762a0000	0x7632ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x76330000	0x76341fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x76350000	0x7635bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x76360000	0x7647cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76480000	0x7651cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76520000	0x765aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x765b0000	0x771f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x77200000	0x772abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x772e0000	0x772f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77300000	0x77309fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x77370000	0x774cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x774d0000	0x7756ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x77570000	0x77664fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x77670000	0x7773bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x77740000	0x77784fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77790000	0x7788ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077890000	0x77890000	0x77989fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000077990000	0x77990000	0x77aaefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c90000	0x77e0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Process #47: dllhost.exe'

Information	Value
ID	#47
File Name	c:\windows\system32\dllhost.exe
Command Line	C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:14, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:36
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x628
Parent PID	0x25c (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ef1e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 62C 0x 644 0x 664 0x 66C 0x 670 0x 674 0x 694

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00040000	0x000a6fff	Memory Mapped File	Readable	Region Actions
imm32.dll	0x000b0000	0x000d8fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000b0000	0x000b0000	0x000b0fff	Private Memory	Readable, Writable	Region Actions
rpcss.dll	0x000c0000	0x0013cfff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d0fff	Pagefile Backed Memory	Readable	Region Actions
rsaenh.dll	0x000e0000	0x00124fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00100fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000110000	0x00110000	0x00111fff	Pagefile Backed Memory	Readable	Region Actions
windowsshell.manifest	0x00120000	0x00120fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000130000	0x00130000	0x00131fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000190000	0x00190000	0x0028ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000290000	0x00290000	0x003effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000290000	0x00290000	0x0038ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003e0000	0x003e0000	0x003effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x004effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004f0000	0x004f0000	0x00677fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000680000	0x00680000	0x00800fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000810000	0x00810000	0x01c0ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001c90000	0x01c90000	0x01d8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e50000	0x01e50000	0x01f4ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01f50000	0x0221efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002220000	0x02220000	0x0232ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000023c0000	0x023c0000	0x024bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002590000	0x02590000	0x0268ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002720000	0x02720000	0x0281ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002820000	0x02820000	0x028fefff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002900000	0x02900000	0x02abffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002900000	0x02900000	0x029fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ab0000	0x02ab0000	0x02abffff	Private Memory	Readable, Writable	Region Actions
ksuser.dll	0x738c0000	0x738c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77c70000	0x77c76fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
dllhost.exe	0xff4e0000	0xff4e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mf.dll	0x7fef6be0000	0x7fef6fd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mfplat.dll	0x7fef72f0000	0x7fef735bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
photometadatahandler.dll	0x7fef76e0000	0x7fef774afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fef7750000	0x7fef77effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
actxprxy.dll	0x7fef8e20000	0x7fef8f0dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x7fefa7e0000	0x7fefa836fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
thumbcache.dll	0x7fefaf20000	0x7fefaf3efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x7fefb4b0000	0x7fefb4c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
avrt.dll	0x7fefb870000	0x7fefb878fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windowscodecs.dll	0x7fefbd80000	0x7fefbea9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc320000	0x7fefc375fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc380000	0x7fefc4abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefc500000	0x7fefc6f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcbc0000	0x7fefcbcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefcff0000	0x7fefd036fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd2f0000	0x7fefd306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd9e0000	0x7fefd9f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefdf00000	0x7fefe008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe150000	0x7fefe16efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe170000	0x7fefe19dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7fefe320000	0x7feff0a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feff0b0000	0x7feff0b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff340000	0x7feff416fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff420000	0x7feff4fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff890000	0x7feff928fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feffa50000	0x7feffc52fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feffc60000	0x7feffcd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feffd50000	0x7feffd9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #48: reader_sl.exe'

Information	Value
ID	#48
File Name	c:\program files (x86)\adobe\reader 10.0\reader\reader_sl.exe
Command Line	"C:\Program Files (x86)\Adobe\Reader 10.0\Reader\reader_sl.exe"
Initial Working Directory	C:\Windows\SysWOW64\
Monitor	Start Time: 00:01:15, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:35
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x678
Parent PID	0x590 (c:\windows\syswow64\runonce.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ef1e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 67C 0x 6A0 0x 74C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001b0000	0x001b0000	0x003bffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x001b0000	0x00216fff	Memory Mapped File	Readable	Region Actions
imm32.dll	0x00220000	0x0023dfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000220000	0x00220000	0x00220fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000230000	0x00230000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x002affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002b0000	0x002b0000	0x002effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000340000	0x00340000	0x003bffff	Private Memory	Readable, Writable	Region Actions
reader_sl.exe	0x00400000	0x00409fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000410000	0x00410000	0x0069ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000410000	0x00410000	0x00597fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000005a0000	0x005a0000	0x0069ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000006a0000	0x006a0000	0x00820fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000830000	0x00830000	0x01c2ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001c30000	0x01c30000	0x01d9ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001c30000	0x01c30000	0x01d0efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001d60000	0x01d60000	0x01d9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001da0000	0x01da0000	0x01e9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ea0000	0x01ea0000	0x01f9ffff	Private Memory	Readable, Writable	Region Actions
msvcp90.dll	0x73900000	0x7398dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr90.dll	0x73990000	0x73a32fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x73fe0000	0x7405ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74200000	0x74207fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74210000	0x7426bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74270000	0x742aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x75750000	0x75762fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x757e0000	0x757ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x757f0000	0x7584ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75c50000	0x75d3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75d40000	0x75d96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75da0000	0x75de5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75df0000	0x75efffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76100000	0x7615ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x762a0000	0x7632ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76480000	0x7651cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x765b0000	0x771f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x77200000	0x772abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x772e0000	0x772f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77300000	0x77309fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x774d0000	0x7756ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x77670000	0x7773bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77790000	0x7788ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077890000	0x77890000	0x77989fff	Private Memory	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077990000	0x77990000	0x77aaefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c90000	0x77e0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Process #49: adobearm.exe'

Information	Value
ID	#49
File Name	c:\program files (x86)\common files\adobe\arm\1.0\adobearm.exe
Command Line	"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
Initial Working Directory	C:\Windows\SysWOW64\
Monitor	Start Time: 00:01:16, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:34
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x688
Parent PID	0x590 (c:\windows\syswow64\runonce.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ef1e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 68C 0x 6F0 0x 6F8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
imm32.dll	0x00020000	0x0003dfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
windowsshell.manifest	0x000e0000	0x000e0fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00100fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x0022ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x001bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x0017ffff	Private Memory	Readable, Writable	Region Actions
tzres.dll	0x00150000	0x00150fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000160000	0x00160000	0x00166fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000170000	0x00170000	0x0017ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000180000	0x00180000	0x00181fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001bffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000220000	0x00220000	0x0022ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000230000	0x00230000	0x002affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002d0000	0x002d0000	0x003cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003d0000	0x003d0000	0x0063ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003d0000	0x003d0000	0x00557fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000005c0000	0x005c0000	0x0063ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000640000	0x00640000	0x0092ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000640000	0x00640000	0x007c0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000830000	0x00830000	0x0092ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000930000	0x00930000	0x00b1ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000930000	0x00930000	0x00a0efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000ae0000	0x00ae0000	0x00b1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000b20000	0x00b20000	0x00c1ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000c20000	0x00c20000	0x01012fff	Pagefile Backed Memory	Readable	Region Actions
adobearm.exe	0x01040000	0x01129fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000001130000	0x01130000	0x0252ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x02530000	0x027fefff	Memory Mapped File	Readable	Region Actions
private_0x0000000002800000	0x02800000	0x02924fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002830000	0x02830000	0x0286ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a10000	0x02a10000	0x02b0ffff	Private Memory	Readable, Writable	Region Actions
uxtheme.dll	0x73fe0000	0x7405ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74200000	0x74207fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74210000	0x7426bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74270000	0x742aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x75310000	0x7531afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x75320000	0x75336fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oledlg.dll	0x75340000	0x7535bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x75360000	0x754fdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x75500000	0x75508fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msi.dll	0x75510000	0x7574ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x75770000	0x757c0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x757e0000	0x757ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x757f0000	0x7584ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75ad0000	0x75c05fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x75c40000	0x75c44fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75c50000	0x75d3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75d40000	0x75d96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75da0000	0x75de5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75df0000	0x75efffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75f00000	0x760fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76100000	0x7615ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x76160000	0x761dafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x762a0000	0x7632ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x76350000	0x7635bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x76360000	0x7647cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76480000	0x7651cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76520000	0x765aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x765b0000	0x771f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x77200000	0x772abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x772b0000	0x772dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x772e0000	0x772f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77300000	0x77309fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x77370000	0x774cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x774d0000	0x7756ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x77570000	0x77664fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x77670000	0x7773bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77790000	0x7788ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077890000	0x77890000	0x77989fff	Private Memory	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077990000	0x77990000	0x77aaefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c90000	0x77e0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Process #50: jusched.exe'

Information	Value
ID	#50
File Name	c:\program files (x86)\common files\java\java update\jusched.exe
Command Line	"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
Initial Working Directory	C:\Windows\SysWOW64\
Monitor	Start Time: 00:01:16, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:34
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x698
Parent PID	0x590 (c:\windows\syswow64\runonce.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ef1e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 69C 0x 6B0

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x0003ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x0003ffff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001b0000	0x001b0000	0x0038ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x001b0000	0x00216fff	Memory Mapped File	Readable	Region Actions
imm32.dll	0x00220000	0x0023dfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000220000	0x00220000	0x00220fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000230000	0x00230000	0x0030efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000310000	0x00310000	0x0038ffff	Private Memory	Readable, Writable	Region Actions
jusched.exe	0x00400000	0x00440fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000450000	0x00450000	0x006affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000450000	0x00450000	0x0056ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005b0000	0x005b0000	0x006affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000006b0000	0x006b0000	0x00837fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000840000	0x00840000	0x009c0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000009d0000	0x009d0000	0x01dcffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001dd0000	0x01dd0000	0x01fbffff	Private Memory	Readable, Writable	Region Actions
uxtheme.dll	0x73fe0000	0x7405ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74200000	0x74207fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74210000	0x7426bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74270000	0x742aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x757e0000	0x757ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x757f0000	0x7584ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x75ad0000	0x75c05fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75c50000	0x75d3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75d40000	0x75d96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75da0000	0x75de5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75df0000	0x75efffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75f00000	0x760fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76100000	0x7615ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x762a0000	0x7632ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x76350000	0x7635bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x76360000	0x7647cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76480000	0x7651cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76520000	0x765aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x765b0000	0x771f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x77200000	0x772abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x772e0000	0x772f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77300000	0x77309fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x77370000	0x774cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x774d0000	0x7756ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x77570000	0x77664fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x77670000	0x7773bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77790000	0x7788ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077890000	0x77890000	0x77989fff	Private Memory	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077990000	0x77990000	0x77aaefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c90000	0x77e0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Process #51: taskhost.exe'

Information	Value
ID	#51
File Name	c:\windows\system32\taskhost.exe
Command Line	taskhost.exe SYSTEM
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:26, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:24
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x7ec
Parent PID	0x1d8 (c:\windows\system32\services.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 7F0 0x 5CC 0x 5D4 0x 58C 0x 588 0x 344 0x 328

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00040000	0x000a6fff	Memory Mapped File	Readable	Region Actions
imm32.dll	0x000b0000	0x000d8fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000b0000	0x000b0000	0x000b1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00102fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000110000	0x00110000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x0028ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002a0000	0x002a0000	0x0039ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003a0000	0x003a0000	0x004bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003a0000	0x003a0000	0x0045ffff	Pagefile Backed Memory	Readable	Region Actions
rsaenh.dll	0x00460000	0x004a4fff	Memory Mapped File	Readable	Region Actions
private_0x00000000004b0000	0x004b0000	0x004bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004c0000	0x004c0000	0x00647fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000650000	0x00650000	0x007d0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007e0000	0x007e0000	0x00bd2fff	Pagefile Backed Memory	Readable	Region Actions
rpcss.dll	0x00be0000	0x00c5cfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000c20000	0x00c20000	0x00c9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ca0000	0x00ca0000	0x00d3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d60000	0x00d60000	0x00ddffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000df0000	0x00df0000	0x00e6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e70000	0x00e70000	0x00f8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000fb0000	0x00fb0000	0x0102ffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01030000	0x012fefff	Memory Mapped File	Readable	Region Actions
private_0x00000000013d0000	0x013d0000	0x0144ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001460000	0x01460000	0x014dffff	Private Memory	Readable, Writable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
taskhost.exe	0xff940000	0xff953fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
certenroll.dll	0x7fef4350000	0x7fef4535fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
npmproxy.dll	0x7fef5620000	0x7fef562bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netprofm.dll	0x7fef5a30000	0x7fef5aa3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
certcli.dll	0x7fef6d30000	0x7fef6da3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pautoenr.dll	0x7fef6fb0000	0x7fef6fbffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dimsjob.dll	0x7fef6fd0000	0x7fef6fddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dsrole.dll	0x7fefb490000	0x7fefb49bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x7fefb4b0000	0x7fefb4c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x7fefb550000	0x7fefb564fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
taskschd.dll	0x7fefb640000	0x7fefb766fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefcff0000	0x7fefd036fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd2f0000	0x7fefd306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefd8c0000	0x7fefd8e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd9e0000	0x7fefd9f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x7fefdaa0000	0x7fefdaaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x7fefdbc0000	0x7fefdd26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x7fefdea0000	0x7fefdef1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefdf00000	0x7fefe008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe150000	0x7fefe16efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe170000	0x7fefe19dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feff0b0000	0x7feff0b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff340000	0x7feff416fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff420000	0x7feff4fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff890000	0x7feff928fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feffa50000	0x7feffc52fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feffc60000	0x7feffcd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #52: cmd.exe

(Host: 51, Network: 0)

Information	Value
ID	#52
File Name	c:\windows\system32\cmd.exe
Command Line	C:\Windows\system32\cmd.exe /C Start "" "C:\Windows\dispci.exe" -id 1550063777 && exit
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:30, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:20

OS Process Information

Information	Value
PID	0x338
Parent PID	0x444 (c:\windows\system32\taskeng.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT SERVICE\BDESVC (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\BITS (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\CertPropSvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\EapHost (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\hkmsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\IKEEXT (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\iphlpsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\LanmanServer (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\MMCSS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\MSiSCSI (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasAuto (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasMan (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RemoteAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Schedule (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SCPolicySvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SENS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SessionEnv (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SharedAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\ShellHWDetection (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\wercplsupport (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Winmgmt (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\wuauserv (ENABLED_BY_DEFAULT, OWNER) NT AUTHORITY\Logon Session 00000000:0000ce9f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER)
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 5C8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
imm32.dll	0x000c0000	0x000e8fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x0017ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000180000	0x00180000	0x00186fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00191fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000001a0000	0x001a0000	0x001a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001b0000	0x001b0000	0x002affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002b0000	0x002b0000	0x002b0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000360000	0x00360000	0x0045ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000460000	0x00460000	0x005fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000460000	0x00460000	0x0055ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005f0000	0x005f0000	0x005fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000600000	0x00600000	0x00787fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000790000	0x00790000	0x00910fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000920000	0x00920000	0x00c62fff	Pagefile Backed Memory	Readable	Region Actions
cmd.exe	0x4a850000	0x4a8a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
winbrand.dll	0x7fef6fb0000	0x7fef6fb7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefdf00000	0x7fefe008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe170000	0x7fefe19dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

File (10)

Operation	Filename	Additional Information	Count	Logfile
Get Info	C:\Windows\system32	type = file_attributes	1	Fn
Get Info	C:\Windows\System32	type = file_attributes	1	Fn
Open	STD_OUTPUT_HANDLE	-	4	Fn
Open	STD_INPUT_HANDLE	-	3	Fn
Open	STD_ERROR_HANDLE	-	1	Fn

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\dispci.exe	os_pid = 0x34c, creation_flags = CREATE_NEW_CONSOLE, CREATE_UNICODE_ENVIRONMENT, CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL		1	Fn

Thread (1)

Operation	Process	Additional Information	Success	Count	Logfile
Resume	c:\windows\system32\svchost.exe	os_tid = 0x5c8		1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\cmd.exe	base_address = 0x4a850000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x77990000	2	Fn
Get Filename	-	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x779a6d40	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CopyFileExW, address_out = 0x779a23d0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsDebuggerPresent, address_out = 0x77998290	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x779a17e0	1	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2017-10-25 15:17:45 (UTC)		1	Fn
Get Time	type = Ticks, time = 34788		1	Fn

Environment (12)

Operation	Additional Information	Count	Logfile
Get Environment String	-	4	Fn Data
Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	2	Fn
Get Environment String	name = PROMPT	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Set Environment String	name = PROMPT, value = $P$G	1	Fn
Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn

Process #54: dispci.exe

(Host: 1896, Network: 0)

Information	Value
ID	#54
File Name	c:\windows\dispci.exe
Command Line	"C:\Windows\dispci.exe" -id 1550063777
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:31, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:19

OS Process Information

Information	Value
PID	0x34c
Parent PID	0x338 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT SERVICE\BDESVC (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\BITS (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\CertPropSvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\EapHost (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\hkmsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\IKEEXT (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\iphlpsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\LanmanServer (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\MMCSS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\MSiSCSI (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasAuto (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasMan (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RemoteAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Schedule (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SCPolicySvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SENS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SessionEnv (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SharedAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\ShellHWDetection (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\wercplsupport (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Winmgmt (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\wuauserv (ENABLED_BY_DEFAULT, OWNER) NT AUTHORITY\Logon Session 00000000:0000ce9f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER)
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 350 0x 5F4 0x 680 0x 5BC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x0003ffff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
imm32.dll	0x000e0000	0x000fdfff	Memory Mapped File	Readable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00101fff	Private Memory	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x00110000	0x0014bfff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000110000	0x00110000	0x00110fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000120000	0x00120000	0x00120fff	Private Memory	Readable, Writable, Executable	Region Actions
tzres.dll	0x00130000	0x00130fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000130000	0x00130000	0x00130fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x00146fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000150000	0x00150000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x002affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x001cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001d0000	0x001d0000	0x001d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000230000	0x00230000	0x002affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002c0000	0x002c0000	0x003bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003c0000	0x003c0000	0x0055ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000560000	0x00560000	0x006e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006f0000	0x006f0000	0x007affff	Pagefile Backed Memory	Readable	Region Actions
dispci.exe	0x00810000	0x00869fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000870000	0x00870000	0x009f0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000a00000	0x00a00000	0x00bfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a20000	0x00a20000	0x00a5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ab0000	0x00ab0000	0x00aeffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000bf0000	0x00bf0000	0x00bfffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x00c00000	0x00ecefff	Memory Mapped File	Readable	Region Actions
private_0x0000000000f10000	0x00f10000	0x0100ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001060000	0x01060000	0x0115ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001160000	0x01160000	0x01552fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001570000	0x01570000	0x0166ffff	Private Memory	Readable, Writable	Region Actions
wow64cpu.dll	0x74200000	0x74207fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74210000	0x7426bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74270000	0x742aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscapi.dll	0x755c0000	0x755cafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x755d0000	0x755dafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x755e0000	0x7561afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x75620000	0x75635fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x75640000	0x75658fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x75770000	0x7577efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x75780000	0x75790fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x757b0000	0x757b8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x757e0000	0x757ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x757f0000	0x7584ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x75c40000	0x75c44fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75c50000	0x75d3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75d40000	0x75d96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75da0000	0x75de5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75df0000	0x75efffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76100000	0x7615ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x762a0000	0x7632ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x76350000	0x7635bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x76360000	0x7647cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76480000	0x7651cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x765b0000	0x771f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x77200000	0x772abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x772e0000	0x772f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77300000	0x77309fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x77370000	0x774cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x774d0000	0x7756ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x77670000	0x7773bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77790000	0x7788ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077890000	0x77890000	0x77989fff	Private Memory	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077990000	0x77990000	0x77aaefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c90000	0x77e0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

File (16)

Operation	Filename	Additional Information	Count	Logfile
Create	\\.\dcrypt	-	2	Fn
Create	\\.\GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1)	desired_access = SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	\\.\PhysicalDrive0	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	2	Fn
Create	\\.\PhysicalDrive0	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Get Info	STD_INPUT_HANDLE	type = file_type	1	Fn
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Get Info	STD_ERROR_HANDLE	type = file_type	1	Fn
Get Info	C:\Windows\cscc.dat	type = file_attributes	1	Fn
Open	STD_INPUT_HANDLE	-	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Read	\\.\PhysicalDrive0	size = 512, size_out = 512	1	Fn Data
Write	\\.\PhysicalDrive0	size = 21504	1	Fn Data
Write	\\.\PhysicalDrive0	size = 512	1	Fn Data

Process (4)

Operation	Process	Additional Information	Count	Logfile
Create	C:\Windows\system32\cmd.exe	os_pid = 0x5f8, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
Create	C:\Windows\system32\cmd.exe	os_pid = 0x650, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
Create	C:\Windows\system32\cmd.exe	os_pid = 0x69c, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
Create	C:\Windows\system32\cmd.exe	os_pid = 0x6fc, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x75df0000	3	Fn
Get Filename	-	process_name = c:\windows\dispci.exe, file_name_orig = C:\Windows\dispci.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsAlloc, address_out = 0x75e04f2b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsGetValue, address_out = 0x75e01252	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsSetValue, address_out = 0x75e04208	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsFree, address_out = 0x75e0359f	1	Fn

Driver (1849)

Operation	Driver	Additional Information	Count	Logfile
Control	\\.\dcrypt	control_code = 0x220040	2	Fn Data
Control	\\.\dcrypt	control_code = 0x22001c	895	Fn Data
Control	\\.\dcrypt	control_code = 0x220060	3	Fn
Control	\\.\dcrypt	control_code = 0x220020	1	Fn Data
Control	\\.\dcrypt	control_code = 0x220058	1	Fn
Control	\\.\GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1)	control_code = 0x70048	1	Fn
Control	\\.\GLOBALROOT\ArcName\multi(0)disk(0)rdisk(0)partition(1)	control_code = 0x2d1080	1	Fn
Control	\\.\PhysicalDrive0	control_code = 0x70000	2	Fn
Control	\\.\PhysicalDrive0	control_code = 0x700a0	2	Fn
Control	\\.\PhysicalDrive0	control_code = 0x70000	1	Fn
Control	\\.\dcrypt	control_code = 0x220028	1	Fn Data
Control	\\.\dcrypt	control_code = 0x220064	2	Fn
Control	\\.\dcrypt	control_code = 0x22003c	43	Fn Data
Control	\\.\dcrypt	control_code = 0x220034	893	Fn Data
Control	\\.\dcrypt	control_code = 0x220034	1	Fn

Keyboard (2)

Operation	Additional Information	Success	Count	Logfile
Get Info	type = KB_CODEPAGE, result_out = 437		2	Fn

System (5)

Operation	Additional Information	Count	Logfile
Get Time	type = System Time, time = 2017-10-25 15:17:46 (UTC)	1	Fn
Get Time	type = Ticks, time = 35365	1	Fn
Get Time	type = Ticks, time = 35412	1	Fn
Get Time	type = Local Time, time = 2017-10-26 02:17:46 (Local Time)	1	Fn
Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn

Environment (5)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		1	Fn Data
Get Environment String	name = ComSpec, result_out = C:\Windows\system32\cmd.exe		4	Fn

Process #56: cmd.exe

(Host: 55, Network: 0)

Information	Value
ID	#56
File Name	c:\windows\syswow64\cmd.exe
Command Line	/c schtasks /Delete /F /TN rhaegal
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:31, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:19

OS Process Information

Information	Value
PID	0x5f8
Parent PID	0x34c (c:\windows\dispci.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT SERVICE\BDESVC (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\BITS (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\CertPropSvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\EapHost (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\hkmsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\IKEEXT (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\iphlpsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\LanmanServer (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\MMCSS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\MSiSCSI (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasAuto (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasMan (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RemoteAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Schedule (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SCPolicySvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SENS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SessionEnv (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SharedAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\ShellHWDetection (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\wercplsupport (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Winmgmt (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\wuauserv (ENABLED_BY_DEFAULT, OWNER) NT AUTHORITY\Logon Session 00000000:0000ce9f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER)
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 638

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x0012ffff	Private Memory	Readable, Writable	Region Actions
imm32.dll	0x00130000	0x0014dfff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000130000	0x00130000	0x001effff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001f0000	0x001f0000	0x001f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000200000	0x00200000	0x00200fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000210000	0x00210000	0x0030ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000310000	0x00310000	0x0041ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000420000	0x00420000	0x005affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005b0000	0x005b0000	0x0070ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000710000	0x00710000	0x00897fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000008a0000	0x008a0000	0x00a20fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000a30000	0x00a30000	0x00d72fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x00d80000	0x0104efff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x4a640000	0x4a68bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74200000	0x74207fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74210000	0x7426bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74270000	0x742aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x755b0000	0x755b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x757e0000	0x757ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x757f0000	0x7584ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75c50000	0x75d3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75da0000	0x75de5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75df0000	0x75efffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76100000	0x7615ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x762a0000	0x7632ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76480000	0x7651cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x77200000	0x772abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x772e0000	0x772f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77300000	0x77309fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x774d0000	0x7756ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x77670000	0x7773bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77790000	0x7788ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077890000	0x77890000	0x77989fff	Private Memory	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077990000	0x77990000	0x77aaefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c90000	0x77e0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

File (10)

Operation	Filename	Additional Information	Count	Logfile
Get Info	C:\Windows\system32	type = file_attributes	1	Fn
Get Info	C:\Windows\System32	type = file_attributes	1	Fn
Open	STD_OUTPUT_HANDLE	-	5	Fn
Open	STD_INPUT_HANDLE	-	3	Fn

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\system32\schtasks.exe	os_pid = 0x72c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL		1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\syswow64\cmd.exe	base_address = 0x4a640000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x75df0000	2	Fn
Get Filename	-	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadUILanguage, address_out = 0x75e1a84f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x75e23b92	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x75e04a5d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x75e1a79d	1	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2017-10-25 15:17:50 (UTC)		1	Fn
Get Time	type = Ticks, time = 39171		1	Fn

Environment (17)

Operation	Additional Information	Count	Logfile
Get Environment String	-	6	Fn Data
Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	2	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	2	Fn
Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Set Environment String	name = COPYCMD	1	Fn
Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Set Environment String	name = =ExitCodeAscii	1	Fn

Process #57: cmd.exe

(Host: 55, Network: 0)

Information	Value
ID	#57
File Name	c:\windows\syswow64\cmd.exe
Command Line	/c schtasks /Delete /F /TN drogon
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:32, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:18

OS Process Information

Information	Value
PID	0x650
Parent PID	0x34c (c:\windows\dispci.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT SERVICE\BDESVC (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\BITS (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\CertPropSvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\EapHost (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\hkmsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\IKEEXT (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\iphlpsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\LanmanServer (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\MMCSS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\MSiSCSI (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasAuto (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasMan (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RemoteAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Schedule (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SCPolicySvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SENS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SessionEnv (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SharedAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\ShellHWDetection (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\wercplsupport (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Winmgmt (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\wuauserv (ENABLED_BY_DEFAULT, OWNER) NT AUTHORITY\Logon Session 00000000:0000ce9f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER)
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 4C4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
imm32.dll	0x00070000	0x0008dfff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000b0000	0x000b0000	0x000effff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x000f0000	0x00156fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000190000	0x00190000	0x0028ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000290000	0x00290000	0x004cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000290000	0x00290000	0x0037ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000290000	0x00290000	0x0034ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000370000	0x00370000	0x0037ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000450000	0x00450000	0x004cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004d0000	0x004d0000	0x0078ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004d0000	0x004d0000	0x00657fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000690000	0x00690000	0x0078ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000790000	0x00790000	0x00910fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000920000	0x00920000	0x00c62fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x00c70000	0x00f3efff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x4a640000	0x4a68bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74200000	0x74207fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74210000	0x7426bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74270000	0x742aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x755b0000	0x755b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x757e0000	0x757ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x757f0000	0x7584ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75c50000	0x75d3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75da0000	0x75de5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75df0000	0x75efffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76100000	0x7615ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x762a0000	0x7632ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76480000	0x7651cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x77200000	0x772abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x772e0000	0x772f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77300000	0x77309fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x774d0000	0x7756ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x77670000	0x7773bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77790000	0x7788ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077890000	0x77890000	0x77989fff	Private Memory	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077990000	0x77990000	0x77aaefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c90000	0x77e0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

File (10)

Operation	Filename	Additional Information	Count	Logfile
Get Info	C:\Windows\system32	type = file_attributes	1	Fn
Get Info	C:\Windows\System32	type = file_attributes	1	Fn
Open	STD_OUTPUT_HANDLE	-	5	Fn
Open	STD_INPUT_HANDLE	-	3	Fn

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\system32\schtasks.exe	os_pid = 0x558, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL		1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\syswow64\cmd.exe	base_address = 0x4a640000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x75df0000	2	Fn
Get Filename	-	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadUILanguage, address_out = 0x75e1a84f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x75e23b92	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x75e04a5d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x75e1a79d	1	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2017-10-25 15:17:51 (UTC)		1	Fn
Get Time	type = Ticks, time = 40622		1	Fn

Environment (17)

Operation	Additional Information	Count	Logfile
Get Environment String	-	6	Fn Data
Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	2	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	2	Fn
Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Set Environment String	name = COPYCMD	1	Fn
Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Set Environment String	name = =ExitCodeAscii	1	Fn

Process #60: cmd.exe

(Host: 55, Network: 0)

Information	Value
ID	#60
File Name	c:\windows\syswow64\cmd.exe
Command Line	/c schtasks /Create /SC ONCE /TN viserion_1 /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:20:00
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:32, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:18

OS Process Information

Information	Value
PID	0x69c
Parent PID	0x34c (c:\windows\dispci.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT SERVICE\BDESVC (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\BITS (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\CertPropSvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\EapHost (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\hkmsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\IKEEXT (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\iphlpsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\LanmanServer (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\MMCSS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\MSiSCSI (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasAuto (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasMan (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RemoteAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Schedule (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SCPolicySvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SENS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SessionEnv (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SharedAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\ShellHWDetection (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\wercplsupport (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Winmgmt (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\wuauserv (ENABLED_BY_DEFAULT, OWNER) NT AUTHORITY\Logon Session 00000000:0000ce9f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER)
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 6B0

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000150000	0x00150000	0x0020ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000230000	0x00230000	0x0032ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000330000	0x00330000	0x004cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000330000	0x00330000	0x0042ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000450000	0x00450000	0x004cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004d0000	0x004d0000	0x006effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000006f0000	0x006f0000	0x00877fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000880000	0x00880000	0x00a00fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000a10000	0x00a10000	0x00d52fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x00d60000	0x0102efff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x4a640000	0x4a68bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74200000	0x74207fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74210000	0x7426bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74270000	0x742aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x755b0000	0x755b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x757e0000	0x757ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x757f0000	0x7584ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75c50000	0x75d3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75da0000	0x75de5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75df0000	0x75efffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76100000	0x7615ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x762a0000	0x7632ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76480000	0x7651cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x77200000	0x772abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x772e0000	0x772f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77300000	0x77309fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x774d0000	0x7756ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x77670000	0x7773bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77790000	0x7788ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077890000	0x77890000	0x77989fff	Private Memory	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077990000	0x77990000	0x77aaefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c90000	0x77e0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

File (10)

Operation	Filename	Additional Information	Count	Logfile
Get Info	C:\Windows\system32	type = file_attributes	1	Fn
Get Info	C:\Windows\System32	type = file_attributes	1	Fn
Open	STD_OUTPUT_HANDLE	-	5	Fn
Open	STD_INPUT_HANDLE	-	3	Fn

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\system32\schtasks.exe	os_pid = 0x684, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL		1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\syswow64\cmd.exe	base_address = 0x4a640000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x75df0000	2	Fn
Get Filename	-	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadUILanguage, address_out = 0x75e1a84f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x75e23b92	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x75e04a5d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x75e1a79d	1	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2017-10-25 15:17:50 (UTC)		1	Fn
Get Time	type = Ticks, time = 39546		1	Fn

Environment (17)

Operation	Additional Information	Count	Logfile
Get Environment String	-	6	Fn Data
Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	2	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	2	Fn
Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Set Environment String	name = COPYCMD	1	Fn
Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Set Environment String	name = =ExitCodeAscii	1	Fn

Process #62: cmd.exe

(Host: 55, Network: 0)

Information	Value
ID	#62
File Name	c:\windows\syswow64\cmd.exe
Command Line	/c schtasks /Delete /F /TN viserion_0
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:32, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:18

OS Process Information

Information	Value
PID	0x6fc
Parent PID	0x34c (c:\windows\dispci.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT SERVICE\BDESVC (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\BITS (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\CertPropSvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\EapHost (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\hkmsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\IKEEXT (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\iphlpsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\LanmanServer (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\MMCSS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\MSiSCSI (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasAuto (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasMan (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RemoteAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Schedule (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SCPolicySvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SENS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SessionEnv (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SharedAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\ShellHWDetection (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\wercplsupport (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Winmgmt (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\wuauserv (ENABLED_BY_DEFAULT, OWNER) NT AUTHORITY\Logon Session 00000000:0000ce9f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER)
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 6F0

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x0012ffff	Private Memory	Readable, Writable	Region Actions
imm32.dll	0x00070000	0x0008dfff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000b0000	0x000b0000	0x0012ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00130000	0x00196fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001d0000	0x001d0000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000210000	0x00210000	0x002cffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000300000	0x00300000	0x003fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x0053ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000540000	0x00540000	0x0063ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000640000	0x00640000	0x007c7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007d0000	0x007d0000	0x00950fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000960000	0x00960000	0x00ca2fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x00cb0000	0x00f7efff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x4a640000	0x4a68bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74200000	0x74207fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74210000	0x7426bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74270000	0x742aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x755b0000	0x755b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x757e0000	0x757ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x757f0000	0x7584ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75c50000	0x75d3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75da0000	0x75de5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75df0000	0x75efffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76100000	0x7615ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x762a0000	0x7632ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76480000	0x7651cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x77200000	0x772abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x772e0000	0x772f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77300000	0x77309fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x774d0000	0x7756ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x77670000	0x7773bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77790000	0x7788ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077890000	0x77890000	0x77989fff	Private Memory	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077990000	0x77990000	0x77aaefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c90000	0x77e0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

File (10)

Operation	Filename	Additional Information	Count	Logfile
Get Info	C:\Windows\system32	type = file_attributes	1	Fn
Get Info	C:\Windows\System32	type = file_attributes	1	Fn
Open	STD_OUTPUT_HANDLE	-	5	Fn
Open	STD_INPUT_HANDLE	-	3	Fn

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\system32\schtasks.exe	os_pid = 0x644, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL		1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\syswow64\cmd.exe	base_address = 0x4a640000	1	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x75df0000	2	Fn
Get Filename	-	process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadUILanguage, address_out = 0x75e1a84f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address_out = 0x75e23b92	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x75e04a5d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x75e1a79d	1	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2017-10-25 15:17:50 (UTC)		1	Fn
Get Time	type = Ticks, time = 39234		1	Fn

Environment (17)

Operation	Additional Information	Count	Logfile
Get Environment String	-	6	Fn Data
Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	2	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	2	Fn
Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Set Environment String	name = COPYCMD	1	Fn
Set Environment String	name = =ExitCode, value = 00000001	1	Fn
Set Environment String	name = =ExitCodeAscii	1	Fn

Process #64: dllhost.exe'

Information	Value
ID	#64
File Name	c:\windows\system32\dllhost.exe
Command Line	C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:34, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:16
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x708
Parent PID	0x25c (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups	XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000ef1e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 740 0x 748 0x 610 0x 73C 0x 760 0x 778 0x 27C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00040000	0x000a6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000b0000	0x000b0000	0x001affff	Private Memory	Readable, Writable	Region Actions
imm32.dll	0x001b0000	0x001d8fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001b0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001c0000	0x001c0000	0x001c0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001d0000	0x001d0000	0x001d0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001e0000	0x001e0000	0x001e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x002effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002f0000	0x002f0000	0x0044ffff	Private Memory	Readable, Writable	Region Actions
rpcss.dll	0x002f0000	0x0036cfff	Memory Mapped File	Readable	Region Actions
rsaenh.dll	0x002f0000	0x00334fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000002f0000	0x002f0000	0x003cefff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000003d0000	0x003d0000	0x003d0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003e0000	0x003e0000	0x003e0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000003f0000	0x003f0000	0x003f1fff	Pagefile Backed Memory	Readable	Region Actions
windowsshell.manifest	0x00400000	0x00400fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000410000	0x00410000	0x00411fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000440000	0x00440000	0x0044ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000490000	0x00490000	0x0058ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000590000	0x00590000	0x00717fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000720000	0x00720000	0x008a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000008b0000	0x008b0000	0x01caffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001d70000	0x01d70000	0x01e6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001eb0000	0x01eb0000	0x01faffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01fb0000	0x0227efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002280000	0x02280000	0x0237ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002400000	0x02400000	0x024fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002500000	0x02500000	0x025fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002640000	0x02640000	0x0273ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002740000	0x02740000	0x0296ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002740000	0x02740000	0x028dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000028f0000	0x028f0000	0x0296ffff	Private Memory	Readable, Writable	Region Actions
ksuser.dll	0x738c0000	0x738c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77c70000	0x77c76fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
dllhost.exe	0xffa30000	0xffa36fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mf.dll	0x7fef4330000	0x7fef4720fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fef6c40000	0x7fef6cdffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
photometadatahandler.dll	0x7fef6e10000	0x7fef6e7afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mfplat.dll	0x7fef72f0000	0x7fef735bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
actxprxy.dll	0x7fef8e20000	0x7fef8f0dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x7fefa7e0000	0x7fefa836fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
thumbcache.dll	0x7fefaf20000	0x7fefaf3efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x7fefb4b0000	0x7fefb4c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
avrt.dll	0x7fefb870000	0x7fefb878fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windowscodecs.dll	0x7fefbd80000	0x7fefbea9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefc320000	0x7fefc375fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefc380000	0x7fefc4abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefc500000	0x7fefc6f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefcbc0000	0x7fefcbcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefcff0000	0x7fefd036fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefd2f0000	0x7fefd306fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefd8f0000	0x7fefd8fefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd9e0000	0x7fefd9f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefdad0000	0x7fefdb3afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefddd0000	0x7fefde98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefdf00000	0x7fefe008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe010000	0x7fefe01dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefe150000	0x7fefe16efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe170000	0x7fefe19dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7fefe320000	0x7feff0a7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x7feff0b0000	0x7feff0b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff340000	0x7feff416fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7feff420000	0x7feff4fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff500000	0x7feff62cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7feff890000	0x7feff928fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7feff9b0000	0x7feffa4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feffa50000	0x7feffc52fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7feffc60000	0x7feffcd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7feffce0000	0x7feffd46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x7feffd50000	0x7feffd9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feffdd0000	0x7feffdd0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd5fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffda000	0x7fffffda000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #65: schtasks.exe

(Host: 25, Network: 0)

Information	Value
ID	#65
File Name	c:\windows\syswow64\schtasks.exe
Command Line	schtasks /Delete /F /TN rhaegal
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:37, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:13

OS Process Information

Information	Value
PID	0x72c
Parent PID	0x5f8 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT SERVICE\BDESVC (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\BITS (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\CertPropSvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\EapHost (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\hkmsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\IKEEXT (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\iphlpsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\LanmanServer (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\MMCSS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\MSiSCSI (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasAuto (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasMan (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RemoteAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Schedule (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SCPolicySvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SENS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SessionEnv (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SharedAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\ShellHWDetection (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\wercplsupport (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Winmgmt (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\wuauserv (ENABLED_BY_DEFAULT, OWNER) NT AUTHORITY\Logon Session 00000000:0000ce9f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER)
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 714 0x 66C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x0003ffff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
imm32.dll	0x000e0000	0x000fdfff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
schtasks.exe.mui	0x00100000	0x00111fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000120000	0x00120000	0x00120fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000130000	0x00130000	0x00130fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x00140fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000150000	0x00150000	0x00150fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000170000	0x00170000	0x001affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000230000	0x00230000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000270000	0x00270000	0x0032ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000330000	0x00330000	0x003affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003b0000	0x003b0000	0x0056ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000570000	0x00570000	0x006f7fff	Pagefile Backed Memory	Readable	Region Actions
schtasks.exe	0x00710000	0x0073dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000740000	0x00740000	0x008c0fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x008d0000	0x00b9efff	Memory Mapped File	Readable	Region Actions
private_0x0000000000bc0000	0x00bc0000	0x00bfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c20000	0x00c20000	0x00c5ffff	Private Memory	Readable, Writable	Region Actions
wow64cpu.dll	0x74200000	0x74207fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74210000	0x7426bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74270000	0x742aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
taskschd.dll	0x75510000	0x7558cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x75590000	0x75598fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ktmw32.dll	0x755a0000	0x755a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x757e0000	0x757ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x757f0000	0x7584ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75c50000	0x75d3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75d40000	0x75d96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75da0000	0x75de5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75df0000	0x75efffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76100000	0x7615ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x761e0000	0x76262fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x762a0000	0x7632ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76480000	0x7651cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76520000	0x765aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x77200000	0x772abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x772e0000	0x772f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77300000	0x77309fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x77370000	0x774cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x774d0000	0x7756ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x77670000	0x7773bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77790000	0x7788ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077890000	0x77890000	0x77989fff	Private Memory	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077990000	0x77990000	0x77aaefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c90000	0x77e0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

COM (3)

Operation	Class	Interface	Additional Information	Count	Logfile
Create	TaskScheduler	ITaskService	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
Execute	TaskScheduler	ITaskService	method_name = Connect	1	Fn
Execute	TaskScheduler	ITaskService	method_name = GetFolder, path = 0, new_interface = ITaskFolder	1	Fn

File (5)

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	3	Fn
Write	STD_OUTPUT_HANDLE	size = 64	1	Fn Data

Module (14)

Operation	Module	Additional Information	Count	Logfile
Load	VERSION.dll	base_address = 0x75590000	1	Fn
Load	API-MS-WIN-Service-Management-L1-1-0.dll	base_address = 0x772e0000	1	Fn
Load	API-MS-WIN-Service-winsvc-L1-1-0.dll	base_address = 0x772e0000	1	Fn
Get Handle	c:\windows\syswow64\schtasks.exe	base_address = 0x710000	1	Fn
Get Filename	-	process_name = c:\windows\syswow64\schtasks.exe, file_name_orig = C:\Windows\SysWOW64\schtasks.exe, size = 260	2	Fn
Get Address	c:\windows\syswow64\version.dll	function = GetFileVersionInfoSizeW, address_out = 0x755919d9	1	Fn
Get Address	c:\windows\syswow64\version.dll	function = GetFileVersionInfoW, address_out = 0x755919f4	1	Fn
Get Address	c:\windows\syswow64\version.dll	function = VerQueryValueW, address_out = 0x75591b51	1	Fn
Get Address	c:\windows\syswow64\sechost.dll	function = OpenSCManagerW, address_out = 0x772e63ad	1	Fn
Get Address	c:\windows\syswow64\sechost.dll	function = OpenServiceW, address_out = 0x772e714b	1	Fn
Get Address	c:\windows\syswow64\sechost.dll	function = QueryServiceStatus, address_out = 0x772e4e4b	1	Fn
Get Address	c:\windows\syswow64\sechost.dll	function = CloseServiceHandle, address_out = 0x772e4dc3	2	Fn

Service (3)

Operation	Additional Information	Count	Logfile
Get Info	service_name = Schedule	1	Fn
Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2017-10-25 15:17:54 (UTC)		1	Fn
Get Time	type = Ticks, time = 43009		1	Fn

Process #66: schtasks.exe

(Host: 23, Network: 0)

Information	Value
ID	#66
File Name	c:\windows\syswow64\schtasks.exe
Command Line	schtasks /Create /SC ONCE /TN viserion_1 /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:20:00
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:37, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:13

OS Process Information

Information	Value
PID	0x684
Parent PID	0x69c (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT SERVICE\BDESVC (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\BITS (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\CertPropSvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\EapHost (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\hkmsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\IKEEXT (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\iphlpsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\LanmanServer (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\MMCSS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\MSiSCSI (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasAuto (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasMan (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RemoteAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Schedule (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SCPolicySvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SENS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SessionEnv (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SharedAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\ShellHWDetection (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\wercplsupport (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Winmgmt (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\wuauserv (ENABLED_BY_DEFAULT, OWNER) NT AUTHORITY\Logon Session 00000000:0000ce9f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER)
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 674 0x 540

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
imm32.dll	0x000e0000	0x000fdfff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
schtasks.exe.mui	0x000f0000	0x00101fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x001cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x00150fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000160000	0x00160000	0x00160fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000170000	0x00170000	0x00170fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000180000	0x00180000	0x00180fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000230000	0x00230000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000270000	0x00270000	0x0032ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000340000	0x00340000	0x0037ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003a0000	0x003a0000	0x0041ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004f0000	0x004f0000	0x0052ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000550000	0x00550000	0x0064ffff	Private Memory	Readable, Writable	Region Actions
schtasks.exe	0x00710000	0x0073dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000740000	0x00740000	0x008c7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000008d0000	0x008d0000	0x00a50fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x00a60000	0x00d2efff	Memory Mapped File	Readable	Region Actions
wow64cpu.dll	0x74200000	0x74207fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74210000	0x7426bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74270000	0x742aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
xmllite.dll	0x754e0000	0x7550efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
taskschd.dll	0x75510000	0x7558cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x75590000	0x75598fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ktmw32.dll	0x755a0000	0x755a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x757e0000	0x757ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x757f0000	0x7584ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75c50000	0x75d3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75d40000	0x75d96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75da0000	0x75de5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75df0000	0x75efffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76100000	0x7615ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x761e0000	0x76262fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x762a0000	0x7632ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76480000	0x7651cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76520000	0x765aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x77200000	0x772abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x772e0000	0x772f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77300000	0x77309fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x77370000	0x774cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x774d0000	0x7756ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x77670000	0x7773bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77790000	0x7788ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077890000	0x77890000	0x77989fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000077990000	0x77990000	0x77aaefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c90000	0x77e0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

COM (8)

Operation	Class	Interface	Additional Information	Count	Logfile
Create	TaskScheduler	ITaskService	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
Execute	TaskScheduler	ITaskService	method_name = Connect, user = 1371624, domain = 7444814, password = 1	1	Fn
Execute	TaskScheduler	ITaskService	method_name = GetFolder, path = 0, new_interface = ITaskFolder	1	Fn
Execute	TaskScheduler	ITaskService	method_name = NewTask, new_interface = ITaskDefinition	1	Fn
Execute	TaskScheduler	ITaskDefinition	method_name = get_Actions, new_interface = IActionCollection	1	Fn
Execute	TaskScheduler	ITaskDefinition	method_name = get_Triggers, new_interface = ITriggerCollection	1	Fn
Execute	TaskScheduler	ITriggerCollection	method_name = Create, type = TASK_TRIGGER_TIME, new_interface = IDailyTrigger	1	Fn
Execute	TaskScheduler	IDailyTrigger	method_name = put_StartBoundary, start_boundary = 2017-10-26T02:20:00	1	Fn

File (5)

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	3	Fn
Write	STD_OUTPUT_HANDLE	size = 72	1	Fn Data

Module (11)

Operation	Module	Additional Information	Count	Logfile
Load	VERSION.dll	base_address = 0x75590000	1	Fn
Load	ADVAPI32.dll	base_address = 0x774d0000	1	Fn
Load	API-MS-Win-Security-SDDL-L1-1-0.dll	base_address = 0x772e0000	1	Fn
Get Handle	c:\windows\syswow64\schtasks.exe	base_address = 0x710000	1	Fn
Get Filename	-	process_name = c:\windows\syswow64\schtasks.exe, file_name_orig = C:\Windows\SysWOW64\schtasks.exe, size = 260	2	Fn
Get Address	c:\windows\syswow64\version.dll	function = GetFileVersionInfoSizeW, address_out = 0x755919d9	1	Fn
Get Address	c:\windows\syswow64\version.dll	function = GetFileVersionInfoW, address_out = 0x755919f4	1	Fn
Get Address	c:\windows\syswow64\version.dll	function = VerQueryValueW, address_out = 0x75591b51	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = GetUserNameW, address_out = 0x774e157a	1	Fn
Get Address	c:\windows\syswow64\sechost.dll	function = ConvertSidToStringSidW, address_out = 0x772ea901	1	Fn

System (5)

Operation	Additional Information	Count	Logfile
Get Time	type = System Time, time = 2017-10-25 15:17:55 (UTC)	1	Fn
Get Time	type = Ticks, time = 44585	1	Fn
Get Time	type = Local Time, time = 2017-10-26 02:17:57 (Local Time)	2	Fn
Get Time	type = Local Time, time = 2017-10-26 02:17:59 (Local Time)	1	Fn

Process #67: schtasks.exe

(Host: 25, Network: 0)

Information	Value
ID	#67
File Name	c:\windows\syswow64\schtasks.exe
Command Line	schtasks /Delete /F /TN drogon
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:38, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:12

OS Process Information

Information	Value
PID	0x558
Parent PID	0x650 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT SERVICE\BDESVC (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\BITS (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\CertPropSvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\EapHost (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\hkmsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\IKEEXT (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\iphlpsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\LanmanServer (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\MMCSS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\MSiSCSI (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasAuto (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasMan (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RemoteAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Schedule (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SCPolicySvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SENS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SessionEnv (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SharedAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\ShellHWDetection (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\wercplsupport (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Winmgmt (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\wuauserv (ENABLED_BY_DEFAULT, OWNER) NT AUTHORITY\Logon Session 00000000:0000ce9f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER)
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 670 0x 628

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
imm32.dll	0x00070000	0x0008dfff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable, Writable	Region Actions
schtasks.exe.mui	0x00080000	0x00091fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000000a0000	0x000a0000	0x000a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000b0000	0x000b0000	0x000b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000c0000	0x000c0000	0x0013ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x00140fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000150000	0x00150000	0x00150fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000190000	0x00190000	0x001cffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x001d0000	0x00236fff	Memory Mapped File	Readable	Region Actions
private_0x00000000002a0000	0x002a0000	0x002dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002e0000	0x002e0000	0x0042ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000430000	0x00430000	0x0060ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000430000	0x00430000	0x005b7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000600000	0x00600000	0x0060ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000610000	0x00610000	0x006cffff	Pagefile Backed Memory	Readable	Region Actions
schtasks.exe	0x00710000	0x0073dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000740000	0x00740000	0x008c0fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x008d0000	0x00b9efff	Memory Mapped File	Readable	Region Actions
private_0x0000000000c30000	0x00c30000	0x00c6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c90000	0x00c90000	0x00ccffff	Private Memory	Readable, Writable	Region Actions
wow64cpu.dll	0x74200000	0x74207fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74210000	0x7426bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74270000	0x742aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
taskschd.dll	0x75510000	0x7558cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x75590000	0x75598fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ktmw32.dll	0x755a0000	0x755a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x757e0000	0x757ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x757f0000	0x7584ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75c50000	0x75d3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75d40000	0x75d96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75da0000	0x75de5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75df0000	0x75efffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76100000	0x7615ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x761e0000	0x76262fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x762a0000	0x7632ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76480000	0x7651cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76520000	0x765aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x77200000	0x772abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x772e0000	0x772f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77300000	0x77309fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x77370000	0x774cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x774d0000	0x7756ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x77670000	0x7773bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77790000	0x7788ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77890000	0x77989fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077890000	0x77890000	0x77989fff	Private Memory	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077990000	0x77990000	0x77aaefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c90000	0x77e0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

COM (3)

Operation	Class	Interface	Additional Information	Count	Logfile
Create	TaskScheduler	ITaskService	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
Execute	TaskScheduler	ITaskService	method_name = Connect	1	Fn
Execute	TaskScheduler	ITaskService	method_name = GetFolder, path = 0, new_interface = ITaskFolder	1	Fn

File (5)

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Open	STD_OUTPUT_HANDLE	-	3	Fn
Write	STD_OUTPUT_HANDLE	size = 63	1	Fn Data

Module (14)

Operation	Module	Additional Information	Count	Logfile
Load	VERSION.dll	base_address = 0x75590000	1	Fn
Load	API-MS-WIN-Service-Management-L1-1-0.dll	base_address = 0x772e0000	1	Fn
Load	API-MS-WIN-Service-winsvc-L1-1-0.dll	base_address = 0x772e0000	1	Fn
Get Handle	c:\windows\syswow64\schtasks.exe	base_address = 0x710000	1	Fn
Get Filename	-	process_name = c:\windows\syswow64\schtasks.exe, file_name_orig = C:\Windows\SysWOW64\schtasks.exe, size = 260	2	Fn
Get Address	c:\windows\syswow64\version.dll	function = GetFileVersionInfoSizeW, address_out = 0x755919d9	1	Fn
Get Address	c:\windows\syswow64\version.dll	function = GetFileVersionInfoW, address_out = 0x755919f4	1	Fn
Get Address	c:\windows\syswow64\version.dll	function = VerQueryValueW, address_out = 0x75591b51	1	Fn
Get Address	c:\windows\syswow64\sechost.dll	function = OpenSCManagerW, address_out = 0x772e63ad	1	Fn
Get Address	c:\windows\syswow64\sechost.dll	function = OpenServiceW, address_out = 0x772e714b	1	Fn
Get Address	c:\windows\syswow64\sechost.dll	function = QueryServiceStatus, address_out = 0x772e4e4b	1	Fn
Get Address	c:\windows\syswow64\sechost.dll	function = CloseServiceHandle, address_out = 0x772e4dc3	2	Fn

Service (3)

Operation	Additional Information	Count	Logfile
Get Info	service_name = Schedule	1	Fn
Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2017-10-25 15:17:55 (UTC)		1	Fn
Get Time	type = Ticks, time = 43898		1	Fn

Process #68: schtasks.exe

(Host: 30, Network: 0)

Information	Value
ID	#68
File Name	c:\windows\syswow64\schtasks.exe
Command Line	schtasks /Delete /F /TN viserion_0
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:38, Reason: Child Process
Unmonitor	End Time: 00:01:50, Reason: Terminated by Timeout
Monitor Duration	00:00:12

OS Process Information

Information	Value
PID	0x644
Parent PID	0x6fc (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	System (Elevated)
Username	NT AUTHORITY\SYSTEM
Groups	Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT SERVICE\BDESVC (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\BITS (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\CertPropSvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\EapHost (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\hkmsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\IKEEXT (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\iphlpsvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\LanmanServer (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\MMCSS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\MSiSCSI (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasAuto (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RasMan (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\RemoteAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Schedule (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SCPolicySvc (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SENS (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\SessionEnv (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\SharedAccess (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\ShellHWDetection (ENABLED_BY_DEFAULT, ENABLED, OWNER) NT SERVICE\wercplsupport (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\Winmgmt (ENABLED_BY_DEFAULT, OWNER) NT SERVICE\wuauserv (ENABLED_BY_DEFAULT, OWNER) NT AUTHORITY\Logon Session 00000000:0000ce9f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER)
Enabled Privileges	SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs	0x 664 0x 450

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x000affff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x000b0000	0x00116fff	Memory Mapped File	Readable	Region Actions
imm32.dll	0x00120000	0x0013dfff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000120000	0x00120000	0x001dffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001e0000	0x001e0000	0x001e1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x0022ffff	Private Memory	Readable, Writable	Region Actions
schtasks.exe.mui	0x00230000	0x00241fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000260000	0x00260000	0x00260fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000270000	0x00270000	0x00270fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000280000	0x00280000	0x00280fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000310000	0x00310000	0x0038ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003a0000	0x003a0000	0x003dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000430000	0x00430000	0x0046ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000470000	0x00470000	0x0056ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000570000	0x00570000	0x0069ffff	Private Memory	Readable, Writable	Region Actions
kernelbase.dll.mui	0x00570000	0x0062ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000690000	0x00690000	0x0069ffff	Private Memory	Readable, Writable	Region Actions
schtasks.exe	0x00710000	0x0073dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000740000	0x00740000	0x008c7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000008d0000	0x008d0000	0x00a50fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x00a60000	0x00d2efff	Memory Mapped File	Readable	Region Actions
wow64cpu.dll	0x74200000	0x74207fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74210000	0x7426bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74270000	0x742aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
taskschd.dll	0x75510000	0x7558cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x75590000	0x75598fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ktmw32.dll	0x755a0000	0x755a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x757e0000	0x757ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x757f0000	0x7584ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75c50000	0x75d3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x75d40000	0x75d96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75da0000	0x75de5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75df0000	0x75efffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76100000	0x7615ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x761e0000	0x76262fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x762a0000	0x7632ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76480000	0x7651cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76520000	0x765aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x77200000	0x772abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x772e0000	0x772f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77300000	0x77309fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x77370000	0x774cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x774d0000	0x7756ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x77670000	0x7773bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x77790000	0x7788ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077890000	0x77890000	0x77989fff	Private Memory	Readable, Writable, Executable	Region Actions
kernel32.dll	0x77990000	0x77aaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77ab0000	0x77c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77c90000	0x77e0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Host Behavior

COM (3)

Operation	Class	Interface	Additional Information	Count	Logfile
Create	TaskScheduler	ITaskService	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
Execute	TaskScheduler	ITaskService	method_name = Connect	1	Fn
Execute	TaskScheduler	ITaskService	method_name = GetFolder, path = 0, new_interface = ITaskFolder	1	Fn

File (10)

Operation	Filename	Additional Information	Count	Logfile
Get Info	STD_ERROR_HANDLE	type = file_type	2	Fn
Open	STD_ERROR_HANDLE	-	6	Fn
Write	STD_ERROR_HANDLE	size = 7	1	Fn Data
Write	STD_ERROR_HANDLE	size = 44	1	Fn Data

Module (14)

Operation	Module	Additional Information	Count	Logfile
Load	VERSION.dll	base_address = 0x75590000	1	Fn
Load	API-MS-WIN-Service-Management-L1-1-0.dll	base_address = 0x772e0000	1	Fn
Load	API-MS-WIN-Service-winsvc-L1-1-0.dll	base_address = 0x772e0000	1	Fn
Get Handle	c:\windows\syswow64\schtasks.exe	base_address = 0x710000	1	Fn
Get Filename	-	process_name = c:\windows\syswow64\schtasks.exe, file_name_orig = C:\Windows\SysWOW64\schtasks.exe, size = 260	2	Fn
Get Address	c:\windows\syswow64\version.dll	function = GetFileVersionInfoSizeW, address_out = 0x755919d9	1	Fn
Get Address	c:\windows\syswow64\version.dll	function = GetFileVersionInfoW, address_out = 0x755919f4	1	Fn
Get Address	c:\windows\syswow64\version.dll	function = VerQueryValueW, address_out = 0x75591b51	1	Fn
Get Address	c:\windows\syswow64\sechost.dll	function = OpenSCManagerW, address_out = 0x772e63ad	1	Fn
Get Address	c:\windows\syswow64\sechost.dll	function = OpenServiceW, address_out = 0x772e714b	1	Fn
Get Address	c:\windows\syswow64\sechost.dll	function = QueryServiceStatus, address_out = 0x772e4e4b	1	Fn
Get Address	c:\windows\syswow64\sechost.dll	function = CloseServiceHandle, address_out = 0x772e4dc3	2	Fn

Service (3)

Operation	Additional Information	Count	Logfile
Get Info	service_name = Schedule	1	Fn
Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2017-10-25 15:17:56 (UTC)		1	Fn
Get Time	type = Ticks, time = 45521		1	Fn