Cerber Ransomware | Grouped Behavior
Monitored Processes
Behavior Information - Grouped by Category
Process #1: 199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe
(Host: 548, Network: 0)
Information Value
ID #1
File Name c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe
Command Line "C:\Users\hJrD1KOKY DS8lUjv\Desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe"
Initial Working Directory C:\Users\hJrD1KOKY DS8lUjv\Desktop
Monitor Start Time: 00:00:26, Reason: Analysis Target
Unmonitor End Time: 00:00:46, Reason: Terminated
Monitor Duration 00:00:20
OS Process Information
Information Value
PID 0x9c4
Parent PID 0x2f8 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username 1R6PFH\hJrD1KOKY DS8lUjv
Groups
  • 1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000e04f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9C8, 0x9D4, 0x9D8
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match |
|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable | True | False | False |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable | True | False | False |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable | True | False | False |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable | True | False | False |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable | True | False | False |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a1fff | Pagefile Backed Memory | Readable | True | False | False |
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | Readable, Writable | True | False | False |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Pagefile Backed Memory | Readable | True | False | False |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Pagefile Backed Memory | Readable | True | False | False |
| pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Pagefile Backed Memory | Readable | True | False | False |
| setupapi.dll.mui | 0x001f0000 | 0x001fcfff | Memory Mapped File | Readable, Writable | False | False | False |
| pagefile_0x0000000000200000 | 0x00200000 | 0x00200fff | Pagefile Backed Memory | Readable | True | False | False |
| private_0x0000000000210000 | 0x00210000 | 0x0028ffff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | Readable, Writable | True | False | False |
| cversions.1.db | 0x002d0000 | 0x002d3fff | Memory Mapped File | Readable | True | False | False |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d2fff | Pagefile Backed Memory | Readable | True | False | False |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002d2fff | Pagefile Backed Memory | Readable | True | False | False |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002dbfff | Pagefile Backed Memory | Readable | True | False | False |
| pagefile_0x00000000002d0000 | 0x002d0000 | 0x002dbfff | Pagefile Backed Memory | Readable | True | False | False |
| underglaze.dll | 0x002d0000 | 0x002defff | Memory Mapped File | Readable, Writable, Executable | True | True | False |
| pagefile_0x00000000002e0000 | 0x002e0000 | 0x002e0fff | Pagefile Backed Memory | Readable, Writable | True | False | False |
| private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | Readable, Writable | True | False | False |
| private_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Private Memory | Readable, Writable | True | False | False |
| 199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe | 0x00400000 | 0x0042dfff | Memory Mapped File | Readable, Writable, Executable | True | True | False |
| locale.nls | 0x00430000 | 0x00496fff | Memory Mapped File | Readable | False | False | False |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000c.db | 0x004a0000 | 0x004c3fff | Memory Mapped File | Readable | True | False | False |
| private_0x00000000004d0000 | 0x004d0000 | 0x0050ffff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000000540000 | 0x00540000 | 0x0054ffff | Private Memory | Readable, Writable | True | False | False |
| pagefile_0x0000000000550000 | 0x00550000 | 0x006d7fff | Pagefile Backed Memory | Readable | True | False | False |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x00860fff | Pagefile Backed Memory | Readable | True | False | False |
| pagefile_0x0000000000870000 | 0x00870000 | 0x01c6ffff | Pagefile Backed Memory | Readable | True | False | False |
| private_0x0000000001c70000 | 0x01c70000 | 0x01e3ffff | Private Memory | Readable, Writable | True | False | False |
| pagefile_0x0000000001c70000 | 0x01c70000 | 0x01d4efff | Pagefile Backed Memory | Readable | True | False | False |
| private_0x0000000001e00000 | 0x01e00000 | 0x01e3ffff | Private Memory | Readable, Writable | True | False | False |
| sortdefault.nls | 0x01e40000 | 0x0210efff | Memory Mapped File | Readable | False | False | False |
| private_0x0000000002110000 | 0x02110000 | 0x0220ffff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000002210000 | 0x02210000 | 0x02310fff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000002210000 | 0x02210000 | 0x02310fff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000002210000 | 0x02210000 | 0x02310fff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000002210000 | 0x02210000 | 0x02310fff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000002210000 | 0x02210000 | 0x0230ffff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000002310000 | 0x02310000 | 0x02410fff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000002310000 | 0x02310000 | 0x02410fff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000002310000 | 0x02310000 | 0x02410fff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000002310000 | 0x02310000 | 0x02b10fff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000002b20000 | 0x02b20000 | 0x02c6ffff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000002b20000 | 0x02b20000 | 0x02bd0fff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000002c60000 | 0x02c60000 | 0x02c6ffff | Private Memory | Readable, Writable | True | False | False |
| system.dll | 0x10000000 | 0x10005fff | Memory Mapped File | Readable, Writable, Executable | True | True | False |
| uxtheme.dll | 0x74910000 | 0x7498ffff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| wow64win.dll | 0x749a0000 | 0x749fbfff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| wow64.dll | 0x74a00000 | 0x74a3efff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| ntmarta.dll | 0x74c70000 | 0x74c90fff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| propsys.dll | 0x74ca0000 | 0x74d94fff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| shfolder.dll | 0x74da0000 | 0x74da4fff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| version.dll | 0x74db0000 | 0x74db8fff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| comctl32.dll | 0x74dc0000 | 0x74f5dfff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| wow64cpu.dll | 0x75060000 | 0x75067fff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| cryptbase.dll | 0x75090000 | 0x7509bfff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| sspicli.dll | 0x750a0000 | 0x750fffff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| lpk.dll | 0x75100000 | 0x75109fff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| sechost.dll | 0x75110000 | 0x75128fff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| devobj.dll | 0x75130000 | 0x75141fff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| advapi32.dll | 0x75150000 | 0x751effff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| shell32.dll | 0x75200000 | 0x75e49fff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| ole32.dll | 0x75e50000 | 0x75fabfff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| shlwapi.dll | 0x75fb0000 | 0x76006fff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| usp10.dll | 0x76050000 | 0x760ecfff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| gdi32.dll | 0x760f0000 | 0x7617ffff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| msctf.dll | 0x76180000 | 0x7624bfff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| oleaut32.dll | 0x76360000 | 0x763eefff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| rpcrt4.dll | 0x763f0000 | 0x764dffff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| imm32.dll | 0x764e0000 | 0x7653ffff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| msvcrt.dll | 0x76540000 | 0x765ebfff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| user32.dll | 0x765f0000 | 0x766effff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| kernel32.dll | 0x76bb0000 | 0x76cbffff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| setupapi.dll | 0x76d50000 | 0x76eecfff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| kernelbase.dll | 0x76fe0000 | 0x77025fff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| cfgmgr32.dll | 0x77030000 | 0x77056fff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| wldap32.dll | 0x77060000 | 0x770a4fff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| clbcatq.dll | 0x770b0000 | 0x77132fff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| private_0x0000000077140000 | 0x77140000 | 0x77239fff | Private Memory | Readable, Writable, Executable | True | False | False |
| private_0x0000000077240000 | 0x77240000 | 0x7735efff | Private Memory | Readable, Writable, Executable | True | False | False |
| ntdll.dll | 0x77360000 | 0x77508fff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| ntdll.dll | 0x77540000 | 0x776bffff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable | True | False | False |
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable | True | False | False |
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable | True | False | False |
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable | True | False | False |
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable | True | False | False |
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable | True | False | False |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable | True | False | False |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable | True | False | False |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | True | False | False |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | True | False | False |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable | True | False | False |
Created Files
| Filename | File Size | MD5 | SHA1 | SHA256 | YARA Match |
|---|---|---|---|---|---|
| c:\users\hjrd1k~1\appdata\local\temp\nsc1ab0.tmp | 0.00 KB (0 bytes) | d41d8cd98f00b204e9800998ecf8427e | da39a3ee5e6b4b0d3255bfef95601890afd80709 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | False |
| c:\users\hjrd1k~1\appdata\local\temp\nss1ac1.tmp | 0.00 KB (0 bytes) | d41d8cd98f00b204e9800998ecf8427e | da39a3ee5e6b4b0d3255bfef95601890afd80709 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | False |
| c:\users\hjrd1k~1\appdata\local\temp\nsx1ae1.tmp | 0.00 KB (0 bytes) | d41d8cd98f00b204e9800998ecf8427e | da39a3ee5e6b4b0d3255bfef95601890afd80709 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | False |
| c:\users\hjrd1k~1\appdata\local\temp\nsx1ae1.tmp\system.dll | 11.00 KB (11264 bytes) | b8992e497d57001ddf100f9c397fcef5 | e26ddf101a2ec5027975d2909306457c6f61cfbd | 98bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b | False |
| c:\users\hjrd1k~1\appdata\local\temp\weltprostatectomy | 194.13 KB (198787 bytes) | 3ea29ee46b72c64cc3c76754a857f76b | e4cdc788eb40ee773908427e4a0d7c0be7aaf3ea | d541518a91d01e36975affe36768723b47e566567c9f067343551e48c52e66fd | False |
| c:\users\hjrd1k~1\appdata\local\temp\underglaze.dll | 46.50 KB (47616 bytes) | c28cf21b99b9df891a73ac7f066b9258 | 77d569d08a04ede2e0501538ccaeedf3bb54116e | 1c48c706b99f5985c608df7e1d347536758436500d81ac928cc8443020ee9f6b | False |
Host Behavior
File (203)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| CREATE | c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_ARCHIVE | True | 1 | Fn |
| CREATE | c:\users\hjrd1k~1\appdata\local\temp\nss1ac1.tmp | desired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_TEMPORARY, FILE_FLAG_DELETE_ON_CLOSE | True | 1 | Fn |
| CREATE | c:\users\hjrd1k~1\appdata\local\temp\nsx1ae1.tmp\system.dll | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_NEW | True | 1 | Fn |
| CREATE | c:\users\hjrd1k~1\appdata\local\temp\nsx1ae1.tmp\system.dll | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_NEW, file_attributes = FILE_ATTRIBUTE_ARCHIVE, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED | False | 7 | Fn |
| CREATE | c:\users\hjrd1k~1\appdata\local\temp\weltprostatectomy | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS | True | 1 | Fn |
| CREATE | c:\users\hjrd1k~1\appdata\local\temp\underglaze.dll | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS | True | 1 | Fn |
| CREATE | c:\users\hjrd1k~1\appdata\local\temp\weltprostatectomy | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_DIRECTORY, FILE_ATTRIBUTE_DEVICE | True | 1 | Fn |
| CREATE_DIR | c:\users\hjrd1k~1\appdata\local\temp | | False | 1 | Fn |
| CREATE_DIR | c:\users | | False | 2 | Fn |
| CREATE_DIR | c:\users\hjrd1k~1 | | False | 2 | Fn |
| CREATE_DIR | c:\users\hjrd1k~1\appdata | | False | 2 | Fn |
| CREATE_DIR | c:\users\hjrd1k~1\appdata\local | | False | 2 | Fn |
| CREATE_DIR | c:\users\hjrd1k~1\appdata\local\temp | | False | 2 | Fn |
| CREATE_DIR | c:\users\hjrd1k~1\appdata\local\temp\nsx1ae1.tmp | | True | 1 | Fn |
| CREATE_TMPFILE | c:\users\hjrd1k~1\appdata\local\temp\nsc1ab0.tmp | path = C:\Users\HJRD1K~1\AppData\Local\Temp\, prefix = nsc | True | 1 | Fn |
| CREATE_TMPFILE | c:\users\hjrd1k~1\appdata\local\temp\nss1ac1.tmp | path = C:\Users\HJRD1K~1\AppData\Local\Temp\, prefix = nss | True | 1 | Fn |
| CREATE_TMPFILE | c:\users\hjrd1k~1\appdata\local\temp\nsx1ae1.tmp | path = C:\Users\HJRD1K~1\AppData\Local\Temp, prefix = nsx | True | 1 | Fn |
| OPEN | STD_INPUT_HANDLE | | True | 1 | Fn |
| OPEN | STD_OUTPUT_HANDLE | | True | 1 | Fn |
| OPEN | STD_ERROR_HANDLE | | True | 1 | Fn |
| READ | c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe | size = 512 | True | 66 | Fn, Data |
| READ | c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe | size = 32768 | True | 7 | Fn, Data |
| READ | c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe | size = 4813 | True | 1 | Fn, Data |
| READ | c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe | size = 4 | True | 1 | Fn, Data |
| READ | c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe | size = 16384 | True | 14 | Fn, Data |
| READ | c:\users\hjrd1k~1\appdata\local\temp\nss1ac1.tmp | size = 4 | True | 4 | Fn, Data |
| READ | c:\users\hjrd1k~1\appdata\local\temp\nss1ac1.tmp | size = 7450 | True | 1 | Fn, Data |
| READ | c:\users\hjrd1k~1\appdata\local\temp\nss1ac1.tmp | size = 11264 | True | 1 | Fn, Data |
| READ | c:\users\hjrd1k~1\appdata\local\temp\nss1ac1.tmp | size = 16384 | True | 14 | Fn, Data |
| READ | c:\users\hjrd1k~1\appdata\local\temp\nss1ac1.tmp | size = 2179 | True | 1 | Fn, Data |
| READ | c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe | size = 5297 | True | 1 | Fn, Data |
| READ | c:\users\hjrd1k~1\appdata\local\temp\nss1ac1.tmp | size = 14848 | True | 1 | Fn, Data |
| READ | STD_OUTPUT_HANDLE | size = 198787 | True | 1 | Fn, Data |
| WRITE | c:\users\hjrd1k~1\appdata\local\temp\nss1ac1.tmp | size = 32768 | True | 1 | Fn, Data |
| WRITE | c:\users\hjrd1k~1\appdata\local\temp\nss1ac1.tmp | size = 910 | True | 1 | Fn, Data |
| WRITE | c:\users\hjrd1k~1\appdata\local\temp\nsx1ae1.tmp\system.dll | size = 11264 | True | 1 | Fn, Data |
| WRITE | c:\users\hjrd1k~1\appdata\local\temp\nss1ac1.tmp | size = 16163 | True | 3 | Fn, Data |
| WRITE | c:\users\hjrd1k~1\appdata\local\temp\nss1ac1.tmp | size = 16174 | True | 1 | Fn, Data |
| WRITE | c:\users\hjrd1k~1\appdata\local\temp\nss1ac1.tmp | size = 16153 | True | 1 | Fn, Data |
| WRITE | c:\users\hjrd1k~1\appdata\local\temp\nss1ac1.tmp | size = 16170 | True | 1 | Fn, Data |
| WRITE | c:\users\hjrd1k~1\appdata\local\temp\nss1ac1.tmp | size = 16157 | True | 1 | Fn, Data |
| WRITE | c:\users\hjrd1k~1\appdata\local\temp\nss1ac1.tmp | size = 16168 | True | 1 | Fn, Data |
| WRITE | c:\users\hjrd1k~1\appdata\local\temp\nss1ac1.tmp | size = 16154 | True | 1 | Fn, Data |
| WRITE | c:\users\hjrd1k~1\appdata\local\temp\nss1ac1.tmp | size = 16175 | True | 1 | Fn, Data |
| WRITE | c:\users\hjrd1k~1\appdata\local\temp\nss1ac1.tmp | size = 16167 | True | 1 | Fn, Data |
| WRITE | c:\users\hjrd1k~1\appdata\local\temp\nss1ac1.tmp | size = 17105 | True | 1 | Fn, Data |
| WRITE | STD_OUTPUT_HANDLE | size = 16384 | True | 14 | Fn, Data |
| WRITE | STD_OUTPUT_HANDLE | size = 2179 | True | 1 | Fn, Data |
| WRITE | c:\users\hjrd1k~1\appdata\local\temp\nss1ac1.tmp | size = 28527 | True | 1 | Fn, Data |
| WRITE | c:\users\hjrd1k~1\appdata\local\temp\nss1ac1.tmp | size = 17748 | True | 1 | Fn, Data |
| WRITE | STD_OUTPUT_HANDLE | size = 14848 | True | 1 | Fn, Data |
| FIND | C:\Users\hJrD1KOKY DS8lUjv\Desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe | | True | 1 | Fn |
| FIND | C:\Users\HJRD1K~1\AppData\Local\Temp\nsx1AE1.tmp | | True | 1 | Fn |
| FIND | C:\Users | | True | 2 | Fn |
| FIND | C:\Users\HJRD1K~1 | | True | 2 | Fn |
| FIND | C:\Users\HJRD1K~1\AppData | | True | 2 | Fn |
| FIND | C:\Users\HJRD1K~1\AppData\Local | | True | 2 | Fn |
| FIND | C:\Users\HJRD1K~1\AppData\Local\Temp | | True | 2 | Fn |
| FIND | C:\Users\HJRD1K~1\AppData\Local\Temp\nsx1AE1.tmp\System.dll | | False | 1 | Fn |
| FIND | C:\Users\HJRD1K~1\AppData\Local\Temp\nsx1AE1.tmp\System.dll | | True | 7 | Fn |
| FIND | C:\Users\HJRD1K~1\AppData\Local\Temp\WeltProstatectomy | | False | 2 | Fn |
| FIND | C:\Users\HJRD1K~1\AppData\Local\Temp\underglaze.dll | | False | 2 | Fn |
| DELETE | c:\users\hjrd1k~1\appdata\local\temp\nsc1ab0.tmp | | True | 1 | Fn |
| DELETE | c:\users\hjrd1k~1\appdata\local\temp\nsx1ae1.tmp | | True | 1 | Fn |
Process (2)
| Operation | Process Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| CREATE | "C:\Users\hJrD1KOKY DS8lUjv\Desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe" | os_tid = 0x9e4, os_pid = 0x9e0, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE | True | 1 | Fn |
| SET_CURDIR | c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe | os_pid = 0x9c4, new_path_name = c:\users\hjrd1k~1\appdata\local\temp | True | 1 | Fn |
Memory (10)
| Operation | Address | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| ALLOC | 0x400000 | process_name = "C:\Users\hJrD1KOKY DS8lUjv\Desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe", os_pid = 0x9e0, size = 237568, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE | True | 1 | Fn |
| READ | 0x7efde008 | process_name = "C:\Users\hJrD1KOKY DS8lUjv\Desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe", os_pid = 0x9e0, size = 4 | True | 1 | Fn, Data |
| WRITE | 0x400000 | process_name = "C:\Users\hJrD1KOKY DS8lUjv\Desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe", os_pid = 0x9e0, size = 1024 | True | 1 | Fn, Data |
| WRITE | 0x400000 | process_name = "C:\Users\hJrD1KOKY DS8lUjv\Desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe", os_pid = 0x9e0, size = 0 | False | 1 | Fn |
| WRITE | 0x438000 | process_name = "C:\Users\hJrD1KOKY DS8lUjv\Desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe", os_pid = 0x9e0, size = 5120 | True | 1 | Fn, Data |
| WRITE | 0x437000 | process_name = "C:\Users\hJrD1KOKY DS8lUjv\Desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe", os_pid = 0x9e0, size = 512 | True | 1 | Fn, Data |
| WRITE | 0x414000 | process_name = "C:\Users\hJrD1KOKY DS8lUjv\Desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe", os_pid = 0x9e0, size = 135168 | True | 1 | Fn, Data |
| WRITE | 0x412000 | process_name = "C:\Users\hJrD1KOKY DS8lUjv\Desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe", os_pid = 0x9e0, size = 8192 | True | 1 | Fn, Data |
| WRITE | 0x401000 | process_name = "C:\Users\hJrD1KOKY DS8lUjv\Desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe", os_pid = 0x9e0, size = 68608 | True | 1 | Fn, Data |
| WRITE | 0x7efde008 | process_name = "C:\Users\hJrD1KOKY DS8lUjv\Desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe", os_pid = 0x9e0, size = 4 | True | 1 | Fn, Data |
Thread (3)
| Operation | Process Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| RESUME | c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe | os_tid = 0x9e4, os_pid = 0x9e0 | True | 1 | Fn |
| GET_CONTEXT | c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe | os_tid = 0x9e4, os_pid = 0x9e0 | True | 1 | Fn |
| SET_CONTEXT | c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe | os_tid = 0x9e4, os_pid = 0x9e0 | True | 1 | Fn |
Module (81)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| LOAD | SHFOLDER | base_address = 0x74da0000 | True | 1 | Fn |
| LOAD | C:\Users\HJRD1K~1\AppData\Local\Temp\nsx1AE1.tmp\System.dll | base_address = 0x10000000 | True | 1 | Fn |
| LOAD | C:\Users\HJRD1K~1\AppData\Local\Temp\underglaze | | False | 1 | Fn |
| GET_HANDLE | SHFOLDER | base_address = 0x0 | False | 1 | Fn |
| GET_HANDLE | c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe | base_address = 0x400000 | True | 1 | Fn |
| GET_HANDLE | c:\windows\syswow64\kernel32.dll | base_address = 0x76bb0000 | True | 15 | Fn |
| GET_HANDLE | C:\Users\HJRD1K~1\AppData\Local\Temp\nsx1AE1.tmp\System.dll | base_address = 0x0 | False | 1 | Fn |
| GET_HANDLE | c:\users\hjrd1k~1\appdata\local\temp\nsx1ae1.tmp\system.dll | base_address = 0x10000000 | True | 7 | Fn |
| GET_HANDLE | C:\Users\HJRD1K~1\AppData\Local\Temp\underglaze | base_address = 0x0 | False | 1 | Fn |
| GET_HANDLE | c:\windows\syswow64\ntdll.dll | base_address = 0x77540000 | True | 2 | Fn |
| UNMAP | "C:\Users\hJrD1KOKY DS8lUjv\Desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe" | os_pid = 0x9e0, base_address = 0x400000 | True | 1 | Fn |
| GET_FILENAME | SHFOLDER | file_name = C:\Users\hJrD1KOKY DS8lUjv\Desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe | True | 1 | Fn |
| GET_FILENAME | C:\Users\HJRD1K~1\AppData\Local\Temp\underglaze | file_name = C:\Users\hJrD1KOKY DS8lUjv\Desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe | True | 1 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\shfolder.dll | function = SHGetFolderPathA, address = 0x74da1528 | True | 1 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultUILanguage, address = 0x76bc44ab | True | 1 | Fn |
| GET_PROC_ADDRESS | c:\users\hjrd1k~1\appdata\local\temp\nsx1ae1.tmp\system.dll | function = Call, address = 0x100016bd | True | 7 | Fn |
| GET_PROC_ADDRESS | c:\users\hjrd1k~1\appdata\local\temp\nsx1ae1.tmp\system.dll | function = Alloc, address = 0x10001000 | True | 1 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = CreateProcess, address = 0x0 | False | 1 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = CreateProcessA, address = 0x76bc1072 | True | 2 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = SetEnvironmentVariableA, address = 0x76bce331 | True | 2 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = SetEnvironmentVariableAA, address = 0x0 | False | 2 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address = 0x76bc4f2b | True | 1 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address = 0x76bc1252 | True | 1 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address = 0x76bc4208 | True | 1 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = FlsFree, address = 0x76bc359f | True | 1 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address = 0x77580fcb | True | 8 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address = 0x77579d35 | True | 3 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address = 0x76bc1856 | True | 1 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentVariableA, address = 0x76bc33a0 | True | 1 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address = 0x76bc7a10 | True | 1 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address = 0x76bc168c | True | 1 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = lstrlenA, address = 0x76bc5a4b | True | 1 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\ntdll.dll | function = RtlDecompressBuffer, address = 0x775ffded | True | 1 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = GetCommandLineA, address = 0x76bc51a1 | True | 1 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = VirtualAllocEx, address = 0x76bdd9b0 | True | 1 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = GetThreadContext, address = 0x76be79d4 | True | 1 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = ReadProcessMemory, address = 0x76bdcfcc | True | 1 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\ntdll.dll | function = NtUnmapViewOfSection, address = 0x7755fc70 | True | 1 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = WriteProcessMemory, address = 0x76bdd9e0 | True | 1 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = SetThreadContext, address = 0x76c45393 | True | 1 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = ResumeThread, address = 0x76bc43ef | True | 1 | Fn |
| GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = Sleep, address = 0x76bc10ff | True | 1 | Fn |
Window (249)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| FIND | Start | | False | 125 | Fn |
| FIND | Start | | True | 124 | Fn |
Process #2: 199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe
(Host: 1881, Network: 0)
Information Value
ID #2
File Name c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe
Command Line "C:\Users\hJrD1KOKY DS8lUjv\Desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe"
Initial Working Directory C:\Users\hJrD1KOKY DS8lUjv\Desktop
Monitor Start Time: 00:00:39, Reason: Child Process
Unmonitor End Time: 00:02:26, Reason: Terminated by Timeout
Monitor Duration 00:01:47
OS Process Information
Information Value
PID 0x9e0
Parent PID 0x9c4 (c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username 1R6PFH\hJrD1KOKY DS8lUjv
Groups
  • 1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000e04f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9E4, 0xA58, 0xA5C, 0xA60, 0xA64, 0xAF4, 0xAFC, 0xB00, 0xB8C, 0xB90, 0xB94, 0xB98, 0xBCC, 0xBD8, 0xBE4, 0x914, 0x918, 0x880, 0x8CC, 0x208, 0x238, 0x7EC, 0xA24
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match |
|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable | True | False | False |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable | True | False | False |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable | True | False | False |
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable | False | False | False |
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable | True | False | False |
| pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable | True | False | False |
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a1fff | Pagefile Backed Memory | Readable | True | False | False |
| locale.nls | 0x001b0000 | 0x00216fff | Memory Mapped File | Readable | False | False | False |
| setupapi.dll.mui | 0x00220000 | 0x0022cfff | Memory Mapped File | Readable, Writable | False | False | False |
| rsaenh.dll | 0x00230000 | 0x0026bfff | Memory Mapped File | Readable | False | False | False |
| rsaenh.dll | 0x00230000 | 0x0026bfff | Memory Mapped File | Readable | False | False | False |
| rsaenh.dll | 0x00230000 | 0x0026bfff | Memory Mapped File | Readable | False | False | False |
| rsaenh.dll | 0x00230000 | 0x0026bfff | Memory Mapped File | Readable | False | False | False |
| rsaenh.dll | 0x00230000 | 0x0026bfff | Memory Mapped File | Readable | False | False | False |
| c_1251.nls | 0x00230000 | 0x00240fff | Memory Mapped File | Readable | False | False | False |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00250fff | Pagefile Backed Memory | Readable | True | False | False |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00250fff | Pagefile Backed Memory | Readable | True | False | False |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00250fff | Pagefile Backed Memory | Readable | True | False | False |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00250fff | Pagefile Backed Memory | Readable | True | False | False |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00250fff | Pagefile Backed Memory | Readable | True | False | False |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00250fff | Pagefile Backed Memory | Readable | True | False | False |
| pagefile_0x0000000000250000 | 0x00250000 | 0x00250fff | Pagefile Backed Memory | Readable, Writable | True | False | False |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00260fff | Pagefile Backed Memory | Readable | True | False | False |
| private_0x0000000000270000 | 0x00270000 | 0x002affff | Private Memory | Readable, Writable | True | False | False |
| private_0x00000000002b0000 | 0x002b0000 | 0x0032ffff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000000330000 | 0x00330000 | 0x0036ffff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000000370000 | 0x00370000 | 0x003affff | Private Memory | Readable, Writable | True | False | False |
| private_0x00000000003b0000 | 0x003b0000 | 0x003effff | Private Memory | Readable, Writable | True | False | False |
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x003f1fff | Pagefile Backed Memory | Readable | True | False | False |
| 199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe | 0x00400000 | 0x0042dfff | Memory Mapped File | Readable, Writable, Executable | True | True | False |
| private_0x0000000000400000 | 0x00400000 | 0x00439fff | Private Memory | Readable, Writable, Executable | True | False | False |
| pagefile_0x0000000000440000 | 0x00440000 | 0x0051efff | Pagefile Backed Memory | Readable | True | False | False |
| private_0x0000000000520000 | 0x00520000 | 0x0052ffff | Private Memory | Readable, Writable | True | False | False |
| windowsshell.manifest | 0x00530000 | 0x00530fff | Memory Mapped File | Readable | False | False | False |
| pagefile_0x0000000000530000 | 0x00530000 | 0x00530fff | Pagefile Backed Memory | Readable | True | False | False |
| private_0x0000000000540000 | 0x00540000 | 0x0063ffff | Private Memory | Readable, Writable | True | False | False |
| pagefile_0x0000000000640000 | 0x00640000 | 0x007c7fff | Pagefile Backed Memory | Readable | True | False | False |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x00950fff | Pagefile Backed Memory | Readable | True | False | False |
| pagefile_0x0000000000960000 | 0x00960000 | 0x01d5ffff | Pagefile Backed Memory | Readable | True | False | False |
| private_0x0000000001d60000 | 0x01d60000 | 0x01e5ffff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000001e60000 | 0x01e60000 | 0x01e9ffff | Private Memory | Readable, Writable | True | False | False |
| sortdefault.nls | 0x01ea0000 | 0x0216efff | Memory Mapped File | Readable | False | False | False |
| private_0x0000000002170000 | 0x02170000 | 0x0229ffff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000002170000 | 0x02170000 | 0x0224ffff | Private Memory | Readable, Writable | True | False | False |
| private_0x0000000002170000 | 0x02170000 | 0x021affff | Private Memory | Readable, Writable | True | False | False |
| pagefile_0x00000000021b0000 | 0x021b0000 | 0x021b1fff | Pagefile Backed Memory | Readable | True | False | False |
| cversions.1.db | 0x021c0000 | 0x021c3fff | Memory Mapped File | Readable | True | False | False |
| pagefile_0x00000000021c0000 | 0x021c0000 | 0x021c1fff | Pagefile Backed Memory | Readable | True | False | False |
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000c.db 0x021d0000 0x021f3fff Memory Mapped File Readable True False False
pagefile_0x0000000002200000 0x02200000 0x02200fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000002210000 0x02210000 0x0224ffff Private Memory Readable, Writable True False False
cversions.2.db 0x02250000 0x02253fff Memory Mapped File Readable True False False
private_0x0000000002260000 0x02260000 0x0229ffff Private Memory Readable, Writable True False False
private_0x00000000022a0000 0x022a0000 0x0242ffff Private Memory Readable, Writable True False False
private_0x00000000022a0000 0x022a0000 0x0240ffff Private Memory Readable, Writable True False False
private_0x00000000022a0000 0x022a0000 0x0239ffff Private Memory Readable, Writable True False False
private_0x00000000022a0000 0x022a0000 0x023affff Private Memory Readable, Writable True False False
private_0x00000000022a0000 0x022a0000 0x023bffff Private Memory Readable, Writable True False False
kernel32.dll.mui 0x022a0000 0x0235ffff Memory Mapped File Readable, Writable False False False
shell32.dll.mui 0x02360000 0x023bbfff Memory Mapped File Readable, Writable False False False
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000a.db 0x023c0000 0x023effff Memory Mapped File Readable True False False
cversions.2.db 0x023f0000 0x023f3fff Memory Mapped File Readable True False False
cversions.2.db 0x02400000 0x02403fff Memory Mapped File Readable True False False
{40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db 0x02410000 0x02410fff Memory Mapped File Readable True False False
wordpad.exe.mui 0x02420000 0x0242cfff Memory Mapped File Readable, Writable False False False
wordpad.exe.mui 0x02420000 0x0242cfff Memory Mapped File Readable, Writable False False False
private_0x0000000002420000 0x02420000 0x02420fff Private Memory Readable, Writable True False False
private_0x0000000002430000 0x02430000 0x0262ffff Private Memory Readable, Writable True False False
private_0x0000000002630000 0x02630000 0x0282ffff Private Memory Readable, Writable True False False
private_0x0000000002830000 0x02830000 0x02a2ffff Private Memory Readable, Writable True False False
private_0x0000000002a30000 0x02a30000 0x02c2ffff Private Memory Readable, Writable True False False
private_0x0000000002c30000 0x02c30000 0x02e2ffff Private Memory Readable, Writable True False False
private_0x0000000002e30000 0x02e30000 0x02f30fff Private Memory Readable, Writable True False False
private_0x0000000002e30000 0x02e30000 0x02f30fff Private Memory Readable, Writable True False False
private_0x0000000002e30000 0x02e30000 0x02f30fff Private Memory Readable, Writable True False False
private_0x0000000002e30000 0x02e30000 0x0302ffff Private Memory Readable, Writable True False False
private_0x0000000003030000 0x03030000 0x0312ffff Private Memory Readable, Writable True False False
private_0x0000000003130000 0x03130000 0x03230fff Private Memory Readable, Writable True False False
private_0x0000000003130000 0x03130000 0x03230fff Private Memory Readable, Writable True False False
private_0x0000000003130000 0x03130000 0x03230fff Private Memory Readable, Writable True False False
private_0x0000000003130000 0x03130000 0x03230fff Private Memory Readable, Writable True False False
private_0x0000000003130000 0x03130000 0x03230fff Private Memory Readable, Writable True False False
private_0x0000000003130000 0x03130000 0x03230fff Private Memory Readable, Writable True False False
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x03130000 0x03195fff Memory Mapped File Readable True False False
private_0x00000000031a0000 0x031a0000 0x032a0fff Private Memory Readable, Writable True False False
private_0x00000000031a0000 0x031a0000 0x032a0fff Private Memory Readable, Writable True False False
private_0x00000000031a0000 0x031a0000 0x032a0fff Private Memory Readable, Writable True False False
private_0x00000000031a0000 0x031a0000 0x032a0fff Private Memory Readable, Writable True False False
private_0x00000000031a0000 0x031a0000 0x032a0fff Private Memory Readable, Writable True False False
private_0x00000000031a0000 0x031a0000 0x032a0fff Private Memory Readable, Writable True False False
private_0x00000000031a0000 0x031a0000 0x032a0fff Private Memory Readable, Writable True False False
private_0x00000000031a0000 0x031a0000 0x032a0fff Private Memory Readable, Writable True False False
private_0x00000000031a0000 0x031a0000 0x032a0fff Private Memory Readable, Writable True False False
private_0x00000000031a0000 0x031a0000 0x032a0fff Private Memory Readable, Writable True False False
private_0x00000000031a0000 0x031a0000 0x032a0fff Private Memory Readable, Writable True False False
private_0x00000000031a0000 0x031a0000 0x032a0fff Private Memory Readable, Writable True False False
wordpad.exe 0x031a0000 0x035aefff Memory Mapped File Readable, Writable, Executable False False False
wordpad.exe 0x031a0000 0x035aefff Memory Mapped File Readable, Writable, Executable False False False
private_0x00000000031a0000 0x031a0000 0x0329ffff Private Memory Readable, Writable True False False
private_0x00000000032a0000 0x032a0000 0x033a0fff Private Memory Readable, Writable True False False
private_0x00000000032a0000 0x032a0000 0x033a0fff Private Memory Readable, Writable True False False
private_0x00000000032a0000 0x032a0000 0x033a0fff Private Memory Readable, Writable True False False
private_0x00000000032a0000 0x032a0000 0x033a0fff Private Memory Readable, Writable True False False
private_0x00000000032a0000 0x032a0000 0x033a0fff Private Memory Readable, Writable True False False
private_0x00000000032a0000 0x032a0000 0x033a0fff Private Memory Readable, Writable True False False
private_0x00000000032a0000 0x032a0000 0x033a0fff Private Memory Readable, Writable True False False
private_0x00000000032a0000 0x032a0000 0x033a0fff Private Memory Readable, Writable True False False
private_0x00000000032a0000 0x032a0000 0x033a0fff Private Memory Readable, Writable True False False
private_0x00000000032a0000 0x032a0000 0x033a0fff Private Memory Readable, Writable True False False
private_0x00000000032a0000 0x032a0000 0x033a0fff Private Memory Readable, Writable True False False
private_0x00000000032a0000 0x032a0000 0x033a0fff Private Memory Readable, Writable True False False
private_0x00000000032a0000 0x032a0000 0x033a0fff Private Memory Readable, Writable True False False
private_0x00000000032a0000 0x032a0000 0x033a0fff Private Memory Readable, Writable True False False
private_0x00000000032a0000 0x032a0000 0x033a0fff Private Memory Readable, Writable True False False
private_0x00000000032a0000 0x032a0000 0x033a0fff Private Memory Readable, Writable True False False
private_0x00000000032a0000 0x032a0000 0x033a0fff Private Memory Readable, Writable True False False
private_0x00000000032a0000 0x032a0000 0x033a0fff Private Memory Readable, Writable True False False
private_0x00000000032a0000 0x032a0000 0x0349ffff Private Memory Readable, Writable True False False
private_0x00000000034a0000 0x034a0000 0x034dffff Private Memory Readable, Writable True False False
private_0x00000000034e0000 0x034e0000 0x036dffff Private Memory Readable, Writable True False False
private_0x00000000036e0000 0x036e0000 0x0376ffff Private Memory Readable, Writable True False False
private_0x00000000036e0000 0x036e0000 0x0371ffff Private Memory Readable, Writable True False False
private_0x00000000036e0000 0x036e0000 0x0371ffff Private Memory Readable, Writable True False False
private_0x00000000036e0000 0x036e0000 0x0371ffff Private Memory Readable, Writable True False False
private_0x0000000003720000 0x03720000 0x03720fff Private Memory Readable, Writable True False False
private_0x0000000003730000 0x03730000 0x0376ffff Private Memory Readable, Writable True False False
staticcache.dat 0x03770000 0x0409ffff Memory Mapped File Readable False False False
private_0x00000000040a0000 0x040a0000 0x041fffff Private Memory Readable, Writable True False False
private_0x00000000040a0000 0x040a0000 0x0411ffff Private Memory Readable, Writable True False False
private_0x0000000004120000 0x04120000 0x04120fff Private Memory Readable, Writable True False False
private_0x0000000004130000 0x04130000 0x0432ffff Private Memory Readable, Writable True False False
private_0x0000000004130000 0x04130000 0x0426ffff Private Memory Readable, Writable True False False
pagefile_0x0000000004130000 0x04130000 0x04137fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000004130000 0x04130000 0x04137fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000004130000 0x04130000 0x04137fff Pagefile Backed Memory Readable True False False
private_0x0000000004130000 0x04130000 0x0416ffff Private Memory Readable, Writable True False False
pagefile_0x0000000004130000 0x04130000 0x04130fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000004140000 0x04140000 0x04141fff Pagefile Backed Memory Readable True False False
oleaccrc.dll 0x04150000 0x04150fff Memory Mapped File Readable False False False
msttsdecwrp.dll 0x04150000 0x0415afff Memory Mapped File Readable False False False
pagefile_0x0000000004150000 0x04150000 0x04150fff Pagefile Backed Memory Readable True False False
private_0x0000000004160000 0x04160000 0x04161fff Private Memory Readable, Writable, Executable True False False
cversions.2.db 0x04170000 0x04173fff Memory Mapped File Readable True False False
propsys.dll.mui 0x04180000 0x0418dfff Memory Mapped File Readable, Writable False False False
pagefile_0x0000000004190000 0x04190000 0x04190fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000041a0000 0x041a0000 0x041dffff Private Memory Readable, Writable True False False
private_0x00000000041a0000 0x041a0000 0x041dffff Private Memory Readable, Writable True False False
private_0x00000000041e0000 0x041e0000 0x0421ffff Private Memory Readable, Writable True False False
private_0x00000000041f0000 0x041f0000 0x041fffff Private Memory Readable, Writable True False False
private_0x0000000004200000 0x04200000 0x043fffff Private Memory Readable, Writable True False False
stdole2.tlb 0x04220000 0x04223fff Memory Mapped File Readable False False False
wdmaud.drv.mui 0x04220000 0x04220fff Memory Mapped File Readable, Writable False False False
mmdevapi.dll.mui 0x04230000 0x04230fff Memory Mapped File Readable, Writable False False False
private_0x0000000004240000 0x04240000 0x0424ffff Private Memory Readable, Writable True False False
private_0x0000000004240000 0x04240000 0x04241fff Private Memory Readable, Writable True False False
pagefile_0x0000000004250000 0x04250000 0x04250fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000004260000 0x04260000 0x0426ffff Private Memory Readable, Writable True False False
private_0x0000000004270000 0x04270000 0x0446ffff Private Memory Readable, Writable True False False
private_0x0000000004400000 0x04400000 0x048f1fff Private Memory Readable, Writable True False False
private_0x0000000004470000 0x04470000 0x0466ffff Private Memory Readable, Writable True False False
private_0x0000000004470000 0x04470000 0x04961fff Private Memory Readable, Writable True False False
private_0x0000000004470000 0x04470000 0x0466ffff Private Memory Readable, Writable True False False
private_0x0000000004470000 0x04470000 0x0466ffff Private Memory Readable, Writable True False False
private_0x0000000004670000 0x04670000 0x0483ffff Private Memory Readable, Writable True False False
private_0x0000000004670000 0x04670000 0x0476ffff Private Memory Readable, Writable True False False
private_0x0000000004770000 0x04770000 0x047affff Private Memory Readable, Writable True False False
private_0x00000000047b0000 0x047b0000 0x047effff Private Memory Readable, Writable True False False
private_0x00000000047f0000 0x047f0000 0x047f0fff Private Memory Readable, Writable True False False
private_0x0000000004830000 0x04830000 0x0483ffff Private Memory Readable, Writable True False False
private_0x0000000004840000 0x04840000 0x04a3ffff Private Memory Readable, Writable True False False
private_0x0000000004900000 0x04900000 0x049fffff Private Memory Readable, Writable True False False
tmpb9dc.bmp 0x04970000 0x04e61fff Memory Mapped File Readable True False False
private_0x0000000004970000 0x04970000 0x04e61fff Private Memory Readable, Writable True False False
m1033dsk.tts 0x04a40000 0x04c91fff Memory Mapped File Readable False False False
pagefile_0x0000000004ca0000 0x04ca0000 0x0509ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000004e70000 0x04e70000 0x05361fff Private Memory Readable, Writable True False False
private_0x0000000004e70000 0x04e70000 0x05361fff Private Memory Readable, Writable True False False
private_0x00000000050a0000 0x050a0000 0x053a8fff Private Memory Readable, Writable True False False
private_0x00000000053b0000 0x053b0000 0x055affff Private Memory Readable, Writable True False False
private_0x00000000055b0000 0x055b0000 0x059b1fff Private Memory Readable, Writable True False False
private_0x00000000059c0000 0x059c0000 0x05bbffff Private Memory Readable, Writable True False False
private_0x0000000005bc0000 0x05bc0000 0x05dbffff Private Memory Readable, Writable True False False
winsta.dll 0x72470000 0x72498fff Memory Mapped File Readable, Writable, Executable False False False
midimap.dll 0x724a0000 0x724a6fff Memory Mapped File Readable, Writable, Executable False False False
msacm32.drv 0x724b0000 0x724b7fff Memory Mapped File Readable, Writable, Executable False False False
audioses.dll 0x724c0000 0x724f5fff Memory Mapped File Readable, Writable, Executable False False False
ksuser.dll 0x72500000 0x72503fff Memory Mapped File Readable, Writable, Executable False False False
wdmaud.drv 0x72510000 0x7253ffff Memory Mapped File Readable, Writable, Executable False False False
avrt.dll 0x72580000 0x72586fff Memory Mapped File Readable, Writable, Executable False False False
shfolder.dll 0x72d00000 0x72d04fff Memory Mapped File Readable, Writable, Executable False False False
msttscommon.dll 0x72d10000 0x72d1afff Memory Mapped File Readable, Writable, Executable False False False
msttsfrontendenu.dll 0x72d20000 0x72d65fff Memory Mapped File Readable, Writable, Executable False False False
msttsengine.dll 0x72d70000 0x72d97fff Memory Mapped File Readable, Writable, Executable False False False
mmdevapi.dll 0x72da0000 0x72dd8fff Memory Mapped File Readable, Writable, Executable False False False
msdmo.dll 0x72ea0000 0x72eaafff Memory Mapped File Readable, Writable, Executable False False False
msacm32.dll 0x72eb0000 0x72ec3fff Memory Mapped File Readable, Writable, Executable False False False
winmm.dll 0x72ed0000 0x72f01fff Memory Mapped File Readable, Writable, Executable False False False
sapi.dll 0x72f90000 0x730b9fff Memory Mapped File Readable, Writable, Executable False False False
d3d9.dll 0x73b40000 0x73d02fff Memory Mapped File Readable, Writable, Executable False False False
ieproxy.dll 0x73d20000 0x73d4afff Memory Mapped File Readable, Writable, Executable False False False
sxs.dll 0x73d50000 0x73daefff Memory Mapped File Readable, Writable, Executable False False False
photobase.dll 0x73dc0000 0x73dcbfff Memory Mapped File Readable, Writable, Executable False False False
oleacc.dll 0x73dd0000 0x73e0bfff Memory Mapped File Readable, Writable, Executable False False False
slc.dll 0x73e10000 0x73e19fff Memory Mapped File Readable, Writable, Executable False False False
d3d8thk.dll 0x73e20000 0x73e25fff Memory Mapped File Readable, Writable, Executable False False False
wtsapi32.dll 0x73e30000 0x73e3cfff Memory Mapped File Readable, Writable, Executable False False False
wtsapi32.dll 0x73e30000 0x73e3cfff Memory Mapped File Readable, Writable, Executable False False False
photoviewer.dll 0x73e70000 0x73fd5fff Memory Mapped File Readable, Writable, Executable False False False
apphelp.dll 0x74040000 0x7408bfff Memory Mapped File Readable, Writable, Executable False False False
windowscodecs.dll 0x74650000 0x7474afff Memory Mapped File Readable, Writable, Executable False False False
searchfolder.dll 0x74750000 0x747effff Memory Mapped File Readable, Writable, Executable False False False
propsys.dll 0x747f0000 0x748e4fff Memory Mapped File Readable, Writable, Executable False False False
dwmapi.dll 0x748f0000 0x74902fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x74910000 0x7498ffff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x749a0000 0x749fbfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x74a00000 0x74a3efff Memory Mapped File Readable, Writable, Executable False False False
iconcodecservice.dll 0x74a40000 0x74a45fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x74a50000 0x74a70fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x74a80000 0x74c1dfff Memory Mapped File Readable, Writable, Executable False False False
fastprox.dll 0x74b20000 0x74bb5fff Memory Mapped File Readable, Writable, Executable False False False
fastprox.dll 0x74b20000 0x74bb5fff Memory Mapped File Readable, Writable, Executable False False False
fastprox.dll 0x74b20000 0x74bb5fff Memory Mapped File Readable, Writable, Executable False False False
ntdsapi.dll 0x74b50000 0x74b67fff Memory Mapped File Readable, Writable, Executable False False False
ntdsapi.dll 0x74b50000 0x74b67fff Memory Mapped File Readable, Writable, Executable False False False
ntdsapi.dll 0x74b50000 0x74b67fff Memory Mapped File Readable, Writable, Executable False False False
fastprox.dll 0x74b70000 0x74c05fff Memory Mapped File Readable, Writable, Executable False False False
fastprox.dll 0x74b70000 0x74c05fff Memory Mapped File Readable, Writable, Executable False False False
fastprox.dll 0x74b70000 0x74c05fff Memory Mapped File Readable, Writable, Executable False False False
wbemcomn.dll 0x74bc0000 0x74c1bfff Memory Mapped File Readable, Writable, Executable False False False
wbemcomn.dll 0x74bc0000 0x74c1bfff Memory Mapped File Readable, Writable, Executable False False False
wbemcomn.dll 0x74bc0000 0x74c1bfff Memory Mapped File Readable, Writable, Executable False False False
wbemsvc.dll 0x74c10000 0x74c1efff Memory Mapped File Readable, Writable, Executable False False False
wbemsvc.dll 0x74c10000 0x74c1efff Memory Mapped File Readable, Writable, Executable False False False
wbemsvc.dll 0x74c10000 0x74c1efff Memory Mapped File Readable, Writable, Executable False False False
rpcrtremote.dll 0x74c20000 0x74c2dfff Memory Mapped File Readable, Writable, Executable False False False
wbemcomn.dll 0x74c30000 0x74c8bfff Memory Mapped File Readable, Writable, Executable False False False
wbemcomn.dll 0x74c30000 0x74c8bfff Memory Mapped File Readable, Writable, Executable False False False
wbemcomn.dll 0x74c30000 0x74c8bfff Memory Mapped File Readable, Writable, Executable False False False
linkinfo.dll 0x74c30000 0x74c38fff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x74c40000 0x74c4afff Memory Mapped File Readable, Writable, Executable False False False
wshtcpip.dll 0x74c50000 0x74c54fff Memory Mapped File Readable, Writable, Executable False False False
ntdsapi.dll 0x74c60000 0x74c77fff Memory Mapped File Readable, Writable, Executable False False False
ntdsapi.dll 0x74c60000 0x74c77fff Memory Mapped File Readable, Writable, Executable False False False
ntdsapi.dll 0x74c60000 0x74c77fff Memory Mapped File Readable, Writable, Executable False False False
mswsock.dll 0x74c60000 0x74c9bfff Memory Mapped File Readable, Writable, Executable False False False
wbemprox.dll 0x74c80000 0x74c89fff Memory Mapped File Readable, Writable, Executable False False False
wbemprox.dll 0x74c80000 0x74c89fff Memory Mapped File Readable, Writable, Executable False False False
wbemprox.dll 0x74c80000 0x74c89fff Memory Mapped File Readable, Writable, Executable False False False
wbemprox.dll 0x74c90000 0x74c99fff Memory Mapped File Readable, Writable, Executable False False False
wbemsvc.dll 0x74c90000 0x74c9efff Memory Mapped File Readable, Writable, Executable False False False
wbemprox.dll 0x74c90000 0x74c99fff Memory Mapped File Readable, Writable, Executable False False False
wbemsvc.dll 0x74c90000 0x74c9efff Memory Mapped File Readable, Writable, Executable False False False
wbemprox.dll 0x74c90000 0x74c99fff Memory Mapped File Readable, Writable, Executable False False False
wbemsvc.dll 0x74c90000 0x74c9efff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x74ca0000 0x74cdafff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x74ce0000 0x74cf5fff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x74d00000 0x74d08fff Memory Mapped File Readable, Writable, Executable False False False
powrprof.dll 0x74d10000 0x74d34fff Memory Mapped File Readable, Writable, Executable False False False
samcli.dll 0x74d40000 0x74d4efff Memory Mapped File Readable, Writable, Executable False False False
wkscli.dll 0x74d50000 0x74d5efff Memory Mapped File Readable, Writable, Executable False False False
srvcli.dll 0x74d60000 0x74d78fff Memory Mapped File Readable, Writable, Executable False False False
netutils.dll 0x74d80000 0x74d88fff Memory Mapped File Readable, Writable, Executable False False False
netapi32.dll 0x74d90000 0x74da0fff Memory Mapped File Readable, Writable, Executable False False False
mpr.dll 0x74db0000 0x74dc1fff Memory Mapped File Readable, Writable, Executable False False False
gdiplus.dll 0x74dd0000 0x74f5ffff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x75060000 0x75067fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75090000 0x7509bfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x750a0000 0x750fffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x75100000 0x75109fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x75110000 0x75128fff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x75130000 0x75141fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x75150000 0x751effff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x751f0000 0x751fbfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75200000 0x75e49fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75e50000 0x75fabfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x75fb0000 0x76006fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x76010000 0x76044fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76050000 0x760ecfff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x760f0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76180000 0x7624bfff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x76250000 0x76344fff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x76350000 0x76355fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76360000 0x763eefff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x763f0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x764e0000 0x7653ffff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76540000 0x765ebfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x765f0000 0x766effff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x76720000 0x76855fff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x76860000 0x76a5afff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x76a60000 0x76b7cfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76bb0000 0x76cbffff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x76d50000 0x76eecfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x76fe0000 0x77025fff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x77030000 0x77056fff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x77060000 0x770a4fff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x770b0000 0x77132fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077140000 0x77140000 0x77239fff Private Memory Readable, Writable, Executable True False False
private_0x0000000077240000 0x77240000 0x7735efff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x77360000 0x77508fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77540000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007ef92000 0x7ef92000 0x7ef94fff Private Memory Readable, Writable True False False
private_0x000000007ef95000 0x7ef95000 0x7ef97fff Private Memory Readable, Writable True False False
private_0x000000007ef98000 0x7ef98000 0x7ef9afff Private Memory Readable, Writable True False False
private_0x000000007ef9b000 0x7ef9b000 0x7ef9dfff Private Memory Readable, Writable True False False
private_0x000000007ef9b000 0x7ef9b000 0x7ef9dfff Private Memory Readable, Writable True False False
private_0x000000007ef9b000 0x7ef9b000 0x7ef9dfff Private Memory Readable, Writable True False False
private_0x000000007ef9e000 0x7ef9e000 0x7efa0fff Private Memory Readable, Writable True False False
private_0x000000007ef9e000 0x7ef9e000 0x7efa0fff Private Memory Readable, Writable True False False
private_0x000000007ef9e000 0x7ef9e000 0x7efa0fff Private Memory Readable, Writable True False False
private_0x000000007efa1000 0x7efa1000 0x7efa3fff Private Memory Readable, Writable True False False
private_0x000000007efa4000 0x7efa4000 0x7efa6fff Private Memory Readable, Writable True False False
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Modify Memory c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe 0x9c8 address = 0x400000, size = 1024 True 1
Modify Memory c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe 0x9c8 address = 0x438000, size = 5120 True 1
Modify Memory c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe 0x9c8 address = 0x437000, size = 512 True 1
Modify Memory c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe 0x9c8 address = 0x414000, size = 135168 True 1
Modify Memory c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe 0x9c8 address = 0x412000, size = 8192 True 1
Modify Memory c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe 0x9c8 address = 0x401000, size = 68608 True 1
Modify Memory c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe 0x9c8 address = 0x7efde008, size = 4 True 1
Modify Control Flow c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe 0x9c8 os_thread_id = 0x9e4 True 1
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\hjrd1koky ds8lujv\appdata\roaming\microsoft\speech\files\userlexicons\sp_8886b512a0c8413698af6a90c3ce8910.dat 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\hjrd1koky ds8lujv\documents\mk1qeyh-ob.87b1 73.28 KB (75035 bytes) MD5: 4c10f0168f3b02e9141d59de4e1d0e15
SHA1: 5a444a6894ef56f9563e3d003aea3462f40d3704
SHA256: acf797de243ab8d35839fa040da4cd725d1e5cca7e9f6f7263dce57be0e94954
False
c:\users\hjrd1koky ds8lujv\documents\_read_this_file_oy87az4_.hta 74.96 KB (76756 bytes) MD5: f7f337f3990f508f408de7d1eb406c25
SHA1: bc8fb21fc8e99a025ff5257be717e9cd9e099ab2
SHA256: 3b5db7edeae403f4cb3e0d4500ef6c6f17a2da01411cbedd584b1fc2794df342
YARA Match: False
c:\users\hjrd1koky ds8lujv\documents\_read_this_file_sna5m_.txt 1.31 KB (1337 bytes) MD5: 2833e6543ea2ea5b81f63a1b6d6a832a
SHA1: 9130c4ab860fcda421cf56372491ab3f1901dccd
SHA256: a44098297ee6f900f25696ef91ada5e19c3a3e3f00276a0e239b36fb20850341
YARA Match: False
c:\users\hjrd1koky ds8lujv\documents\_read_this_file_gwjrx_.jpeg 212.32 KB (217414 bytes) MD5: d9c206a13f332e13b83c6da60f44b2c3
SHA1: 5d68e9e078073f0b5ca8d19613e301c1b3a8287b
SHA256: b48ca40156c2c9424d270cbeae0b5efd72eb5125bec85088b785afb12d320c4b
YARA Match: False
c:\users\hjrd1koky ds8lujv\documents\mcjgdc9uzh.87b1 55.62 KB (56953 bytes) MD5: 4b8adffa3a05089e860070930df0bbb4
SHA1: 49503f85337dc8a95723801f4593eccfe89ec503
SHA256: cdacb76afcb791e7aaa3678af9ef79d7954e959f98b9c90231b03ba8def0780f
YARA Match: False
c:\users\hjrd1koky ds8lujv\documents\wzrlp-viqf.87b1 68.60 KB (70250 bytes) MD5: 8cd6d2be6322010cbaf49993b3fcc83c
SHA1: b58109eea23dd22e630795c4a4e8924d1911e240
SHA256: 7ff6030be999e27d22bb21ddf66f4567676f9d05c10e97e390a4866e719d194a
YARA Match: False
c:\users\hjrd1koky ds8lujv\appdata\roaming\microsoft\speech\files\userlexicons\sp_8886b512a0c8413698af6a90c3ce8910.dat 0.92 KB (940 bytes) MD5: 9ed60b54a6e0241b17b7374ccd806cf2
SHA1: 304d806ce0a579520566c7f20da3e87c63141ee8
SHA256: 6fa15f84277575a6479466590ffa4c9d7e3a537e18cebb28c8bf908416d86a29
YARA Match: False
c:\users\hjrd1koky ds8lujv\documents\5t950ijtgp.87b1 87.83 KB (89936 bytes) MD5: c776b1e64d090bf233740c86d4593d04
SHA1: 4af7687c4e0542ce59e04b1e5033a9b31b30d65a
SHA256: 308c86b083470945364e9a305b4f41cf1bb9cb024711394a0af9c46735d08313
YARA Match: False
c:\users\hjrd1koky ds8lujv\documents\3-rxwcu45h.87b1 52.85 KB (54114 bytes) MD5: 01a056c15cb169473e14633714c6b417
SHA1: 116c47a9d48821490ca66ad9fb398e643f7b3c6c
SHA256: a837725cd9d36c974d0d97bf4a07dc504ac0f98709caa5daca544b891d051f87
YARA Match: False
c:\users\hjrd1koky ds8lujv\documents\6ruskhssp7.87b1 8.26 KB (8457 bytes) MD5: aa8125924efe88742156fa6259dee81c
SHA1: 6e89849a684cd7ad434e812cb465d7e42e77d5e2
SHA256: f938728aec5f0df975bf9e48d563c5350f21662e7549d782262ddf027f147094
YARA Match: False
c:\users\hjrd1koky ds8lujv\documents\o-syix25yo.87b1 86.99 KB (89073 bytes) MD5: be07a1ed3e9fd566763194e0aa4d7beb
SHA1: 21b2746e03236e599718217024f7676ee2071bc3
SHA256: 3daf3968b4a3237b6de88af84ab2bae79feb3c6126340dec306c3b393f0e9947
YARA Match: False
c:\users\hjrd1koky ds8lujv\documents\feqr8sill4.87b1 68.31 KB (69948 bytes) MD5: a8734a5f1b95185aa76a4790692f3e0c
SHA1: e17b03b664d559efe912b9722224c34370396837
SHA256: 7caa186363cff7d613e379d47656c7bd4780d8344b6642bd1544966add1a49dd
YARA Match: False
c:\users\hjrd1koky ds8lujv\documents\kfgfxkxkom.87b1 25.54 KB (26155 bytes) MD5: 86f18f04b4afccb136f9a77ea94b83a8
SHA1: bfb36bfa1792142d767eaf847157f8aafcd0564a
SHA256: 7e663508034a7737a19c98921f2f6c4f8b735fb400d5bb51ad4f8ad9ce3c710f
YARA Match: False
c:\users\hjrd1koky ds8lujv\documents\bc32lqwvc8.87b1 4.86 KB (4977 bytes) MD5: d8c53d657b5738fdc4bfee84846bb49d
SHA1: ac912237dc6f37b10a78f44899265146716de631
SHA256: 28dd3ba9c48f73de72b64d2f529ae3e0591a77455d91e5e47170cb9b82895710
YARA Match: False
c:\users\hjrd1koky ds8lujv\documents\4lllybc7sv.87b1 25.20 KB (25804 bytes) MD5: 9bc9ca7a29c0a029cd892ad5238a751e
SHA1: 710ac7bdca207d25f9e19c680f3b8c84544e4fc1
SHA256: 1c066455c8526a83c02c95c66b1e3e809476102752f87a7226cb931f598b53cb
YARA Match: False
c:\users\hjrd1koky ds8lujv\documents\53btro0x1v.87b1 13.97 KB (14306 bytes) MD5: 14e28e545cae88ba3254622636e0f3fc
SHA1: 6a48daa2b71835cd1b918b2ef1b7130e7246ba3f
SHA256: a058d96d0fc0bcf0b2f0567a476217584b605b004bd17e67698b1d52df50cea3
YARA Match: False
c:\users\hjrd1koky ds8lujv\desktop\rfhurs7sso.87b1 91.52 KB (93713 bytes) MD5: 242b80450958cc21a66cd95664ca7a56
SHA1: dcf7394d752938154e2735da66346ef87b5d04e2
SHA256: 8f8675069075df930da51c4dda4f4b42b4a936e2c02967723e9ed3ec000630d8
YARA Match: False
c:\users\hjrd1koky ds8lujv\desktop\9lvsdwjl5r.87b1 64.62 KB (66166 bytes) MD5: 190bf22610881f88218e688a14e23848
SHA1: 170072a838eacd7f55b70b835841c39f792d2c38
SHA256: c295e1eebf59820562d02be3df1968d8c6dd1aea7168f96cc750098e3d302a77
YARA Match: False
c:\users\hjrd1koky ds8lujv\desktop\lhnlle1mra.87b1 63.65 KB (65182 bytes) MD5: 3736eee89088291efa1a57af1ea59219
SHA1: 3cac4833b2aee81a58a53048efc5d395e5baab3d
SHA256: 4c79b89e89efcb8df933a6b1a9269a0f0818f1e9cb05b5c57ec0a576e77a3fe1
YARA Match: False
c:\users\hjrd1koky ds8lujv\desktop\chbopzauxb.87b1 54.06 KB (55354 bytes) MD5: ef3b01980aac5f6a6bc7187e90e16d48
SHA1: e62f9de41953bf56e59cd40c2b4374316b9ffb71
SHA256: cd5878c1e802fc4a287739cae20e3995de14716afce7b4b1db30abb848f689ba
YARA Match: False
c:\users\hjrd1koky ds8lujv\desktop\72wdecdose.87b1 12.09 KB (12380 bytes) MD5: a9c8bc62358ecdd09b3bb9f7af658d86
SHA1: b6f74fe681bb0f279fe3bc8897bebdcfeede768d
SHA256: ac520174432f4e91f38089eeadad5c9995912857c114693099963268b9b9201b
YARA Match: False
c:\users\hjrd1koky ds8lujv\desktop\0ly1wwj-os.87b1 70.74 KB (72441 bytes) MD5: f1a0aa1e145408cbb71f8b346bde5953
SHA1: f3793ce77dc6d6a032ff74f60ecada19d346dab9
SHA256: f675c824db2daf04c4ae46004e329d3402db172e3f438d317d27d09cae8c9675
YARA Match: False
c:\users\hjrd1koky ds8lujv\desktop\c2tneqkoop.87b1 32.54 KB (33318 bytes) MD5: 81dc47ec8da44dfe5eaab125b8fb73c9
SHA1: 9faac82646de31f9bbff121c1e4321faab092780
SHA256: 966114724db95d8dae5ff03f14732559f32349e5b3596f2ab985d9dbeefb0991
YARA Match: False
c:\users\hjrd1koky ds8lujv\desktop\-pnznezwur.87b1 8.37 KB (8575 bytes) MD5: 9c71f9fc0b2702e53abe6b1af542e3b1
SHA1: 60a3aefdcc45d541c49b37b0a06ed8fdb50cc73d
SHA256: 8654976d3d92b92b13cfb3c63b5f7907b23bb79a03c280b4da5feb34ce5ba092
YARA Match: False
c:\users\hjrd1koky ds8lujv\desktop\pwebptr7kd.87b1 46.79 KB (47908 bytes) MD5: 75953340e30b4b8cf2e6aae1f83d6e7a
SHA1: bb8a98393eac07de567781e96ae18f97bc888962
SHA256: 17e6cb049d9193351c4976a7a99ca6f581a705a5c6aecdd29628ae27d41b65d2
YARA Match: False
c:\users\hjrd1koky ds8lujv\desktop\0giaekeqpv.87b1 35.55 KB (36399 bytes) MD5: 2f6154d1d89ba330fd6dc62a846efeef
SHA1: 19972f5d7a3c10d60202c297eb7f7d80de66db62
SHA256: 0895d3920b2fa9f46eb6e5e749b4b1ee25ad426aeb493ed1aa3f6d41748218a6
YARA Match: False
c:\users\hjrd1koky ds8lujv\desktop\-pnrexrevr.87b1 63.06 KB (64571 bytes) MD5: 59b1f0939875ff081e368dd9374b5f74
SHA1: b6b91940caa81756e0f3b67d1cc320e7c69b2670
SHA256: a9bcc755b5e8a1b2e556f6405408b4152e0cf795bc038bd6976707ab89d5e214
YARA Match: False
c:\users\hjrd1koky ds8lujv\desktop\iqit9zczod.87b1 68.56 KB (70204 bytes) MD5: 2ad357a4bbf046cc8db0ec99d5914e10
SHA1: f8f34bd7644df09688618461312c5c76c02e2426
SHA256: 0c926ce1ef061e38aac15aaad4addd6826063774c6e2a2b9b537aa2fca44ee1d
YARA Match: False
Modified Files
Filename File Size Hash Values YARA Match
c:\users\hjrd1koky ds8lujv\documents\0ym30ah1p2 o.pptx 73.28 KB (75035 bytes) MD5: 4c10f0168f3b02e9141d59de4e1d0e15
SHA1: 5a444a6894ef56f9563e3d003aea3462f40d3704
SHA256: acf797de243ab8d35839fa040da4cd725d1e5cca7e9f6f7263dce57be0e94954
YARA Match: False
c:\users\hjrd1koky ds8lujv\documents\2dffhfqbe.xlsx 55.62 KB (56953 bytes) MD5: 4b8adffa3a05089e860070930df0bbb4
SHA1: 49503f85337dc8a95723801f4593eccfe89ec503
SHA256: cdacb76afcb791e7aaa3678af9ef79d7954e959f98b9c90231b03ba8def0780f
YARA Match: False
c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx 68.60 KB (70250 bytes) MD5: 8cd6d2be6322010cbaf49993b3fcc83c
SHA1: b58109eea23dd22e630795c4a4e8924d1911e240
SHA256: 7ff6030be999e27d22bb21ddf66f4567676f9d05c10e97e390a4866e719d194a
YARA Match: False
Host Behavior
File (1014)
Operation Filename Additional Information Success Count
CREATE c:\users\hjrd1k~1\appdata\local\temp\6017762e\5ca4.tmp desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING False 1
CREATE c:\users\hjrd1koky ds8lujv\documents\0ym30ah1p2 o.pptx desired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = OPEN_EXISTING True 1
CREATE c:\users\hjrd1koky ds8lujv\documents\_read_this_file_oy87az4_.hta desired_access = GENERIC_WRITE, create_disposition = CREATE_NEW, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED True 1
CREATE c:\users\hjrd1koky ds8lujv\documents\_read_this_file_sna5m_.txt desired_access = GENERIC_WRITE, create_disposition = CREATE_NEW, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED True 1
CREATE c:\users\hjrd1koky ds8lujv\documents\_read_this_file_gwjrx_.jpeg desired_access = GENERIC_WRITE, create_disposition = CREATE_NEW, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED True 1
CREATE c:\users\hjrd1koky ds8lujv\documents\2dffhfqbe.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = OPEN_EXISTING True 1
CREATE c:\users\hjrd1koky ds8lujv\documents\_read_this_file_oy87az4_.hta desired_access = GENERIC_WRITE, create_disposition = CREATE_NEW, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED False 1
CREATE c:\users\hjrd1koky ds8lujv\documents\_read_this_file_sna5m_.txt desired_access = GENERIC_WRITE, create_disposition = CREATE_NEW, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED False 1
CREATE c:\users\hjrd1koky ds8lujv\documents\_read_this_file_gwjrx_.jpeg desired_access = GENERIC_WRITE, create_disposition = CREATE_NEW, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED False 1
CREATE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = OPEN_EXISTING True 1
CREATE_DIR c:\users\hjrd1k~1\appdata\local\temp\6017762e True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\mk1qeyh-ob.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\0ym30ah1p2 o.pptx True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\mcjgdc9uzh.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\2dffhfqbe.xlsx True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\wzrlp-viqf.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\vy9me4vcgy.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\4zylz8nvl.docx True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\5t950ijtgp.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\5748pkeb4u6jrpogsd6.pptx True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\3-rxwcu45h.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\9zd kfwq-ltsr bt.pptx True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\6ruskhssp7.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\cnklxafszhozzrocc.xlsx True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\o-syix25yo.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\dagtlz9umh4kpe_.docx True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\ub7sqjzikr.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\f86pb83io_tkban1xrq.xlsx True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\feqr8sill4.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\g5vj.csv True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\kfgfxkxkom.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\hex3_ifrkmddsx.pptx True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\bc32lqwvc8.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\iti916p.docx True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\xku0mxjiqd.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\k_4d.docx True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\4lllybc7sv.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\n5qgjtqzhp-rooywyw.ods True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\ptenoxu0wv.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\pf0i6vc9bsb8qyde05.xlsx True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\of0hi57jnr.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\sf dxs.docx True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\qstzackcas.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\tduxrvybwwlj5-r.odt True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\53btro0x1v.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\yanz8lfrp.pptx True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\v8hw1zhluq.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\9dbrybjoudhnlbv3.ppt True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\aevh0dz\3f9zwalgsc.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\aevh0dz\6_xzrioom0c2n5m4619-.odp True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\aevh0dz\d4wcraacr0.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\aevh0dz\pcjlckgfzbc5et.odt True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\aevh0dz\i1njmp67n1.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\aevh0dz\pnzi-xajxne4eb73.odt True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\aevh0dz\_esg\j2ut2epxgw.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\aevh0dz\_esg\5r8uljqif.xls True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\hl1esuqlhc.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\glxfc.ppt True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\nvlt6hhl8ezh5vb-pbw1\vz9jirxbis.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\nvlt6hhl8ezh5vb-pbw1\h5 hy6tvuyt.docx True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\nvlt6hhl8ezh5vb-pbw1\8hxr0ftbjx.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\nvlt6hhl8ezh5vb-pbw1\nyft_mipyw.odt True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\nvlt6hhl8ezh5vb-pbw1\qzr2ggbmex.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\nvlt6hhl8ezh5vb-pbw1\tgriqsh_nf.odt True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\06uohzs8yyosupo_9o\p0-pneyqst.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\06uohzs8yyosupo_9o\rb7eoznm5_z1z1qgn1vr.ods True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\x9hko2pw3n.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\mcj3mfiflkkjv 4n7.odt True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\mpjeznbqsh\rfvdkvoqb4.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\mpjeznbqsh\0nr4blvtulmaxi q0zl.pps True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\mpjeznbqsh\efwmoeva8l.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\mpjeznbqsh\4e vaxuu-fkwdlca08.odt True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\mpjeznbqsh\m_paqapiijrmm0wvr\sv5essfdnb.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\mpjeznbqsh\m_paqapiijrmm0wvr\lrwzqbrkfym_lya2j.csv True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\mpjeznbqsh\svtfdbsz7s.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\mpjeznbqsh\q8hv3etm5rchja2kzp.csv True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\mpjeznbqsh\njq2014luc.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\mpjeznbqsh\vbojiv-ug95.odp True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\mpjeznbqsh\cqrpipy0zz.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\mpjeznbqsh\zdtc.odp True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\rky7vzipgi.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\osz7f.xls True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\bsy9stedtm.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\l5nqs z6.docx True 1
MOVE c:\users\hjrd1koky ds8lujv\documents\vbbs4ocxu7.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\documents\zfhxlx9t8ojbbvjhh.docx True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\rfhurs7sso.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\0ee7y22oyidj0hfv.png True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\uqc5salb7s.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\6lqcuaymafbrlvvi.gif True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\9lvsdwjl5r.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\94lbtspxw0_4ce.avi True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\lhnlle1mra.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\9_xhb6hs_.gif True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\wbb1nyns3p.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\bwilg97bej1t.jpg True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\chbopzauxb.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\f7dnw.docx True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\veywf8wha8.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\h-zt.wav True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\72wdecdose.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\hbamswsug_ajwgp47e.wav True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\0ly1wwj-os.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\hkjvu.bmp True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\gwt-58hjfg.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\hmgv.pptx True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\c2tneqkoop.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\ik_q57btt5wemnzymbni.gif True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\di0j78nei8.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\jqe4wnyiy3ydj.pps True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\-pnznezwur.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\ljuosc6fhnajjfuwrl.mp4 True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\upuwmuujmx.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\llua7ex4.mkv True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\pwebptr7kd.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\mekcloizgioyi8rulz.jpg True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\dxdyezvful.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\mtg2 qgc3se.swf True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\vht8oxtuze.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\rmcih-tnqh86ajeu.bmp True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\vpvlgzp8bf.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\vyzfvvaz8d5x4mdvz.rtf True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\x5cctkx i\aedmpdy8pf.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\x5cctkx i\oxu n.mp3 True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\x5cctkx i\tvetgsqfbn.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\x5cctkx i\ufo2czma7o.gif True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\x5cctkx i\epkv1ui7jc.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\x5cctkx i\ulp1gtl5ewpicpm1maeo.m4a True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\x5cctkx i\yftdfezaul.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\x5cctkx i\wi3v-oc4.mp3 True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\0giaekeqpv.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\xinkpyccah_mlh.doc True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\-pnrexrevr.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\ynnruglllfovw evj0ja.mp3 True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\gd2xehcq-b.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\yxmcgxxs0ug.ots True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\iqit9zczod.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\zhllws.m4a True 1
MOVE c:\users\hjrd1koky ds8lujv\desktop\gv3qqjxq43.87b1 source_file_name = c:\users\hjrd1koky ds8lujv\desktop\_dol71dzxmdgahnese.jpg True 1
READ c:\users\hjrd1koky ds8lujv\documents\0ym30ah1p2 o.pptx size = 60 True 1
READ c:\users\hjrd1koky ds8lujv\documents\0ym30ah1p2 o.pptx size = 72751 True 1
READ c:\users\hjrd1koky ds8lujv\documents\2dffhfqbe.xlsx size = 60 True 1
READ c:\users\hjrd1koky ds8lujv\documents\2dffhfqbe.xlsx size = 54675 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 60 True 63
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 67952 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 95491 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 87638 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 51822 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 6163 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 86783 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 69157 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 67682 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 23867 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 2703 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 99286 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 23510 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 81752 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 10409 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 18804 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 12028 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 37907 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 20082 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 13762 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 42968 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 21203 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 21930 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 31089 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 76434 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 19648 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 15645 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 3912 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 46734 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 71251 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 55457 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 13173 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 50570 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 17171 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 92781 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 13061 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 68202 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 91423 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 71419 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 63880 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 62906 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 80841 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 53084 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 14449 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 10086 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 70173 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 60204 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 31020 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 32004 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 6281 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 11243 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 45614 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 37531 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 43850 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 27732 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 74488 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 63389 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 74141 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 55132 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 34113 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 62273 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 61022 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 67934 True 1
READ c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 83711 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\0ym30ah1p2 o.pptx size = 72751 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\0ym30ah1p2 o.pptx size = 60 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\0ym30ah1p2 o.pptx size = 66 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\0ym30ah1p2 o.pptx size = 110 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\0ym30ah1p2 o.pptx size = 256 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\_read_this_file_oy87az4_.hta size = 76756 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\_read_this_file_sna5m_.txt size = 1337 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\_read_this_file_gwjrx_.jpeg size = 217414 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\2dffhfqbe.xlsx size = 54675 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\2dffhfqbe.xlsx size = 60 True 2
WRITE c:\users\hjrd1koky ds8lujv\documents\2dffhfqbe.xlsx size = 110 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\2dffhfqbe.xlsx size = 256 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 67952 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 60 True 68
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 80 True 8
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 110 True 63
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 256 True 63
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 95491 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 87638 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 51822 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 74 True 4
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 6163 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 76 True 9
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 86783 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 72 True 6
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 69157 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 67682 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 48 True 3
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 23867 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 70 True 2
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 2703 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 56 True 3
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 99286 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 50 True 6
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 23510 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 81752 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 78 True 2
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 10409 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 54 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 18804 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 12028 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 37907 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 20082 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 13762 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 68 True 3
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 42968 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 21203 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 58 True 3
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 21930 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 31089 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 64 True 2
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 76434 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 19648 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 15645 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 3912 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 46734 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 71251 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 55457 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 13173 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 50570 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 62 True 3
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 17171 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 92781 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 13061 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 68202 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 91423 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 71419 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 63880 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 62906 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 80841 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 53084 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 52 True 2
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 14449 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 10086 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 70173 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 60204 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 31020 True 1
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 32004 True 1
Fn
Data
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 66 True 1
Fn
Data
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 6281 True 1
Fn
Data
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 11243 True 1
Fn
Data
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 45614 True 1
Fn
Data
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 37531 True 1
Fn
Data
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 43850 True 1
Fn
Data
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 27732 True 1
Fn
Data
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 74488 True 1
Fn
Data
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 63389 True 1
Fn
Data
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 74141 True 1
Fn
Data
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 55132 True 1
Fn
Data
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 34113 True 1
Fn
Data
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 62273 True 1
Fn
Data
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 61022 True 1
Fn
Data
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 67934 True 1
Fn
Data
WRITE c:\users\hjrd1koky ds8lujv\documents\4sbwm903uzhcnxlzbwa.xlsx size = 83711 True 1
Fn
Data
FIND C:\test\cerber_debug.txt False 1
Fn
FIND C:\Program Files (x86)\Windows Defender\* True 1
Fn
FIND C:\Program Files (x86)\Windows Defender\en-US\* True 1
Fn
FIND C:\Users True 2
Fn
FIND C:\Users\HJRD1K~1 True 2
Fn
FIND C:\Users\HJRD1K~1\AppData True 2
Fn
FIND C:\Users\HJRD1K~1\AppData\Local True 2
Fn
FIND C:\Users\HJRD1K~1\AppData\Local\Temp True 2
Fn
FIND C:\Users\HJRD1K~1\AppData\Local\Temp\6017762e False 1
Fn
FIND C:\Users\HJRD1K~1\AppData\Local\Temp\6017762e True 1
Fn
FIND c: True 1
Fn
FIND c:\* True 1
Fn
FIND c:\$recycle.bin\ True 1
Fn
FIND c:\boot\ True 1
Fn
FIND c:\perflogs\ True 2
Fn
FIND c:\program files\ True 2
Fn
FIND c:\program files (x86)\ True 2
Fn
FIND c:\programdata\ True 1
Fn
FIND c:\recovery\ True 1
Fn
FIND c:\system volume information\ True 1
Fn
FIND c:\users\ True 2
Fn
FIND c:\users\* True 1
Fn
FIND c:\users\default\ True 1
Fn
FIND c:\users\hjrd1koky ds8lujv\ True 1
Fn
FIND c:\users\public\ True 2
Fn
FIND c:\users\public\* True 1
Fn
FIND c:\users\public\desktop\ True 1
Fn
FIND c:\users\public\documents\ True 2
Fn
FIND c:\users\public\documents\* True 1
Fn
FIND c:\users\public\downloads\ True 2
Fn
FIND c:\users\public\downloads\* True 1
Fn
FIND c:\users\public\favorites\ True 1
Fn
FIND c:\users\public\libraries\ True 1
Fn
FIND c:\users\public\music\ True 2
Fn
FIND c:\users\public\music\* True 1
Fn
FIND c:\users\public\music\sample music\ True 1
Fn
FIND c:\users\public\pictures\ True 2
Fn
FIND c:\users\public\pictures\* True 1
Fn
FIND c:\users\public\pictures\sample pictures\ True 1
Fn
FIND c:\users\public\recorded tv\ True 2
Fn
FIND c:\users\public\recorded tv\* True 1
Fn
FIND c:\users\public\recorded tv\sample media\ True 2
Fn
FIND c:\users\public\recorded tv\sample media\* True 1
Fn
FIND c:\users\public\videos\ True 2
Fn
FIND c:\users\public\videos\* True 1
Fn
FIND c:\users\public\videos\sample videos\ True 1
Fn
FIND c:\windows\ True 2
Fn
FIND c:\program files (x86)\bitcoin False 1
Fn
FIND c:\program files (x86)\bitcoin\* False 1
Fn
FIND c:\programdata\bitcoin False 1
Fn
FIND c:\programdata\bitcoin\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\bitcoin False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\bitcoin\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\bitcoin False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\bitcoin\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\bitcoin False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\bitcoin\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\bitcoin False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\bitcoin\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\bitcoin False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\bitcoin\* False 1
Fn
FIND c:\program files (x86)\excel False 1
Fn
FIND c:\program files (x86)\excel\* False 1
Fn
FIND c:\programdata\excel False 1
Fn
FIND c:\programdata\excel\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\excel False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\excel\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\excel False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\excel\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\excel False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\excel\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\excel False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\excel\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\excel False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\excel\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\excel False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\excel\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\excel False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\excel\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\excel False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\excel\* False 1
Fn
FIND c:\program files (x86)\microsoft sql server False 1
Fn
FIND c:\program files (x86)\microsoft sql server\* False 1
Fn
FIND c:\programdata\microsoft sql server False 1
Fn
FIND c:\programdata\microsoft sql server\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\microsoft sql server False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\microsoft sql server\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\microsoft sql server False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\microsoft sql server\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\microsoft sql server False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\microsoft sql server\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\microsoft sql server False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\microsoft sql server\* False 1
Fn
FIND c:\program files (x86)\microsoft\excel False 1
Fn
FIND c:\program files (x86)\microsoft\excel\* False 1
Fn
FIND c:\programdata\microsoft\excel False 1
Fn
FIND c:\programdata\microsoft\excel\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\excel False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\excel\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\microsoft\excel False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\microsoft\excel\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\microsoft\excel False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\microsoft\excel\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\microsoft\excel False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\microsoft\excel\* False 1
Fn
FIND c:\program files (x86)\microsoft\microsoft sql server False 1
Fn
FIND c:\program files (x86)\microsoft\microsoft sql server\* False 1
Fn
FIND c:\programdata\microsoft\microsoft sql server False 1
Fn
FIND c:\programdata\microsoft\microsoft sql server\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\microsoft sql server False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\microsoft sql server\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\microsoft\microsoft sql server False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\microsoft\microsoft sql server\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\microsoft\microsoft sql server False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\microsoft\microsoft sql server\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\microsoft\microsoft sql server False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\microsoft\microsoft sql server\* False 1
Fn
FIND c:\program files (x86)\microsoft\office False 1
Fn
FIND c:\program files (x86)\microsoft\office\* False 1
Fn
FIND c:\programdata\microsoft\office False 1
Fn
FIND c:\programdata\microsoft\office\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\office False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\office\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\microsoft\office False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\microsoft\office\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\microsoft\office False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\microsoft\office\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\microsoft\office False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\microsoft\office\* False 1
Fn
FIND c:\program files (x86)\microsoft\onenote False 1
Fn
FIND c:\program files (x86)\microsoft\onenote\* False 1
Fn
FIND c:\programdata\microsoft\onenote False 1
Fn
FIND c:\programdata\microsoft\onenote\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\onenote False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\onenote\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\microsoft\onenote False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\microsoft\onenote\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\microsoft\onenote False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\microsoft\onenote\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\microsoft\onenote False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\microsoft\onenote\* False 1
Fn
FIND c:\program files (x86)\microsoft\outlook False 1
Fn
FIND c:\program files (x86)\microsoft\outlook\* False 1
Fn
FIND c:\programdata\microsoft\outlook False 1
Fn
FIND c:\programdata\microsoft\outlook\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\outlook False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\outlook\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\microsoft\outlook False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\microsoft\outlook\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\microsoft\outlook False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\microsoft\outlook\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\microsoft\outlook False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\microsoft\outlook\* False 1
Fn
FIND c:\program files (x86)\microsoft\powerpoint False 1
Fn
FIND c:\program files (x86)\microsoft\powerpoint\* False 1
Fn
FIND c:\programdata\microsoft\powerpoint False 1
Fn
FIND c:\programdata\microsoft\powerpoint\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\powerpoint False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\powerpoint\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\microsoft\powerpoint False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\microsoft\powerpoint\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\microsoft\powerpoint False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\microsoft\powerpoint\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\microsoft\powerpoint False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\microsoft\powerpoint\* False 1
Fn
FIND c:\program files (x86)\microsoft\word False 1
Fn
FIND c:\program files (x86)\microsoft\word\* False 1
Fn
FIND c:\programdata\microsoft\word False 1
Fn
FIND c:\programdata\microsoft\word\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\word False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\word\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\microsoft\word False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\microsoft\word\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\microsoft\word False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\microsoft\word\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\microsoft\word False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\microsoft\word\* False 1
Fn
FIND c:\program files (x86)\office False 1
Fn
FIND c:\program files (x86)\office\* False 1
Fn
FIND c:\programdata\office False 1
Fn
FIND c:\programdata\office\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\office False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\office\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\office False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\office\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\office False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\office\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\office False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\office\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\office False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\office\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\office False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\office\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\office False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\office\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\office False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\office\* False 1
Fn
FIND c:\program files (x86)\onenote False 1
Fn
FIND c:\program files (x86)\onenote\* False 1
Fn
FIND c:\programdata\onenote False 1
Fn
FIND c:\programdata\onenote\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\onenote False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\onenote\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\onenote False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\onenote\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\onenote False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\onenote\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\onenote False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\onenote\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\onenote False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\onenote\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\onenote False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\onenote\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\onenote False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\onenote\* False 1
Fn
FIND c:\program files (x86)\outlook False 1
Fn
FIND c:\program files (x86)\outlook\* False 1
Fn
FIND c:\programdata\outlook False 1
Fn
FIND c:\programdata\outlook\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\outlook False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\outlook\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\outlook False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\outlook\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\outlook False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\outlook\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\outlook False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\outlook\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\outlook False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\outlook\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\outlook False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\outlook\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\outlook False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\outlook\* False 1
Fn
FIND c:\program files (x86)\powerpoint False 1
Fn
FIND c:\program files (x86)\powerpoint\* False 1
Fn
FIND c:\programdata\powerpoint False 1
Fn
FIND c:\programdata\powerpoint\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\powerpoint False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\powerpoint\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\powerpoint False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\powerpoint\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\powerpoint False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\powerpoint\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\powerpoint False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\powerpoint\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\powerpoint False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\powerpoint\* False 1
Fn
FIND c:\program files (x86)\steam False 1
Fn
FIND c:\program files (x86)\steam\* False 1
Fn
FIND c:\programdata\steam False 1
Fn
FIND c:\programdata\steam\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\steam False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\steam\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\steam False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\steam\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\steam False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\steam\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\steam False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\steam\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\steam False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\steam\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\steam False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\steam\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\steam False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\steam\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\steam False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\steam\* False 1
Fn
FIND c:\program files (x86)\the bat! False 1
Fn
FIND c:\program files (x86)\the bat!\* False 1
Fn
FIND c:\programdata\the bat! False 1
Fn
FIND c:\programdata\the bat!\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\the bat! False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\roaming\the bat!\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\the bat! False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat! False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\the bat! False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\the bat!\* False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\the bat! False 1
Fn
FIND c:\windows\system32\config\systemprofile\appdata\local\the bat!\* False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\the bat! False 1
Fn
FIND c:\windows\serviceprofiles\localservice\appdata\local\the bat!\* False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\the bat! False 1
Fn
FIND c:\windows\serviceprofiles\networkservice\appdata\local\the bat!\* False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\the bat! False 1
Fn
FIND c:\users\hjrd1koky ds8lujv\appdata\local\the bat!\* False 1
Fn
FIND c:\program files (x86)\thunderbird False 1
Fn
FIND c:\program files (x86)\thunderbird\* False 1
Fn
FIND c:\programdata\thunderbird False 1
FIND c:\programdata\thunderbird\* False 1
FIND c:\windows\system32\config\systemprofile\appdata\roaming\thunderbird False 1
FIND c:\windows\system32\config\systemprofile\appdata\roaming\thunderbird\* False 1
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird False 1
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird\* False 1
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird False 1
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird\* False 1
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\thunderbird False 1
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\thunderbird\* False 1
FIND c:\windows\system32\config\systemprofile\appdata\local\thunderbird False 1
FIND c:\windows\system32\config\systemprofile\appdata\local\thunderbird\* False 1
FIND c:\windows\serviceprofiles\localservice\appdata\local\thunderbird False 1
FIND c:\windows\serviceprofiles\localservice\appdata\local\thunderbird\* False 1
FIND c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird False 1
FIND c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird\* False 1
FIND c:\users\hjrd1koky ds8lujv\appdata\local\thunderbird False 1
FIND c:\users\hjrd1koky ds8lujv\appdata\local\thunderbird\* False 1
FIND c:\program files (x86)\word False 1
FIND c:\program files (x86)\word\* False 1
FIND c:\programdata\word False 1
FIND c:\programdata\word\* False 1
FIND c:\windows\system32\config\systemprofile\appdata\roaming\word False 1
FIND c:\windows\system32\config\systemprofile\appdata\roaming\word\* False 1
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\word False 1
FIND c:\windows\serviceprofiles\localservice\appdata\roaming\word\* False 1
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\word False 1
FIND c:\windows\serviceprofiles\networkservice\appdata\roaming\word\* False 1
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\word False 1
FIND c:\users\hjrd1koky ds8lujv\appdata\roaming\word\* False 1
FIND c:\windows\system32\config\systemprofile\appdata\local\word False 1
FIND c:\windows\system32\config\systemprofile\appdata\local\word\* False 1
FIND c:\windows\serviceprofiles\localservice\appdata\local\word False 1
FIND c:\windows\serviceprofiles\localservice\appdata\local\word\* False 1
FIND c:\windows\serviceprofiles\networkservice\appdata\local\word False 1
FIND c:\windows\serviceprofiles\networkservice\appdata\local\word\* False 1
FIND c:\users\hjrd1koky ds8lujv\appdata\local\word False 1
FIND c:\users\hjrd1koky ds8lujv\appdata\local\word\* False 1
FIND c:\windows\system32\config\systemprofile\documents False 1
FIND c:\windows\system32\config\systemprofile\documents\* False 1
FIND c:\windows\serviceprofiles\localservice\documents True 1
FIND c:\windows\serviceprofiles\localservice\documents\* True 1
FIND c:\windows\serviceprofiles\networkservice\documents True 1
FIND c:\windows\serviceprofiles\networkservice\documents\* True 1
FIND c:\users\hjrd1koky ds8lujv\documents True 1
FIND c:\users\hjrd1koky ds8lujv\documents\* True 1
FIND c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\ True 2
FIND c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\* True 1
FIND c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\aevh0dz\ True 2
FIND c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\aevh0dz\* True 1
FIND c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\aevh0dz\unhr9cplg597sd\ True 2
FIND c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\aevh0dz\unhr9cplg597sd\* True 1
FIND c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\aevh0dz\_esg\ True 2
FIND c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\aevh0dz\_esg\* True 1
FIND c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\ True 2
FIND c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\* True 1
FIND c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\nvlt6hhl8ezh5vb-pbw1\ True 2
FIND c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\nvlt6hhl8ezh5vb-pbw1\* True 1
FIND c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\ True 2
FIND c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\* True 1
FIND c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\06uohzs8yyosupo_9o\ True 2
FIND c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\06uohzs8yyosupo_9o\* True 1
FIND c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\mpjeznbqsh\ True 2
FIND c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\mpjeznbqsh\* True 1
FIND c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\mpjeznbqsh\m_paqapiijrmm0wvr\ True 2
FIND c:\users\hjrd1koky ds8lujv\documents\y_ x b91e5l69f16\cvm6dg8vo9rur1hai\xotnwhe5ev\mpjeznbqsh\m_paqapiijrmm0wvr\* True 1
FIND c:\windows\system32\config\systemprofile\desktop False 1
FIND c:\windows\system32\config\systemprofile\desktop\* False 1
FIND c:\windows\serviceprofiles\localservice\desktop True 1
FIND c:\windows\serviceprofiles\localservice\desktop\* True 1
FIND c:\windows\serviceprofiles\networkservice\desktop True 1
FIND c:\windows\serviceprofiles\networkservice\desktop\* True 1
FIND c:\users\hjrd1koky ds8lujv\desktop True 1
FIND c:\users\hjrd1koky ds8lujv\desktop\* True 1
FIND c:\users\hjrd1koky ds8lujv\desktop\aszm5dcdns\ True 2
FIND c:\users\hjrd1koky ds8lujv\desktop\aszm5dcdns\* True 1
FIND c:\users\hjrd1koky ds8lujv\desktop\x5cctkx i\ True 2
FIND c:\users\hjrd1koky ds8lujv\desktop\x5cctkx i\* True 1
FIND c:\users\hjrd1koky ds8lujv\documents\Mk1qEyh-OB.87b1 False 1
FIND c:\users\hjrd1koky ds8lujv\documents\mCjGDC9uzH.87b1 False 1
FIND c:\users\hjrd1koky ds8lujv\documents\wZrLP-viqF.87b1 False 1
Process (7)
Operation Process Name Additional Information Success Count
CREATE C:\Windows\system32\netsh.exe advfirewall set allprofiles state on creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE False 1
CREATE c:\users\hjrd1koky ds8lujv\desktop\_READ_THIS_FILE_SOESZC_.hta operation = open, current_directory = c:\users\hjrd1koky ds8lujv\desktop, show_window = SW_SHOWNORMAL True 1
CREATE c:\users\hjrd1koky ds8lujv\desktop\_READ_THIS_FILE_6LJV87LC_.txt operation = open, current_directory = c:\users\hjrd1koky ds8lujv\desktop, show_window = SW_SHOWNORMAL True 1
CREATE c:\users\hjrd1koky ds8lujv\desktop\_READ_THIS_FILE_4FCM_.jpeg operation = open, current_directory = c:\users\hjrd1koky ds8lujv\desktop, show_window = SW_SHOWNORMAL True 1
OPEN_TOKEN c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe os_pid = 0x9e0, desired_access = PROCESS_VM_OPERATION True 2
TERMINATE True 1
Module (34)
Operation Module Additional Information Success Count
LOAD advapi32.dll base_address = 0x75150000 True 1
LOAD crypt32.dll base_address = 0x76a60000 True 1
LOAD gdi32.dll base_address = 0x760f0000 True 1
LOAD gdiplus.dll base_address = 0x74dd0000 True 1
LOAD kernel32.dll base_address = 0x76bb0000 True 1
LOAD NTDLL base_address = 0x77540000 True 6
LOAD mpr.dll base_address = 0x74db0000 True 1
LOAD netapi32.dll base_address = 0x74d90000 True 1
LOAD SAMCLI base_address = 0x74d40000 True 2
LOAD NETUTILS base_address = 0x74d80000 True 1
LOAD ntdll.dll base_address = 0x77540000 True 1
LOAD ole32.dll base_address = 0x75e50000 True 1
LOAD oleaut32.dll base_address = 0x76360000 True 1
LOAD powrprof.dll base_address = 0x74d10000 True 1
LOAD shell32.dll base_address = 0x75200000 True 1
LOAD shlwapi.dll base_address = 0x75fb0000 True 1
LOAD urlmon.dll base_address = 0x76720000 True 1
LOAD user32.dll base_address = 0x765f0000 True 1
LOAD version.dll base_address = 0x74d00000 True 1
LOAD ws2_32.dll base_address = 0x76010000 True 1
GET_HANDLE c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe base_address = 0x400000 True 1
GET_HANDLE c:\windows\syswow64\advapi32.dll base_address = 0x75150000 True 3
GET_FILENAME C:\Users\hJrD1KOKY DS8lUjv\Desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe True 1
GET_PROC_ADDRESS c:\windows\syswow64\advapi32.dll function = CryptDestroyKey, address = 0x7515c51a True 3
Com (781)
Operation Class Interface Additional Information Success Count
CREATE WbemLocator IWbemLocator cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD, CLSCTX_NO_FAILURE_LOG True 6
CREATE ShellLink IShellLinkW cls_context = CLSCTX_INPROC_SERVER True 149
CREATE SpVoice ISpVoice cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
QUERY ShellLink IShellLinkW new_interface = IPersistFile True 149
METHOD WbemLocator IWbemLocator new_interface = IWbemServices, method = ConnectServer True 6
METHOD WbemLocator IWbemServices new_interface = IEnumWbemClassObject, method = ExecQuery True 6
METHOD WbemLocator IEnumWbemClassObject method = Next False 6
METHOD WbemLocator IEnumWbemClassObject new_interface = IWbemClassObject, method = Next True 1
METHOD WbemLocator IWbemClassObject method = Get True 2
METHOD ShellLink IPersistFile method = Load True 149
METHOD ShellLink IShellLinkW method = GetPath True 149
METHOD ShellLink IShellLinkW method = GetIDList True 149
METHOD IStream method = RemoteSeek True 1
METHOD IStream method = Stat True 1
METHOD IStream method = RemoteRead True 1
METHOD SpVoice ISpVoice method = Speak True 4
METHOD SpVoice ISpVoice method = Speak False 1
Registry (3)
Operation Key Additional Information Success Count
OPEN_KEY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography True 1
READ_VALUE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography value_name = MachineGuid True 1
READ_VALUE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography value_name = MachineGuid, data_ident_out = 54 True 1
Window (1)
Operation Window Name Additional Information Success Count
CREATE class_name = J+bqdi[rGb6HCcT-8l-^%VO^6(olFew6YP)q0gqJ}2A*mE=o92=Gekrdw#lv4>x6tcIs{c[2-}gkge)yQOYE5NbO(%--Jv($43(C}TZ^<82{hZ)K@PGvPbmCX&vnK o+!~^@23>=jS!^L0MF$&6f<Cq}ywzLhZ0wCyo)KJdq0H}KY{9!DlhkE5T{rZ=aAZ)ikFP)~x0<Z48TvtAzH[-Be-rK~u(&3&+zJ@ 6cA+HDwpCrf7KTF71h6$Stc3W&jA, x_coordinate = 1, y_coordinate = 1, width = 1, height = 1, window_parameter = 0 True 1
Keyboard (2)
Operation Virtual Key Code Additional Information Success Count
GET_INFO KB_LOCALE_ID True 2
System (38)
Operation Information Success Count
SLEEP duration = 1 milliseconds (0.001 seconds) True 38
Mutex (1)
Operation Name Additional Information Success Count
CREATE shell.{0835FA03-68AC-09B6-0CE4-703246A746AB} initial_owner = 0 True 1
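Read together, the Process, Com, Registry and Mutex tables of this process give a small set of behaviours that a triage rule can key on: a hidden child netsh.exe run with "advfirewall set allprofiles state on", three files named _READ_THIS_FILE_<token>_ in .hta, .txt and .jpeg form opened through the shell from the Desktop, 149 ShellLink/IPersistFile::Load calls followed by GetPath and GetIDList (shortcut targets resolved in bulk), WMI queries through WbemLocator::ExecQuery, SpVoice::Speak, a read of HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid, and a mutex named shell.{GUID}. The script below is an added analyst example, not VMRay output, that scores those rows. SAMPLE_EVENTS is constructed from rows on this page, each prefixed with the table it came from (our convention, not the report's); the rule names, the 50-call threshold and the weights are arbitrary choices for illustration. Note that the netsh row is marked False in the Success column even though netsh.exe did run as Process #3, so the rule keys on the command line rather than on that flag.

```python
"""Triage the Process, Com, Registry and Mutex rows of this process.

Added analyst example, not VMRay output. SAMPLE_EVENTS is constructed from
rows on this page, each prefixed with its table name (our convention); the
rule names, the 50-call threshold and the weights are arbitrary.
"""
import re
from collections import defaultdict

SAMPLE_EVENTS = r"""
Process CREATE C:\Windows\system32\netsh.exe advfirewall set allprofiles state on creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE False 1
Process CREATE c:\users\hjrd1koky ds8lujv\desktop\_READ_THIS_FILE_SOESZC_.hta operation = open, current_directory = c:\users\hjrd1koky ds8lujv\desktop, show_window = SW_SHOWNORMAL True 1
Process CREATE c:\users\hjrd1koky ds8lujv\desktop\_READ_THIS_FILE_6LJV87LC_.txt operation = open, current_directory = c:\users\hjrd1koky ds8lujv\desktop, show_window = SW_SHOWNORMAL True 1
Process CREATE c:\users\hjrd1koky ds8lujv\desktop\_READ_THIS_FILE_4FCM_.jpeg operation = open, current_directory = c:\users\hjrd1koky ds8lujv\desktop, show_window = SW_SHOWNORMAL True 1
Com CREATE ShellLink IShellLinkW cls_context = CLSCTX_INPROC_SERVER True 149
Com METHOD ShellLink IPersistFile method = Load True 149
Com METHOD WbemLocator IWbemServices new_interface = IEnumWbemClassObject, method = ExecQuery True 6
Com METHOD SpVoice ISpVoice method = Speak True 4
Registry READ_VALUE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography value_name = MachineGuid True 1
Mutex CREATE shell.{0835FA03-68AC-09B6-0CE4-703246A746AB} initial_owner = 0 True 1
"""

EVENT_RE = re.compile(r"^(?P<table>\w+) (?P<op>\w+) (?P<rest>.+?) (?P<ok>True|False) (?P<n>\d+)$")
NETSH_RE = re.compile(r"netsh\.exe\s+(?P<args>.+?)(?:\s+creation_flags\s*=|$)", re.I)
MUTEX_RE = re.compile(r"^shell\.\{[0-9a-f-]{36}\}$", re.I)   # naming seen on this page
LNK_BULK = 50   # IPersistFile::Load calls; this process made 149
WEIGHTS = {"ransom_notes": 4, "netsh_firewall": 2, "tts_speak": 2, "machine_guid": 1,
           "lnk_resolution": 1, "wmi_query": 1, "shell_guid_mutex": 1}


def parse_events(text):
    """Rows in '<table> <op> <details> <Success> <Count>' form -> dicts."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({"table": m["table"], "op": m["op"], "rest": m["rest"],
                           "ok": m["ok"] == "True", "count": int(m["n"])})
    return events


def note_key(path):
    """(directory, name minus its random token, extension) for a dropped file.

    _READ_THIS_FILE_SOESZC_.hta -> ('...\\desktop', '_read_this_file', 'hta')
    """
    d, _, name = path.rpartition("\\")
    stem, _, ext = name.rpartition(".")
    prefix = stem.rstrip("_").rpartition("_")[0]
    return d.lower(), prefix.lower(), ext.lower()


def triage(events):
    """Return {rule_name: details} for every rule that fires."""
    findings = {}
    notes = defaultdict(set)   # (directory, prefix) -> extensions opened
    for e in events:
        t, op, rest, n = e["table"], e["op"], e["rest"], e["count"]
        if t == "Process" and op == "CREATE":
            m = NETSH_RE.search(rest)
            if m:   # keyed on the command line, not on the Success column
                findings["netsh_firewall"] = {"args": m["args"], "hidden": "SW_HIDE" in rest}
            elif " operation = open" in rest:   # document handed to the shell
                d, prefix, ext = note_key(rest.split(" operation = ", 1)[0])
                notes[(d, prefix)].add(ext)
        elif t == "Com" and e["ok"] and rest.startswith("SpVoice") and rest.endswith("Speak"):
            findings["tts_speak"] = {"count": n}
        elif t == "Com" and rest.startswith("ShellLink IPersistFile") \
                and rest.endswith("Load") and n >= LNK_BULK:
            findings["lnk_resolution"] = {"count": n}
        elif t == "Com" and rest.endswith("ExecQuery"):
            findings["wmi_query"] = {"count": n}
        elif t == "Registry" and "value_name = MachineGuid" in rest:
            findings["machine_guid"] = {"count": n}
        elif t == "Mutex" and op == "CREATE" and MUTEX_RE.match(rest.split(" ", 1)[0]):
            findings["shell_guid_mutex"] = {"name": rest.split(" ", 1)[0]}
    for (d, prefix), exts in notes.items():
        if len(exts) >= 2:   # the same note dropped in several formats
            findings["ransom_notes"] = {"directory": d, "prefix": prefix,
                                        "extensions": sorted(exts)}
    return findings


def risk_score(findings):
    return sum(WEIGHTS.get(k, 0) for k in findings)


if __name__ == "__main__":
    f = triage(parse_events(SAMPLE_EVENTS))
    for k, v in f.items():
        print(f"{k}: {v}")
    print("score:", risk_score(f))
```

The ransom-note rule is the one worth keeping generic: it groups shell-opened files by directory and by name with the trailing random token removed, and fires only when the same stem appears with two or more extensions, which is what distinguishes the three files above from a user double-clicking a document. The mutex pattern is the naming seen on this page and nothing more; do not read it as a family signature without corroboration from other samples.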
Process #3: netsh.exe
(Host: 45, Network: 0)
Information Value
ID #3
File Name c:\windows\syswow64\netsh.exe
Command Line C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
Initial Working Directory C:\Users\hJrD1KOKY DS8lUjv\Desktop
Monitor Start Time: 00:00:51, Reason: Child Process
Unmonitor End Time: 00:01:09, Reason: Terminated
Monitor Duration 00:00:18
OS Process Information
Information Value
PID 0xa00
Parent PID 0x9e0 (c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username 1R6PFH\hJrD1KOKY DS8lUjv
Groups
  • 1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000e04f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x A04
0x A14
0x A18
0x A1C
0x A20
0x A24
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
netsh.exe.mui 0x00030000 0x00034fff Memory Mapped File Readable, Writable False False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False
locale.nls 0x00070000 0x000d6fff Memory Mapped File Readable False False False
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True False False
pagefile_0x0000000000100000 0x00100000 0x00101fff Pagefile Backed Memory Readable True False False
odbcint.dll.mui 0x00110000 0x0011afff Memory Mapped File Readable, Writable False False False
private_0x0000000000120000 0x00120000 0x0015ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000160000 0x00160000 0x00161fff Pagefile Backed Memory Readable True False False
private_0x0000000000170000 0x00170000 0x0023ffff Private Memory Readable, Writable True False False
private_0x0000000000170000 0x00170000 0x001effff Private Memory Readable, Writable True False False
mfc42u.dll.mui 0x001f0000 0x001f7fff Memory Mapped File Readable, Writable False False False
private_0x0000000000200000 0x00200000 0x0023ffff Private Memory Readable, Writable True False False
setupapi.dll.mui 0x00240000 0x0024cfff Memory Mapped File Readable, Writable False False False
private_0x0000000000250000 0x00250000 0x0025ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000260000 0x00260000 0x00260fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000270000 0x00270000 0x00271fff Pagefile Backed Memory Readable True False False
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000380000 0x00380000 0x00507fff Pagefile Backed Memory Readable True False False
private_0x0000000000510000 0x00510000 0x0054ffff Private Memory Readable, Writable True False False
crypt32.dll.mui 0x00550000 0x00558fff Memory Mapped File Readable, Writable False False False
private_0x0000000000560000 0x00560000 0x005dffff Private Memory Readable, Writable True False False
pagefile_0x00000000005e0000 0x005e0000 0x00760fff Pagefile Backed Memory Readable True False False
fwcfg.dll.mui 0x00770000 0x00780fff Memory Mapped File Readable, Writable False False False
pagefile_0x0000000000790000 0x00790000 0x00790fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000007a0000 0x007a0000 0x007a0fff Pagefile Backed Memory Readable True False False
dhcpqec.dll.mui 0x007b0000 0x007b1fff Memory Mapped File Readable, Writable False False False
private_0x00000000007c0000 0x007c0000 0x008bffff Private Memory Readable, Writable True False False
private_0x00000000008c0000 0x008c0000 0x0098ffff Private Memory Readable, Writable True False False
private_0x00000000008c0000 0x008c0000 0x0093ffff Private Memory Readable, Writable True False False
private_0x00000000008c0000 0x008c0000 0x0091ffff Private Memory Readable, Writable True False False
p2pnetsh.dll.mui 0x008c0000 0x008c9fff Memory Mapped File Readable, Writable False False False
private_0x00000000008e0000 0x008e0000 0x0091ffff Private Memory Readable, Writable True False False
private_0x0000000000930000 0x00930000 0x0093ffff Private Memory Readable, Writable True False False
private_0x0000000000950000 0x00950000 0x0098ffff Private Memory Readable, Writable True False False
private_0x0000000000990000 0x00990000 0x00a8ffff Private Memory Readable, Writable True False False
private_0x0000000000a90000 0x00a90000 0x00acffff Private Memory Readable, Writable True False False
netsh.exe 0x00b00000 0x00b1afff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000000b20000 0x00b20000 0x01f1ffff Pagefile Backed Memory Readable True False False
private_0x0000000001f20000 0x01f20000 0x01ffffff Private Memory Readable, Writable True False False
private_0x0000000001f20000 0x01f20000 0x01f9ffff Private Memory Readable, Writable True False False
private_0x0000000001fc0000 0x01fc0000 0x01ffffff Private Memory Readable, Writable True False False
sortdefault.nls 0x02000000 0x022cefff Memory Mapped File Readable False False False
private_0x00000000022d0000 0x022d0000 0x0243ffff Private Memory Readable, Writable True False False
private_0x00000000022d0000 0x022d0000 0x0237ffff Private Memory Readable, Writable True False False
private_0x00000000023b0000 0x023b0000 0x023effff Private Memory Readable, Writable True False False
private_0x0000000002400000 0x02400000 0x0243ffff Private Memory Readable, Writable True False False
private_0x0000000002450000 0x02450000 0x0248ffff Private Memory Readable, Writable True False False
private_0x00000000024b0000 0x024b0000 0x024effff Private Memory Readable, Writable True False False
private_0x0000000002530000 0x02530000 0x0262ffff Private Memory Readable, Writable True False False
private_0x0000000002630000 0x02630000 0x0282ffff Private Memory Readable, Writable True False False
pagefile_0x0000000002630000 0x02630000 0x0270efff Pagefile Backed Memory Readable True False False
private_0x0000000002730000 0x02730000 0x0276ffff Private Memory Readable, Writable True False False
private_0x0000000002770000 0x02770000 0x027affff Private Memory Readable, Writable True False False
private_0x0000000002810000 0x02810000 0x0282ffff Private Memory Readable, Writable True False False
private_0x0000000002850000 0x02850000 0x0288ffff Private Memory Readable, Writable True False False
private_0x0000000002910000 0x02910000 0x02a0ffff Private Memory Readable, Writable True False False
private_0x0000000002a90000 0x02a90000 0x02acffff Private Memory Readable, Writable True False False
private_0x0000000002b60000 0x02b60000 0x02c5ffff Private Memory Readable, Writable True False False
private_0x0000000002d60000 0x02d60000 0x02e5ffff Private Memory Readable, Writable True False False
private_0x0000000002f40000 0x02f40000 0x0303ffff Private Memory Readable, Writable True False False
bcryptprimitives.dll 0x73900000 0x7393cfff Memory Mapped File Readable, Writable, Executable False False False
gpapi.dll 0x73940000 0x73955fff Memory Mapped File Readable, Writable, Executable False False False
rpcrtremote.dll 0x73960000 0x7396dfff Memory Mapped File Readable, Writable, Executable False False False
qagent.dll 0x73970000 0x7399dfff Memory Mapped File Readable, Writable, Executable False False False
peerdistsh.dll 0x739a0000 0x73a44fff Memory Mapped File Readable, Writable, Executable False False False
wlanhlp.dll 0x73a50000 0x73a66fff Memory Mapped File Readable, Writable, Executable False False False
wlanutil.dll 0x73a70000 0x73a75fff Memory Mapped File Readable, Writable, Executable False False False
wlanapi.dll 0x73a80000 0x73a95fff Memory Mapped File Readable, Writable, Executable False False False
wlancfg.dll 0x73aa0000 0x73acdfff Memory Mapped File Readable, Writable, Executable False False False
p2pcollab.dll 0x73ad0000 0x73b37fff Memory Mapped File Readable, Writable, Executable False False False
p2p.dll 0x73b40000 0x73b77fff Memory Mapped File Readable, Writable, Executable False False False
p2pnetsh.dll 0x73b80000 0x73ba4fff Memory Mapped File Readable, Writable, Executable False False False
polstore.dll 0x73bb0000 0x73bf5fff Memory Mapped File Readable, Writable, Executable False False False
adsldpc.dll 0x73c00000 0x73c33fff Memory Mapped File Readable, Writable, Executable False False False
activeds.dll 0x73c40000 0x73c74fff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x73c80000 0x73c8afff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x73c90000 0x73ca6fff Memory Mapped File Readable, Writable, Executable False False False
nshipsec.dll 0x73cb0000 0x73d08fff Memory Mapped File Readable, Writable, Executable False False False
logoncli.dll 0x73d20000 0x73d41fff Memory Mapped File Readable, Writable, Executable False False False
certcli.dll 0x73d50000 0x73da5fff Memory Mapped File Readable, Writable, Executable False False False
napmontr.dll 0x73db0000 0x73dd8fff Memory Mapped File Readable, Writable, Executable False False False
eappprxy.dll 0x73de0000 0x73df0fff Memory Mapped File Readable, Writable, Executable False False False
onex.dll 0x73e00000 0x73e33fff Memory Mapped File Readable, Writable, Executable False False False
eappcfg.dll 0x73e40000 0x73e6efff Memory Mapped File Readable, Writable, Executable False False False
atl.dll 0x73e70000 0x73e83fff Memory Mapped File Readable, Writable, Executable False False False
dot3api.dll 0x73e90000 0x73ea9fff Memory Mapped File Readable, Writable, Executable False False False
dot3cfg.dll 0x73eb0000 0x73ec6fff Memory Mapped File Readable, Writable, Executable False False False
rpcnsh.dll 0x73ed0000 0x73edafff Memory Mapped File Readable, Writable, Executable False False False
nlaapi.dll 0x73ee0000 0x73eeffff Memory Mapped File Readable, Writable, Executable False False False
netshell.dll 0x73ef0000 0x74154fff Memory Mapped File Readable, Writable, Executable False False False
hnetmon.dll 0x74160000 0x74166fff Memory Mapped File Readable, Writable, Executable False False False
webio.dll 0x74170000 0x741befff Memory Mapped File Readable, Writable, Executable False False False
winhttp.dll 0x741c0000 0x74217fff Memory Mapped File Readable, Writable, Executable False False False
whhelper.dll 0x74220000 0x74226fff Memory Mapped File Readable, Writable, Executable False False False
dnsapi.dll 0x74230000 0x74273fff Memory Mapped File Readable, Writable, Executable False False False
netiohlp.dll 0x74280000 0x742abfff Memory Mapped File Readable, Writable, Executable False False False
devrtl.dll 0x742b0000 0x742bdfff Memory Mapped File Readable, Writable, Executable False False False
nci.dll 0x742c0000 0x742d5fff Memory Mapped File Readable, Writable, Executable False False False
ifmon.dll 0x742e0000 0x742e8fff Memory Mapped File Readable, Writable, Executable False False False
winipsec.dll 0x742f0000 0x74303fff Memory Mapped File Readable, Writable, Executable False False False
bcrypt.dll 0x74310000 0x74326fff Memory Mapped File Readable, Writable, Executable False False False
authfwcfg.dll 0x74330000 0x74383fff Memory Mapped File Readable, Writable, Executable False False False
firewallapi.dll 0x74390000 0x74405fff Memory Mapped File Readable, Writable, Executable False False False
fwcfg.dll 0x74410000 0x74420fff Memory Mapped File Readable, Writable, Executable False False False
httpapi.dll 0x74430000 0x7443afff Memory Mapped File Readable, Writable, Executable False False False
nshhttp.dll 0x74440000 0x74449fff Memory Mapped File Readable, Writable, Executable False False False
mswsock.dll 0x74450000 0x7448bfff Memory Mapped File Readable, Writable, Executable False False False
ws2help.dll 0x74490000 0x74492fff Memory Mapped File Readable, Writable, Executable False False False
wshelper.dll 0x744a0000 0x744a6fff Memory Mapped File Readable, Writable, Executable False False False
wevtapi.dll 0x744b0000 0x744f1fff Memory Mapped File Readable, Writable, Executable False False False
qutil.dll 0x74500000 0x74516fff Memory Mapped File Readable, Writable, Executable False False False
dhcpqec.dll 0x74520000 0x74536fff Memory Mapped File Readable, Writable, Executable False False False
dhcpcsvc6.dll 0x74540000 0x7454cfff Memory Mapped File Readable, Writable, Executable False False False
dhcpcsvc.dll 0x74550000 0x74561fff Memory Mapped File Readable, Writable, Executable False False False
dhcpcmonitor.dll 0x74570000 0x74575fff Memory Mapped File Readable, Writable, Executable False False False
slc.dll 0x74580000 0x74589fff Memory Mapped File Readable, Writable, Executable False False False
nshwfp.dll 0x74590000 0x74633fff Memory Mapped File Readable, Writable, Executable False False False
odbcint.dll 0x74640000 0x74677fff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x74680000 0x7469bfff Memory Mapped File Readable, Writable, Executable False False False
odbc32.dll 0x746a0000 0x7472bfff Memory Mapped File Readable, Writable, Executable False False False
mfc42u.dll 0x74730000 0x7484efff Memory Mapped File Readable, Writable, Executable False False False
fwpuclnt.dll 0x74850000 0x74887fff Memory Mapped File Readable, Writable, Executable False False False
rasapi32.dll 0x74890000 0x748e1fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x74910000 0x7498ffff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x749a0000 0x749fbfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x74a00000 0x74a3efff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x74a40000 0x74a46fff Memory Mapped File Readable, Writable, Executable False False False
rasman.dll 0x74a50000 0x74a64fff Memory Mapped File Readable, Writable, Executable False False False
mprapi.dll 0x74a70000 0x74a98fff Memory Mapped File Readable, Writable, Executable False False False
rasmontr.dll 0x74aa0000 0x74acdfff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x74ad0000 0x74c6dfff Memory Mapped File Readable, Writable, Executable False False False
credui.dll 0x74c70000 0x74c9afff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x74ca0000 0x74cdafff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x74ce0000 0x74cf5fff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x74d00000 0x74d08fff Memory Mapped File Readable, Writable, Executable False False False
wkscli.dll 0x74d50000 0x74d5efff Memory Mapped File Readable, Writable, Executable False False False
srvcli.dll 0x74d60000 0x74d78fff Memory Mapped File Readable, Writable, Executable False False False
netutils.dll 0x74d80000 0x74d88fff Memory Mapped File Readable, Writable, Executable False False False
netapi32.dll 0x74d90000 0x74da0fff Memory Mapped File Readable, Writable, Executable False False False
mpr.dll 0x74db0000 0x74dc1fff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x75060000 0x75067fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75090000 0x7509bfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x750a0000 0x750fffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x75100000 0x75109fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x75110000 0x75128fff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x75130000 0x75141fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x75150000 0x751effff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x751f0000 0x751fbfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75200000 0x75e49fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75e50000 0x75fabfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x75fb0000 0x76006fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x76010000 0x76044fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76050000 0x760ecfff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x760f0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76180000 0x7624bfff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x76350000 0x76355fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76360000 0x763eefff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x763f0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x764e0000 0x7653ffff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76540000 0x765ebfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x765f0000 0x766effff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x76a60000 0x76b7cfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76bb0000 0x76cbffff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x76d50000 0x76eecfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x76fe0000 0x77025fff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x77030000 0x77056fff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x77060000 0x770a4fff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x770b0000 0x77132fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077140000 0x77140000 0x77239fff Private Memory Readable, Writable, Executable True False False
private_0x0000000077240000 0x77240000 0x7735efff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x77360000 0x77508fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77540000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Host Behavior
File (4)
Operation Filename Additional Information Success Count
OPEN STD_OUTPUT_HANDLE True 2
WRITE STD_OUTPUT_HANDLE size = 5 True 1
WRITE STD_OUTPUT_HANDLE size = 2 True 1
Module (40)
Operation Module Additional Information Success Count
LOAD RASMONTR.DLL base_address = 0x74aa0000 True 1
LOAD NSHWFP.DLL base_address = 0x74590000 True 1
LOAD DHCPCMONITOR.DLL base_address = 0x74570000 True 1
LOAD WSHELPER.DLL base_address = 0x744a0000 True 1
LOAD NSHHTTP.DLL base_address = 0x74440000 True 1
LOAD FWCFG.DLL base_address = 0x74410000 True 1
LOAD AUTHFWCFG.DLL base_address = 0x74330000 True 1
LOAD IFMON.DLL base_address = 0x742e0000 True 1
LOAD NETIOHLP.DLL base_address = 0x74280000 True 1
LOAD WHHELPER.DLL base_address = 0x74220000 True 1
LOAD HNETMON.DLL base_address = 0x74160000 True 1
LOAD RPCNSH.DLL base_address = 0x73ed0000 True 1
LOAD DOT3CFG.DLL base_address = 0x73eb0000 True 1
LOAD NAPMONTR.DLL base_address = 0x73db0000 True 1
LOAD NSHIPSEC.DLL base_address = 0x73cb0000 True 1
LOAD P2PNETSH.DLL base_address = 0x73b80000 True 1
LOAD WLANCFG.DLL base_address = 0x73aa0000 True 1
LOAD PEERDISTSH.DLL base_address = 0x739a0000 True 1
LOAD kernel32.dll base_address = 0x76bb0000 True 1
GET_HANDLE c:\windows\syswow64\netsh.exe base_address = 0xb00000 True 2
GET_PROC_ADDRESS c:\windows\syswow64\rasmontr.dll function = InitHelperDll, address = 0x74ab6cb9 True 1
GET_PROC_ADDRESS c:\windows\syswow64\nshwfp.dll function = InitHelperDll, address = 0x745ebbb2 True 1
GET_PROC_ADDRESS c:\windows\syswow64\dhcpcmonitor.dll function = InitHelperDll, address = 0x74571cd4 True 1
GET_PROC_ADDRESS c:\windows\syswow64\wshelper.dll function = InitHelperDll, address = 0x744a157b True 1
GET_PROC_ADDRESS c:\windows\syswow64\nshhttp.dll function = InitHelperDll, address = 0x74441b47 True 1
GET_PROC_ADDRESS c:\windows\syswow64\fwcfg.dll function = InitHelperDll, address = 0x74412a30 True 1
GET_PROC_ADDRESS c:\windows\syswow64\authfwcfg.dll function = InitHelperDll, address = 0x74334420 True 1
GET_PROC_ADDRESS c:\windows\syswow64\ifmon.dll function = InitHelperDll, address = 0x742e17a3 True 1
GET_PROC_ADDRESS c:\windows\syswow64\netiohlp.dll function = InitHelperDll, address = 0x74296e4b True 1
GET_PROC_ADDRESS c:\windows\syswow64\whhelper.dll function = InitHelperDll, address = 0x74221c99 True 1
GET_PROC_ADDRESS c:\windows\syswow64\hnetmon.dll function = InitHelperDll, address = 0x7416200c True 1
GET_PROC_ADDRESS c:\windows\syswow64\rpcnsh.dll function = InitHelperDll, address = 0x73ed2f94 True 1
GET_PROC_ADDRESS c:\windows\syswow64\dot3cfg.dll function = InitHelperDll, address = 0x73eba31d True 1
GET_PROC_ADDRESS c:\windows\syswow64\napmontr.dll function = InitHelperDll, address = 0x73dbc7d5 True 1
GET_PROC_ADDRESS c:\windows\syswow64\nshipsec.dll function = InitHelperDll, address = 0x73cb6910 True 1
GET_PROC_ADDRESS c:\windows\syswow64\p2pnetsh.dll function = InitHelperDll, address = 0x73b838e5 True 1
GET_PROC_ADDRESS c:\windows\syswow64\wlancfg.dll function = InitHelperDll, address = 0x73aac7d8 True 1
GET_PROC_ADDRESS c:\windows\syswow64\peerdistsh.dll function = InitHelperDll, address = 0x73a1c796 True 1
GET_PROC_ADDRESS c:\windows\syswow64\kernel32.dll function = SetThreadUILanguage, address = 0x76bda84f True 1
Registry (1)
Operation Key Additional Information Success Count Logfile
OPEN_KEY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Process #4: svchost.exe
Information Value
ID #4
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k netsvcs
Initial Working Directory C:\Windows\system32
Monitor Start Time: 00:00:58, Reason: RPC Server
Unmonitor End Time: 00:02:26, Reason: Terminated by Timeout
Monitor Duration 00:01:28
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x35c
Parent PID 0x1c0 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Groups
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT SERVICE\BDESVC (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\BITS (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\CertPropSvc (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\EapHost (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\hkmsvc (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\IKEEXT (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\iphlpsvc (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\LanmanServer (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\MMCSS (ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • NT SERVICE\MSiSCSI (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\RasAuto (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\RasMan (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\RemoteAccess (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\Schedule (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\SCPolicySvc (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\SENS (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\SessionEnv (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\SharedAccess (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\ShellHWDetection (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\wercplsupport (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\Winmgmt (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\wuauserv (ENABLED_BY_DEFAULT, OWNER)
  • NT AUTHORITY\Logon Session 00000000:0000c9af (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (ENABLED_BY_DEFAULT, ENABLED, OWNER)
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
svchost.exe.mui 0x00020000 0x00020fff Memory Mapped File Readable, Writable False False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory Readable, Writable True False False
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory Readable, Writable True False False
private_0x00000000000e0000 0x000e0000 0x0015ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000160000 0x00160000 0x00160fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000170000 0x00170000 0x00170fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000180000 0x00180000 0x00180fff Pagefile Backed Memory Readable True False False
gpsvc.dll.mui 0x00190000 0x0019afff Memory Mapped File Readable, Writable False False False
setupapi.dll.mui 0x001a0000 0x001acfff Memory Mapped File Readable, Writable False False False
taskcomp.dll.mui 0x001b0000 0x001b3fff Memory Mapped File Readable, Writable False False False
schedsvc.dll.mui 0x001c0000 0x001c9fff Memory Mapped File Readable, Writable False False False
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory Readable, Writable True False False
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory Readable, Writable True False False
private_0x00000000003d0000 0x003d0000 0x003d0fff Private Memory Readable, Writable True False False
pagefile_0x00000000003e0000 0x003e0000 0x003e1fff Pagefile Backed Memory Readable True False False
cversions.2.db 0x003f0000 0x003f3fff Memory Mapped File Readable True False False
pagefile_0x0000000000400000 0x00400000 0x00401fff Pagefile Backed Memory Readable True False False
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000a.db 0x00410000 0x0043ffff Memory Mapped File Readable True False False
private_0x0000000000440000 0x00440000 0x0044ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000450000 0x00450000 0x005d7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000005e0000 0x005e0000 0x00760fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000770000 0x00770000 0x0082ffff Pagefile Backed Memory Readable True False False
cversions.2.db 0x00830000 0x00833fff Memory Mapped File Readable True False False
propsys.dll.mui 0x00840000 0x0084dfff Memory Mapped File Readable, Writable False False False
vsstrace.dll.mui 0x00850000 0x00857fff Memory Mapped File Readable, Writable False False False
private_0x0000000000860000 0x00860000 0x008dffff Private Memory Readable, Writable True False False
private_0x0000000000860000 0x00860000 0x00860fff Private Memory Readable, Writable True False False
pagefile_0x0000000000870000 0x00870000 0x00870fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000880000 0x00880000 0x00880fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000008e0000 0x008e0000 0x008e0fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000008f0000 0x008f0000 0x0096ffff Private Memory Readable, Writable True False False
firewallapi.dll.mui 0x00970000 0x0098bfff Memory Mapped File Readable, Writable False False False
pagefile_0x0000000000990000 0x00990000 0x00990fff Pagefile Backed Memory Readable True False False
private_0x00000000009a0000 0x009a0000 0x00a1ffff Private Memory Readable, Writable True False False
wshtcpip.dll.mui 0x00a20000 0x00a20fff Memory Mapped File Readable, Writable False False False
private_0x0000000000a30000 0x00a30000 0x00aaffff Private Memory Readable, Writable True False False
wship6.dll.mui 0x00ab0000 0x00ab0fff Memory Mapped File Readable, Writable False False False
nci.dll.mui 0x00ac0000 0x00ac0fff Memory Mapped File Readable, Writable False False False
private_0x0000000000af0000 0x00af0000 0x00b6ffff Private Memory Readable, Writable True False False
private_0x0000000000b90000 0x00b90000 0x00c0ffff Private Memory Readable, Writable True False False
private_0x0000000000c30000 0x00c30000 0x00caffff Private Memory Readable, Writable True False False
sortdefault.nls 0x00cb0000 0x00f7efff Memory Mapped File Readable False False False
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x00f80000 0x00fe5fff Memory Mapped File Readable True False False
private_0x0000000000ff0000 0x00ff0000 0x0106ffff Private Memory Readable, Writable True False False
private_0x0000000001090000 0x01090000 0x0110ffff Private Memory Readable, Writable True False False
private_0x0000000001130000 0x01130000 0x011affff Private Memory Readable, Writable True False False
private_0x00000000011c0000 0x011c0000 0x0123ffff Private Memory Readable, Writable True False False
private_0x0000000001280000 0x01280000 0x0128ffff Private Memory Readable, Writable True False False
private_0x00000000012c0000 0x012c0000 0x0133ffff Private Memory Readable, Writable True False False
private_0x0000000001370000 0x01370000 0x013effff Private Memory Readable, Writable True False False
private_0x0000000001380000 0x01380000 0x013fffff Private Memory Readable, Writable True False False
private_0x00000000013f0000 0x013f0000 0x0146ffff Private Memory Readable, Writable True False False
private_0x0000000001400000 0x01400000 0x0147ffff Private Memory Readable, Writable True False False
private_0x0000000001430000 0x01430000 0x014affff Private Memory Readable, Writable True False False
private_0x00000000014c0000 0x014c0000 0x0153ffff Private Memory Readable, Writable True False False
private_0x0000000001560000 0x01560000 0x015dffff Private Memory Readable, Writable True False False
private_0x00000000015b0000 0x015b0000 0x0162ffff Private Memory Readable, Writable True False False
private_0x00000000015f0000 0x015f0000 0x0166ffff Private Memory Readable, Writable True False False
private_0x0000000001690000 0x01690000 0x0170ffff Private Memory Readable, Writable True False False
private_0x0000000001710000 0x01710000 0x0178ffff Private Memory Readable, Writable True False False
private_0x00000000017d0000 0x017d0000 0x0184ffff Private Memory Readable, Writable True False False
private_0x00000000018a0000 0x018a0000 0x0191ffff Private Memory Readable, Writable True False False
private_0x0000000001980000 0x01980000 0x0198ffff Private Memory Readable, Writable True False False
private_0x0000000001990000 0x01990000 0x01a0ffff Private Memory Readable, Writable True False False
private_0x0000000001a70000 0x01a70000 0x01aeffff Private Memory Readable, Writable True False False
private_0x0000000001af0000 0x01af0000 0x01b6ffff Private Memory Readable, Writable True False False
private_0x0000000001bb0000 0x01bb0000 0x01c2ffff Private Memory Readable, Writable True False False
private_0x0000000001c30000 0x01c30000 0x01d2ffff Private Memory Readable, Writable True False False
private_0x0000000001d30000 0x01d30000 0x01e2ffff Private Memory Readable, Writable True False False
private_0x0000000001e50000 0x01e50000 0x01ecffff Private Memory Readable, Writable True False False
private_0x0000000001f10000 0x01f10000 0x01f1ffff Private Memory Readable, Writable True False False
private_0x0000000001f40000 0x01f40000 0x01fbffff Private Memory Readable, Writable True False False
private_0x0000000001fd0000 0x01fd0000 0x0204ffff Private Memory Readable, Writable True False False
private_0x00000000020a0000 0x020a0000 0x0211ffff Private Memory Readable, Writable True False False
private_0x0000000002160000 0x02160000 0x021dffff Private Memory Readable, Writable True False False
private_0x00000000021e0000 0x021e0000 0x0225ffff Private Memory Readable, Writable True False False
private_0x0000000002260000 0x02260000 0x022dffff Private Memory Readable, Writable True False False
private_0x0000000002270000 0x02270000 0x022effff Private Memory Readable, Writable True False False
private_0x0000000002350000 0x02350000 0x023cffff Private Memory Readable, Writable True False False
private_0x0000000002420000 0x02420000 0x0249ffff Private Memory Readable, Writable True False False
private_0x0000000002430000 0x02430000 0x024affff Private Memory Readable, Writable True False False
pagefile_0x00000000024c0000 0x024c0000 0x025bffff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000025c0000 0x025c0000 0x0263ffff Private Memory Readable, Writable True False False
private_0x0000000002660000 0x02660000 0x026dffff Private Memory Readable, Writable True False False
private_0x00000000026e0000 0x026e0000 0x0275ffff Private Memory Readable, Writable True False False
private_0x0000000002790000 0x02790000 0x0280ffff Private Memory Readable, Writable True False False
private_0x0000000002830000 0x02830000 0x028affff Private Memory Readable, Writable True False False
private_0x00000000028b0000 0x028b0000 0x029affff Private Memory Readable, Writable True False False
private_0x00000000029d0000 0x029d0000 0x02a4ffff Private Memory Readable, Writable True False False
private_0x0000000002aa0000 0x02aa0000 0x02aaffff Private Memory Readable, Writable True False False
private_0x0000000002ab0000 0x02ab0000 0x02baffff Private Memory Readable, Writable True False False
private_0x0000000002c20000 0x02c20000 0x02c2ffff Private Memory Readable, Writable True False False
private_0x0000000002c30000 0x02c30000 0x02caffff Private Memory Readable, Writable True False False
private_0x0000000002d10000 0x02d10000 0x02d8ffff Private Memory Readable, Writable True False False
private_0x0000000002d90000 0x02d90000 0x02e0ffff Private Memory Readable, Writable True False False
private_0x0000000002e10000 0x02e10000 0x02e8ffff Private Memory Readable, Writable True False False
private_0x0000000002e30000 0x02e30000 0x02eaffff Private Memory Readable, Writable True False False
private_0x0000000002ec0000 0x02ec0000 0x02fbffff Private Memory Readable, Writable True False False
private_0x0000000003000000 0x03000000 0x0307ffff Private Memory Readable, Writable True False False
private_0x0000000003080000 0x03080000 0x030fffff Private Memory Readable, Writable True False False
private_0x00000000030c0000 0x030c0000 0x0313ffff Private Memory Readable, Writable True False False
private_0x0000000003120000 0x03120000 0x0319ffff Private Memory Readable, Writable True False False
private_0x0000000003140000 0x03140000 0x031bffff Private Memory Readable, Writable True False False
private_0x00000000031c0000 0x031c0000 0x033bffff Private Memory Readable, Writable True False False
private_0x0000000003240000 0x03240000 0x032bffff Private Memory Readable, Writable True False False
private_0x0000000003430000 0x03430000 0x034affff Private Memory Readable, Writable True False False
private_0x00000000034e0000 0x034e0000 0x0355ffff Private Memory Readable, Writable True False False
private_0x00000000035a0000 0x035a0000 0x0361ffff Private Memory Readable, Writable True False False
private_0x0000000003620000 0x03620000 0x0369ffff Private Memory Readable, Writable True False False
private_0x00000000036a0000 0x036a0000 0x0389ffff Private Memory Readable, Writable True False False
private_0x0000000003900000 0x03900000 0x0397ffff Private Memory Readable, Writable True False False
private_0x0000000003910000 0x03910000 0x0398ffff Private Memory Readable, Writable True False False
private_0x0000000003980000 0x03980000 0x039fffff Private Memory Readable, Writable True False False
private_0x00000000039f0000 0x039f0000 0x03a6ffff Private Memory Readable, Writable True False False
private_0x0000000003a10000 0x03a10000 0x03a8ffff Private Memory Readable, Writable True False False
private_0x0000000003ab0000 0x03ab0000 0x03b2ffff Private Memory Readable, Writable True False False
private_0x0000000003af0000 0x03af0000 0x03b6ffff Private Memory Readable, Writable True False False
private_0x0000000003bb0000 0x03bb0000 0x03c2ffff Private Memory Readable, Writable True False False
private_0x0000000003c30000 0x03c30000 0x03caffff Private Memory Readable, Writable True False False
private_0x0000000003cb0000 0x03cb0000 0x03daffff Private Memory Readable, Writable True False False
private_0x0000000003e10000 0x03e10000 0x03e8ffff Private Memory Readable, Writable True False False
private_0x0000000003e90000 0x03e90000 0x03f0ffff Private Memory Readable, Writable True False False
private_0x0000000003e90000 0x03e90000 0x03f8ffff Private Memory Readable, Writable True False False
private_0x0000000003f40000 0x03f40000 0x03fbffff Private Memory Readable, Writable True False False
private_0x0000000004000000 0x04000000 0x0407ffff Private Memory Readable, Writable True False False
private_0x0000000004170000 0x04170000 0x041effff Private Memory Readable, Writable True False False
private_0x0000000004200000 0x04200000 0x0427ffff Private Memory Readable, Writable True False False
private_0x0000000004290000 0x04290000 0x0430ffff Private Memory Readable, Writable True False False
user32.dll 0x77140000 0x77239fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x77240000 0x7735efff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77360000 0x77508fff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x77520000 0x77526fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
svchost.exe 0xff7f0000 0xff7fafff Memory Mapped File Readable, Writable, Executable False False False
wups.dll 0x7fef4800000 0x7fef480cfff Memory Mapped File Readable, Writable, Executable False False False
mspatcha.dll 0x7fef4810000 0x7fef481efff Memory Mapped File Readable, Writable, Executable False False False
wuaueng.dll 0x7fef4820000 0x7fef4a7ffff Memory Mapped File Readable, Writable, Executable False False False
cabinet.dll 0x7fef4a80000 0x7fef4a9afff Memory Mapped File Readable, Writable, Executable False False False
qmgr.dll 0x7fef51e0000 0x7fef52b1fff Memory Mapped File Readable, Writable, Executable False False False
esent.dll 0x7fef52c0000 0x7fef5539fff Memory Mapped File Readable, Writable, Executable False False False
upnp.dll 0x7fef5740000 0x7fef5784fff Memory Mapped File Readable, Writable, Executable False False False
spfileq.dll 0x7fef5bf0000 0x7fef5c0afff Memory Mapped File Readable, Writable, Executable False False False
tcpipcfg.dll 0x7fef5cd0000 0x7fef5d11fff Memory Mapped File Readable, Writable, Executable False False False
rascfg.dll 0x7fef5d20000 0x7fef5d39fff Memory Mapped File Readable, Writable, Executable False False False
ncprov.dll 0x7fef6380000 0x7fef6395fff Memory Mapped File Readable, Writable, Executable False False False
appinfo.dll 0x7fef63a0000 0x7fef63b4fff Memory Mapped File Readable, Writable, Executable False False False
mprapi.dll 0x7fef7860000 0x7fef7899fff Memory Mapped File Readable, Writable, Executable False False False
winspool.drv 0x7fef7f30000 0x7fef7fa0fff Memory Mapped File Readable, Writable, Executable False False False
ndiscapcfg.dll 0x7fef80f0000 0x7fef80fefff Memory Mapped File Readable, Writable, Executable False False False
npmproxy.dll 0x7fef8170000 0x7fef817bfff Memory Mapped File Readable, Writable, Executable False False False
bitsigd.dll 0x7fef8370000 0x7fef8381fff Memory Mapped File Readable, Writable, Executable False False False
bitsperf.dll 0x7fef8390000 0x7fef8399fff Memory Mapped File Readable, Writable, Executable False False False
rasadhlp.dll 0x7fef84f0000 0x7fef84f7fff Memory Mapped File Readable, Writable, Executable False False False
wbemess.dll 0x7fef8500000 0x7fef857dfff Memory Mapped File Readable, Writable, Executable False False False
ncobjapi.dll 0x7fef8580000 0x7fef8595fff Memory Mapped File Readable, Writable, Executable False False False
wmiprvsd.dll 0x7fef85a0000 0x7fef865bfff Memory Mapped File Readable, Writable, Executable False False False
repdrvfs.dll 0x7fef8660000 0x7fef86d2fff Memory Mapped File Readable, Writable, Executable False False False
wmiutils.dll 0x7fef86e0000 0x7fef8705fff Memory Mapped File Readable, Writable, Executable False False False
netprofm.dll 0x7fef8710000 0x7fef8783fff Memory Mapped File Readable, Writable, Executable False False False
hnetcfg.dll 0x7fef8790000 0x7fef87fafff Memory Mapped File Readable, Writable, Executable False False False
wbemsvc.dll 0x7fef8800000 0x7fef8813fff Memory Mapped File Readable, Writable, Executable False False False
esscli.dll 0x7fef8820000 0x7fef888efff Memory Mapped File Readable, Writable, Executable False False False
wbemcore.dll 0x7fef8890000 0x7fef89befff Memory Mapped File Readable, Writable, Executable False False False
nci.dll 0x7fef89c0000 0x7fef89d9fff Memory Mapped File Readable, Writable, Executable False False False
netcfgx.dll 0x7fef89e0000 0x7fef8a63fff Memory Mapped File Readable, Writable, Executable False False False
resutils.dll 0x7fef8a70000 0x7fef8a88fff Memory Mapped File Readable, Writable, Executable False False False
clusapi.dll 0x7fef8a90000 0x7fef8adffff Memory Mapped File Readable, Writable, Executable False False False
sscore.dll 0x7fef8ae0000 0x7fef8ae7fff Memory Mapped File Readable, Writable, Executable False False False
wbemprox.dll 0x7fef8af0000 0x7fef8afefff Memory Mapped File Readable, Writable, Executable False False False
ntdsapi.dll 0x7fef8b00000 0x7fef8b26fff Memory Mapped File Readable, Writable, Executable False False False
fastprox.dll 0x7fef8b30000 0x7fef8c11fff Memory Mapped File Readable, Writable, Executable False False False
browser.dll 0x7fef8c60000 0x7fef8c84fff Memory Mapped File Readable, Writable, Executable False False False
srvsvc.dll 0x7fef8c90000 0x7fef8cccfff Memory Mapped File Readable, Writable, Executable False False False
wdscore.dll 0x7fef8cd0000 0x7fef8d16fff Memory Mapped File Readable, Writable, Executable False False False
sqmapi.dll 0x7fef8d20000 0x7fef8d61fff Memory Mapped File Readable, Writable, Executable False False False
rtutils.dll 0x7fef8d70000 0x7fef8d80fff Memory Mapped File Readable, Writable, Executable False False False
iphlpsvc.dll 0x7fef8d90000 0x7fef8e21fff Memory Mapped File Readable, Writable, Executable False False False
wbemcomn.dll 0x7fef8e30000 0x7fef8eb5fff Memory Mapped File Readable, Writable, Executable False False False
wmisvc.dll 0x7fef8ec0000 0x7fef8efffff Memory Mapped File Readable, Writable, Executable False False False
vsstrace.dll 0x7fef90e0000 0x7fef90f6fff Memory Mapped File Readable, Writable, Executable False False False
vssapi.dll 0x7fef9100000 0x7fef92affff Memory Mapped File Readable, Writable, Executable False False False
tschannel.dll 0x7fef95d0000 0x7fef95d8fff Memory Mapped File Readable, Writable, Executable False False False
taskcomp.dll 0x7fef9fa0000 0x7fefa016fff Memory Mapped File Readable, Writable, Executable False False False
actxprxy.dll 0x7fefa070000 0x7fefa15dfff Memory Mapped File Readable, Writable, Executable False False False
ktmw32.dll 0x7fefa160000 0x7fefa169fff Memory Mapped File Readable, Writable, Executable False False False
schedsvc.dll 0x7fefa170000 0x7fefa281fff Memory Mapped File Readable, Writable, Executable False False False
wiarpc.dll 0x7fefa290000 0x7fefa29efff Memory Mapped File Readable, Writable, Executable False False False
fvecerts.dll 0x7fefa2a0000 0x7fefa2a8fff Memory Mapped File Readable, Writable, Executable False False False
tbs.dll 0x7fefa2b0000 0x7fefa2b8fff Memory Mapped File Readable, Writable, Executable False False False
fveapi.dll 0x7fefa2c0000 0x7fefa315fff Memory Mapped File Readable, Writable, Executable False False False
shsvcs.dll 0x7fefa320000 0x7fefa37dfff Memory Mapped File Readable, Writable, Executable False False False
dhcpcsvc.dll 0x7fefa380000 0x7fefa397fff Memory Mapped File Readable, Writable, Executable False False False
dhcpcsvc6.dll 0x7fefa3a0000 0x7fefa3b0fff Memory Mapped File Readable, Writable, Executable False False False
fwpuclnt.dll 0x7fefa3d0000 0x7fefa422fff Memory Mapped File Readable, Writable, Executable False False False
sens.dll 0x7fefad70000 0x7fefad83fff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x7fefad90000 0x7fefad9afff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x7fefada0000 0x7fefadc6fff Memory Mapped File Readable, Writable, Executable False False False
es.dll 0x7fefadd0000 0x7fefae36fff Memory Mapped File Readable, Writable, Executable False False False
slc.dll 0x7fefae50000 0x7fefae5afff Memory Mapped File Readable, Writable, Executable False False False
dsrole.dll 0x7fefae60000 0x7fefae6bfff Memory Mapped File Readable, Writable, Executable False False False
themeservice.dll 0x7fefae70000 0x7fefae7ffff Memory Mapped File Readable, Writable, Executable False False False
atl.dll 0x7fefae80000 0x7fefae98fff Memory Mapped File Readable, Writable, Executable False False False
profsvc.dll 0x7fefaea0000 0x7fefaed6fff Memory Mapped File Readable, Writable, Executable False False False
nlaapi.dll 0x7fefaf20000 0x7fefaf34fff Memory Mapped File Readable, Writable, Executable False False False
gpsvc.dll 0x7fefaf40000 0x7fefb001fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x7fefb220000 0x7fefb24cfff Memory Mapped File Readable, Writable, Executable False False False
mmcss.dll 0x7fefb250000 0x7fefb26cfff Memory Mapped File Readable, Writable, Executable False False False
avrt.dll 0x7fefb270000 0x7fefb278fff Memory Mapped File Readable, Writable, Executable False False False
webio.dll 0x7fefb3c0000 0x7fefb423fff Memory Mapped File Readable, Writable, Executable False False False
winhttp.dll 0x7fefb430000 0x7fefb4a0fff Memory Mapped File Readable, Writable, Executable False False False
samcli.dll 0x7fefb4b0000 0x7fefb4c3fff Memory Mapped File Readable, Writable, Executable False False False
wkscli.dll 0x7fefb4d0000 0x7fefb4e4fff Memory Mapped File Readable, Writable, Executable False False False
netutils.dll 0x7fefb4f0000 0x7fefb4fbfff Memory Mapped File Readable, Writable, Executable False False False
netapi32.dll 0x7fefb500000 0x7fefb515fff Memory Mapped File Readable, Writable, Executable False False False
ssdpapi.dll 0x7fefb530000 0x7fefb540fff Memory Mapped File Readable, Writable, Executable False False False
wtsapi32.dll 0x7fefb630000 0x7fefb640fff Memory Mapped File Readable, Writable, Executable False False False
xmllite.dll 0x7fefb790000 0x7fefb7c4fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x7fefbc00000 0x7fefbc55fff Memory Mapped File Readable, Writable, Executable False False False
propsys.dll 0x7fefbc60000 0x7fefbd8bfff Memory Mapped File Readable, Writable, Executable False False False
samlib.dll 0x7fefbd90000 0x7fefbdacfff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x7fefbde0000 0x7fefbfd3fff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x7fefc470000 0x7fefc47bfff Memory Mapped File Readable, Writable, Executable False False False
firewallapi.dll 0x7fefc480000 0x7fefc53afff Memory Mapped File Readable, Writable, Executable False False False
wshtcpip.dll 0x7fefc540000 0x7fefc546fff Memory Mapped File Readable, Writable, Executable False False False
gpapi.dll 0x7fefc630000 0x7fefc64afff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x7fefc650000 0x7fefc66dfff Memory Mapped File Readable, Writable, Executable False False False
devrtl.dll 0x7fefc670000 0x7fefc681fff Memory Mapped File Readable, Writable, Executable False False False
spinf.dll 0x7fefc690000 0x7fefc6aefff Memory Mapped File Readable, Writable, Executable False False False
ubpm.dll 0x7fefc760000 0x7fefc798fff Memory Mapped File Readable, Writable, Executable False False False
credssp.dll 0x7fefc7a0000 0x7fefc7a9fff Memory Mapped File Readable, Writable, Executable False False False
pcwum.dll 0x7fefc7b0000 0x7fefc7bcfff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x7fefc8a0000 0x7fefc8e6fff Memory Mapped File Readable, Writable, Executable False False False
logoncli.dll 0x7fefc990000 0x7fefc9bffff Memory Mapped File Readable, Writable, Executable False False False
dnsapi.dll 0x7fefc9c0000 0x7fefca1afff Memory Mapped File Readable, Writable, Executable False False False
wship6.dll 0x7fefcb30000 0x7fefcb36fff Memory Mapped File Readable, Writable, Executable False False False
mswsock.dll 0x7fefcb40000 0x7fefcb94fff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x7fefcba0000 0x7fefcbb6fff Memory Mapped File Readable, Writable, Executable False False False
netjoin.dll 0x7fefccb0000 0x7fefcce1fff Memory Mapped File Readable, Writable, Executable False False False
wmsgapi.dll 0x7fefccf0000 0x7fefccf7fff Memory Mapped File Readable, Writable, Executable False False False
sysntfy.dll 0x7fefcd00000 0x7fefcd09fff Memory Mapped File Readable, Writable, Executable False False False
authz.dll 0x7fefcd90000 0x7fefcdbefff Memory Mapped File Readable, Writable, Executable False False False
wevtapi.dll 0x7fefcdd0000 0x7fefce3cfff Memory Mapped File Readable, Writable, Executable False False False
cryptdll.dll 0x7fefce40000 0x7fefce53fff Memory Mapped File Readable, Writable, Executable False False False
srvcli.dll 0x7fefd0a0000 0x7fefd0c2fff Memory Mapped File Readable, Writable, Executable False False False
secur32.dll 0x7fefd140000 0x7fefd14afff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x7fefd170000 0x7fefd194fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x7fefd1a0000 0x7fefd1aefff Memory Mapped File Readable, Writable, Executable False False False
sxs.dll 0x7fefd1b0000 0x7fefd240fff Memory Mapped File Readable, Writable, Executable False False False
winsta.dll 0x7fefd250000 0x7fefd28cfff Memory Mapped File Readable, Writable, Executable False False False
rpcrtremote.dll 0x7fefd290000 0x7fefd2a3fff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x7fefd2b0000 0x7fefd2befff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x7fefd350000 0x7fefd35efff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x7fefd360000 0x7fefd4c6fff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x7fefd4d0000 0x7fefd505fff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x7fefd510000 0x7fefd57afff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x7fefd620000 0x7fefd639fff Memory Mapped File Readable, Writable, Executable False False False
wintrust.dll 0x7fefd640000 0x7fefd679fff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x7fefd680000 0x7fefd687fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x7fefd8f0000 0x7fefd8fdfff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x7fefda30000 0x7fefdb06fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x7fefdb10000 0x7fefdbd8fff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x7fefdbe0000 0x7fefdc78fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x7fefde80000 0x7fefdf1efff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x7fefdf20000 0x7fefe122fff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x7fefe130000 0x7fefe181fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x7fefe190000 0x7fefe1dcfff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x7fefe200000 0x7fefe22dfff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x7fefe230000 0x7fefe296fff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x7fefe340000 0x7feff0c7fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x7feff0d0000 0x7feff140fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x7feff150000 0x7feff22afff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x7feff230000 0x7feff338fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x7feff340000 0x7feff46cfff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x7feff470000 0x7feff646fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x7feff650000 0x7feff66efff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x7feff680000 0x7feff680fff Memory Mapped File Readable, Writable, Executable False False False
private_0x000007fffff5a000 0x7fffff5a000 0x7fffff5bfff Private Memory Readable, Writable True False False
private_0x000007fffff5c000 0x7fffff5c000 0x7fffff5dfff Private Memory Readable, Writable True False False
private_0x000007fffff5e000 0x7fffff5e000 0x7fffff5ffff Private Memory Readable, Writable True False False
private_0x000007fffff60000 0x7fffff60000 0x7fffff61fff Private Memory Readable, Writable True False False
private_0x000007fffff62000 0x7fffff62000 0x7fffff63fff Private Memory Readable, Writable True False False
private_0x000007fffff64000 0x7fffff64000 0x7fffff65fff Private Memory Readable, Writable True False False
private_0x000007fffff66000 0x7fffff66000 0x7fffff67fff Private Memory Readable, Writable True False False
private_0x000007fffff68000 0x7fffff68000 0x7fffff69fff Private Memory Readable, Writable True False False
private_0x000007fffff6a000 0x7fffff6a000 0x7fffff6bfff Private Memory Readable, Writable True False False
private_0x000007fffff6c000 0x7fffff6c000 0x7fffff6dfff Private Memory Readable, Writable True False False
private_0x000007fffff6e000 0x7fffff6e000 0x7fffff6ffff Private Memory Readable, Writable True False False
private_0x000007fffff70000 0x7fffff70000 0x7fffff71fff Private Memory Readable, Writable True False False
private_0x000007fffff72000 0x7fffff72000 0x7fffff73fff Private Memory Readable, Writable True False False
private_0x000007fffff74000 0x7fffff74000 0x7fffff75fff Private Memory Readable, Writable True False False
private_0x000007fffff76000 0x7fffff76000 0x7fffff77fff Private Memory Readable, Writable True False False
private_0x000007fffff78000 0x7fffff78000 0x7fffff79fff Private Memory Readable, Writable True False False
private_0x000007fffff7a000 0x7fffff7a000 0x7fffff7bfff Private Memory Readable, Writable True False False
private_0x000007fffff7c000 0x7fffff7c000 0x7fffff7dfff Private Memory Readable, Writable True False False
private_0x000007fffff7e000 0x7fffff7e000 0x7fffff7ffff Private Memory Readable, Writable True False False
private_0x000007fffff80000 0x7fffff80000 0x7fffff81fff Private Memory Readable, Writable True False False
private_0x000007fffff82000 0x7fffff82000 0x7fffff83fff Private Memory Readable, Writable True False False
private_0x000007fffff84000 0x7fffff84000 0x7fffff85fff Private Memory Readable, Writable True False False
private_0x000007fffff86000 0x7fffff86000 0x7fffff87fff Private Memory Readable, Writable True False False
private_0x000007fffff88000 0x7fffff88000 0x7fffff89fff Private Memory Readable, Writable True False False
private_0x000007fffff8a000 0x7fffff8a000 0x7fffff8bfff Private Memory Readable, Writable True False False
private_0x000007fffff8c000 0x7fffff8c000 0x7fffff8dfff Private Memory Readable, Writable True False False
private_0x000007fffff8e000 0x7fffff8e000 0x7fffff8ffff Private Memory Readable, Writable True False False
private_0x000007fffff90000 0x7fffff90000 0x7fffff91fff Private Memory Readable, Writable True False False
private_0x000007fffff92000 0x7fffff92000 0x7fffff93fff Private Memory Readable, Writable True False False
private_0x000007fffff94000 0x7fffff94000 0x7fffff95fff Private Memory Readable, Writable True False False
private_0x000007fffff96000 0x7fffff96000 0x7fffff97fff Private Memory Readable, Writable True False False
private_0x000007fffff98000 0x7fffff98000 0x7fffff99fff Private Memory Readable, Writable True False False
private_0x000007fffff9a000 0x7fffff9a000 0x7fffff9bfff Private Memory Readable, Writable True False False
private_0x000007fffff9c000 0x7fffff9c000 0x7fffff9dfff Private Memory Readable, Writable True False False
private_0x000007fffff9e000 0x7fffff9e000 0x7fffff9ffff Private Memory Readable, Writable True False False
private_0x000007fffffa0000 0x7fffffa0000 0x7fffffa1fff Private Memory Readable, Writable True False False
private_0x000007fffffa2000 0x7fffffa2000 0x7fffffa3fff Private Memory Readable, Writable True False False
private_0x000007fffffa4000 0x7fffffa4000 0x7fffffa5fff Private Memory Readable, Writable True False False
private_0x000007fffffa6000 0x7fffffa6000 0x7fffffa7fff Private Memory Readable, Writable True False False
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff Private Memory Readable, Writable True False False
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff Private Memory Readable, Writable True False False
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory Readable, Writable True False False
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory Readable, Writable True False False
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd4fff Private Memory Readable, Writable True False False
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory Readable, Writable True False False
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory Readable, Writable True False False
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory Readable, Writable True False False
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdbfff Private Memory Readable, Writable True False False
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory Readable, Writable True False False
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True False False
Token Modifications
Action Attribute Value
Token attribute value added Enabled Privileges SeManageVolumePrivilege
Token attribute value removed Enabled Privileges SeManageVolumePrivilege
Process #5: netsh.exe
(Host: 27, Network: 0)
Information Value
ID #5
File Name c:\windows\syswow64\netsh.exe
Command Line C:\Windows\system32\netsh.exe advfirewall reset
Initial Working Directory C:\Users\hJrD1KOKY DS8lUjv\Desktop
Monitor Start Time: 00:01:08, Reason: Child Process
Unmonitor End Time: 00:01:11, Reason: Terminated
Monitor Duration 00:00:03
OS Process Information
Information Value
PID 0xa2c
Parent PID 0x9e0 (c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username 1R6PFH\hJrD1KOKY DS8lUjv
Groups
  • 1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000e04f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA30
0xA40
0xA44
0xA48
0xA4C
0xA50
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
netsh.exe.mui 0x00030000 0x00034fff Memory Mapped File Readable, Writable False False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory Readable, Writable True False False
pagefile_0x00000000000a0000 0x000a0000 0x000a0fff Pagefile Backed Memory Readable True False False
locale.nls 0x000b0000 0x00116fff Memory Mapped File Readable False False False
private_0x0000000000120000 0x00120000 0x00120fff Private Memory Readable, Writable True False False
private_0x0000000000130000 0x00130000 0x00130fff Private Memory Readable, Writable True False False
pagefile_0x0000000000140000 0x00140000 0x00141fff Pagefile Backed Memory Readable True False False
odbcint.dll.mui 0x00150000 0x0015afff Memory Mapped File Readable, Writable False False False
pagefile_0x0000000000160000 0x00160000 0x00161fff Pagefile Backed Memory Readable True False False
mfc42u.dll.mui 0x00170000 0x00177fff Memory Mapped File Readable, Writable False False False
setupapi.dll.mui 0x00180000 0x0018cfff Memory Mapped File Readable, Writable False False False
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory Readable True False False
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory Readable, Writable True False False
private_0x00000000002a0000 0x002a0000 0x002effff Private Memory Readable, Writable True False False
pagefile_0x00000000002a0000 0x002a0000 0x002a1fff Pagefile Backed Memory Readable True False False
private_0x00000000002b0000 0x002b0000 0x002effff Private Memory Readable, Writable True False False
private_0x00000000002f0000 0x002f0000 0x0033ffff Private Memory Readable, Writable True False False
crypt32.dll.mui 0x002f0000 0x002f8fff Memory Mapped File Readable, Writable False False False
private_0x0000000000300000 0x00300000 0x0033ffff Private Memory Readable, Writable True False False
private_0x0000000000340000 0x00340000 0x003bffff Private Memory Readable, Writable True False False
private_0x00000000003c0000 0x003c0000 0x0043ffff Private Memory Readable, Writable True False False
fwcfg.dll.mui 0x003c0000 0x003d0fff Memory Mapped File Readable, Writable False False False
pagefile_0x00000000003e0000 0x003e0000 0x003e0fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000003f0000 0x003f0000 0x003f0fff Pagefile Backed Memory Readable True False False
private_0x0000000000400000 0x00400000 0x0043ffff Private Memory Readable, Writable True False False
p2pnetsh.dll.mui 0x00440000 0x00449fff Memory Mapped File Readable, Writable False False False
private_0x0000000000460000 0x00460000 0x0055ffff Private Memory Readable, Writable True False False
private_0x0000000000560000 0x00560000 0x005dffff Private Memory Readable, Writable True False False
private_0x0000000000620000 0x00620000 0x0062ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000630000 0x00630000 0x007b7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000007c0000 0x007c0000 0x00940fff Pagefile Backed Memory Readable True False False
private_0x0000000000950000 0x00950000 0x00a4ffff Private Memory Readable, Writable True False False
private_0x0000000000a50000 0x00a50000 0x00bfffff Private Memory Readable, Writable True False False
private_0x0000000000a50000 0x00a50000 0x00a9ffff Private Memory Readable, Writable True False False
private_0x0000000000ae0000 0x00ae0000 0x00b1ffff Private Memory Readable, Writable True False False
private_0x0000000000b40000 0x00b40000 0x00b7ffff Private Memory Readable, Writable True False False
private_0x0000000000bc0000 0x00bc0000 0x00bfffff Private Memory Readable, Writable True False False
sortdefault.nls 0x00c00000 0x00ecefff Memory Mapped File Readable False False False
private_0x0000000000ed0000 0x00ed0000 0x0105ffff Private Memory Readable, Writable True False False
private_0x0000000000ed0000 0x00ed0000 0x00f0ffff Private Memory Readable, Writable True False False
private_0x0000000000f20000 0x00f20000 0x0101ffff Private Memory Readable, Writable True False False
private_0x0000000001050000 0x01050000 0x0105ffff Private Memory Readable, Writable True False False
private_0x0000000001090000 0x01090000 0x010affff Private Memory Readable, Writable True False False
pagefile_0x00000000010b0000 0x010b0000 0x0118efff Pagefile Backed Memory Readable True False False
private_0x0000000001190000 0x01190000 0x011cffff Private Memory Readable, Writable True False False
private_0x00000000011d0000 0x011d0000 0x0120ffff Private Memory Readable, Writable True False False
private_0x0000000001210000 0x01210000 0x0124ffff Private Memory Readable, Writable True False False
private_0x00000000012b0000 0x012b0000 0x012effff Private Memory Readable, Writable True False False
private_0x00000000012f0000 0x012f0000 0x0132ffff Private Memory Readable, Writable True False False
private_0x0000000001350000 0x01350000 0x0138ffff Private Memory Readable, Writable True False False
private_0x00000000014c0000 0x014c0000 0x014fffff Private Memory Readable, Writable True False False
private_0x0000000001530000 0x01530000 0x0162ffff Private Memory Readable, Writable True False False
private_0x0000000001640000 0x01640000 0x0167ffff Private Memory Readable, Writable True False False
netsh.exe 0x01740000 0x0175afff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000001760000 0x01760000 0x02b5ffff Pagefile Backed Memory Readable True False False
private_0x0000000002c20000 0x02c20000 0x02d1ffff Private Memory Readable, Writable True False False
private_0x0000000002e60000 0x02e60000 0x02f5ffff Private Memory Readable, Writable True False False
private_0x0000000002ff0000 0x02ff0000 0x030effff Private Memory Readable, Writable True False False
bcryptprimitives.dll 0x738e0000 0x7391cfff Memory Mapped File Readable, Writable, Executable False False False
gpapi.dll 0x73920000 0x73935fff Memory Mapped File Readable, Writable, Executable False False False
qagent.dll 0x73960000 0x7398dfff Memory Mapped File Readable, Writable, Executable False False False
peerdistsh.dll 0x73990000 0x73a34fff Memory Mapped File Readable, Writable, Executable False False False
wlanhlp.dll 0x73a40000 0x73a56fff Memory Mapped File Readable, Writable, Executable False False False
wlanapi.dll 0x73a60000 0x73a75fff Memory Mapped File Readable, Writable, Executable False False False
rpcrtremote.dll 0x73a80000 0x73a8dfff Memory Mapped File Readable, Writable, Executable False False False
wlanutil.dll 0x73a90000 0x73a95fff Memory Mapped File Readable, Writable, Executable False False False
netshell.dll 0x73aa0000 0x73d04fff Memory Mapped File Readable, Writable, Executable False False False
wlancfg.dll 0x73d20000 0x73d4dfff Memory Mapped File Readable, Writable, Executable False False False
p2pcollab.dll 0x73d50000 0x73db7fff Memory Mapped File Readable, Writable, Executable False False False
p2p.dll 0x73dc0000 0x73df7fff Memory Mapped File Readable, Writable, Executable False False False
p2pnetsh.dll 0x73e00000 0x73e24fff Memory Mapped File Readable, Writable, Executable False False False
polstore.dll 0x73e30000 0x73e75fff Memory Mapped File Readable, Writable, Executable False False False
adsldpc.dll 0x73e80000 0x73eb3fff Memory Mapped File Readable, Writable, Executable False False False
activeds.dll 0x73ec0000 0x73ef4fff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x73f00000 0x73f0afff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x73f10000 0x73f26fff Memory Mapped File Readable, Writable, Executable False False False
logoncli.dll 0x73f30000 0x73f51fff Memory Mapped File Readable, Writable, Executable False False False
nshipsec.dll 0x73f60000 0x73fb8fff Memory Mapped File Readable, Writable, Executable False False False
certcli.dll 0x73fc0000 0x74015fff Memory Mapped File Readable, Writable, Executable False False False
napmontr.dll 0x74020000 0x74048fff Memory Mapped File Readable, Writable, Executable False False False
eappprxy.dll 0x74050000 0x74060fff Memory Mapped File Readable, Writable, Executable False False False
onex.dll 0x74070000 0x740a3fff Memory Mapped File Readable, Writable, Executable False False False
eappcfg.dll 0x740b0000 0x740defff Memory Mapped File Readable, Writable, Executable False False False
atl.dll 0x740e0000 0x740f3fff Memory Mapped File Readable, Writable, Executable False False False
dot3api.dll 0x74100000 0x74119fff Memory Mapped File Readable, Writable, Executable False False False
dot3cfg.dll 0x74120000 0x74136fff Memory Mapped File Readable, Writable, Executable False False False
rpcnsh.dll 0x74140000 0x7414afff Memory Mapped File Readable, Writable, Executable False False False
nlaapi.dll 0x74150000 0x7415ffff Memory Mapped File Readable, Writable, Executable False False False
winhttp.dll 0x74160000 0x741b7fff Memory Mapped File Readable, Writable, Executable False False False
hnetmon.dll 0x741c0000 0x741c6fff Memory Mapped File Readable, Writable, Executable False False False
webio.dll 0x741d0000 0x7421efff Memory Mapped File Readable, Writable, Executable False False False
dnsapi.dll 0x74220000 0x74263fff Memory Mapped File Readable, Writable, Executable False False False
netiohlp.dll 0x74270000 0x7429bfff Memory Mapped File Readable, Writable, Executable False False False
nci.dll 0x742a0000 0x742b5fff Memory Mapped File Readable, Writable, Executable False False False
whhelper.dll 0x742c0000 0x742c6fff Memory Mapped File Readable, Writable, Executable False False False
devrtl.dll 0x742d0000 0x742ddfff Memory Mapped File Readable, Writable, Executable False False False
winipsec.dll 0x742e0000 0x742f3fff Memory Mapped File Readable, Writable, Executable False False False
bcrypt.dll 0x74300000 0x74316fff Memory Mapped File Readable, Writable, Executable False False False
authfwcfg.dll 0x74320000 0x74373fff Memory Mapped File Readable, Writable, Executable False False False
firewallapi.dll 0x74380000 0x743f5fff Memory Mapped File Readable, Writable, Executable False False False
fwcfg.dll 0x74400000 0x74410fff Memory Mapped File Readable, Writable, Executable False False False
httpapi.dll 0x74420000 0x7442afff Memory Mapped File Readable, Writable, Executable False False False
ifmon.dll 0x74430000 0x74438fff Memory Mapped File Readable, Writable, Executable False False False
mswsock.dll 0x74440000 0x7447bfff Memory Mapped File Readable, Writable, Executable False False False
ws2help.dll 0x74480000 0x74482fff Memory Mapped File Readable, Writable, Executable False False False
nshhttp.dll 0x74490000 0x74499fff Memory Mapped File Readable, Writable, Executable False False False
wevtapi.dll 0x744a0000 0x744e1fff Memory Mapped File Readable, Writable, Executable False False False
qutil.dll 0x744f0000 0x74506fff Memory Mapped File Readable, Writable, Executable False False False
dhcpqec.dll 0x74510000 0x74526fff Memory Mapped File Readable, Writable, Executable False False False
dhcpcsvc6.dll 0x74530000 0x7453cfff Memory Mapped File Readable, Writable, Executable False False False
wshelper.dll 0x74540000 0x74546fff Memory Mapped File Readable, Writable, Executable False False False
nshwfp.dll 0x74550000 0x745f3fff Memory Mapped File Readable, Writable, Executable False False False
odbcint.dll 0x74600000 0x74637fff Memory Mapped File Readable, Writable, Executable False False False
dhcpcsvc.dll 0x74640000 0x74651fff Memory Mapped File Readable, Writable, Executable False False False
dhcpcmonitor.dll 0x74660000 0x74665fff Memory Mapped File Readable, Writable, Executable False False False
slc.dll 0x74670000 0x74679fff Memory Mapped File Readable, Writable, Executable False False False
odbc32.dll 0x74680000 0x7470bfff Memory Mapped File Readable, Writable, Executable False False False
mfc42u.dll 0x74710000 0x7482efff Memory Mapped File Readable, Writable, Executable False False False
rasapi32.dll 0x74830000 0x74881fff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x74890000 0x748abfff Memory Mapped File Readable, Writable, Executable False False False
fwpuclnt.dll 0x748b0000 0x748e7fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x74910000 0x7498ffff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x749a0000 0x749fbfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x74a00000 0x74a3efff Memory Mapped File Readable, Writable, Executable False False False
mprapi.dll 0x74a40000 0x74a68fff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x74a70000 0x74a76fff Memory Mapped File Readable, Writable, Executable False False False
rasman.dll 0x74a80000 0x74a94fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x74aa0000 0x74c3dfff Memory Mapped File Readable, Writable, Executable False False False
credui.dll 0x74c40000 0x74c6afff Memory Mapped File Readable, Writable, Executable False False False
rasmontr.dll 0x74c70000 0x74c9dfff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x74ca0000 0x74cdafff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x74ce0000 0x74cf5fff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x74d00000 0x74d08fff Memory Mapped File Readable, Writable, Executable False False False
wkscli.dll 0x74d50000 0x74d5efff Memory Mapped File Readable, Writable, Executable False False False
srvcli.dll 0x74d60000 0x74d78fff Memory Mapped File Readable, Writable, Executable False False False
netutils.dll 0x74d80000 0x74d88fff Memory Mapped File Readable, Writable, Executable False False False
netapi32.dll 0x74d90000 0x74da0fff Memory Mapped File Readable, Writable, Executable False False False
mpr.dll 0x74db0000 0x74dc1fff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x75060000 0x75067fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75090000 0x7509bfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x750a0000 0x750fffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x75100000 0x75109fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x75110000 0x75128fff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x75130000 0x75141fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x75150000 0x751effff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x751f0000 0x751fbfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75200000 0x75e49fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75e50000 0x75fabfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x75fb0000 0x76006fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x76010000 0x76044fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76050000 0x760ecfff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x760f0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76180000 0x7624bfff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x76350000 0x76355fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76360000 0x763eefff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x763f0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x764e0000 0x7653ffff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76540000 0x765ebfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x765f0000 0x766effff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x76a60000 0x76b7cfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76bb0000 0x76cbffff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x76d50000 0x76eecfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x76fe0000 0x77025fff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x77030000 0x77056fff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x77060000 0x770a4fff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x770b0000 0x77132fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077140000 0x77140000 0x77239fff Private Memory Readable, Writable, Executable True False False
private_0x0000000077240000 0x77240000 0x7735efff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x77360000 0x77508fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77540000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Host Behavior
File (3)
Operation Filename Additional Information Success Count
OPEN STD_OUTPUT_HANDLE True 1
WRITE STD_OUTPUT_HANDLE size = 5 True 1
WRITE STD_OUTPUT_HANDLE size = 2 True 1
Module (23)
Operation Module Additional Information Success Count
LOAD RASMONTR.DLL base_address = 0x74c70000 True 1
LOAD NSHWFP.DLL base_address = 0x74550000 True 1
LOAD DHCPCMONITOR.DLL base_address = 0x74660000 True 1
LOAD kernel32.dll base_address = 0x76bb0000 True 1
GET_HANDLE c:\windows\syswow64\netsh.exe base_address = 0x1740000 True 2
GET_PROC_ADDRESS c:\windows\syswow64\rasmontr.dll function = InitHelperDll, address = 0x74c86cb9 True 1
GET_PROC_ADDRESS c:\windows\syswow64\nshwfp.dll function = InitHelperDll, address = 0x745abbb2 True 1
GET_PROC_ADDRESS c:\windows\syswow64\dhcpcmonitor.dll function = InitHelperDll, address = 0x74661cd4 True 1
GET_PROC_ADDRESS c:\windows\syswow64\wshelper.dll function = InitHelperDll, address = 0x7454157b True 1
GET_PROC_ADDRESS c:\windows\syswow64\fwcfg.dll function = InitHelperDll, address = 0x74402a30 True 1
GET_PROC_ADDRESS c:\windows\syswow64\authfwcfg.dll function = InitHelperDll, address = 0x74324420 True 1
GET_PROC_ADDRESS c:\windows\syswow64\ifmon.dll function = InitHelperDll, address = 0x744317a3 True 1
GET_PROC_ADDRESS c:\windows\syswow64\netiohlp.dll function = InitHelperDll, address = 0x74286e4b True 1
GET_PROC_ADDRESS c:\windows\syswow64\whhelper.dll function = InitHelperDll, address = 0x742c1c99 True 1
GET_PROC_ADDRESS c:\windows\syswow64\hnetmon.dll function = InitHelperDll, address = 0x741c200c True 1
GET_PROC_ADDRESS c:\windows\syswow64\dot3cfg.dll function = InitHelperDll, address = 0x7412a31d True 1
GET_PROC_ADDRESS c:\windows\syswow64\napmontr.dll function = InitHelperDll, address = 0x7402c7d5 True 1
GET_PROC_ADDRESS c:\windows\syswow64\nshipsec.dll function = InitHelperDll, address = 0x73f66910 True 1
GET_PROC_ADDRESS c:\windows\syswow64\p2pnetsh.dll function = InitHelperDll, address = 0x73e038e5 True 1
GET_PROC_ADDRESS c:\windows\syswow64\wlancfg.dll function = InitHelperDll, address = 0x73d2c7d8 True 1
GET_PROC_ADDRESS c:\windows\syswow64\peerdistsh.dll function = InitHelperDll, address = 0x73a0c796 True 1
GET_PROC_ADDRESS c:\windows\syswow64\kernel32.dll function = SetThreadUILanguage, address = 0x76bda84f True 1
Registry (1)
Operation Key Additional Information Success Count
OPEN_KEY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1
Process #6: netsh.exe
(Host: 27, Network: 0)
Information Value
ID #6
File Name c:\windows\syswow64\netsh.exe
Command Line C:\Windows\system32\netsh.exe advfirewall firewall add rule name="00EYALeZGh" dir=out action=block program="C:\Program Files (x86)\Windows Defender\boxed.exe"
Initial Working Directory C:\Users\hJrD1KOKY DS8lUjv\Desktop
Monitor Start Time: 00:01:11, Reason: Child Process
Unmonitor End Time: 00:01:13, Reason: Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xa70
Parent PID 0x9e0 (c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username 1R6PFH\hJrD1KOKY DS8lUjv
Groups
  • 1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000e04f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA74
0xA84
0xA88
0xA8C
0xA90
0xA94
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
netsh.exe.mui 0x00030000 0x00034fff Memory Mapped File Readable, Writable False False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory Readable, Writable True False False
pagefile_0x00000000000a0000 0x000a0000 0x000a0fff Pagefile Backed Memory Readable True False False
private_0x00000000000b0000 0x000b0000 0x000b0fff Private Memory Readable, Writable True False False
private_0x00000000000c0000 0x000c0000 0x0013ffff Private Memory Readable, Writable True False False
locale.nls 0x00140000 0x001a6fff Memory Mapped File Readable False False False
private_0x00000000001b0000 0x001b0000 0x001b0fff Private Memory Readable, Writable True False False
pagefile_0x00000000001c0000 0x001c0000 0x001c1fff Pagefile Backed Memory Readable True False False
odbcint.dll.mui 0x001d0000 0x001dafff Memory Mapped File Readable, Writable False False False
pagefile_0x00000000001e0000 0x001e0000 0x001e1fff Pagefile Backed Memory Readable True False False
mfc42u.dll.mui 0x001f0000 0x001f7fff Memory Mapped File Readable, Writable False False False
setupapi.dll.mui 0x00200000 0x0020cfff Memory Mapped File Readable, Writable False False False
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000310000 0x00310000 0x00310fff Pagefile Backed Memory Readable True False False
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory Readable, Writable True False False
private_0x0000000000420000 0x00420000 0x0049ffff Private Memory Readable, Writable True False False
private_0x00000000004a0000 0x004a0000 0x0056ffff Private Memory Readable, Writable True False False
private_0x00000000004a0000 0x004a0000 0x004cffff Private Memory Readable, Writable True False False
pagefile_0x00000000004a0000 0x004a0000 0x004a1fff Pagefile Backed Memory Readable True False False
crypt32.dll.mui 0x004b0000 0x004b8fff Memory Mapped File Readable, Writable False False False
private_0x00000000004c0000 0x004c0000 0x004cffff Private Memory Readable, Writable True False False
fwcfg.dll.mui 0x004d0000 0x004e0fff Memory Mapped File Readable, Writable False False False
private_0x00000000004f0000 0x004f0000 0x0052ffff Private Memory Readable, Writable True False False
private_0x0000000000530000 0x00530000 0x0056ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000570000 0x00570000 0x00570fff Pagefile Backed Memory Readable True False False
private_0x0000000000580000 0x00580000 0x0058ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000590000 0x00590000 0x00717fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000720000 0x00720000 0x008a0fff Pagefile Backed Memory Readable True False False
private_0x00000000008b0000 0x008b0000 0x00abffff Private Memory Readable, Writable True False False
private_0x00000000008b0000 0x008b0000 0x00a3ffff Private Memory Readable, Writable True False False
private_0x00000000008b0000 0x008b0000 0x009affff Private Memory Readable, Writable True False False
pagefile_0x00000000009b0000 0x009b0000 0x009b0fff Pagefile Backed Memory Readable True False False
p2pnetsh.dll.mui 0x009c0000 0x009c9fff Memory Mapped File Readable, Writable False False False
private_0x0000000000a00000 0x00a00000 0x00a3ffff Private Memory Readable, Writable True False False
private_0x0000000000a80000 0x00a80000 0x00abffff Private Memory Readable, Writable True False False
private_0x0000000000ac0000 0x00ac0000 0x00c0ffff Private Memory Readable, Writable True False False
private_0x0000000000ae0000 0x00ae0000 0x00b1ffff Private Memory Readable, Writable True False False
private_0x0000000000ba0000 0x00ba0000 0x00bbffff Private Memory Readable, Writable True False False
private_0x0000000000bd0000 0x00bd0000 0x00c0ffff Private Memory Readable, Writable True False False
sortdefault.nls 0x00c10000 0x00edefff Memory Mapped File Readable False False False
private_0x0000000000f10000 0x00f10000 0x00f4ffff Private Memory Readable, Writable True False False
private_0x0000000000f70000 0x00f70000 0x00faffff Private Memory Readable, Writable True False False
private_0x0000000000fb0000 0x00fb0000 0x00feffff Private Memory Readable, Writable True False False
private_0x0000000001030000 0x01030000 0x0106ffff Private Memory Readable, Writable True False False
private_0x0000000001070000 0x01070000 0x011effff Private Memory Readable, Writable True False False
pagefile_0x0000000001070000 0x01070000 0x0114efff Pagefile Backed Memory Readable True False False
private_0x00000000011e0000 0x011e0000 0x011effff Private Memory Readable, Writable True False False
private_0x0000000001280000 0x01280000 0x012bffff Private Memory Readable, Writable True False False
private_0x00000000012d0000 0x012d0000 0x013cffff Private Memory Readable, Writable True False False
private_0x00000000013d0000 0x013d0000 0x0140ffff Private Memory Readable, Writable True False False
private_0x0000000001410000 0x01410000 0x0144ffff Private Memory Readable, Writable True False False
private_0x0000000001460000 0x01460000 0x0149ffff Private Memory Readable, Writable True False False
private_0x0000000001510000 0x01510000 0x0154ffff Private Memory Readable, Writable True False False
private_0x0000000001550000 0x01550000 0x0164ffff Private Memory Readable, Writable True False False
netsh.exe 0x01650000 0x0166afff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000001670000 0x01670000 0x02a6ffff Pagefile Backed Memory Readable True False False
private_0x0000000002a70000 0x02a70000 0x02b6ffff Private Memory Readable, Writable True False False
private_0x0000000002bd0000 0x02bd0000 0x02ccffff Private Memory Readable, Writable True False False
private_0x0000000002e00000 0x02e00000 0x02efffff Private Memory Readable, Writable True False False
bcryptprimitives.dll 0x737c0000 0x737fcfff Memory Mapped File Readable, Writable, Executable False False False
gpapi.dll 0x73800000 0x73815fff Memory Mapped File Readable, Writable, Executable False False False
qagent.dll 0x73820000 0x7384dfff Memory Mapped File Readable, Writable, Executable False False False
peerdistsh.dll 0x73850000 0x738f4fff Memory Mapped File Readable, Writable, Executable False False False
wlanhlp.dll 0x73900000 0x73916fff Memory Mapped File Readable, Writable, Executable False False False
wlanutil.dll 0x73920000 0x73925fff Memory Mapped File Readable, Writable, Executable False False False
wlanapi.dll 0x73930000 0x73945fff Memory Mapped File Readable, Writable, Executable False False False
wlancfg.dll 0x73950000 0x7397dfff Memory Mapped File Readable, Writable, Executable False False False
p2pcollab.dll 0x73980000 0x739e7fff Memory Mapped File Readable, Writable, Executable False False False
p2p.dll 0x739f0000 0x73a27fff Memory Mapped File Readable, Writable, Executable False False False
p2pnetsh.dll 0x73a30000 0x73a54fff Memory Mapped File Readable, Writable, Executable False False False
polstore.dll 0x73a60000 0x73aa5fff Memory Mapped File Readable, Writable, Executable False False False
adsldpc.dll 0x73ab0000 0x73ae3fff Memory Mapped File Readable, Writable, Executable False False False
activeds.dll 0x73af0000 0x73b24fff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x73b30000 0x73b3afff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x73b40000 0x73b56fff Memory Mapped File Readable, Writable, Executable False False False
logoncli.dll 0x73b60000 0x73b81fff Memory Mapped File Readable, Writable, Executable False False False
nshipsec.dll 0x73b90000 0x73be8fff Memory Mapped File Readable, Writable, Executable False False False
certcli.dll 0x73bf0000 0x73c45fff Memory Mapped File Readable, Writable, Executable False False False
napmontr.dll 0x73c50000 0x73c78fff Memory Mapped File Readable, Writable, Executable False False False
eappprxy.dll 0x73c80000 0x73c90fff Memory Mapped File Readable, Writable, Executable False False False
onex.dll 0x73ca0000 0x73cd3fff Memory Mapped File Readable, Writable, Executable False False False
eappcfg.dll 0x73ce0000 0x73d0efff Memory Mapped File Readable, Writable, Executable False False False
atl.dll 0x73d20000 0x73d33fff Memory Mapped File Readable, Writable, Executable False False False
dot3api.dll 0x73d40000 0x73d59fff Memory Mapped File Readable, Writable, Executable False False False
dot3cfg.dll 0x73d60000 0x73d76fff Memory Mapped File Readable, Writable, Executable False False False
rpcnsh.dll 0x73d80000 0x73d8afff Memory Mapped File Readable, Writable, Executable False False False
nlaapi.dll 0x73d90000 0x73d9ffff Memory Mapped File Readable, Writable, Executable False False False
netshell.dll 0x73da0000 0x74004fff Memory Mapped File Readable, Writable, Executable False False False
hnetmon.dll 0x74010000 0x74016fff Memory Mapped File Readable, Writable, Executable False False False
webio.dll 0x74020000 0x7406efff Memory Mapped File Readable, Writable, Executable False False False
winhttp.dll 0x74070000 0x740c7fff Memory Mapped File Readable, Writable, Executable False False False
whhelper.dll 0x740d0000 0x740d6fff Memory Mapped File Readable, Writable, Executable False False False
dnsapi.dll 0x740e0000 0x74123fff Memory Mapped File Readable, Writable, Executable False False False
netiohlp.dll 0x74130000 0x7415bfff Memory Mapped File Readable, Writable, Executable False False False
devrtl.dll 0x74160000 0x7416dfff Memory Mapped File Readable, Writable, Executable False False False
nci.dll 0x74170000 0x74185fff Memory Mapped File Readable, Writable, Executable False False False
ifmon.dll 0x74190000 0x74198fff Memory Mapped File Readable, Writable, Executable False False False
winipsec.dll 0x741a0000 0x741b3fff Memory Mapped File Readable, Writable, Executable False False False
bcrypt.dll 0x741c0000 0x741d6fff Memory Mapped File Readable, Writable, Executable False False False
authfwcfg.dll 0x741e0000 0x74233fff Memory Mapped File Readable, Writable, Executable False False False
firewallapi.dll 0x74240000 0x742b5fff Memory Mapped File Readable, Writable, Executable False False False
fwcfg.dll 0x742c0000 0x742d0fff Memory Mapped File Readable, Writable, Executable False False False
httpapi.dll 0x742e0000 0x742eafff Memory Mapped File Readable, Writable, Executable False False False
nshhttp.dll 0x742f0000 0x742f9fff Memory Mapped File Readable, Writable, Executable False False False
mswsock.dll 0x74300000 0x7433bfff Memory Mapped File Readable, Writable, Executable False False False
ws2help.dll 0x74340000 0x74342fff Memory Mapped File Readable, Writable, Executable False False False
wshelper.dll 0x74350000 0x74356fff Memory Mapped File Readable, Writable, Executable False False False
wevtapi.dll 0x74360000 0x743a1fff Memory Mapped File Readable, Writable, Executable False False False
qutil.dll 0x743b0000 0x743c6fff Memory Mapped File Readable, Writable, Executable False False False
dhcpqec.dll 0x743d0000 0x743e6fff Memory Mapped File Readable, Writable, Executable False False False
dhcpcsvc6.dll 0x743f0000 0x743fcfff Memory Mapped File Readable, Writable, Executable False False False
dhcpcsvc.dll 0x74400000 0x74411fff Memory Mapped File Readable, Writable, Executable False False False
dhcpcmonitor.dll 0x74420000 0x74425fff Memory Mapped File Readable, Writable, Executable False False False
slc.dll 0x74430000 0x74439fff Memory Mapped File Readable, Writable, Executable False False False
nshwfp.dll 0x74440000 0x744e3fff Memory Mapped File Readable, Writable, Executable False False False
odbcint.dll 0x744f0000 0x74527fff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x74530000 0x74536fff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x74540000 0x7455bfff Memory Mapped File Readable, Writable, Executable False False False
odbc32.dll 0x74560000 0x745ebfff Memory Mapped File Readable, Writable, Executable False False False
mfc42u.dll 0x745f0000 0x7470efff Memory Mapped File Readable, Writable, Executable False False False
fwpuclnt.dll 0x74710000 0x74747fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x74750000 0x748edfff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x74910000 0x7498ffff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x749a0000 0x749fbfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x74a00000 0x74a3efff Memory Mapped File Readable, Writable, Executable False False False
rasman.dll 0x74a40000 0x74a54fff Memory Mapped File Readable, Writable, Executable False False False
rasapi32.dll 0x74a60000 0x74ab1fff Memory Mapped File Readable, Writable, Executable False False False
mprapi.dll 0x74ac0000 0x74ae8fff Memory Mapped File Readable, Writable, Executable False False False
rasmontr.dll 0x74af0000 0x74b1dfff Memory Mapped File Readable, Writable, Executable False False False
rpcrtremote.dll 0x74c20000 0x74c2dfff Memory Mapped File Readable, Writable, Executable False False False
credui.dll 0x74c30000 0x74c5afff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x74ca0000 0x74cdafff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x74ce0000 0x74cf5fff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x74d00000 0x74d08fff Memory Mapped File Readable, Writable, Executable False False False
wkscli.dll 0x74d50000 0x74d5efff Memory Mapped File Readable, Writable, Executable False False False
srvcli.dll 0x74d60000 0x74d78fff Memory Mapped File Readable, Writable, Executable False False False
netutils.dll 0x74d80000 0x74d88fff Memory Mapped File Readable, Writable, Executable False False False
netapi32.dll 0x74d90000 0x74da0fff Memory Mapped File Readable, Writable, Executable False False False
mpr.dll 0x74db0000 0x74dc1fff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x75060000 0x75067fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75090000 0x7509bfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x750a0000 0x750fffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x75100000 0x75109fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x75110000 0x75128fff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x75130000 0x75141fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x75150000 0x751effff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x751f0000 0x751fbfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75200000 0x75e49fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75e50000 0x75fabfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x75fb0000 0x76006fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x76010000 0x76044fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76050000 0x760ecfff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x760f0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76180000 0x7624bfff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x76350000 0x76355fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76360000 0x763eefff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x763f0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x764e0000 0x7653ffff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76540000 0x765ebfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x765f0000 0x766effff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x76a60000 0x76b7cfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76bb0000 0x76cbffff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x76d50000 0x76eecfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x76fe0000 0x77025fff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x77030000 0x77056fff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x77060000 0x770a4fff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x770b0000 0x77132fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077140000 0x77140000 0x77239fff Private Memory Readable, Writable, Executable True False False
private_0x0000000077240000 0x77240000 0x7735efff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x77360000 0x77508fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77540000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Host Behavior
File (3)
Operation Filename Additional Information Success Count
OPEN STD_OUTPUT_HANDLE True 1
WRITE STD_OUTPUT_HANDLE size = 5 True 1
WRITE STD_OUTPUT_HANDLE size = 2 True 1
Module (23)
Operation Module Additional Information Success Count
LOAD RASMONTR.DLL base_address = 0x74af0000 True 1
LOAD NSHWFP.DLL base_address = 0x74440000 True 1
LOAD DHCPCMONITOR.DLL base_address = 0x74420000 True 1
LOAD kernel32.dll base_address = 0x76bb0000 True 1
GET_HANDLE c:\windows\syswow64\netsh.exe base_address = 0x1650000 True 2
GET_PROC_ADDRESS c:\windows\syswow64\rasmontr.dll function = InitHelperDll, address = 0x74b06cb9 True 1
GET_PROC_ADDRESS c:\windows\syswow64\nshwfp.dll function = InitHelperDll, address = 0x7449bbb2 True 1
GET_PROC_ADDRESS c:\windows\syswow64\dhcpcmonitor.dll function = InitHelperDll, address = 0x74421cd4 True 1
GET_PROC_ADDRESS c:\windows\syswow64\wshelper.dll function = InitHelperDll, address = 0x7435157b True 1
GET_PROC_ADDRESS c:\windows\syswow64\fwcfg.dll function = InitHelperDll, address = 0x742c2a30 True 1
GET_PROC_ADDRESS c:\windows\syswow64\authfwcfg.dll function = InitHelperDll, address = 0x741e4420 True 1
GET_PROC_ADDRESS c:\windows\syswow64\ifmon.dll function = InitHelperDll, address = 0x741917a3 True 1
GET_PROC_ADDRESS c:\windows\syswow64\netiohlp.dll function = InitHelperDll, address = 0x74146e4b True 1
GET_PROC_ADDRESS c:\windows\syswow64\whhelper.dll function = InitHelperDll, address = 0x740d1c99 True 1
GET_PROC_ADDRESS c:\windows\syswow64\hnetmon.dll function = InitHelperDll, address = 0x7401200c True 1
GET_PROC_ADDRESS c:\windows\syswow64\dot3cfg.dll function = InitHelperDll, address = 0x73d6a31d True 1
GET_PROC_ADDRESS c:\windows\syswow64\napmontr.dll function = InitHelperDll, address = 0x73c5c7d5 True 1
GET_PROC_ADDRESS c:\windows\syswow64\nshipsec.dll function = InitHelperDll, address = 0x73b96910 True 1
GET_PROC_ADDRESS c:\windows\syswow64\p2pnetsh.dll function = InitHelperDll, address = 0x73a338e5 True 1
GET_PROC_ADDRESS c:\windows\syswow64\wlancfg.dll function = InitHelperDll, address = 0x7395c7d8 True 1
GET_PROC_ADDRESS c:\windows\syswow64\peerdistsh.dll function = InitHelperDll, address = 0x738cc796 True 1
GET_PROC_ADDRESS c:\windows\syswow64\kernel32.dll function = SetThreadUILanguage, address = 0x76bda84f True 1
Registry (1)
Operation Key Additional Information Success Count
OPEN_KEY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1
Process #7: netsh.exe
(Host: 27, Network: 0)
Information Value
ID #7
File Name c:\windows\syswow64\netsh.exe
Command Line C:\Windows\system32\netsh.exe advfirewall firewall add rule name="BmhPp0CJ13" dir=out action=block program="C:\Program Files (x86)\Windows Defender\eyes-mali-mistress-winter.exe"
Initial Working Directory C:\Users\hJrD1KOKY DS8lUjv\Desktop
Monitor Start Time: 00:01:12, Reason: Child Process
Unmonitor End Time: 00:01:15, Reason: Terminated
Monitor Duration 00:00:03
OS Process Information
Information Value
PID 0xa9c
Parent PID 0x9e0 (c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username 1R6PFH\hJrD1KOKY DS8lUjv
Groups
  • 1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000e04f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xAA0
0xAB0
0xAB4
0xAB8
0xABC
0xAC0
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
netsh.exe.mui 0x00030000 0x00034fff Memory Mapped File Readable, Writable False False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000160000 0x00160000 0x00160fff Pagefile Backed Memory Readable True False False
locale.nls 0x00170000 0x001d6fff Memory Mapped File Readable False False False
private_0x00000000001e0000 0x001e0000 0x001e0fff Private Memory Readable, Writable True False False
private_0x00000000001f0000 0x001f0000 0x0022ffff Private Memory Readable, Writable True False False
private_0x0000000000230000 0x00230000 0x00230fff Private Memory Readable, Writable True False False
pagefile_0x0000000000240000 0x00240000 0x00241fff Pagefile Backed Memory Readable True False False
odbcint.dll.mui 0x00250000 0x0025afff Memory Mapped File Readable, Writable False False False
pagefile_0x0000000000260000 0x00260000 0x00261fff Pagefile Backed Memory Readable True False False
mfc42u.dll.mui 0x00270000 0x00277fff Memory Mapped File Readable, Writable False False False
setupapi.dll.mui 0x00280000 0x0028cfff Memory Mapped File Readable, Writable False False False
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory Readable True False False
private_0x00000000002a0000 0x002a0000 0x0031ffff Private Memory Readable, Writable True False False
private_0x0000000000320000 0x00320000 0x0035ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000320000 0x00320000 0x00321fff Pagefile Backed Memory Readable True False False
fwcfg.dll.mui 0x00330000 0x00340fff Memory Mapped File Readable, Writable False False False
private_0x0000000000350000 0x00350000 0x0035ffff Private Memory Readable, Writable True False False
crypt32.dll.mui 0x00360000 0x00368fff Memory Mapped File Readable, Writable False False False
pagefile_0x0000000000370000 0x00370000 0x00370fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000380000 0x00380000 0x00380fff Pagefile Backed Memory Readable True False False
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000490000 0x00490000 0x00617fff Pagefile Backed Memory Readable True False False
p2pnetsh.dll.mui 0x00620000 0x00629fff Memory Mapped File Readable, Writable False False False
private_0x0000000000640000 0x00640000 0x0064ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000650000 0x00650000 0x007d0fff Pagefile Backed Memory Readable True False False
private_0x00000000007e0000 0x007e0000 0x008dffff Private Memory Readable, Writable True False False
private_0x00000000007e0000 0x007e0000 0x0085ffff Private Memory Readable, Writable True False False
private_0x0000000000860000 0x00860000 0x0089ffff Private Memory Readable, Writable True False False
private_0x00000000008a0000 0x008a0000 0x008dffff Private Memory Readable, Writable True False False
private_0x00000000008e0000 0x008e0000 0x00afffff Private Memory Readable, Writable True False False
private_0x00000000008e0000 0x008e0000 0x009dffff Private Memory Readable, Writable True False False
private_0x00000000009e0000 0x009e0000 0x00a3ffff Private Memory Readable, Writable True False False
private_0x0000000000a90000 0x00a90000 0x00aaffff Private Memory Readable, Writable True False False
private_0x0000000000ac0000 0x00ac0000 0x00afffff Private Memory Readable, Writable True False False
private_0x0000000000b00000 0x00b00000 0x00cdffff Private Memory Readable, Writable True False False
private_0x0000000000b70000 0x00b70000 0x00baffff Private Memory Readable, Writable True False False
private_0x0000000000bb0000 0x00bb0000 0x00beffff Private Memory Readable, Writable True False False
private_0x0000000000c10000 0x00c10000 0x00c4ffff Private Memory Readable, Writable True False False
private_0x0000000000ca0000 0x00ca0000 0x00cdffff Private Memory Readable, Writable True False False
private_0x0000000000ce0000 0x00ce0000 0x00e9ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000ce0000 0x00ce0000 0x00dbefff Pagefile Backed Memory Readable True False False
private_0x0000000000df0000 0x00df0000 0x00e2ffff Private Memory Readable, Writable True False False
private_0x0000000000e60000 0x00e60000 0x00e9ffff Private Memory Readable, Writable True False False
sortdefault.nls 0x00ea0000 0x0116efff Memory Mapped File Readable False False False
private_0x0000000001190000 0x01190000 0x011cffff Private Memory Readable, Writable True False False
private_0x0000000001220000 0x01220000 0x0125ffff Private Memory Readable, Writable True False False
private_0x0000000001270000 0x01270000 0x012affff Private Memory Readable, Writable True False False
private_0x00000000012c0000 0x012c0000 0x012fffff Private Memory Readable, Writable True False False
private_0x00000000013e0000 0x013e0000 0x014dffff Private Memory Readable, Writable True False False
netsh.exe 0x015f0000 0x0160afff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000001610000 0x01610000 0x02a0ffff Pagefile Backed Memory Readable True False False
private_0x0000000002a70000 0x02a70000 0x02b6ffff Private Memory Readable, Writable True False False
private_0x0000000002bf0000 0x02bf0000 0x02c2ffff Private Memory Readable, Writable True False False
private_0x0000000002c50000 0x02c50000 0x02d4ffff Private Memory Readable, Writable True False False
private_0x0000000002e10000 0x02e10000 0x02e4ffff Private Memory Readable, Writable True False False
private_0x0000000002fd0000 0x02fd0000 0x030cffff Private Memory Readable, Writable True False False
private_0x0000000003190000 0x03190000 0x0328ffff Private Memory Readable, Writable True False False
bcryptprimitives.dll 0x73780000 0x737bcfff Memory Mapped File Readable, Writable, Executable False False False
qagent.dll 0x73800000 0x7382dfff Memory Mapped File Readable, Writable, Executable False False False
peerdistsh.dll 0x73830000 0x738d4fff Memory Mapped File Readable, Writable, Executable False False False
wlanhlp.dll 0x738e0000 0x738f6fff Memory Mapped File Readable, Writable, Executable False False False
gpapi.dll 0x73900000 0x73915fff Memory Mapped File Readable, Writable, Executable False False False
wlanapi.dll 0x73920000 0x73935fff Memory Mapped File Readable, Writable, Executable False False False
wlancfg.dll 0x73940000 0x7396dfff Memory Mapped File Readable, Writable, Executable False False False
p2pcollab.dll 0x73970000 0x739d7fff Memory Mapped File Readable, Writable, Executable False False False
p2p.dll 0x739e0000 0x73a17fff Memory Mapped File Readable, Writable, Executable False False False
p2pnetsh.dll 0x73a20000 0x73a44fff Memory Mapped File Readable, Writable, Executable False False False
polstore.dll 0x73a50000 0x73a95fff Memory Mapped File Readable, Writable, Executable False False False
netshell.dll 0x73aa0000 0x73d04fff Memory Mapped File Readable, Writable, Executable False False False
wlanutil.dll 0x73d20000 0x73d25fff Memory Mapped File Readable, Writable, Executable False False False
adsldpc.dll 0x73d30000 0x73d63fff Memory Mapped File Readable, Writable, Executable False False False
activeds.dll 0x73d70000 0x73da4fff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x73db0000 0x73dbafff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x73dc0000 0x73dd6fff Memory Mapped File Readable, Writable, Executable False False False
logoncli.dll 0x73de0000 0x73e01fff Memory Mapped File Readable, Writable, Executable False False False
nshipsec.dll 0x73e10000 0x73e68fff Memory Mapped File Readable, Writable, Executable False False False
certcli.dll 0x73e70000 0x73ec5fff Memory Mapped File Readable, Writable, Executable False False False
napmontr.dll 0x73ed0000 0x73ef8fff Memory Mapped File Readable, Writable, Executable False False False
eappprxy.dll 0x73f00000 0x73f10fff Memory Mapped File Readable, Writable, Executable False False False
onex.dll 0x73f20000 0x73f53fff Memory Mapped File Readable, Writable, Executable False False False
eappcfg.dll 0x73f60000 0x73f8efff Memory Mapped File Readable, Writable, Executable False False False
atl.dll 0x73f90000 0x73fa3fff Memory Mapped File Readable, Writable, Executable False False False
dot3api.dll 0x73fb0000 0x73fc9fff Memory Mapped File Readable, Writable, Executable False False False
dot3cfg.dll 0x73fd0000 0x73fe6fff Memory Mapped File Readable, Writable, Executable False False False
rpcnsh.dll 0x73ff0000 0x73ffafff Memory Mapped File Readable, Writable, Executable False False False
nlaapi.dll 0x74000000 0x7400ffff Memory Mapped File Readable, Writable, Executable False False False
winhttp.dll 0x74010000 0x74067fff Memory Mapped File Readable, Writable, Executable False False False
hnetmon.dll 0x74070000 0x74076fff Memory Mapped File Readable, Writable, Executable False False False
webio.dll 0x74080000 0x740cefff Memory Mapped File Readable, Writable, Executable False False False
dnsapi.dll 0x740d0000 0x74113fff Memory Mapped File Readable, Writable, Executable False False False
netiohlp.dll 0x74120000 0x7414bfff Memory Mapped File Readable, Writable, Executable False False False
nci.dll 0x74150000 0x74165fff Memory Mapped File Readable, Writable, Executable False False False
whhelper.dll 0x74170000 0x74176fff Memory Mapped File Readable, Writable, Executable False False False
devrtl.dll 0x74180000 0x7418dfff Memory Mapped File Readable, Writable, Executable False False False
winipsec.dll 0x74190000 0x741a3fff Memory Mapped File Readable, Writable, Executable False False False
bcrypt.dll 0x741b0000 0x741c6fff Memory Mapped File Readable, Writable, Executable False False False
authfwcfg.dll 0x741d0000 0x74223fff Memory Mapped File Readable, Writable, Executable False False False
firewallapi.dll 0x74230000 0x742a5fff Memory Mapped File Readable, Writable, Executable False False False
fwcfg.dll 0x742b0000 0x742c0fff Memory Mapped File Readable, Writable, Executable False False False
mswsock.dll 0x742d0000 0x7430bfff Memory Mapped File Readable, Writable, Executable False False False
wevtapi.dll 0x74310000 0x74351fff Memory Mapped File Readable, Writable, Executable False False False
ifmon.dll 0x74360000 0x74368fff Memory Mapped File Readable, Writable, Executable False False False
httpapi.dll 0x74370000 0x7437afff Memory Mapped File Readable, Writable, Executable False False False
nshhttp.dll 0x74380000 0x74389fff Memory Mapped File Readable, Writable, Executable False False False
ws2help.dll 0x74390000 0x74392fff Memory Mapped File Readable, Writable, Executable False False False
wshelper.dll 0x743a0000 0x743a6fff Memory Mapped File Readable, Writable, Executable False False False
dhcpqec.dll 0x743b0000 0x743c6fff Memory Mapped File Readable, Writable, Executable False False False
qutil.dll 0x743d0000 0x743e6fff Memory Mapped File Readable, Writable, Executable False False False
dhcpcsvc.dll 0x743f0000 0x74401fff Memory Mapped File Readable, Writable, Executable False False False
dhcpcmonitor.dll 0x74410000 0x74415fff Memory Mapped File Readable, Writable, Executable False False False
dhcpcsvc6.dll 0x74420000 0x7442cfff Memory Mapped File Readable, Writable, Executable False False False
nshwfp.dll 0x74430000 0x744d3fff Memory Mapped File Readable, Writable, Executable False False False
odbcint.dll 0x744e0000 0x74517fff Memory Mapped File Readable, Writable, Executable False False False
odbc32.dll 0x74520000 0x745abfff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x745b0000 0x7474dfff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x74750000 0x7476bfff Memory Mapped File Readable, Writable, Executable False False False
mfc42u.dll 0x74770000 0x7488efff Memory Mapped File Readable, Writable, Executable False False False
rasapi32.dll 0x74890000 0x748e1fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x74910000 0x7498ffff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x749a0000 0x749fbfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x74a00000 0x74a3efff Memory Mapped File Readable, Writable, Executable False False False
slc.dll 0x74a40000 0x74a49fff Memory Mapped File Readable, Writable, Executable False False False
fwpuclnt.dll 0x74a50000 0x74a87fff Memory Mapped File Readable, Writable, Executable False False False
mprapi.dll 0x74a90000 0x74ab8fff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x74ac0000 0x74ac6fff Memory Mapped File Readable, Writable, Executable False False False
rasman.dll 0x74ad0000 0x74ae4fff Memory Mapped File Readable, Writable, Executable False False False
credui.dll 0x74af0000 0x74b1afff Memory Mapped File Readable, Writable, Executable False False False
rpcrtremote.dll 0x74c20000 0x74c2dfff Memory Mapped File Readable, Writable, Executable False False False
rasmontr.dll 0x74c30000 0x74c5dfff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x74ca0000 0x74cdafff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x74ce0000 0x74cf5fff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x74d00000 0x74d08fff Memory Mapped File Readable, Writable, Executable False False False
wkscli.dll 0x74d50000 0x74d5efff Memory Mapped File Readable, Writable, Executable False False False
srvcli.dll 0x74d60000 0x74d78fff Memory Mapped File Readable, Writable, Executable False False False
netutils.dll 0x74d80000 0x74d88fff Memory Mapped File Readable, Writable, Executable False False False
netapi32.dll 0x74d90000 0x74da0fff Memory Mapped File Readable, Writable, Executable False False False
mpr.dll 0x74db0000 0x74dc1fff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x75060000 0x75067fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75090000 0x7509bfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x750a0000 0x750fffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x75100000 0x75109fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x75110000 0x75128fff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x75130000 0x75141fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x75150000 0x751effff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x751f0000 0x751fbfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75200000 0x75e49fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75e50000 0x75fabfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x75fb0000 0x76006fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x76010000 0x76044fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76050000 0x760ecfff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x760f0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76180000 0x7624bfff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x76350000 0x76355fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76360000 0x763eefff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x763f0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x764e0000 0x7653ffff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76540000 0x765ebfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x765f0000 0x766effff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x76a60000 0x76b7cfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76bb0000 0x76cbffff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x76d50000 0x76eecfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x76fe0000 0x77025fff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x77030000 0x77056fff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x77060000 0x770a4fff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x770b0000 0x77132fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077140000 0x77140000 0x77239fff Private Memory Readable, Writable, Executable True False False
private_0x0000000077240000 0x77240000 0x7735efff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x77360000 0x77508fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77540000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Host Behavior
File (3)
Operation Filename Additional Information Success Count
OPEN STD_OUTPUT_HANDLE True 1
WRITE STD_OUTPUT_HANDLE size = 5 True 1
WRITE STD_OUTPUT_HANDLE size = 2 True 1
Module (23)
Operation Module Additional Information Success Count
LOAD RASMONTR.DLL base_address = 0x74c30000 True 1
LOAD NSHWFP.DLL base_address = 0x74430000 True 1
LOAD DHCPCMONITOR.DLL base_address = 0x74410000 True 1
LOAD kernel32.dll base_address = 0x76bb0000 True 1
GET_HANDLE c:\windows\syswow64\netsh.exe base_address = 0x15f0000 True 2
GET_PROC_ADDRESS c:\windows\syswow64\rasmontr.dll function = InitHelperDll, address = 0x74c46cb9 True 1
GET_PROC_ADDRESS c:\windows\syswow64\nshwfp.dll function = InitHelperDll, address = 0x7448bbb2 True 1
GET_PROC_ADDRESS c:\windows\syswow64\dhcpcmonitor.dll function = InitHelperDll, address = 0x74411cd4 True 1
GET_PROC_ADDRESS c:\windows\syswow64\wshelper.dll function = InitHelperDll, address = 0x743a157b True 1
GET_PROC_ADDRESS c:\windows\syswow64\fwcfg.dll function = InitHelperDll, address = 0x742b2a30 True 1
GET_PROC_ADDRESS c:\windows\syswow64\authfwcfg.dll function = InitHelperDll, address = 0x741d4420 True 1
GET_PROC_ADDRESS c:\windows\syswow64\ifmon.dll function = InitHelperDll, address = 0x743617a3 True 1
GET_PROC_ADDRESS c:\windows\syswow64\netiohlp.dll function = InitHelperDll, address = 0x74136e4b True 1
GET_PROC_ADDRESS c:\windows\syswow64\whhelper.dll function = InitHelperDll, address = 0x74171c99 True 1
GET_PROC_ADDRESS c:\windows\syswow64\hnetmon.dll function = InitHelperDll, address = 0x7407200c True 1
GET_PROC_ADDRESS c:\windows\syswow64\dot3cfg.dll function = InitHelperDll, address = 0x73fda31d True 1
GET_PROC_ADDRESS c:\windows\syswow64\napmontr.dll function = InitHelperDll, address = 0x73edc7d5 True 1
GET_PROC_ADDRESS c:\windows\syswow64\nshipsec.dll function = InitHelperDll, address = 0x73e16910 True 1
GET_PROC_ADDRESS c:\windows\syswow64\p2pnetsh.dll function = InitHelperDll, address = 0x73a238e5 True 1
GET_PROC_ADDRESS c:\windows\syswow64\wlancfg.dll function = InitHelperDll, address = 0x7394c7d8 True 1
GET_PROC_ADDRESS c:\windows\syswow64\peerdistsh.dll function = InitHelperDll, address = 0x738ac796 True 1
GET_PROC_ADDRESS c:\windows\syswow64\kernel32.dll function = SetThreadUILanguage, address = 0x76bda84f True 1
Registry (1)
Operation Key Additional Information Success Count
OPEN_KEY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1
Process #8: netsh.exe
(Host: 27, Network: 0)
Information Value
ID #8
File Name c:\windows\syswow64\netsh.exe
Command Line C:\Windows\system32\netsh.exe advfirewall firewall add rule name="XyHyb1NtXB" dir=out action=block program="C:\Program Files (x86)\Windows Defender\pst-mine.exe"
Initial Working Directory C:\Users\hJrD1KOKY DS8lUjv\Desktop
Monitor Start Time: 00:01:14, Reason: Child Process
Unmonitor End Time: 00:01:17, Reason: Terminated
Monitor Duration 00:00:03
OS Process Information
Information Value
PID 0xac8
Parent PID 0x9e0 (c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username 1R6PFH\hJrD1KOKY DS8lUjv
Groups
  • 1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000e04f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xACC
0xADC
0xAE0
0xAE4
0xAE8
0xAEC
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
netsh.exe.mui 0x00030000 0x00034fff Memory Mapped File Readable, Writable False False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False
private_0x0000000000070000 0x00070000 0x00070fff Private Memory Readable, Writable True False False
private_0x0000000000080000 0x00080000 0x00080fff Private Memory Readable, Writable True False False
pagefile_0x0000000000090000 0x00090000 0x00091fff Pagefile Backed Memory Readable True False False
odbcint.dll.mui 0x000a0000 0x000aafff Memory Mapped File Readable, Writable False False False
private_0x00000000000b0000 0x000b0000 0x000effff Private Memory Readable, Writable True False False
pagefile_0x00000000000f0000 0x000f0000 0x000f1fff Pagefile Backed Memory Readable True False False
mfc42u.dll.mui 0x00100000 0x00107fff Memory Mapped File Readable, Writable False False False
setupapi.dll.mui 0x00110000 0x0011cfff Memory Mapped File Readable, Writable False False False
private_0x0000000000120000 0x00120000 0x0021ffff Private Memory Readable, Writable True False False
locale.nls 0x00220000 0x00286fff Memory Mapped File Readable False False False
private_0x0000000000290000 0x00290000 0x0030ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000002a0000 0x002a0000 0x002a1fff Pagefile Backed Memory Readable True False False
fwcfg.dll.mui 0x002b0000 0x002c0fff Memory Mapped File Readable, Writable False False False
private_0x00000000002d0000 0x002d0000 0x0030ffff Private Memory Readable, Writable True False False
crypt32.dll.mui 0x00310000 0x00318fff Memory Mapped File Readable, Writable False False False
pagefile_0x0000000000320000 0x00320000 0x00320fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000330000 0x00330000 0x00330fff Pagefile Backed Memory Readable True False False
private_0x0000000000340000 0x00340000 0x0034ffff Private Memory Readable, Writable True False False
p2pnetsh.dll.mui 0x00350000 0x00359fff Memory Mapped File Readable, Writable False False False
private_0x0000000000360000 0x00360000 0x003dffff Private Memory Readable, Writable True False False
private_0x00000000003e0000 0x003e0000 0x0050ffff Private Memory Readable, Writable True False False
private_0x00000000003e0000 0x003e0000 0x0045ffff Private Memory Readable, Writable True False False
private_0x0000000000460000 0x00460000 0x004bffff Private Memory Readable, Writable True False False
private_0x00000000004d0000 0x004d0000 0x0050ffff Private Memory Readable, Writable True False False
private_0x0000000000520000 0x00520000 0x0061ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000620000 0x00620000 0x007a7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000007b0000 0x007b0000 0x00930fff Pagefile Backed Memory Readable True False False
private_0x0000000000940000 0x00940000 0x00a3ffff Private Memory Readable, Writable True False False
private_0x0000000000a40000 0x00a40000 0x00b4ffff Private Memory Readable, Writable True False False
private_0x0000000000a40000 0x00a40000 0x00a9ffff Private Memory Readable, Writable True False False
private_0x0000000000a70000 0x00a70000 0x00a8ffff Private Memory Readable, Writable True False False
private_0x0000000000a90000 0x00a90000 0x00a9ffff Private Memory Readable, Writable True False False
private_0x0000000000ad0000 0x00ad0000 0x00b0ffff Private Memory Readable, Writable True False False
private_0x0000000000b10000 0x00b10000 0x00b4ffff Private Memory Readable, Writable True False False
sortdefault.nls 0x00b50000 0x00e1efff Memory Mapped File Readable False False False
private_0x0000000000e20000 0x00e20000 0x00f8ffff Private Memory Readable, Writable True False False
private_0x0000000000e80000 0x00e80000 0x00ebffff Private Memory Readable, Writable True False False
private_0x0000000000ee0000 0x00ee0000 0x00f1ffff Private Memory Readable, Writable True False False
private_0x0000000000f80000 0x00f80000 0x00f8ffff Private Memory Readable, Writable True False False
private_0x0000000000fd0000 0x00fd0000 0x0100ffff Private Memory Readable, Writable True False False
private_0x0000000001050000 0x01050000 0x0114ffff Private Memory Readable, Writable True False False
private_0x0000000001190000 0x01190000 0x011cffff Private Memory Readable, Writable True False False
private_0x00000000011d0000 0x011d0000 0x0120ffff Private Memory Readable, Writable True False False
pagefile_0x0000000001210000 0x01210000 0x012eefff Pagefile Backed Memory Readable True False False
private_0x0000000001340000 0x01340000 0x0137ffff Private Memory Readable, Writable True False False
private_0x00000000013a0000 0x013a0000 0x013dffff Private Memory Readable, Writable True False False
private_0x0000000001410000 0x01410000 0x0144ffff Private Memory Readable, Writable True False False
private_0x00000000014e0000 0x014e0000 0x0151ffff Private Memory Readable, Writable True False False
private_0x0000000001590000 0x01590000 0x015cffff Private Memory Readable, Writable True False False
netsh.exe 0x01690000 0x016aafff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x00000000016b0000 0x016b0000 0x02aaffff Pagefile Backed Memory Readable True False False
private_0x0000000002b20000 0x02b20000 0x02c1ffff Private Memory Readable, Writable True False False
private_0x0000000002c40000 0x02c40000 0x02d3ffff Private Memory Readable, Writable True False False
private_0x0000000002ed0000 0x02ed0000 0x02fcffff Private Memory Readable, Writable True False False
private_0x0000000003030000 0x03030000 0x0312ffff Private Memory Readable, Writable True False False
bcryptprimitives.dll 0x737c0000 0x737fcfff Memory Mapped File Readable, Writable, Executable False False False
gpapi.dll 0x73800000 0x73815fff Memory Mapped File Readable, Writable, Executable False False False
qagent.dll 0x73820000 0x7384dfff Memory Mapped File Readable, Writable, Executable False False False
peerdistsh.dll 0x73850000 0x738f4fff Memory Mapped File Readable, Writable, Executable False False False
wlanhlp.dll 0x73900000 0x73916fff Memory Mapped File Readable, Writable, Executable False False False
wlanutil.dll 0x73920000 0x73925fff Memory Mapped File Readable, Writable, Executable False False False
wlanapi.dll 0x73930000 0x73945fff Memory Mapped File Readable, Writable, Executable False False False
wlancfg.dll 0x73950000 0x7397dfff Memory Mapped File Readable, Writable, Executable False False False
p2pcollab.dll 0x73980000 0x739e7fff Memory Mapped File Readable, Writable, Executable False False False
p2p.dll 0x739f0000 0x73a27fff Memory Mapped File Readable, Writable, Executable False False False
p2pnetsh.dll 0x73a30000 0x73a54fff Memory Mapped File Readable, Writable, Executable False False False
polstore.dll 0x73a60000 0x73aa5fff Memory Mapped File Readable, Writable, Executable False False False
adsldpc.dll 0x73ab0000 0x73ae3fff Memory Mapped File Readable, Writable, Executable False False False
activeds.dll 0x73af0000 0x73b24fff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x73b30000 0x73b3afff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x73b40000 0x73b56fff Memory Mapped File Readable, Writable, Executable False False False
logoncli.dll 0x73b60000 0x73b81fff Memory Mapped File Readable, Writable, Executable False False False
nshipsec.dll 0x73b90000 0x73be8fff Memory Mapped File Readable, Writable, Executable False False False
certcli.dll 0x73bf0000 0x73c45fff Memory Mapped File Readable, Writable, Executable False False False
napmontr.dll 0x73c50000 0x73c78fff Memory Mapped File Readable, Writable, Executable False False False
eappprxy.dll 0x73c80000 0x73c90fff Memory Mapped File Readable, Writable, Executable False False False
onex.dll 0x73ca0000 0x73cd3fff Memory Mapped File Readable, Writable, Executable False False False
eappcfg.dll 0x73ce0000 0x73d0efff Memory Mapped File Readable, Writable, Executable False False False
atl.dll 0x73d20000 0x73d33fff Memory Mapped File Readable, Writable, Executable False False False
dot3api.dll 0x73d40000 0x73d59fff Memory Mapped File Readable, Writable, Executable False False False
dot3cfg.dll 0x73d60000 0x73d76fff Memory Mapped File Readable, Writable, Executable False False False
rpcnsh.dll 0x73d80000 0x73d8afff Memory Mapped File Readable, Writable, Executable False False False
nlaapi.dll 0x73d90000 0x73d9ffff Memory Mapped File Readable, Writable, Executable False False False
netshell.dll 0x73da0000 0x74004fff Memory Mapped File Readable, Writable, Executable False False False
hnetmon.dll 0x74010000 0x74016fff Memory Mapped File Readable, Writable, Executable False False False
webio.dll 0x74020000 0x7406efff Memory Mapped File Readable, Writable, Executable False False False
winhttp.dll 0x74070000 0x740c7fff Memory Mapped File Readable, Writable, Executable False False False
whhelper.dll 0x740d0000 0x740d6fff Memory Mapped File Readable, Writable, Executable False False False
dnsapi.dll 0x740e0000 0x74123fff Memory Mapped File Readable, Writable, Executable False False False
netiohlp.dll 0x74130000 0x7415bfff Memory Mapped File Readable, Writable, Executable False False False
devrtl.dll 0x74160000 0x7416dfff Memory Mapped File Readable, Writable, Executable False False False
nci.dll 0x74170000 0x74185fff Memory Mapped File Readable, Writable, Executable False False False
ifmon.dll 0x74190000 0x74198fff Memory Mapped File Readable, Writable, Executable False False False
winipsec.dll 0x741a0000 0x741b3fff Memory Mapped File Readable, Writable, Executable False False False
bcrypt.dll 0x741c0000 0x741d6fff Memory Mapped File Readable, Writable, Executable False False False
authfwcfg.dll 0x741e0000 0x74233fff Memory Mapped File Readable, Writable, Executable False False False
firewallapi.dll 0x74240000 0x742b5fff Memory Mapped File Readable, Writable, Executable False False False
fwcfg.dll 0x742c0000 0x742d0fff Memory Mapped File Readable, Writable, Executable False False False
httpapi.dll 0x742e0000 0x742eafff Memory Mapped File Readable, Writable, Executable False False False
nshhttp.dll 0x742f0000 0x742f9fff Memory Mapped File Readable, Writable, Executable False False False
mswsock.dll 0x74300000 0x7433bfff Memory Mapped File Readable, Writable, Executable False False False
ws2help.dll 0x74340000 0x74342fff Memory Mapped File Readable, Writable, Executable False False False
wshelper.dll 0x74350000 0x74356fff Memory Mapped File Readable, Writable, Executable False False False
wevtapi.dll 0x74360000 0x743a1fff Memory Mapped File Readable, Writable, Executable False False False
qutil.dll 0x743b0000 0x743c6fff Memory Mapped File Readable, Writable, Executable False False False
dhcpqec.dll 0x743d0000 0x743e6fff Memory Mapped File Readable, Writable, Executable False False False
dhcpcsvc6.dll 0x743f0000 0x743fcfff Memory Mapped File Readable, Writable, Executable False False False
dhcpcsvc.dll 0x74400000 0x74411fff Memory Mapped File Readable, Writable, Executable False False False
dhcpcmonitor.dll 0x74420000 0x74425fff Memory Mapped File Readable, Writable, Executable False False False
slc.dll 0x74430000 0x74439fff Memory Mapped File Readable, Writable, Executable False False False
nshwfp.dll 0x74440000 0x744e3fff Memory Mapped File Readable, Writable, Executable False False False
odbcint.dll 0x744f0000 0x74527fff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x74530000 0x74536fff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x74540000 0x7455bfff Memory Mapped File Readable, Writable, Executable False False False
odbc32.dll 0x74560000 0x745ebfff Memory Mapped File Readable, Writable, Executable False False False
mfc42u.dll 0x745f0000 0x7470efff Memory Mapped File Readable, Writable, Executable False False False
fwpuclnt.dll 0x74710000 0x74747fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x74750000 0x748edfff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x74910000 0x7498ffff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x749a0000 0x749fbfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x74a00000 0x74a3efff Memory Mapped File Readable, Writable, Executable False False False
rasman.dll 0x74a40000 0x74a54fff Memory Mapped File Readable, Writable, Executable False False False
rasapi32.dll 0x74a60000 0x74ab1fff Memory Mapped File Readable, Writable, Executable False False False
mprapi.dll 0x74ac0000 0x74ae8fff Memory Mapped File Readable, Writable, Executable False False False
rasmontr.dll 0x74af0000 0x74b1dfff Memory Mapped File Readable, Writable, Executable False False False
rpcrtremote.dll 0x74c20000 0x74c2dfff Memory Mapped File Readable, Writable, Executable False False False
credui.dll 0x74c30000 0x74c5afff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x74ca0000 0x74cdafff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x74ce0000 0x74cf5fff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x74d00000 0x74d08fff Memory Mapped File Readable, Writable, Executable False False False
wkscli.dll 0x74d50000 0x74d5efff Memory Mapped File Readable, Writable, Executable False False False
srvcli.dll 0x74d60000 0x74d78fff Memory Mapped File Readable, Writable, Executable False False False
netutils.dll 0x74d80000 0x74d88fff Memory Mapped File Readable, Writable, Executable False False False
netapi32.dll 0x74d90000 0x74da0fff Memory Mapped File Readable, Writable, Executable False False False
mpr.dll 0x74db0000 0x74dc1fff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x75060000 0x75067fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75090000 0x7509bfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x750a0000 0x750fffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x75100000 0x75109fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x75110000 0x75128fff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x75130000 0x75141fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x75150000 0x751effff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x751f0000 0x751fbfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75200000 0x75e49fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75e50000 0x75fabfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x75fb0000 0x76006fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x76010000 0x76044fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76050000 0x760ecfff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x760f0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76180000 0x7624bfff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x76350000 0x76355fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76360000 0x763eefff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x763f0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x764e0000 0x7653ffff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76540000 0x765ebfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x765f0000 0x766effff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x76a60000 0x76b7cfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76bb0000 0x76cbffff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x76d50000 0x76eecfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x76fe0000 0x77025fff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x77030000 0x77056fff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x77060000 0x770a4fff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x770b0000 0x77132fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077140000 0x77140000 0x77239fff Private Memory Readable, Writable, Executable True False False
private_0x0000000077240000 0x77240000 0x7735efff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x77360000 0x77508fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77540000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Host Behavior
File (3)
Operation Filename Additional Information Success Count Logfile
OPEN STD_OUTPUT_HANDLE True 1 Fn
WRITE STD_OUTPUT_HANDLE size = 5 True 1 Fn, Data
WRITE STD_OUTPUT_HANDLE size = 2 True 1 Fn, Data
Module (23)
Operation Module Additional Information Success Count Logfile
LOAD RASMONTR.DLL base_address = 0x74af0000 True 1 Fn
LOAD NSHWFP.DLL base_address = 0x74440000 True 1 Fn
LOAD DHCPCMONITOR.DLL base_address = 0x74420000 True 1 Fn
LOAD kernel32.dll base_address = 0x76bb0000 True 1 Fn
GET_HANDLE c:\windows\syswow64\netsh.exe base_address = 0x1690000 True 2 Fn
GET_PROC_ADDRESS c:\windows\syswow64\rasmontr.dll function = InitHelperDll, address = 0x74b06cb9 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\nshwfp.dll function = InitHelperDll, address = 0x7449bbb2 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\dhcpcmonitor.dll function = InitHelperDll, address = 0x74421cd4 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\wshelper.dll function = InitHelperDll, address = 0x7435157b True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\fwcfg.dll function = InitHelperDll, address = 0x742c2a30 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\authfwcfg.dll function = InitHelperDll, address = 0x741e4420 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\ifmon.dll function = InitHelperDll, address = 0x741917a3 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\netiohlp.dll function = InitHelperDll, address = 0x74146e4b True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\whhelper.dll function = InitHelperDll, address = 0x740d1c99 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\hnetmon.dll function = InitHelperDll, address = 0x7401200c True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\dot3cfg.dll function = InitHelperDll, address = 0x73d6a31d True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\napmontr.dll function = InitHelperDll, address = 0x73c5c7d5 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\nshipsec.dll function = InitHelperDll, address = 0x73b96910 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\p2pnetsh.dll function = InitHelperDll, address = 0x73a338e5 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\wlancfg.dll function = InitHelperDll, address = 0x7395c7d8 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\peerdistsh.dll function = InitHelperDll, address = 0x738cc796 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\kernel32.dll function = SetThreadUILanguage, address = 0x76bda84f True 1 Fn
Registry (1)
Operation Key Additional Information Success Count Logfile
OPEN_KEY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Process #9: mshta.exe
(Host: 1312, Network: 0)
Information Value
ID #9
File Name c:\windows\syswow64\mshta.exe
Command Line "C:\Windows\SysWOW64\mshta.exe" "C:\Users\hJrD1KOKY DS8lUjv\Desktop\_READ_THIS_FILE_SOESZC_.hta"
Initial Working Directory c:\users\hjrd1koky ds8lujv\desktop
Monitor Start Time: 00:01:38, Reason: Child Process
Unmonitor End Time: 00:02:26, Reason: Terminated by Timeout
Monitor Duration 00:00:48
OS Process Information
Information Value
PID 0xbd0
Parent PID 0x9e0 (c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username 1R6PFH\hJrD1KOKY DS8lUjv
Groups
  • 1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000e04f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBD4, 0x884, 0x8B8, 0x8BC, 0x8AC, 0x8C0, 0x8F8, 0x7A4, 0x334, 0x704, 0x314, 0x9C4
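The process record above is the pair a detection rule can key on: mshta.exe started by the sample rather than by the shell, running at High integrity, and handed an .hta sitting on the user's Desktop. The Python below is an added example, not part of the VMRay report or of VMRay's tooling. Its process records are constructed: the first mirrors Process #9 (PID 0xbd0, parent 0x9e0, the note path from the command line), the other two are hypothetical benign and user-opened cases with made-up PIDs. The filename pattern is generalised from the one note name in this report (_READ_THIS_FILE_SOESZC_.hta) on the assumption that the middle part is random, so it is a Cerber-specific indicator rather than a general rule.

```python
"""Flag mshta.exe launches that look like a ransom note being rendered: an .hta
under a user-writable path, started by something other than the shell, possibly
elevated.  Added example, not from the VMRay report; records are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcRecord:
    pid: int
    ppid: int
    image: str          # full path of the process image
    parent_image: str   # full path of the parent's image
    cmdline: str
    integrity: str      # "High", "Medium", ...


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _argv(cmdline: str) -> List[str]:
    # Windows-style split: a quoted path containing spaces stays one token.
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


# Generalised from the single note name in the report (_READ_THIS_FILE_SOESZC_.hta).
# Assumption: the middle segment is random. Cerber-specific, not a general rule.
CERBER_NOTE_RE = re.compile(r"^_read_this_file_[a-z0-9]+_\.hta$", re.I)


def assess_mshta(rec: ProcRecord) -> List[str]:
    """Reasons this record looks like a ransom-note HTA launch; empty list = not flagged."""
    if _basename(rec.image) != "mshta.exe":
        return []
    htas = [a for a in _argv(rec.cmdline)[1:] if a.lower().endswith(".hta")]
    if not htas:
        return []
    reasons: List[str] = []
    for hta in htas:
        low = hta.lower()
        if low.startswith("c:\\users\\") or "\\temp\\" in low:
            reasons.append(f"hta in user-writable path: {hta}")
        if CERBER_NOTE_RE.match(_basename(hta)):
            reasons.append(f"hta name matches Cerber note pattern: {_basename(hta)}")
    if _basename(rec.parent_image) != "explorer.exe":
        reasons.append(f"mshta parent is not the shell: {_basename(rec.parent_image)}")
    if rec.integrity.lower() == "high":
        reasons.append("mshta running at High integrity")
    return reasons


def triage(records: List[ProcRecord]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every flagged mshta.exe record."""
    flagged: Dict[int, List[str]] = {}
    for rec in records:
        reasons = assess_mshta(rec)
        if reasons:
            flagged[rec.pid] = reasons
    return flagged


SAMPLE_EXE = r"c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe"
NOTE = r"C:\Users\hJrD1KOKY DS8lUjv\Desktop\_READ_THIS_FILE_SOESZC_.hta"

RECORDS = [
    # Mirrors Process #9 of the report: mshta.exe spawned by the sample, elevated, rendering the note.
    ProcRecord(0xbd0, 0x9e0, r"c:\windows\syswow64\mshta.exe", SAMPLE_EXE,
               f'"C:\\Windows\\SysWOW64\\mshta.exe" "{NOTE}"', "High"),
    # Hypothetical benign case: a vendor HTA under Program Files, opened from the shell.
    ProcRecord(0x1a2c, 0x2f8, r"c:\windows\system32\mshta.exe", r"c:\windows\explorer.exe",
               r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"', "Medium"),
    # Hypothetical: the victim later double-clicks the note, so explorer.exe is the parent.
    ProcRecord(0x1b3c, 0x2f8, r"c:\windows\system32\mshta.exe", r"c:\windows\explorer.exe",
               f'"C:\\Windows\\System32\\mshta.exe" "{NOTE}"', "Medium"),
]

if __name__ == "__main__":
    for pid, reasons in triage(RECORDS).items():
        print(f"pid {pid:#x}:")
        for why in reasons:
            print("  -", why)
```

The parent check and the path check are deliberately separate reasons: the record copied from this report trips both, while a user re-opening the note from the Desktop trips only the path and name checks, which is the lower-severity case a responder still wants to see.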
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
imm32.dll 0x00020000 0x0003dfff Memory Mapped File Readable False False False
imm32.dll 0x00020000 0x0003dfff Memory Mapped File Readable False False False
mshta.exe.mui 0x00020000 0x00020fff Memory Mapped File Readable, Writable False False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False
private_0x0000000000070000 0x00070000 0x000affff Private Memory Readable, Writable True False False
locale.nls 0x000b0000 0x00116fff Memory Mapped File Readable False False False
private_0x0000000000120000 0x00120000 0x00120fff Private Memory Readable, Writable True False False
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000140000 0x00140000 0x00140fff Private Memory Readable, Writable True False False
pagefile_0x0000000000150000 0x00150000 0x00150fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000160000 0x00160000 0x00160fff Pagefile Backed Memory Readable True False False
windowsshell.manifest 0x00170000 0x00170fff Memory Mapped File Readable False False False
windowsshell.manifest 0x00170000 0x00170fff Memory Mapped File Readable False False False
pagefile_0x0000000000170000 0x00170000 0x00170fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000180000 0x00180000 0x00181fff Pagefile Backed Memory Readable True False False
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000290000 0x00290000 0x00291fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000002b0000 0x002b0000 0x002cffff Private Memory Readable, Writable True False False
oleaccrc.dll 0x002d0000 0x002d0fff Memory Mapped File Readable False False False
pagefile_0x00000000002e0000 0x002e0000 0x002e0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000002e0000 0x002e0000 0x002e0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000002e0000 0x002e0000 0x002e0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000002e0000 0x002e0000 0x002e1fff Pagefile Backed Memory Readable True False False
urlmon.dll.mui 0x002f0000 0x002f7fff Memory Mapped File Readable, Writable False False False
private_0x0000000000300000 0x00300000 0x0030ffff Private Memory Readable, Writable True False False
rsaenh.dll 0x00310000 0x0034bfff Memory Mapped File Readable False False False
rsaenh.dll 0x00310000 0x0034bfff Memory Mapped File Readable False False False
rsaenh.dll 0x00310000 0x0034bfff Memory Mapped File Readable False False False
rsaenh.dll 0x00310000 0x0034bfff Memory Mapped File Readable False False False
rsaenh.dll 0x00310000 0x0034bfff Memory Mapped File Readable False False False
oleacc.dll 0x00310000 0x00348fff Memory Mapped File Readable False False False
index.dat 0x00310000 0x00317fff Memory Mapped File Readable, Writable True False False
index.dat 0x00320000 0x00323fff Memory Mapped File Readable, Writable True False False
index.dat 0x00320000 0x00327fff Memory Mapped File Readable, Writable True False False
index.dat 0x00330000 0x0033ffff Memory Mapped File Readable, Writable True False False
private_0x0000000000340000 0x00340000 0x00340fff Private Memory Readable, Writable True False False
private_0x0000000000350000 0x00350000 0x003cffff Private Memory Readable, Writable True False False
private_0x00000000003d0000 0x003d0000 0x0044ffff Private Memory Readable, Writable True False False
private_0x0000000000450000 0x00450000 0x00450fff Private Memory Readable, Writable True False False
private_0x0000000000460000 0x00460000 0x00460fff Private Memory Readable, Writable True False False
private_0x0000000000470000 0x00470000 0x00470fff Private Memory Readable, Writable True False False
private_0x0000000000480000 0x00480000 0x00480fff Private Memory Readable, Writable True False False
private_0x0000000000490000 0x00490000 0x0058ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000590000 0x00590000 0x0066efff Pagefile Backed Memory Readable True False False
private_0x0000000000670000 0x00670000 0x00670fff Private Memory Readable, Writable True False False
private_0x0000000000680000 0x00680000 0x0068ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000690000 0x00690000 0x00817fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000820000 0x00820000 0x009a0fff Pagefile Backed Memory Readable True False False
private_0x00000000009b0000 0x009b0000 0x009b0fff Private Memory Readable, Writable True False False
private_0x00000000009c0000 0x009c0000 0x009fffff Private Memory Readable, Writable True False False
private_0x0000000000a00000 0x00a00000 0x00a3ffff Private Memory Readable, Writable True False False
private_0x0000000000a40000 0x00a40000 0x00a40fff Private Memory Readable, Writable True False False
private_0x0000000000a50000 0x00a50000 0x00a50fff Private Memory Readable, Writable True False False
private_0x0000000000a60000 0x00a60000 0x00a9ffff Private Memory Readable, Writable True False False
mshta.exe 0x00aa0000 0x00aaefff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000000ab0000 0x00ab0000 0x01eaffff Pagefile Backed Memory Readable True False False
msxml3r.dll 0x01eb0000 0x01eb0fff Memory Mapped File Readable False False False
pagefile_0x0000000001ec0000 0x01ec0000 0x01ec1fff Pagefile Backed Memory Readable True False False
private_0x0000000001ee0000 0x01ee0000 0x01fdffff Private Memory Readable, Writable True False False
private_0x0000000001fe0000 0x01fe0000 0x0217ffff Private Memory Readable, Writable True False False
private_0x0000000001fe0000 0x01fe0000 0x0202ffff Private Memory Readable, Writable True False False
private_0x0000000002030000 0x02030000 0x0205ffff Private Memory Readable, Writable True False False
private_0x0000000002030000 0x02030000 0x0204ffff Private Memory - True False False
c_20127.nls 0x02050000 0x02060fff Memory Mapped File Readable False False False
private_0x0000000002080000 0x02080000 0x020bffff Private Memory Readable, Writable True False False
private_0x00000000020e0000 0x020e0000 0x0211ffff Private Memory Readable, Writable True False False
private_0x0000000002140000 0x02140000 0x0217ffff Private Memory Readable, Writable True False False
sortdefault.nls 0x02180000 0x0244efff Memory Mapped File Readable False False False
private_0x0000000002450000 0x02450000 0x0254ffff Private Memory Readable, Writable True False False
private_0x0000000002580000 0x02580000 0x025bffff Private Memory Readable, Writable True False False
private_0x00000000025d0000 0x025d0000 0x026cffff Private Memory Readable, Writable True False False
private_0x00000000026e0000 0x026e0000 0x0271ffff Private Memory Readable, Writable True False False
index.dat 0x02720000 0x0275ffff Memory Mapped File Readable, Writable True True False
private_0x0000000002790000 0x02790000 0x027cffff Private Memory Readable, Writable True False False
private_0x00000000027d0000 0x027d0000 0x0287ffff Private Memory Readable, Writable True False False
private_0x00000000027e0000 0x027e0000 0x0281ffff Private Memory Readable, Writable True False False
private_0x0000000002820000 0x02820000 0x0285ffff Private Memory Readable, Writable True False False
private_0x0000000002870000 0x02870000 0x0287ffff Private Memory Readable, Writable True False False
private_0x0000000002880000 0x02880000 0x0297ffff Private Memory Readable, Writable True False False
private_0x0000000002980000 0x02980000 0x02a7ffff Private Memory Readable, Writable True False False
private_0x0000000002ab0000 0x02ab0000 0x02baffff Private Memory Readable, Writable True False False
ieframe.dll.mui 0x02bb0000 0x02cdffff Memory Mapped File Readable, Writable False False False
private_0x0000000002ce0000 0x02ce0000 0x02dcffff Private Memory Readable, Writable True False False
staticcache.dat 0x02dd0000 0x036fffff Memory Mapped File Readable False False False
private_0x0000000003700000 0x03700000 0x037fffff Private Memory Readable, Writable True False False
kernelbase.dll.mui 0x03800000 0x038bffff Memory Mapped File Readable, Writable False False False
private_0x00000000038d0000 0x038d0000 0x039cffff Private Memory Readable, Writable True False False
private_0x00000000039e0000 0x039e0000 0x03adffff Private Memory Readable, Writable True False False
private_0x0000000003ae0000 0x03ae0000 0x03bdffff Private Memory Readable, Writable True False False
private_0x0000000003be0000 0x03be0000 0x03dcffff Private Memory Readable, Writable True False False
private_0x0000000003be0000 0x03be0000 0x03d5ffff Private Memory Readable, Writable True False False
private_0x0000000003cd0000 0x03cd0000 0x03d0ffff Private Memory Readable, Writable True False False
private_0x0000000003d20000 0x03d20000 0x03d5ffff Private Memory Readable, Writable True False False
private_0x0000000003d90000 0x03d90000 0x03dcffff Private Memory Readable, Writable True False False
private_0x0000000003dd0000 0x03dd0000 0x041cffff Private Memory Readable, Writable True False False
private_0x0000000004200000 0x04200000 0x042fffff Private Memory Readable, Writable True False False
private_0x0000000004300000 0x04300000 0x044effff Private Memory Readable, Writable True False False
private_0x0000000004320000 0x04320000 0x0435ffff Private Memory Readable, Writable True False False
private_0x0000000004390000 0x04390000 0x0448ffff Private Memory Readable, Writable True False False
private_0x00000000044e0000 0x044e0000 0x044effff Private Memory Readable, Writable True False False
private_0x00000000045b0000 0x045b0000 0x046affff Private Memory Readable, Writable True False False
private_0x0000000004790000 0x04790000 0x0488ffff Private Memory Readable, Writable True False False
private_0x0000000004890000 0x04890000 0x0498ffff Private Memory Readable, Writable True False False
dhcpcsvc6.dll 0x72540000 0x7254cfff Memory Mapped File Readable, Writable, Executable False False False
dhcpcsvc.dll 0x72550000 0x72561fff Memory Mapped File Readable, Writable, Executable False False False
npmproxy.dll 0x72570000 0x72577fff Memory Mapped File Readable, Writable, Executable False False False
netprofm.dll 0x725f0000 0x72649fff Memory Mapped File Readable, Writable, Executable False False False
fwpuclnt.dll 0x72650000 0x72687fff Memory Mapped File Readable, Writable, Executable False False False
wship6.dll 0x72690000 0x72695fff Memory Mapped File Readable, Writable, Executable False False False
winrnr.dll 0x726a0000 0x726a7fff Memory Mapped File Readable, Writable, Executable False False False
pnrpnsp.dll 0x726b0000 0x726c1fff Memory Mapped File Readable, Writable, Executable False False False
napinsp.dll 0x726d0000 0x726dffff Memory Mapped File Readable, Writable, Executable False False False
rasadhlp.dll 0x726e0000 0x726e5fff Memory Mapped File Readable, Writable, Executable False False False
nlaapi.dll 0x726f0000 0x726fffff Memory Mapped File Readable, Writable, Executable False False False
sensapi.dll 0x72700000 0x72705fff Memory Mapped File Readable, Writable, Executable False False False
rtutils.dll 0x72710000 0x7271cfff Memory Mapped File Readable, Writable, Executable False False False
rasman.dll 0x72800000 0x72814fff Memory Mapped File Readable, Writable, Executable False False False
rasapi32.dll 0x72820000 0x72871fff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x72880000 0x72886fff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x72890000 0x728abfff Memory Mapped File Readable, Writable, Executable False False False
dnsapi.dll 0x728b0000 0x728f3fff Memory Mapped File Readable, Writable, Executable False False False
msxml3.dll 0x72910000 0x72a42fff Memory Mapped File Readable, Writable, Executable False False False
jscript.dll 0x72de0000 0x72e91fff Memory Mapped File Readable, Writable, Executable True False False
mlang.dll 0x72f10000 0x72f3dfff Memory Mapped File Readable, Writable, Executable False False False
ieframe.dll 0x730c0000 0x73b3ffff Memory Mapped File Readable, Writable, Executable False False False
sxs.dll 0x73d50000 0x73daefff Memory Mapped File Readable, Writable, Executable False False False
msimtf.dll 0x73db0000 0x73dbafff Memory Mapped File Readable, Writable, Executable False False False
oleacc.dll 0x73dd0000 0x73e0bfff Memory Mapped File Readable, Writable, Executable False False False
msls31.dll 0x73e40000 0x73e69fff Memory Mapped File Readable, Writable, Executable False False False
mshtml.dll 0x74090000 0x74646fff Memory Mapped File Readable, Writable, Executable True False False
dwmapi.dll 0x748f0000 0x74902fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x74910000 0x7498ffff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x749a0000 0x749fbfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x74a00000 0x74a3efff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x74a50000 0x74a70fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x74a80000 0x74c1dfff Memory Mapped File Readable, Writable, Executable False False False
rpcrtremote.dll 0x74c20000 0x74c2dfff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x74c40000 0x74c4afff Memory Mapped File Readable, Writable, Executable False False False
wshtcpip.dll 0x74c50000 0x74c54fff Memory Mapped File Readable, Writable, Executable False False False
mswsock.dll 0x74c60000 0x74c9bfff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x74ca0000 0x74cdafff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x74ce0000 0x74cf5fff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x74d00000 0x74d08fff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x75060000 0x75067fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75090000 0x7509bfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x750a0000 0x750fffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x75100000 0x75109fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x75110000 0x75128fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x75150000 0x751effff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x751f0000 0x751fbfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75200000 0x75e49fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75e50000 0x75fabfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x75fb0000 0x76006fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x76010000 0x76044fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76050000 0x760ecfff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x760f0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76180000 0x7624bfff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x76250000 0x76344fff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x76350000 0x76355fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76360000 0x763eefff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x763f0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x764e0000 0x7653ffff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76540000 0x765ebfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x765f0000 0x766effff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x76720000 0x76855fff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x76860000 0x76a5afff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x76a60000 0x76b7cfff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76bb0000 0x76cbffff Memory Mapped File Readable, Writable, Executable False False False
normaliz.dll 0x76fd0000 0x76fd2fff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x76fe0000 0x77025fff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x77060000 0x770a4fff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x770b0000 0x77132fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077140000 0x77140000 0x77239fff Private Memory Readable, Writable, Executable True False False
private_0x0000000077240000 0x77240000 0x7735efff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x77360000 0x77508fff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x77510000 0x77514fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77540000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007ef98000 0x7ef98000 0x7ef9afff Private Memory Readable, Writable True False False
private_0x000000007ef9b000 0x7ef9b000 0x7ef9dfff Private Memory Readable, Writable True False False
private_0x000000007ef9e000 0x7ef9e000 0x7efa0fff Private Memory Readable, Writable True False False
private_0x000000007efa1000 0x7efa1000 0x7efa3fff Private Memory Readable, Writable True False False
private_0x000000007efa4000 0x7efa4000 0x7efa6fff Private Memory Readable, Writable True False False
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Modified Files
Filename File Size Hash Values YARA Match Actions
c:\users\hjrd1koky ds8lujv\appdata\roaming\microsoft\windows\ietldcache\index.dat 256.00 KB (262144 bytes) MD5: 523c9c2f0803c81fb5baf9ae734c5313, SHA1: 2bdb52c4b4920a39084818ab848a39bde4e6fe19, SHA256: 8f32b74a611bdcf55195007d815d1028c287d4068c1feea68061aeec9626455f False
Host Behavior
File (6)
Operation Filename Additional Information Success Count Logfile
CREATE c:\users\hjrd1koky ds8lujv\desktop\_read_this_file_soeszc_.hta desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL True 1 Fn
OPEN STD_INPUT_HANDLE True 1 Fn
OPEN STD_OUTPUT_HANDLE True 1 Fn
OPEN STD_ERROR_HANDLE True 1 Fn
READ c:\users\hjrd1koky ds8lujv\desktop\_read_this_file_soeszc_.hta size = 4096 True 1 Fn, Data
FIND C:\Users\hJrD1KOKY DS8lUjv\Desktop\_READ_THIS_FILE_SOESZC_.hta True 1 Fn
Module (122)
Operation Module Additional Information Success Count Logfile
LOAD C:\Windows\SysWOW64\mshtml.dll base_address = 0x74090000 True 1 Fn
LOAD comctl32.dll base_address = 0x74a80000 True 1 Fn
LOAD OLEAUT32.dll base_address = 0x76360000 True 1 Fn
LOAD mshtml.dll base_address = 0x74090000 True 2 Fn
LOAD OLEACC.DLL base_address = 0x73dd0000 True 1 Fn
LOAD ieframe.dll base_address = 0x730c0000 True 2 Fn
LOAD IEFRAME.dll base_address = 0x730c0000 True 1 Fn
LOAD oleaut32.dll base_address = 0x76360000 True 1 Fn
LOAD ADVAPI32.dll base_address = 0x75150000 True 1 Fn
LOAD ole32.dll base_address = 0x75e50000 True 1 Fn
LOAD kernel32.dll base_address = 0x76bb0000 True 1 Fn
LOAD CRYPT32.dll base_address = 0x76a60000 True 1 Fn
GET_HANDLE c:\windows\syswow64\mshta.exe base_address = 0xaa0000 True 2 Fn
GET_HANDLE c:\windows\syswow64\kernel32.dll base_address = 0x76bb0000 True 5 Fn
GET_HANDLE c:\windows\syswow64\kernelbase.dll base_address = 0x76fe0000 True 26 Fn
GET_HANDLE c:\windows\syswow64\advapi32.dll base_address = 0x75150000 True 1 Fn
GET_HANDLE EXPLORER.EXE base_address = 0x0 False 1 Fn
GET_HANDLE IEXPLORE.EXE base_address = 0x0 False 1 Fn
GET_HANDLE c:\windows\syswow64\ole32.dll base_address = 0x75e50000 True 1 Fn
CREATE_MAPPING module_name = Local\!PrivacIE!SharedMem!Counter, maximum_size = 16, protection = PAGE_READWRITE True 1 Fn
MAP c:\windows\syswow64\mshta.exe os_pid = 0xbd0, module_name = Local\!PrivacIE!SharedMem!Counter, desired_access = FILE_MAP_WRITE, file_offset = 0, address = 0x130000 True 1 Fn
GET_FILENAME C:\Windows\SysWOW64\mshta.exe True 5 Fn
GET_FILENAME C:\Windows\SysWOW64\mshtml.dll file_name = C:\Windows\SysWOW64\mshtml.dll True 1 Fn
GET_FILENAME c:\windows\syswow64\mshta.exe file_name = C:\Windows\SysWOW64\mshta.exe True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\kernel32.dll function = FlsAlloc, address = 0x76bc4f2b True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\kernel32.dll function = FlsGetValue, address = 0x76bc1252 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\kernel32.dll function = FlsSetValue, address = 0x76bc4208 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\kernel32.dll function = FlsFree, address = 0x76bc359f True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\kernelbase.dll function = EncodePointer, address = 0x77580fcb True 9 Fn
GET_PROC_ADDRESS c:\windows\syswow64\kernelbase.dll function = DecodePointer, address = 0x77579d35 True 17 Fn
GET_PROC_ADDRESS c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionAndSpinCount, address = 0x76ff004f True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\kernel32.dll function = HeapSetInformation, address = 0x76bc5651 True 2 Fn
GET_PROC_ADDRESS c:\windows\syswow64\advapi32.dll function = EventWrite, address = 0x775a0c59 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\advapi32.dll function = EventRegister, address = 0x7757f6ba True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\advapi32.dll function = EventUnregister, address = 0x77599241 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\kernel32.dll function = RegisterApplicationRestart, address = 0x76beb53c True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\mshtml.dll function = RunHTMLApplication, address = 0x740ee710 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address = 0x77578456 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address = 0x775729f1 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\kernel32.dll function = AcquireSRWLockShared, address = 0x77572560 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address = 0x775729ab True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockShared, address = 0x775725a9 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\oleaut32.dll function = 6, address = 0x76363e59 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\oleaut32.dll function = 7, address = 0x76364680 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\oleaut32.dll function = 8, address = 0x76363ed5 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\oleacc.dll function = LresultFromObject, address = 0x73dd2663 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\ieframe.dll function = 234, address = 0x73128ed9 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\oleaut32.dll function = 2, address = 0x76364642 True 1 Fn
GET_PROC_ADDRESS c:\windows\syswow64\oleaut32.dll function = VariantClear, address = 0x76363eae True 1 Fn
Fn
GET_PROC_ADDRESS c:\windows\syswow64\advapi32.dll function = RegisterTraceGuidsA, address = 0x775a848f True 2
Fn
GET_PROC_ADDRESS c:\windows\syswow64\advapi32.dll function = RegOpenKeyExA, address = 0x75164907 True 1
Fn
GET_PROC_ADDRESS c:\windows\syswow64\advapi32.dll function = RegQueryValueExA, address = 0x751648ef True 1
Fn
GET_PROC_ADDRESS c:\windows\syswow64\advapi32.dll function = RegCloseKey, address = 0x7516469d True 1
Fn
GET_PROC_ADDRESS c:\windows\syswow64\ole32.dll function = CoGetObjectContext, address = 0x75e9632b True 1
Fn
GET_PROC_ADDRESS c:\windows\syswow64\ole32.dll function = CoCreateInstance, address = 0x75e99d0b True 1
Fn
GET_PROC_ADDRESS c:\windows\syswow64\kernel32.dll function = LCIDToLocaleName, address = 0x76beced4 True 1
Fn
GET_PROC_ADDRESS c:\windows\syswow64\oleaut32.dll function = 147, address = 0x76364c28 True 1
Fn
GET_PROC_ADDRESS c:\windows\syswow64\crypt32.dll function = CryptStringToBinaryW, address = 0x76a95f65 True 1
Fn
GET_PROC_ADDRESS c:\windows\syswow64\uxtheme.dll function = 61, address = 0x749306fe True 1
Fn
GET_PROC_ADDRESS c:\windows\syswow64\uxtheme.dll function = DrawThemeBackground, address = 0x7492d464 True 1
Fn
Com (1056)
Operation Class Interface Additional Information Success Count
CREATE {3050F5C8-98B5-11CF-BB82-00AA00BDCE0B} IUnknown cls_context = CLSCTX_INPROC_SERVER True 1
CREATE {3050F5C8-98B5-11CF-BB82-00AA00BDCE0B} IClassFactory True 1
CREATE {3050F406-98B5-11CF-BB82-00AA00BDCE0B} IClassFactory True 4
CREATE CActiveIMMAppEx_Trident IActiveIMMApp cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD True 1
CREATE {275C23E2-3747-11D0-9FEA-00AA003F8646} {DCCFC164-2B38-11D2-B7EC-00C04F8F5D9A} cls_context = CLSCTX_INPROC_SERVER True 1
CREATE JScriptEngine5 IActiveScript cls_context = CLSCTX_INPROC_SERVER True 2
CREATE JScriptEngine5 IClassFactory True 2
CREATE StdGlobalInterfaceTable IGlobalInterfaceTable cls_context = CLSCTX_INPROC_SERVER True 1
CREATE {6C736DB1-BD94-11D0-8A23-00AA00B58E10} ISystemDebugEventFire cls_context = CLSCTX_INPROC_SERVER True 2
CREATE {3C374A40-BAE4-11CF-BF7D-00AA006946EE} IUrlHistoryStg cls_context = CLSCTX_INPROC_SERVER True 1
CREATE XMLHTTP30 IXMLHttpRequest cls_context = CLSCTX_INPROC_SERVER True 2
QUERY IInternetSecurityMgrSite new_interface = IServiceProvider True 8
QUERY IClassFactory new_interface = IClassFactory True 1
QUERY IClassFactory new_interface = IInternetProtocolInfo True 4
QUERY IMoniker new_interface = IUriContainer True 3
QUERY IUri new_interface = {50295B0C-6B79-4935-AED8-05D80EC86A60} True 12
QUERY IInternetProtocol new_interface = {53C84785-8425-4DC5-971B-E58D9C19F9B6} False 1
QUERY IInternetProtocol new_interface = IInternetProtocolEx True 1
QUERY IInternetBindInfo new_interface = {A3E015B7-A82C-4DCD-A150-569AEEED36AB} False 1
QUERY IInternetProtocol new_interface = {79EAC9D8-BAFA-11CE-8C82-00AA004BA90B} False 1
QUERY IInternetProtocol new_interface = {79EAC9D6-BAFA-11CE-8C82-00AA004BA90B} False 1
QUERY IUri new_interface = {50295B0C-6B79-4935-AED8-05D80EC86A60} True 148
QUERY JScriptEngine5 IClassFactory new_interface = IActiveScript True 2
QUERY JScriptEngine5 IActiveScript new_interface = IActiveScript True 1
QUERY IUnknown new_interface = {0000001B-0000-0000-C000-000000000046} False 4
QUERY IUnknown new_interface = {00000003-0000-0000-C000-000000000046} False 4
QUERY IUrlHistoryStg new_interface = {0CD040B2-39BA-4CDF-96CF-C1929D3B9898} True 105
QUERY XMLHTTP30 IXMLHttpRequest new_interface = {CB5BDC81-93C1-11CF-8F20-00805F2CD064} True 2
QUERY XMLHTTP30 IXMLHttpRequest new_interface = IObjectWithSite True 2
QUERY IUnknown new_interface = IUnknown True 2
QUERY IUnknown new_interface = IServiceProvider True 4
QUERY IDispatch new_interface = IHTMLElement True 16
QUERY IUnknown new_interface = {2933BF81-7B36-11D2-B20E-00C04F983E60} False 2
QUERY IUnknown new_interface = {00000118-0000-0000-C000-000000000046} False 2
QUERY IUnknown new_interface = {00000000-0000-0000-C000-000000000046} False 1
METHOD IUri method = GetPropertyDWORD True 11
METHOD IInternetSecurityManager method = SetSecuritySite True 3
METHOD IInternetSecurityMgrSite method = AddRef False 261
METHOD IServiceProvider method = QueryService False 8
METHOD IInternetSecurityManager method = GetSecurityId True 11
METHOD IInternetProtocolInfo method = ParseUrl True 2
METHOD IInternetProtocolInfo method = ParseUrl False 2
METHOD IServiceProvider new_interface = IInternetSecurityManager, method = QueryService True 2
METHOD IMoniker method = GetDisplayName True 2
METHOD IUriContainer new_interface = IUri, method = GetIUri True 3
METHOD IUri method = AddRef False 21
METHOD IUri method = GetScheme True 21
METHOD IUri method = GetAbsoluteUri True 11
METHOD IUri method = GetScheme True 6
METHOD IUri method = GetAbsoluteUri True 1
METHOD IUri method = IsEqual True 3
METHOD IInternetSecurityManager method = GetSecurityId False 10
METHOD IInternetSecurityManager method = MapUrlToZone False 39
METHOD IInternetSecurityManager method = ProcessUrlAction True 37
METHOD IInternetSession method = RegisterNameSpace True 2
METHOD IMoniker method = IsSystemMoniker True 1
METHOD IInternetSession new_interface = IInternetProtocol, method = CreateBinding True 1
METHOD IInternetProtocol method = AddRef False 1
METHOD IInternetProtocol method = StartEx True 1
METHOD IInternetBindInfo method = GetBindInfo True 1
METHOD IInternetProtocolSink method = ReportProgress True 3
METHOD IInternetProtocolSink method = ReportData True 1
METHOD IInternetProtocolSink method = ReportResult True 1
METHOD IInternetProtocol method = Read True 20
METHOD CActiveIMMAppEx_Trident IActiveIMMApp method = FilterClientWindows True 1
METHOD CActiveIMMAppEx_Trident IActiveIMMApp method = OnDefWindowProc False 18
METHOD CActiveIMMAppEx_Trident IActiveIMMApp method = Activate True 1
METHOD CActiveIMMAppEx_Trident IActiveIMMApp method = OnDefWindowProc True 4
METHOD CActiveIMMAppEx_Trident IActiveIMMApp method = getContext True 1
METHOD CActiveIMMAppEx_Trident IActiveIMMApp method = AssociateContext True 1
METHOD IStream method = RemoteWrite True 22
METHOD IStream method = RemoteSeek True 2
METHOD IStream new_interface = IStream, method = Clone True 1
METHOD IStream method = RemoteRead True 23
METHOD IStream method = AddRef False 1
METHOD IInternetProtocol method = Read False 1
METHOD IInternetProtocol method = Terminate True 1
METHOD JScriptEngine5 IClassFactory new_interface = IActiveScript, method = CreateInstance True 2
METHOD JScriptEngine5 IActiveScript method = AddRef False 1
METHOD ISystemDebugEventFire method = BeginSession True 2
METHOD StdGlobalInterfaceTable IGlobalInterfaceTable method = RegisterInterfaceInGlobal True 1
METHOD ISystemDebugEventFire method = IsActive False 46
METHOD IUri method = GetSchemeName True 4
METHOD IInternetSecurityManager method = MapUrlToZone True 1
METHOD IUri method = GetPathAndQuery True 1
METHOD XMLHTTP30 IObjectWithSite method = SetSite True 1
METHOD IUnknown method = AddRef True 3
METHOD IServiceProvider method = QueryService False 4
METHOD IServiceProvider new_interface = IHTMLDocument2, method = QueryService True 2
METHOD IHTMLDocument2 new_interface = IHTMLElementCollection, method = get_all True 2
METHOD IHTMLElementCollection method = get_length True 2
METHOD IHTMLElementCollection new_interface = IDispatch, method = item True 16
METHOD IHTMLElement method = get_forms True 14
METHOD IHTMLElement new_interface = IHTMLElementCollection, method = get_forms True 2
METHOD IHTMLDocument2 method = get_url True 2
METHOD IHTMLDocument2 method = QueryService False 4
METHOD IHTMLDocument2 new_interface = IHTMLDocument2, method = QueryService True 2
METHOD IServiceProvider method = get_url True 2
METHOD IUnknown new_interface = IInternetHostSecurityManager, method = QueryService True 2
METHOD IServiceProvider method = AddRef False 3
METHOD XMLHTTP30 IXMLHttpRequest method = put_onreadystatechange True 2
METHOD XMLHTTP30 IXMLHttpRequest method = AddRef False 1
METHOD XMLHTTP30 IXMLHttpRequest method = open True 1
METHOD IDispatch method = Invoke True 2
METHOD XMLHTTP30 IXMLHttpRequest method = get_readyState True 6
METHOD IHTMLDocument2 method = AddRef False 1
METHOD XMLHTTP30 IXMLHttpRequest method = send True 1
METHOD IDispatch method = AddRef False 2
METHOD IUnknown method = QueryService False 2
METHOD IDispatch method = Invoke False 2
METHOD XMLHTTP30 IXMLHttpRequest method = get_status True 1
METHOD XMLHTTP30 IObjectWithSite method = SetSite False 1
METHOD XMLHTTP30 IXMLHttpRequest method = get_responseText True 1
METHOD CActiveIMMAppEx_Trident IActiveIMMApp method = AddRef False 1
Registry (69)
Operation Key Additional Information Success Count
CREATE_KEY HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings True 1
OPEN_KEY HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 True 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl False 1
OPEN_KEY HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl True 28
OPEN_KEY HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS True 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM False 1
OPEN_KEY HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup True 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER True 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME True 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP False 1
OPEN_KEY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 True 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ACTIVEX_INACTIVATE_MODE_REMOVAL_REVERT False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATAURI False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION False 1
OPEN_KEY HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SUBDOWNLOAD_LOCKDOWN True 1
READ_VALUE HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 data_ident_out = C:\Windows\SysWOW64\mshtml.dll True 1
READ_VALUE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer value_name = NoFileMenu False 1
READ_VALUE HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup value_name = Print_Background False 1
READ_VALUE HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 value_name = COM+Enabled, data_ident_out = 1 True 1
READ_VALUE HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings value_name = JITDebug, data_ident_out = 0 True 1
Window (8)
Operation Window Name Additional Information Success Count
CREATE class_name = HTML Application Host Window Class, x_coordinate = 0, y_coordinate = 0, width = 0, height = 0, window_parameter = 1952224896 True 1
CREATE window_name = , class_name = HTML Application Host Window Class, x_coordinate = 18446744071562067968, y_coordinate = 18446744071562067968, width = 18446744071562067968, height = 18446744071562067968, class_name = HTML Application Host Window Class, x_coordinate = 0, y_coordinate = 0, width = 0, height = 0, window_parameter = 1952224896 True 1
CREATE x_coordinate = 0, y_coordinate = 0, width = 0, height = 0, window_parameter = 0 True 1
CREATE x_coordinate = 0, y_coordinate = 0, width = 1064, height = 587, class_name = HTML Application Host Window Class, x_coordinate = 18446744071562067968, y_coordinate = 18446744071562067968, width = 18446744071562067968, height = 18446744071562067968, window_parameter = 4989592 True 1
SET_ATTRIBUTE class_name = HTML Application Host Window Class, x_coordinate = 18446744071562067968, y_coordinate = 18446744071562067968, width = 18446744071562067968, height = 18446744071562067968 True 1
SET_ATTRIBUTE x_coordinate = 0, y_coordinate = 0, width = 1064, height = 587 False 1
SET_ATTRIBUTE class_name = HTML Application Host Window Class, x_coordinate = 18446744071562067968, y_coordinate = 18446744071562067968, width = 18446744071562067968, height = 18446744071562067968 True 1
SET_ATTRIBUTE class_name = HTML Application Host Window Class, x_coordinate = 18446744071562067968, y_coordinate = 18446744071562067968, width = 18446744071562067968, height = 18446744071562067968 True 1
Note on the coordinate values: 18446744071562067968 is 0xFFFFFFFF80000000, i.e. the 32-bit constant CW_USEDEFAULT (0x80000000) sign-extended to 64 bits by the logger. It means "let the window manager choose" and is not a real position or size; the 1064x587 window is the one the HTA host actually ends up with.
Keyboard (38)
Operation Virtual Key Code Additional Information Success Count
GET_INFO KB_LOCALE_ID True 2
READ VK_SHIFT result_out = 0 True 6
READ VK_CONTROL result_out = 0 True 6
READ VK_MENU result_out = 0 True 6
READ VK_LSHIFT result_out = 0 True 2
READ VK_LCONTROL result_out = 0 True 2
READ VK_LMENU result_out = 0 True 2
READ VK_LBUTTON result_out = 0 True 4
READ VK_RBUTTON result_out = 0 True 4
READ VK_MBUTTON result_out = 0 True 4
System (7)
Operation Information Success Count
GET_CURSOR x_out = 502, y_out = 693 True 4
SLEEP duration = 100 milliseconds (0.100 seconds) True 2
SLEEP duration = 0 milliseconds (0.000 seconds) True 1
Mutex (1)
Operation Name Additional Information Success Count
CREATE Local\!PrivacIE!SharedMemory!Mutex initial_owner = 0 True 1
Ini (5)
Operation Filename Additional Information Success Count
READ Win.ini section_name = windows, key_name = DragDelay, default_value = 20 True 1
READ Win.ini section_name = windows, key_name = DragScrollInset, default_value = 11 True 1
READ Win.ini section_name = windows, key_name = DragScrollDelay, default_value = 50 True 1
READ Win.ini section_name = windows, key_name = DragDelay, default_value = 200 True 1
READ Win.ini section_name = windows, key_name = DragScrollInterval, default_value = 50 True 1
Process #10: notepad.exe
Information Value
ID #10
File Name c:\windows\syswow64\notepad.exe
Command Line "C:\Windows\system32\NOTEPAD.EXE" C:\Users\hJrD1KOKY DS8lUjv\Desktop\_READ_THIS_FILE_6LJV87LC_.txt
Initial Working Directory c:\users\hjrd1koky ds8lujv\desktop
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:02:26, Reason: Terminated by Timeout
Monitor Duration 00:00:47
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbdc
Parent PID 0x9e0 (c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username 1R6PFH\hJrD1KOKY DS8lUjv
Groups
  • 1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000e04f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBE0
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
notepad.exe.mui 0x00020000 0x00022fff Memory Mapped File Readable, Writable False False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory Readable True False False
locale.nls 0x00070000 0x000d6fff Memory Mapped File Readable False False False
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False
pagefile_0x0000000000100000 0x00100000 0x00101fff Pagefile Backed Memory Readable True False False
private_0x0000000000120000 0x00120000 0x0015ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000160000 0x00160000 0x0023efff Pagefile Backed Memory Readable True False False
private_0x0000000000240000 0x00240000 0x0027ffff Private Memory Readable, Writable True False False
private_0x0000000000380000 0x00380000 0x0038ffff Private Memory Readable, Writable True False False
private_0x00000000003a0000 0x003a0000 0x0041ffff Private Memory Readable, Writable True False False
private_0x0000000000540000 0x00540000 0x0063ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000640000 0x00640000 0x007c7fff Pagefile Backed Memory Readable True False False
private_0x00000000007e0000 0x007e0000 0x007effff Private Memory Readable, Writable True False False
pagefile_0x00000000007f0000 0x007f0000 0x00970fff Pagefile Backed Memory Readable True False False
private_0x0000000000b10000 0x00b10000 0x00b4ffff Private Memory Readable, Writable True False False
notepad.exe 0x00f20000 0x00f4ffff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000f50000 0x00f50000 0x0234ffff Pagefile Backed Memory Readable True False False
winspool.drv 0x73fe0000 0x74030fff Memory Mapped File Readable, Writable, Executable False False False
dwmapi.dll 0x748f0000 0x74902fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x74910000 0x7498ffff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x749a0000 0x749fbfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x74a00000 0x74a3efff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x74a80000 0x74c1dfff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x74d00000 0x74d08fff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x75060000 0x75067fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75090000 0x7509bfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x750a0000 0x750fffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x75100000 0x75109fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x75110000 0x75128fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x75150000 0x751effff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75200000 0x75e49fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75e50000 0x75fabfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x75fb0000 0x76006fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76050000 0x760ecfff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x760f0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76180000 0x7624bfff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76360000 0x763eefff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x763f0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x764e0000 0x7653ffff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76540000 0x765ebfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x765f0000 0x766effff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76bb0000 0x76cbffff Memory Mapped File Readable, Writable, Executable False False False
comdlg32.dll 0x76f50000 0x76fcafff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x76fe0000 0x77025fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077140000 0x77140000 0x77239fff Private Memory Readable, Writable, Executable True False False
private_0x0000000077240000 0x77240000 0x7735efff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x77360000 0x77508fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77540000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
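Two rows in the records above carry the triage signal a responder would pull out of this report by hand: the mshta.exe process hosting a JScriptEngine5 and driving an XMLHTTP30 IXMLHttpRequest through open, send and get_responseText, and notepad.exe being started by the sample (parent 0x9e0, not explorer.exe) on _READ_THIS_FILE_6LJV87LC_.txt. The script below is an added example, not VMRay's code and not part of this report: it parses rows written in the flattened layout of this page and emits those findings. The embedded excerpt is constructed from rows copied above (the mshta.exe command line is not on this page and is omitted), plus one constructed control record of a user opening the same note from Explorer, which must not fire. The row grammar, the `_READ_THIS_FILE_<id>_.<ext>` note pattern generalised from the single name on this page, and the "parent is not explorer.exe" heuristic are assumptions.

```python
import re

# Constructed excerpt in the page's flattened row layout. Process #9 and #10
# rows are copied from the report above; Process #12 is a constructed control
# case (same note, opened from explorer.exe) that is NOT in the report.
SAMPLE_REPORT = r"""
Process #9: mshta.exe
GET_PROC_ADDRESS c:\windows\syswow64\mshtml.dll function = RunHTMLApplication, address = 0x740ee710 True 1
CREATE JScriptEngine5 IActiveScript cls_context = CLSCTX_INPROC_SERVER True 2
CREATE XMLHTTP30 IXMLHttpRequest cls_context = CLSCTX_INPROC_SERVER True 2
METHOD XMLHTTP30 IXMLHttpRequest method = open True 1
METHOD XMLHTTP30 IXMLHttpRequest method = send True 1
METHOD XMLHTTP30 IXMLHttpRequest method = get_responseText True 1
CREATE_KEY HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings True 1
Process #10: notepad.exe
Command Line "C:\Windows\system32\NOTEPAD.EXE" C:\Users\hJrD1KOKY DS8lUjv\Desktop\_READ_THIS_FILE_6LJV87LC_.txt
Parent PID 0x9e0 (c:\users\hjrd1koky ds8lujv\desktop\199a4a2585c9fc855c5a694df318d153cd74e47fe4b8c667f25a822bfbb22bc6.exe)
Process #12: notepad.exe
Command Line "C:\Windows\system32\NOTEPAD.EXE" C:\Users\hJrD1KOKY DS8lUjv\Desktop\_READ_THIS_FILE_6LJV87LC_.txt
Parent PID 0x2f8 (c:\windows\explorer.exe)
"""

PROC_RE = re.compile(r"^Process #(\d+): (.+)$")
# Behaviour row: OPERATION <free-form details> <Success True|False> <Count>
ROW_RE = re.compile(r"^(?P<op>[A-Z_]+) (?P<rest>.*?) (?P<ok>True|False) (?P<count>\d+)$")
# Assumed note-name pattern, generalised from the one name on this page.
NOTE_RE = re.compile(r"_READ_THIS_FILE_[A-Z0-9]+_\.\w+", re.I)


def parse_report(text):
    """Split the flattened report into per-process records with their rows."""
    procs, cur = [], None
    for line in text.strip().splitlines():
        m = PROC_RE.match(line)
        if m:
            cur = {"id": int(m.group(1)), "image": m.group(2).strip().lower(),
                   "cmdline": "", "parent": "", "rows": []}
            procs.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Command Line "):
            cur["cmdline"] = line[len("Command Line "):]
        elif line.startswith("Parent PID "):
            cur["parent"] = line[len("Parent PID "):]
        else:
            r = ROW_RE.match(line)
            if r:
                cur["rows"].append({"op": r["op"], "rest": r["rest"],
                                    "ok": r["ok"] == "True", "count": int(r["count"])})
    return procs


def hta_network_fetch(proc):
    """mshta.exe that hosts a JScript engine and drives XMLHttpRequest open+send."""
    if proc["image"] != "mshta.exe":
        return False
    ok_rows = [r["rest"] for r in proc["rows"] if r["ok"]]
    has_engine = any("JScript" in x and "IActiveScript" in x for x in ok_rows)
    methods = {m for x in ok_rows
               for m in re.findall(r"IXMLHttpRequest method = (\w+)", x)}
    return has_engine and {"open", "send"} <= methods


def ransom_note_name(proc):
    """Name of the note-like file a notepad.exe instance was started on, or None."""
    if proc["image"] != "notepad.exe":
        return None
    m = NOTE_RE.search(proc["cmdline"])
    return m.group(0) if m else None


def parent_image(proc):
    """'0x9e0 (c:\\...\\sample.exe)' -> 'c:\\...\\sample.exe'."""
    return proc["parent"].split("(", 1)[-1].rstrip(")")


def triage(procs):
    """One finding string per indicator worth escalating."""
    findings = []
    for p in procs:
        if hta_network_fetch(p):
            findings.append(f"#{p['id']} mshta.exe: script engine + XMLHttpRequest open/send")
        note = ransom_note_name(p)
        # A note opened by the sample itself is the ransomware showing its
        # demand; the same note opened from explorer.exe is a user reading it.
        if note and not parent_image(p).endswith("explorer.exe"):
            findings.append(f"#{p['id']} notepad.exe: note {note} launched by {parent_image(p)}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_report(SAMPLE_REPORT)):
        print(finding)
```

The success flag is honoured when matching COM rows, so a failed `open` or `send` (Success False, as several other rows in the Com table are) does not count as a completed fetch; `get_status` and `get_responseText` returning True in the report above are the stronger sign that the request went through.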
Process #11: dllhost.exe
Information Value
ID #11
File Name c:\windows\syswow64\dllhost.exe
Command Line C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Initial Working Directory C:\Windows\system32
Monitor Start Time: 00:01:42, Reason: RPC Server
Unmonitor End Time: 00:02:26, Reason: Terminated by Timeout
Monitor Duration 00:00:44
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x808
Parent PID 0x240 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username 1R6PFH\hJrD1KOKY DS8lUjv
Groups
  • 1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000e04f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8B4, 0x8B0, 0x8A8, 0x8A4, 0x8A0, 0x824, 0x818, 0x8C4, 0x8E0, 0x8DC, 0x8D8, 0x8D4, 0x8D0, 0x900, 0x908, 0x90C, 0x904, 0x8FC, 0x8F4, 0x318
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
locale.nls 0x00060000 0x000c6fff Memory Mapped File Readable False False False
pagefile_0x00000000000d0000 0x000d0000 0x000d0fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000000e0000 0x000e0000 0x000e0fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000000f0000 0x000f0000 0x000f1fff Pagefile Backed Memory Readable True False False
oleaccrc.dll 0x00100000 0x00100fff Memory Mapped File Readable False False False
private_0x0000000000110000 0x00110000 0x00111fff Private Memory Readable, Writable, Executable True False False
pagefile_0x0000000000120000 0x00120000 0x00121fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000140000 0x00140000 0x0017ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000180000 0x00180000 0x00181fff Pagefile Backed Memory Readable True False False
private_0x0000000000190000 0x00190000 0x0019ffff Private Memory Readable, Writable True False False
private_0x00000000001a0000 0x001a0000 0x001a0fff Private Memory Readable, Writable, Executable True False False
cversions.2.db 0x001b0000 0x001b3fff Memory Mapped File Readable True False False
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000c.db 0x001c0000 0x001e3fff Memory Mapped File Readable True False False
private_0x00000000001f0000 0x001f0000 0x0022ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000230000 0x00230000 0x00230fff Pagefile Backed Memory Readable, Writable True False False
cversions.2.db 0x00240000 0x00243fff Memory Mapped File Readable True False False
setupapi.dll.mui 0x00250000 0x0025cfff Memory Mapped File Readable, Writable False False False
private_0x0000000000260000 0x00260000 0x0029ffff Private Memory Readable, Writable True False False
private_0x00000000002a0000 0x002a0000 0x002dffff Private Memory Readable, Writable True False False
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000a.db 0x002e0000 0x0030ffff Memory Mapped File Readable True False False
photoviewer.dll.mui 0x00310000 0x00314fff Memory Mapped File Readable, Writable False False False
private_0x0000000000320000 0x00320000 0x00320fff Private Memory Readable, Writable True False False
private_0x0000000000330000 0x00330000 0x0036ffff Private Memory Readable, Writable True False False
private_0x0000000000370000 0x00370000 0x00370fff Private Memory Readable, Writable True False False
private_0x0000000000380000 0x00380000 0x00380fff Private Memory Readable, Writable True False False
private_0x0000000000390000 0x00390000 0x00390fff Private Memory Readable, Writable True False False
private_0x00000000003a0000 0x003a0000 0x003a0fff Private Memory Readable, Writable True False False
private_0x00000000003b0000 0x003b0000 0x003b0fff Private Memory Readable, Writable True False False
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory Readable, Writable True False False
private_0x00000000003d0000 0x003d0000 0x0040ffff Private Memory Readable, Writable True False False
dllhost.exe 0x00410000 0x00414fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000420000 0x00420000 0x005a7fff Pagefile Backed Memory Readable True False False
private_0x00000000005b0000 0x005b0000 0x0062ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000630000 0x00630000 0x007b0fff Pagefile Backed Memory Readable True False False
private_0x00000000007c0000 0x007c0000 0x008bffff Private Memory Readable, Writable True False False
pagefile_0x00000000008c0000 0x008c0000 0x01cbffff Pagefile Backed Memory Readable True False False
private_0x0000000001cc0000 0x01cc0000 0x01cc0fff Private Memory Readable, Writable True False False
private_0x0000000001cd0000 0x01cd0000 0x01d0ffff Private Memory Readable, Writable True False False
sortdefault.nls 0x01d10000 0x01fdefff Memory Mapped File Readable False False False
~pif2d6.tmp 0x01fe0000 0x01feffff Memory Mapped File Readable, Writable True False False
private_0x0000000001ff0000 0x01ff0000 0x0202ffff Private Memory Readable, Writable True False False
~pif2d6.tmp 0x02030000 0x0203ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02040000 0x0204ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02050000 0x0205ffff Memory Mapped File Readable, Writable True False False
private_0x0000000002060000 0x02060000 0x0209ffff Private Memory Readable, Writable True False False
~pif2d6.tmp 0x020a0000 0x020affff Memory Mapped File Readable, Writable True False False
private_0x00000000020b0000 0x020b0000 0x020effff Private Memory Readable, Writable True False False
~pif2d6.tmp 0x020f0000 0x020fffff Memory Mapped File Readable, Writable True False False
private_0x0000000002100000 0x02100000 0x0213ffff Private Memory Readable, Writable True False False
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x02140000 0x021a5fff Memory Mapped File Readable True False False
private_0x00000000021b0000 0x021b0000 0x021effff Private Memory Readable, Writable True False False
private_0x00000000021f0000 0x021f0000 0x0226ffff Private Memory Readable, Writable True False False
private_0x0000000002270000 0x02270000 0x022affff Private Memory Readable, Writable True False False
pagefile_0x00000000022b0000 0x022b0000 0x0238efff Pagefile Backed Memory Readable True False False
~pif2d6.tmp 0x02390000 0x0239ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x023a0000 0x023affff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x023b0000 0x023bffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x023c0000 0x023cffff Memory Mapped File Readable, Writable True False False
private_0x00000000023d0000 0x023d0000 0x0240ffff Private Memory Readable, Writable True False False
private_0x0000000002410000 0x02410000 0x0250ffff Private Memory Readable, Writable True False False
private_0x0000000002510000 0x02510000 0x0254ffff Private Memory Readable, Writable True False False
~pif2d6.tmp 0x02550000 0x0255ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02560000 0x0256ffff Memory Mapped File Readable, Writable True False False
private_0x0000000002570000 0x02570000 0x0257ffff Private Memory Readable, Writable True False False
private_0x0000000002580000 0x02580000 0x025bffff Private Memory Readable, Writable True False False
~pif2d6.tmp 0x025c0000 0x025cffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x025d0000 0x025dffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x025e0000 0x025effff Memory Mapped File Readable, Writable True False False
private_0x00000000025f0000 0x025f0000 0x0262ffff Private Memory Readable, Writable True False False
~pif2d6.tmp 0x025f0000 0x025fffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02600000 0x0260ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02610000 0x0261ffff Memory Mapped File Readable, Writable True False False
private_0x0000000002620000 0x02620000 0x0265ffff Private Memory Readable, Writable True False False
private_0x0000000002620000 0x02620000 0x02621fff Private Memory Readable, Writable True False False
srgb color space profile.icm 0x02630000 0x02630fff Memory Mapped File Readable False False False
srgb color space profile.icm 0x02640000 0x02640fff Memory Mapped File Readable False False False
srgb color space profile.icm 0x02650000 0x02650fff Memory Mapped File Readable False False False
~pif2d6.tmp 0x02660000 0x0266ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02670000 0x0267ffff Memory Mapped File Readable, Writable True False False
private_0x0000000002680000 0x02680000 0x026bffff Private Memory Readable, Writable True False False
private_0x00000000026c0000 0x026c0000 0x026fffff Private Memory Readable, Writable True False False
private_0x00000000026d0000 0x026d0000 0x0270ffff Private Memory Readable, Writable True False False
~pif2d6.tmp 0x02700000 0x0270ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02710000 0x0271ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02720000 0x0272ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02730000 0x0273ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02740000 0x0274ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02750000 0x0275ffff Memory Mapped File Readable, Writable True False False
private_0x0000000002760000 0x02760000 0x0279ffff Private Memory Readable, Writable True False False
private_0x00000000027a0000 0x027a0000 0x0289ffff Private Memory Readable, Writable True False False
~pif2d6.tmp 0x028a0000 0x028affff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x028b0000 0x028bffff Memory Mapped File Readable, Writable True False False
private_0x00000000028c0000 0x028c0000 0x028fffff Private Memory Readable, Writable True False False
~pif2d6.tmp 0x02900000 0x0290ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02910000 0x0291ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02920000 0x0292ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02930000 0x0293ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02940000 0x0294ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02950000 0x0295ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02960000 0x0296ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02970000 0x0297ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02980000 0x0298ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02990000 0x0299ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x029a0000 0x029affff Memory Mapped File Readable, Writable True False False
private_0x00000000029b0000 0x029b0000 0x029effff Private Memory Readable, Writable True False False
~pif2d6.tmp 0x029f0000 0x029fffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02a00000 0x02a0ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02a10000 0x02a1ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02a20000 0x02a2ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02a30000 0x02a3ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02a40000 0x02a4ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02a50000 0x02a5ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02a60000 0x02a6ffff Memory Mapped File Readable, Writable True False False
private_0x0000000002a70000 0x02a70000 0x02aaffff Private Memory Readable, Writable True False False
srgb color space profile.icm 0x02ab0000 0x02ab0fff Memory Mapped File Readable False False False
srgb color space profile.icm 0x02ac0000 0x02ac0fff Memory Mapped File Readable False False False
srgb color space profile.icm 0x02ad0000 0x02ad0fff Memory Mapped File Readable False False False
~pif74a.tmp 0x02ae0000 0x02aeffff Memory Mapped File Readable, Writable True False False
~pif74a.tmp 0x02af0000 0x02afffff Memory Mapped File Readable, Writable True False False
private_0x0000000002b00000 0x02b00000 0x02b17fff Private Memory Readable, Writable True False False
srgb color space profile.icm 0x02b20000 0x02b20fff Memory Mapped File Readable False False False
private_0x0000000002b30000 0x02b30000 0x02b4dfff Private Memory Readable, Writable True False False
srgb color space profile.icm 0x02b50000 0x02b50fff Memory Mapped File Readable False False False
private_0x0000000002b60000 0x02b60000 0x02b6afff Private Memory Readable, Writable True False False
~pif2d6.tmp 0x02b70000 0x02b7ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02b80000 0x02b8ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02b90000 0x02b9ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02ba0000 0x02baffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02bb0000 0x02bbffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02bc0000 0x02bcffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02bd0000 0x02bdffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02be0000 0x02beffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02bf0000 0x02bfffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02c00000 0x02c0ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02c10000 0x02c1ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02c20000 0x02c2ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02c30000 0x02c3ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02c40000 0x02c4ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02c50000 0x02c5ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02c60000 0x02c6ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02c70000 0x02c7ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02c80000 0x02c8ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02c90000 0x02c9ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02ca0000 0x02caffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02cb0000 0x02cbffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02cc0000 0x02ccffff Memory Mapped File Readable, Writable True False False
segoeuib.ttf 0x02cd0000 0x02d49fff Memory Mapped File Readable False False False
~pif2d6.tmp 0x02d50000 0x02d5ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02d60000 0x02d6ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02d70000 0x02d7ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02d80000 0x02d8ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02d90000 0x02d9ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02da0000 0x02daffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02db0000 0x02dbffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02dc0000 0x02dcffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02dd0000 0x02ddffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02de0000 0x02deffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02df0000 0x02dfffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02e00000 0x02e0ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02e10000 0x02e1ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02e20000 0x02e2ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02e30000 0x02e3ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02e40000 0x02e4ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02e50000 0x02e5ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02e60000 0x02e6ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02e70000 0x02e7ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02e80000 0x02e8ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02e90000 0x02e9ffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02ea0000 0x02eaffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02eb0000 0x02ebffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02ec0000 0x02ecffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02ed0000 0x02edffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02ee0000 0x02eeffff Memory Mapped File Readable, Writable True False False
~pif2d6.tmp 0x02ef0000 0x02efffff Memory Mapped File Readable, Writable True False False
private_0x0000000002f00000 0x02f00000 0x02f17fff Private Memory Readable, Writable True False False
private_0x0000000002f20000 0x02f20000 0x02f5ffff Private Memory Readable, Writable True False False
staticcache.dat 0x02f60000 0x0388ffff Memory Mapped File Readable False False False
segoeui.ttf 0x03890000 0x0390efff Memory Mapped File Readable False False False
private_0x0000000003910000 0x03910000 0x0394ffff Private Memory Readable, Writable True False False
private_0x0000000003950000 0x03950000 0x03967fff Private Memory Readable, Writable True False False
private_0x0000000003970000 0x03970000 0x03982fff Private Memory Readable, Writable True False False
private_0x0000000003990000 0x03990000 0x03995fff Private Memory Readable, Writable True False False
private_0x00000000039a0000 0x039a0000 0x039dffff Private Memory Readable, Writable True False False
private_0x00000000039e0000 0x039e0000 0x03a1ffff Private Memory Readable, Writable True False False
private_0x0000000003a20000 0x03a20000 0x03a52fff Private Memory Readable, Writable True False False
private_0x0000000003a60000 0x03a60000 0x03a9ffff Private Memory Readable, Writable True False False
private_0x0000000003aa0000 0x03aa0000 0x03b9ffff Private Memory Readable, Writable True False False
private_0x0000000003ba0000 0x03ba0000 0x03bdffff Private Memory Readable, Writable True False False
private_0x0000000003be0000 0x03be0000 0x03c1ffff Private Memory Readable, Writable True False False
private_0x0000000003c20000 0x03c20000 0x03c52fff Private Memory Readable, Writable True False False
private_0x0000000003c60000 0x03c60000 0x03c70fff Private Memory Readable, Writable True False False
private_0x0000000003c80000 0x03c80000 0x03c9dfff Private Memory Readable, Writable True False False
private_0x0000000003ca0000 0x03ca0000 0x03cdffff Private Memory Readable, Writable True False False
private_0x0000000003ce0000 0x03ce0000 0x03cf0fff Private Memory Readable, Writable True False False
private_0x0000000003d00000 0x03d00000 0x03d17fff Private Memory Readable, Writable True False False
cversions.2.db 0x03d20000 0x03d23fff Memory Mapped File Readable True False False
thumbcache.dll 0x727e0000 0x727f5fff Memory Mapped File Readable, Writable, Executable False False False
icm32.dll 0x72a50000 0x72a87fff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x72a90000 0x72aa6fff Memory Mapped File Readable, Writable, Executable False False False
mscms.dll 0x72ab0000 0x72b28fff Memory Mapped File Readable, Writable, Executable False False False
imagingengine.dll 0x72b30000 0x72cf9fff Memory Mapped File Readable, Writable, Executable False False False
actxprxy.dll 0x72f40000 0x72f8dfff Memory Mapped File Readable, Writable, Executable False False False
d3d9.dll 0x73b40000 0x73d02fff Memory Mapped File Readable, Writable, Executable False False False
ieproxy.dll 0x73d20000 0x73d4afff Memory Mapped File Readable, Writable, Executable False False False
photobase.dll 0x73dc0000 0x73dcbfff Memory Mapped File Readable, Writable, Executable False False False
oleacc.dll 0x73dd0000 0x73e0bfff Memory Mapped File Readable, Writable, Executable False False False
slc.dll 0x73e10000 0x73e19fff Memory Mapped File Readable, Writable, Executable False False False
d3d8thk.dll 0x73e20000 0x73e25fff Memory Mapped File Readable, Writable, Executable False False False
wtsapi32.dll 0x73e30000 0x73e3cfff Memory Mapped File Readable, Writable, Executable False False False
photoviewer.dll 0x73e70000 0x73fd5fff Memory Mapped File Readable, Writable, Executable False False False
windowscodecs.dll 0x74650000 0x7474afff Memory Mapped File Readable, Writable, Executable False False False
propsys.dll 0x747f0000 0x748e4fff Memory Mapped File Readable, Writable, Executable False False False
dwmapi.dll 0x748f0000 0x74902fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x74910000 0x7498ffff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x749a0000 0x749fbfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x74a00000 0x74a3efff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x74a50000 0x74a70fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x74a80000 0x74c1dfff Memory Mapped File Readable, Writable, Executable False False False
rpcrtremote.dll 0x74c20000 0x74c2dfff Memory Mapped File Readable, Writable, Executable False False False
linkinfo.dll 0x74c30000 0x74c38fff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x74c40000 0x74c4afff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x74ca0000 0x74cdafff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x74ce0000 0x74cf5fff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x74d00000 0x74d08fff Memory Mapped File Readable, Writable, Executable False False False
gdiplus.dll 0x74dd0000 0x74f5ffff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x75060000 0x75067fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75090000 0x7509bfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x750a0000 0x750fffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x75100000 0x75109fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x75110000 0x75128fff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x75130000 0x75141fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x75150000 0x751effff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75200000 0x75e49fff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75e50000 0x75fabfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x75fb0000 0x76006fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76050000 0x760ecfff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x760f0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76180000 0x7624bfff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76360000 0x763eefff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x763f0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x764e0000 0x7653ffff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76540000 0x765ebfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x765f0000 0x766effff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76bb0000 0x76cbffff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x76d50000 0x76eecfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x76fe0000 0x77025fff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x77030000 0x77056fff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x77060000 0x770a4fff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x770b0000 0x77132fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077140000 0x77140000 0x77239fff Private Memory Readable, Writable, Executable True False False
private_0x0000000077240000 0x77240000 0x7735efff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x77360000 0x77508fff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x77510000 0x77514fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77540000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007ef98000 0x7ef98000 0x7ef9afff Private Memory Readable, Writable True False False
private_0x000000007ef9b000 0x7ef9b000 0x7ef9dfff Private Memory Readable, Writable True False False
private_0x000000007ef9e000 0x7ef9e000 0x7efa0fff Private Memory Readable, Writable True False False
private_0x000000007efa1000 0x7efa1000 0x7efa3fff Private Memory Readable, Writable True False False
private_0x000000007efa4000 0x7efa4000 0x7efa6fff Private Memory Readable, Writable True False False
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Process #12: dllhost.exe
Information Value
ID #12
File Name c:\windows\syswow64\dllhost.exe
Command Line C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
Initial Working Directory C:\Windows\system32
Monitor Start Time: 00:01:51, Reason: RPC Server
Unmonitor End Time: 00:02:26, Reason: Terminated by Timeout
Monitor Duration 00:00:35
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8ec
Parent PID 0x240 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username 1R6PFH\hJrD1KOKY DS8lUjv
Groups
  • 1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000e04f (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x204
0x120
0x300
0x304
0x898
0x8E8
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000070000 0x00070000 0x00070fff Pagefile Backed Memory Readable True False False
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory Readable, Writable True False False
locale.nls 0x00110000 0x00176fff Memory Mapped File Readable False False False
private_0x00000000001b0000 0x001b0000 0x001effff Private Memory Readable, Writable True False False
private_0x00000000001f0000 0x001f0000 0x0022ffff Private Memory Readable, Writable True False False
private_0x0000000000240000 0x00240000 0x0024ffff Private Memory Readable, Writable True False False
private_0x0000000000250000 0x00250000 0x0028ffff Private Memory Readable, Writable True False False
private_0x00000000002a0000 0x002a0000 0x002dffff Private Memory Readable, Writable True False False
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory Readable, Writable True False False
dllhost.exe 0x00410000 0x00414fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000420000 0x00420000 0x005a7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000005b0000 0x005b0000 0x00730fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000740000 0x00740000 0x01b3ffff Pagefile Backed Memory Readable True False False
private_0x0000000001b80000 0x01b80000 0x01bbffff Private Memory Readable, Writable True False False
private_0x0000000001bf0000 0x01bf0000 0x01c2ffff Private Memory Readable, Writable True False False
private_0x0000000001c60000 0x01c60000 0x01c9ffff Private Memory Readable, Writable True False False
private_0x0000000001d10000 0x01d10000 0x01d4ffff Private Memory Readable, Writable True False False
private_0x0000000001db0000 0x01db0000 0x01deffff Private Memory Readable, Writable True False False
sortdefault.nls 0x01df0000 0x020befff Memory Mapped File Readable False False False
private_0x0000000002130000 0x02130000 0x0216ffff Private Memory Readable, Writable True False False
private_0x00000000021f0000 0x021f0000 0x0222ffff Private Memory Readable, Writable True False False
private_0x0000000002270000 0x02270000 0x022affff Private Memory Readable, Writable True False False
private_0x0000000002320000 0x02320000 0x0235ffff Private Memory Readable, Writable True False False
pagefile_0x0000000002360000 0x02360000 0x0243efff Pagefile Backed Memory Readable True False False
avrt.dll 0x72580000 0x72586fff Memory Mapped File Readable, Writable, Executable False False False
mfplat.dll 0x72590000 0x725e8fff Memory Mapped File Readable, Writable, Executable False False False
wmspdmod.dll 0x72720000 0x727d7fff Memory Mapped File Readable, Writable, Executable False False False
msttsdecwrp.dll 0x72900000 0x7290dfff Memory Mapped File Readable, Writable, Executable False False False
msdmo.dll 0x72ea0000 0x72eaafff Memory Mapped File Readable, Writable, Executable False False False
sxs.dll 0x73d50000 0x73daefff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x74910000 0x7498ffff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x749a0000 0x749fbfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x74a00000 0x74a3efff Memory Mapped File Readable, Writable, Executable False False False
rpcrtremote.dll 0x74c20000 0x74c2dfff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x74ca0000 0x74cdafff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x74ce0000 0x74cf5fff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x75060000 0x75067fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75090000 0x7509bfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x750a0000 0x750fffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x75100000 0x75109fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x75110000 0x75128fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x75150000 0x751effff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75e50000 0x75fabfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x75fb0000 0x76006fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x76010000 0x76044fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76050000 0x760ecfff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x760f0000 0x7617ffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76180000 0x7624bfff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x76350000 0x76355fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x76360000 0x763eefff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x763f0000 0x764dffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x764e0000 0x7653ffff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76540000 0x765ebfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x765f0000 0x766effff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76bb0000 0x76cbffff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x76fe0000 0x77025fff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x770b0000 0x77132fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077140000 0x77140000 0x77239fff Private Memory Readable, Writable, Executable True False False
private_0x0000000077240000 0x77240000 0x7735efff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x77360000 0x77508fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77540000 0x776bffff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Process #13: svchost.exe
+
Information Value
ID #13
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k LocalService
Initial Working Directory C:\Windows\system32
Monitor Start Time: 00:01:53, Reason: RPC Server
Unmonitor End Time: 00:02:26, Reason: Terminated by Timeout
Monitor Duration 00:00:33
Remarks No high level activity detected in monitored regions
OS Process Information
+
Information Value
PID 0x3ec
Parent PID 0x1c0 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Local Service
Groups
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\SERVICE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT SERVICE\EventSystem (ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • NT SERVICE\fdPHost (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\lltdsvc (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\netprofm (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\nsi (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\sppuinotify (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\SstpSvc (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\THREADORDER (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\W32Time (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\WdiServiceHost (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\WebClient (ENABLED_BY_DEFAULT, OWNER)
  • NT SERVICE\WinHttpAutoProxySvc (ENABLED_BY_DEFAULT, OWNER)
  • NT AUTHORITY\Logon Session 00000000:0000db54 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID, OWNER)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeSystemtimePrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x B6C
0x 5D8
0x 754
0x 75C
0x 748
0x 734
0x 72C
0x 71C
0x 6EC
0x 6E8
0x 618
0x 138
0x 128
0x E8
0x 3F8
0x 3F0
Region
+
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
svchost.exe.mui 0x00020000 0x00020fff Memory Mapped File Readable, Writable False False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory Readable, Writable True False False
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory Readable, Writable True False False
pagefile_0x00000000000e0000 0x000e0000 0x000e0fff Pagefile Backed Memory Readable True False False
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory Readable, Writable True False False
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory Readable, Writable True False False
es.dll 0x00270000 0x00280fff Memory Mapped File Readable False False False
stdole2.tlb 0x00290000 0x00293fff Memory Mapped File Readable False False False
pagefile_0x00000000002a0000 0x002a0000 0x002a1fff Pagefile Backed Memory Readable True False False
netprofm.dll.mui 0x002b0000 0x002b1fff Memory Mapped File Readable, Writable False False False
private_0x00000000002c0000 0x002c0000 0x002c0fff Private Memory Readable, Writable True False False
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory Readable, Writable True False False
pagefile_0x00000000003d0000 0x003d0000 0x0048ffff Pagefile Backed Memory Readable True False False
private_0x00000000004a0000 0x004a0000 0x004affff Private Memory Readable, Writable True False False
private_0x00000000004e0000 0x004e0000 0x004effff Private Memory Readable, Writable True False False
private_0x0000000000550000 0x00550000 0x0055ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000560000 0x00560000 0x006e7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000006f0000 0x006f0000 0x00870fff Pagefile Backed Memory Readable True False False
private_0x0000000000880000 0x00880000 0x008fffff Private Memory Readable, Writable True False False
private_0x0000000000900000 0x00900000 0x0097ffff Private Memory Readable, Writable True False False
private_0x00000000009e0000 0x009e0000 0x009effff Private Memory Readable, Writable True False False
private_0x0000000000a20000 0x00a20000 0x00a9ffff Private Memory Readable, Writable True False False
private_0x0000000000ab0000 0x00ab0000 0x00b2ffff Private Memory Readable, Writable True False False
private_0x0000000000c20000 0x00c20000 0x00d1ffff Private Memory Readable, Writable True False False
sortdefault.nls 0x00d30000 0x00ffefff Memory Mapped File Readable False False False
private_0x0000000001000000 0x01000000 0x010fffff Private Memory Readable, Writable True False False
private_0x0000000001120000 0x01120000 0x0119ffff Private Memory Readable, Writable True False False
private_0x0000000001290000 0x01290000 0x0130ffff Private Memory Readable, Writable True False False
private_0x0000000001310000 0x01310000 0x0138ffff Private Memory Readable, Writable True False False
private_0x00000000013d0000 0x013d0000 0x0144ffff Private Memory Readable, Writable True False False
private_0x00000000014f0000 0x014f0000 0x0156ffff Private Memory Readable, Writable True False False
private_0x0000000001580000 0x01580000 0x015fffff Private Memory Readable, Writable True False False
private_0x0000000001650000 0x01650000 0x016cffff Private Memory Readable, Writable True False False
private_0x00000000016d0000 0x016d0000 0x017cffff Private Memory Readable, Writable True False False
private_0x0000000001800000 0x01800000 0x0187ffff Private Memory Readable, Writable True False False
kernelbase.dll.mui 0x01880000 0x0193ffff Memory Mapped File Readable, Writable False False False
private_0x00000000019b0000 0x019b0000 0x01a2ffff Private Memory Readable, Writable True False False
private_0x0000000001aa0000 0x01aa0000 0x01b1ffff Private Memory Readable, Writable True False False
private_0x0000000001b20000 0x01b20000 0x01d1ffff Private Memory Readable, Writable True False False
private_0x0000000001e20000 0x01e20000 0x01e9ffff Private Memory Readable, Writable True False False
private_0x0000000001ec0000 0x01ec0000 0x01f3ffff Private Memory Readable, Writable True False False
private_0x0000000001fa0000 0x01fa0000 0x0201ffff Private Memory Readable, Writable True False False
private_0x0000000002150000 0x02150000 0x021cffff Private Memory Readable, Writable True False False
sfc.dll 0x75070000 0x75072fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x77140000 0x77239fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x77240000 0x7735efff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77360000 0x77508fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
svchost.exe 0xff7f0000 0xff7fafff Memory Mapped File Readable, Writable, Executable False False False
vmictimeprovider.dll 0x7fef5d40000 0x7fef5d57fff Memory Mapped File Readable, Writable, Executable False False False
w32time.dll 0x7fef5d60000 0x7fef5dbffff Memory Mapped File Readable, Writable, Executable False False False
npmproxy.dll 0x7fef8170000 0x7fef817bfff Memory Mapped File Readable, Writable, Executable False False False
perftrack.dll 0x7fef81c0000 0x7fef8297fff Memory Mapped File Readable, Writable, Executable False False False
rasadhlp.dll 0x7fef84f0000 0x7fef84f7fff Memory Mapped File Readable, Writable, Executable False False False
netprofm.dll 0x7fef8710000 0x7fef8783fff Memory Mapped File Readable, Writable, Executable False False False
wer.dll 0x7fef9c70000 0x7fef9cebfff Memory Mapped File Readable, Writable, Executable False False False
dhcpcsvc.dll 0x7fefa380000 0x7fefa397fff Memory Mapped File Readable, Writable, Executable False False False
dhcpcsvc6.dll 0x7fefa3a0000 0x7fefa3b0fff Memory Mapped File Readable, Writable, Executable False False False
fwpuclnt.dll 0x7fefa3d0000 0x7fefa422fff Memory Mapped File Readable, Writable, Executable False False False
nsisvc.dll 0x7fefa500000 0x7fefa509fff Memory Mapped File Readable, Writable, Executable False False False
winrnr.dll 0x7fefad20000 0x7fefad2afff Memory Mapped File Readable, Writable, Executable False False False
pnrpnsp.dll 0x7fefad30000 0x7fefad48fff Memory Mapped File Readable, Writable, Executable False False False
napinsp.dll 0x7fefad50000 0x7fefad64fff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x7fefad90000 0x7fefad9afff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x7fefada0000 0x7fefadc6fff Memory Mapped File Readable, Writable, Executable False False False
es.dll 0x7fefadd0000 0x7fefae36fff Memory Mapped File Readable, Writable, Executable False False False
dsrole.dll 0x7fefae60000 0x7fefae6bfff Memory Mapped File Readable, Writable, Executable False False False
nlaapi.dll 0x7fefaf20000 0x7fefaf34fff Memory Mapped File Readable, Writable, Executable False False False
aepic.dll 0x7fefb360000 0x7fefb371fff Memory Mapped File Readable, Writable, Executable False False False
webio.dll 0x7fefb3c0000 0x7fefb423fff Memory Mapped File Readable, Writable, Executable False False False
winhttp.dll 0x7fefb430000 0x7fefb4a0fff Memory Mapped File Readable, Writable, Executable False False False
sfc_os.dll 0x7fefb520000 0x7fefb52ffff Memory Mapped File Readable, Writable, Executable False False False
wdi.dll 0x7fefb550000 0x7fefb568fff Memory Mapped File Readable, Writable, Executable False False False
dwmapi.dll 0x7fefb7d0000 0x7fefb7e7fff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x7fefc470000 0x7fefc47bfff Memory Mapped File Readable, Writable, Executable False False False
wshtcpip.dll 0x7fefc540000 0x7fefc546fff Memory Mapped File Readable, Writable, Executable False False False
gpapi.dll 0x7fefc630000 0x7fefc64afff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x7fefc650000 0x7fefc66dfff Memory Mapped File Readable, Writable, Executable False False False
credssp.dll 0x7fefc7a0000 0x7fefc7a9fff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x7fefc8a0000 0x7fefc8e6fff Memory Mapped File Readable, Writable, Executable False False False
logoncli.dll 0x7fefc990000 0x7fefc9bffff Memory Mapped File Readable, Writable, Executable False False False
dnsapi.dll 0x7fefc9c0000 0x7fefca1afff Memory Mapped File Readable, Writable, Executable False False False
wship6.dll 0x7fefcb30000 0x7fefcb36fff Memory Mapped File Readable, Writable, Executable False False False
mswsock.dll 0x7fefcb40000 0x7fefcb94fff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x7fefcba0000 0x7fefcbb6fff Memory Mapped File Readable, Writable, Executable False False False
cryptdll.dll 0x7fefce40000 0x7fefce53fff Memory Mapped File Readable, Writable, Executable False False False
secur32.dll 0x7fefd140000 0x7fefd14afff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x7fefd170000 0x7fefd194fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x7fefd1a0000 0x7fefd1aefff Memory Mapped File Readable, Writable, Executable False False False
sxs.dll 0x7fefd1b0000 0x7fefd240fff Memory Mapped File Readable, Writable, Executable False False False
rpcrtremote.dll 0x7fefd290000 0x7fefd2a3fff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x7fefd2b0000 0x7fefd2befff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x7fefd510000 0x7fefd57afff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x7fefd680000 0x7fefd687fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x7fefd8f0000 0x7fefd8fdfff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x7fefda30000 0x7fefdb06fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x7fefdb10000 0x7fefdbd8fff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x7fefdbe0000 0x7fefdc78fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x7fefde80000 0x7fefdf1efff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x7fefdf20000 0x7fefe122fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x7fefe190000 0x7fefe1dcfff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x7fefe200000 0x7fefe22dfff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x7fefe230000 0x7fefe296fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x7feff0d0000 0x7feff140fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x7feff150000 0x7feff22afff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x7feff230000 0x7feff338fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x7feff340000 0x7feff46cfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x7feff650000 0x7feff66efff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x7feff680000 0x7feff680fff Memory Mapped File Readable, Writable, Executable False False False
private_0x000007fffff98000 0x7fffff98000 0x7fffff99fff Private Memory Readable, Writable True False False
private_0x000007fffff9a000 0x7fffff9a000 0x7fffff9bfff Private Memory Readable, Writable True False False
private_0x000007fffff9c000 0x7fffff9c000 0x7fffff9dfff Private Memory Readable, Writable True False False
private_0x000007fffff9e000 0x7fffff9e000 0x7fffff9ffff Private Memory Readable, Writable True False False
private_0x000007fffffa0000 0x7fffffa0000 0x7fffffa1fff Private Memory Readable, Writable True False False
private_0x000007fffffa2000 0x7fffffa2000 0x7fffffa3fff Private Memory Readable, Writable True False False
private_0x000007fffffa4000 0x7fffffa4000 0x7fffffa5fff Private Memory Readable, Writable True False False
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff Private Memory Readable, Writable True False False
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff Private Memory Readable, Writable True False False
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory Readable, Writable True False False
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory Readable, Writable True False False
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory Readable True False False
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd4fff Private Memory Readable, Writable True False False
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory Readable, Writable True False False
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory Readable, Writable True False False
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory Readable, Writable True False False
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory Readable, Writable True False False
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory Readable, Writable True False False
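Triage note on the Region tables above, with an added example that is not part of the VMRay report or of VMRay's tooling. The columns a practitioner scans first are Type and Permissions: executable regions backed by a Memory Mapped File are loaded modules, while executable Private Memory or Pagefile Backed Memory is where unpacked or injected code normally lives. The parser below reads rows exactly as they appear on the page, flags executable regions without an image file behind them, and then applies one heuristic that is this example's assumption, not a VMRay feature: if another process on the same host maps an image over exactly the same range, the flagged region is most likely that OS image recorded as private memory rather than injected code. The sample rows are copied from the two tables above (the WoW64 process's private RWX regions at 0x77140000 and 0x77240000 line up with user32.dll and kernel32.dll in svchost.exe); header and "+" lines are included to show they are skipped.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Region types that occur in the report's "Type" column.
REGION_TYPES = ("Memory Mapped File", "Private Memory", "Pagefile Backed Memory")
PERM = r"(?:Readable|Writable|Executable)"

# One row: name, start VA, end VA, type, comma-separated permissions,
# then the three boolean columns Monitored / Dump / YARA Match.
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<start>0x[0-9a-fA-F]+)\s+(?P<end>0x[0-9a-fA-F]+)\s+"
    r"(?P<type>" + "|".join(re.escape(t) for t in REGION_TYPES) + r")\s+"
    r"(?P<perms>" + PERM + r"(?:,\s*" + PERM + r")*)\s+"
    r"(?P<monitored>True|False)\s+(?P<dump>True|False)\s+(?P<yara>True|False)\s*$"
)


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int
    kind: str
    perms: frozenset
    monitored: bool
    dump: bool
    yara_match: bool

    @property
    def executable(self) -> bool:
        return "Executable" in self.perms

    @property
    def image_backed(self) -> bool:
        return self.kind == "Memory Mapped File"


def parse_region(line: str) -> Optional[Region]:
    """Parse one table row; returns None for headers, '+' separators and other noise."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    return Region(
        name=m["name"],
        start=int(m["start"], 16),
        end=int(m["end"], 16),
        kind=m["type"],
        perms=frozenset(p.strip() for p in m["perms"].split(",")),
        monitored=m["monitored"] == "True",
        dump=m["dump"] == "True",
        yara_match=m["yara"] == "True",
    )


def parse_table(text: str) -> list[Region]:
    return [r for r in map(parse_region, text.splitlines()) if r is not None]


def suspicious_regions(regions: list[Region]) -> list[Region]:
    """Executable regions with no backing image file: candidate unpacked/injected code."""
    return [r for r in regions if r.executable and not r.image_backed]


def explain_by_sibling(region: Region, sibling: list[Region]) -> Optional[str]:
    """Heuristic (assumption of this example): an image mapped by another process
    over exactly the same range explains the region as an OS module that the
    monitor recorded as private memory (e.g. 64-bit user32/kernel32 in a WoW64
    process). Returns the module name, or None if nothing explains the region."""
    for s in sibling:
        if s.image_backed and s.start == region.start and s.end == region.end:
            return s.name
    return None


def triage(own_rows: str, sibling_rows: str) -> dict[str, Optional[str]]:
    """Map each flagged region name to the sibling module explaining it, or None."""
    sibling = parse_table(sibling_rows)
    return {r.name: explain_by_sibling(r, sibling)
            for r in suspicious_regions(parse_table(own_rows))}


# Constructed sample input: rows copied from the Region tables on this page.
PROCESS_12_ROWS = """Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
kernel32.dll 0x76bb0000 0x76cbffff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077140000 0x77140000 0x77239fff Private Memory Readable, Writable, Executable True False False
private_0x0000000077240000 0x77240000 0x7735efff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x77360000 0x77508fff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
"""

PROCESS_13_ROWS = """+
user32.dll 0x77140000 0x77239fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x77240000 0x7735efff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77360000 0x77508fff Memory Mapped File Readable, Writable, Executable False False False
"""

if __name__ == "__main__":
    for name, why in triage(PROCESS_12_ROWS, PROCESS_13_ROWS).items():
        print(f"{name}: {'explained by ' + why if why else 'UNEXPLAINED, dump and inspect'}")
```

A region the heuristic cannot explain is the one worth dumping: executable, not file-backed, and not an OS image seen elsewhere on the host. Regions that are private but not executable (heaps, stacks, the TEB pages near 0x7efa7000) are deliberately not flagged, since flagging every private page would drown the signal.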