edb1ff25...3eb9 | Grouped Behavior
VTI SCORE: 97/100
Target: win7_32_sp1 | exe
Classification: Trojan, Dropper, Pua

edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9 (SHA256)

OlympicDestroyer.exe

Windows Exe (x86-32)

Created at 2018-03-15 15:14:00

Notifications (1/1)

The overall sleep time of all monitored processes was truncated from "1 hour" to "10 seconds" to reveal dormant functionality.

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0xa0c Analysis Target High (Elevated) olympicdestroyer.exe "C:\Users\EEBsYm5\Desktop\OlympicDestroyer.exe" -
#2 0xa18 Child Process High (Elevated) xtbrb.exe 123 \\.\pipe\DDC210D0-5FCE-4636-B79C-32457B89BBE4 #1
#3 0xa2c Child Process High (Elevated) ilvai.exe 123 \\.\pipe\7DE670E9-B7B8-48DA-BA85-FF4203050C88 #1
#4 0xa38 Child Process High (Elevated) _aaq.exe "C:\Users\EEBsYm5\AppData\Local\Temp\_aaq.exe" #1
#5 0xa54 Child Process High (Elevated) cmd.exe C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet #4
#6 0xb20 Child Process High (Elevated) vssadmin.exe c:\Windows\system32\vssadmin.exe delete shadows /all /quiet #5
#7 0xb3c Child Process High (Elevated) cmd.exe C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet #4
#8 0xb54 Child Process High (Elevated) wbadmin.exe wbadmin.exe delete catalog -quiet #7
#12 0xbec Child Process High (Elevated) cmd.exe C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no #4
#13 0xc04 Child Process High (Elevated) bcdedit.exe bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures #12
#14 0xc0c Child Process High (Elevated) bcdedit.exe bcdedit /set {default} recoveryenabled no #12
#15 0xc14 Child Process High (Elevated) cmd.exe C:\Windows\system32\cmd.exe /c wevtutil.exe cl System #4
#16 0xc2c Child Process High (Elevated) wevtutil.exe wevtutil.exe cl System #15
#17 0xc50 Child Process High (Elevated) cmd.exe C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security #4
#18 0xc68 Child Process High (Elevated) wevtutil.exe wevtutil.exe cl Security #17

Behavior Information - Grouped by Category

Process #1: olympicdestroyer.exe
Information Value
ID #1
File Name c:\users\eebsym5\desktop\olympicdestroyer.exe
Command Line "C:\Users\EEBsYm5\Desktop\OlympicDestroyer.exe"
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:26, Reason: Analysis Target
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:52
OS Process Information
Information Value
PID 0xa0c
Parent PID 0x608 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
Region
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\public\5712465812cbddbc332de65cbaaaf3eb 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\eebsym5\appdata\local\temp\_tqo.exe 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\eebsym5\appdata\local\temp\xtbrb.exe 751.50 KB MD5: 4f43f03783f9789f804dcf9b9474fa6d
SHA1: 492d4a4a74099074e26b5dffd0d15434009ccfd9
SHA256: 19ab44a1343db19741b0e0b06bacce55990b6c8f789815daaf3476e0cc30ebea
False
c:\users\eebsym5\appdata\local\temp\ilvai.exe 226.00 KB MD5: 6e0ebeeea1cb00192b074b288a4f9cfe
SHA1: 21ca710ed3bc536bd5394f0bff6d6140809156cf
SHA256: a52af66a4438c5517870c503ac1e0515af44d3994aa62c7d818b6eef46cfbb2d
False
c:\users\eebsym5\appdata\local\temp\_tqo.exe 1.78 MB MD5: cfdd16225e67471f5ef54cab9b3a5558
SHA1: 26de43cc558a4e0e60eddd4dc9321bcb5a0a181c
SHA256: edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9
False
c:\users\eebsym5\appdata\local\temp\_tqo.exe 1.78 MB MD5: 99e6fa0641c7fb15bb95e9b333c92cf4
SHA1: 5c4c4191542a49052f91f71500f67b353c0cbabb
SHA256: 700ff9959ee79cc40c79f89eb544ea2e7fe5450e8b8d284c5e3c87c82b6dc20f
False
c:\users\eebsym5\appdata\local\temp\_kog.exe 331.15 KB MD5: 27304b246c7d5b4e149124d5f93c5b01
SHA1: e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA256: 3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
False
c:\users\eebsym5\appdata\local\temp\_aaq.exe 36.00 KB MD5: 3c0d740347b0362331c882c2dee96dbf
SHA1: 8350e06f52e5c660bb416b03edb6a5ddc50c3a59
SHA256: ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85
False
Host Behavior
COM (416)
Operation Class Interface Additional Information Success Count
Create WBEMLocator IWbemLocator cls_context = CLSCTX_INPROC_SERVER True 416
File (34)
Operation Filename Additional Information Success Count
Create C:\Users\Public\5712465812CBDDBC332DE65CBAAAF3EB desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\EEBsYm5\AppData\Local\Temp\xtbrb.exe desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\EEBsYm5\AppData\Local\Temp\ilvai.exe desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\EEBsYm5\AppData\Local\Temp\_kog.exe desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\EEBsYm5\AppData\Local\Temp\_aaq.exe desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create Pipe \device\namedpipe\ddc210d0-5fce-4636-b79c-32457b89bbe4 open_mode = PIPE_ACCESS_INBOUND, FILE_FLAG_OVERLAPPED, max_instances = 1 True 1
Create Pipe \device\namedpipe\7de670e9-b7b8-48da-ba85-ff4203050c88 open_mode = PIPE_ACCESS_INBOUND, FILE_FLAG_OVERLAPPED, max_instances = 1 True 1
Get Info c:\7C2313D39DB657EA92ADAAF39716AECE type = file_attributes False 1
Get Info C:\Users\Public\5712465812CBDDBC332DE65CBAAAF3EB type = file_attributes False 3
Get Info C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe type = file_attributes True 2
Get Info C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe type = size, size_out = 0 True 1
Get Info C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe type = file_type True 1
Get Info C:\Users\EEBsYm5\AppData\Local\Temp\_kog.exe type = file_attributes True 1
Get Info C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe type = size, size_out = 0 True 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Copy C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe source_filename = C:\Users\EEBsYm5\Desktop\OlympicDestroyer.exe True 1
Read - size = 102400, size_out = 12 True 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\ilvai.exe size = 102400, size_out = 648 True 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe size = 1861632, size_out = 1861632 True 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe size = 1861632, size_out = 1861632 True 1
Write C:\Users\EEBsYm5\AppData\Local\Temp\xtbrb.exe size = 769536 True 1
Write C:\Users\EEBsYm5\AppData\Local\Temp\ilvai.exe size = 231424 True 1
Write C:\Users\EEBsYm5\AppData\Local\Temp\_kog.exe size = 339096 True 1
Write C:\Users\EEBsYm5\AppData\Local\Temp\_aaq.exe size = 36864 True 1
Delete C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe - True 1
Process (3)
Operation Process Additional Information Success Count
Create C:\Users\EEBsYm5\AppData\Local\Temp\xtbrb.exe os_pid = 0xa18, show_window = SW_HIDE True 1
Create C:\Users\EEBsYm5\AppData\Local\Temp\ilvai.exe os_pid = 0xa2c, show_window = SW_HIDE True 1
Create C:\Users\EEBsYm5\AppData\Local\Temp\_aaq.exe os_pid = 0xa38, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Module (40)
Operation Module Additional Information Success Count
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Load api-ms-win-core-synch-l1-2-0 base_address = 0x72db0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 4
Load kernel32 base_address = 0x0 False 2
Load kernel32 base_address = 0x761d0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 2
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x0 False 2
Load shell32.dll base_address = 0x767a0000 True 2
Get Handle c:\users\eebsym5\desktop\olympicdestroyer.exe base_address = 0x1020000 True 6
Get Handle c:\windows\system32\kernel32.dll base_address = 0x761d0000 True 1
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\eebsym5\desktop\olympicdestroyer.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\OlympicDestroyer.exe, size = 260 True 1
Get Filename c:\users\eebsym5\desktop\olympicdestroyer.exe process_name = c:\users\eebsym5\desktop\olympicdestroyer.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\OlympicDestroyer.exe, size = 1023 True 2
Get Address c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll function = InitializeCriticalSectionEx, address_out = 0x0 False 2
Get Address c:\windows\system32\kernel32.dll function = FlsAlloc, address_out = 0x7622418d True 2
Get Address c:\windows\system32\kernel32.dll function = FlsSetValue, address_out = 0x762276e6 True 2
Get Address c:\windows\system32\kernel32.dll function = FlsGetValue, address_out = 0x76221e16 True 1
Get Address c:\windows\system32\kernel32.dll function = LCMapStringEx, address_out = 0x7625f72b True 1
Get Address c:\windows\system32\kernel32.dll function = IsWow64Process, address_out = 0x76214785 True 1
Get Address c:\windows\system32\shell32.dll function = SHGetKnownFolderPath, address_out = 0x76854ca0 True 2
Get Address c:\windows\system32\kernel32.dll function = AreFileApisANSI, address_out = 0x7625f311 True 1
User (1)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
System (35)
Operation Additional Information Success Count
Get Computer Name result_out = CRH2YWU7 True 1
Sleep duration = 1 milliseconds (0.001 seconds) True 12
Sleep duration = -1 (infinite) False 1
Sleep duration = 100 milliseconds (0.100 seconds) True 3
Get Time type = System Time, time = 2018-03-15 15:15:21 (UTC) True 2
Get Time type = Ticks, time = 94255 True 1
Get Time type = Ticks, time = 94271 True 1
Get Time type = Ticks, time = 94287 True 1
Get Time type = Ticks, time = 94302 True 1
Get Time type = Ticks, time = 94318 True 1
Get Time type = Ticks, time = 96892 True 1
Get Time type = Ticks, time = 96907 True 1
Get Time type = Ticks, time = 96923 True 1
Get Time type = Ticks, time = 96939 True 1
Get Time type = Ticks, time = 96954 True 1
Get Info type = Operating System True 6
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Process #2: xtbrb.exe
Information Value
ID #2
File Name c:\users\eebsym5\appdata\local\temp\xtbrb.exe
Command Line 123 \\.\pipe\DDC210D0-5FCE-4636-B79C-32457B89BBE4
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:32, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:46
OS Process Information
Information Value
PID 0xa18
Parent PID 0xa0c (c:\users\eebsym5\desktop\olympicdestroyer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x A1C
0x A20
Region
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\eebsym5\appdata\local\temp\chr79e0.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\eebsym5\appdata\local\temp\chr79e0.tmp 18.00 KB MD5: 29844404ae855e9df054833f71888eb1
SHA1: 3e86f08def08fc14ddec0227d0643319562666db
SHA256: c381401ea96dfe9b926126dcbbc0dd6ab541dbf549732cc6c66f20096b1f663e
False
Host Behavior
COM (1)
Operation Class Interface Additional Information Success Count Logfile
Create 3C374A40-BAE4-11CF-BF7D-00AA006946EE 3C374A41-BAE4-11CF-BF7D-00AA006946EE cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
File (43)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\\logins.json desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Fn
Create C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create \\.\pipe\DDC210D0-5FCE-4636-B79C-32457B89BBE4 desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_WRITE True 1
Fn
Create Temp File C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp path = C:\Users\EEBsYm5\AppData\Local\Temp\, prefix = chr True 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite type = file_attributes True 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite-journal type = file_attributes False 2
Fn
Get Info C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite type = size, size_out = 0 True 5
Fn
Get Info C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite-wal type = file_attributes False 2
Fn
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data type = file_attributes True 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp type = file_attributes True 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp-journal type = file_attributes False 2
Fn
Get Info C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp type = size, size_out = 0 True 5
Fn
Get Info C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp-wal type = file_attributes False 2
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_OUTPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 2
Fn
Copy C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp source_filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data True 1
Fn
Read C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite size = 100, size_out = 100 True 1
Fn
Data
Read C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite size = 32768, size_out = 32768 True 2
Fn
Data
Read C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite size = 16, size_out = 16 True 1
Fn
Data
Read C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp size = 100, size_out = 100 True 1
Fn
Data
Read C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp size = 2048, size_out = 2048 True 2
Fn
Data
Read C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp size = 16, size_out = 16 True 1
Fn
Data
Write \\.\pipe\DDC210D0-5FCE-4636-B79C-32457B89BBE4 size = 12 True 1
Fn
Data
Delete C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp - False 1
Fn
Registry (46)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US) - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook value_name = DisplayName, data = 0 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX value_name = DisplayName, data = 65 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin value_name = DisplayName, data = 65 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager value_name = DisplayName, data = 0 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx value_name = DisplayName, data = 0 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime value_name = DisplayName, data = 0 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore value_name = DisplayName, data = 0 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome value_name = DisplayName, data = 71 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 value_name = DisplayName, data = 0 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data value_name = DisplayName, data = 0 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX value_name = DisplayName, data = 0 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData value_name = DisplayName, data = 0 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack value_name = DisplayName, data = 0 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US) value_name = DisplayName, data = 77 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US) value_name = InstallLocation, data = 67 True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Module (213)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 4
Fn
Load api-ms-win-core-synch-l1-2-0 base_address = 0x72db0000 True 4
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 8
Fn
Load kernel32 base_address = 0x0 False 4
Fn
Load kernel32 base_address = 0x761d0000 True 4
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 4
Fn
Load KERNEL32.dll base_address = 0x761d0000 True 1
Fn
Load USER32.dll base_address = 0x77ad0000 True 1
Fn
Load ADVAPI32.dll base_address = 0x76700000 True 1
Fn
Load SHELL32.dll base_address = 0x767a0000 True 1
Fn
Load ole32.dll base_address = 0x77970000 True 1
Fn
Load SHLWAPI.dll base_address = 0x76300000 True 1
Fn
Load CRYPT32.dll base_address = 0x76050000 True 1
Fn
Load nss3.dll base_address = 0x6ddb0000 True 1
Fn
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x0 False 2
Fn
Load ext-ms-win-kernel32-package-current-l1-1-0 base_address = 0x0 False 2
Fn
Get Handle c:\users\eebsym5\appdata\local\temp\xtbrb.exe base_address = 0x12b0000 True 3
Fn
Get Handle mscoree.dll - False 1
Fn
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\eebsym5\appdata\local\temp\xtbrb.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\xtbrb.exe, size = 260 True 2
Fn
Get Address c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll function = InitializeCriticalSectionEx, address_out = 0x0 False 4
Fn
Get Address c:\windows\system32\kernel32.dll function = FlsAlloc, address_out = 0x7622418d True 4
Fn
Get Address c:\windows\system32\kernel32.dll function = FlsSetValue, address_out = 0x762276e6 True 4
Fn
Get Address c:\windows\system32\kernel32.dll function = FlsGetValue, address_out = 0x76221e16 True 2
Fn
Get Address c:\windows\system32\kernel32.dll function = LCMapStringEx, address_out = 0x7625f72b True 2
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapFree, address_out = 0x7621bbd0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = EnterCriticalSection, address_out = 0x77f077a0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFullPathNameW, address_out = 0x76224543 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x76221400 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = InterlockedCompareExchange, address_out = 0x7621bb92 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetDiskFreeSpaceW, address_out = 0x76203530 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = OutputDebugStringA, address_out = 0x7620eb36 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LockFile, address_out = 0x7623642f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LeaveCriticalSection, address_out = 0x77f07760 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = InitializeCriticalSection, address_out = 0x77f1a149 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFilePointer, address_out = 0x7621db36 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFullPathNameA, address_out = 0x76223735 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetEndOfFile, address_out = 0x76212319 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = UnlockFileEx, address_out = 0x76236947 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTempPathW, address_out = 0x76208b33 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateMutexW, address_out = 0x76212aee True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WaitForSingleObject, address_out = 0x7621ba90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileW, address_out = 0x7621cc56 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesW, address_out = 0x762264ff True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentThreadId, address_out = 0x7621bb80 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetVersionExW, address_out = 0x76213b1a True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapValidate, address_out = 0x762125dd True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapSize, address_out = 0x77f19bec True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = MultiByteToWideChar, address_out = 0x7622452b True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Sleep, address_out = 0x7621ba46 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FormatMessageW, address_out = 0x762154a3 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetDiskFreeSpaceA, address_out = 0x7622d7d2 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x7621bf00 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesExW, address_out = 0x7621273d True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = OutputDebugStringW, address_out = 0x76206b91 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FlushViewOfFile, address_out = 0x762083d2 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x7621cee8 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WaitForSingleObjectEx, address_out = 0x7621bab0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetVersionExA, address_out = 0x76223861 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = DeleteFileW, address_out = 0x76210f62 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapReAlloc, address_out = 0x77f2ff51 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x7621ca7c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetSystemInfo, address_out = 0x76223728 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapCreate, address_out = 0x76223ea2 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapAlloc, address_out = 0x77f12dd6 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapCompact, address_out = 0x76207cf6 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapDestroy, address_out = 0x76212301 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = UnlockFile, address_out = 0x76236417 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileMappingA, address_out = 0x762197e9 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LockFileEx, address_out = 0x7623692f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileSize, address_out = 0x76210273 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = DeleteCriticalSection, address_out = 0x77f19ac5 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcessId, address_out = 0x7621cac4 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetProcessHeap, address_out = 0x76221280 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SystemTimeToFileTime, address_out = 0x7621cecb True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x7621d9d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WideCharToMultiByte, address_out = 0x7622450e True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76222fde True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetSystemTime, address_out = 0x7621ced8 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FormatMessageA, address_out = 0x76238868 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileMappingW, address_out = 0x76210a7f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = MapViewOfFile, address_out = 0x7621899b True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = QueryPerformanceCounter, address_out = 0x7621bb9f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTickCount, address_out = 0x7621ba60 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FlushFileBuffers, address_out = 0x76207f81 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = lstrlenW, address_out = 0x7621d9e8 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = lstrlenA, address_out = 0x7621a611 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WriteConsoleW, address_out = 0x762182f1 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFilePointerEx, address_out = 0x7620f5b2 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetConsoleMode, address_out = 0x76222412 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = TryEnterCriticalSection, address_out = 0x77f132bc True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ReadFile, address_out = 0x762196fb True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = AreFileApisANSI, address_out = 0x7625f311 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetPrivateProfileStringA, address_out = 0x7620d8d7 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = UnmapViewOfFile, address_out = 0x7621db13 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTempFileNameA, address_out = 0x7623695f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LocalFree, address_out = 0x7621ca64 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetProcAddress, address_out = 0x762233d3 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = DeleteFileA, address_out = 0x762147cb True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x7622395c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesA, address_out = 0x76221de6 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileA, address_out = 0x7623532c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTempPathA, address_out = 0x76236a65 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetConsoleCP, address_out = 0x76222c8a True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetStdHandle, address_out = 0x7625f589 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileType, address_out = 0x762275a5 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetStdHandle, address_out = 0x76221e46 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetEnvironmentVariableA, address_out = 0x76218921 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76221dc3 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76221dbc True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineW, address_out = 0x7622679e True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineA, address_out = 0x762298ff True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetCurrentDirectoryA, address_out = 0x7621903d True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryW, address_out = 0x76223c01 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x7622ed38 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76223d01 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x7621cdcf True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = TerminateProcess, address_out = 0x76212331 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x762276b5 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = InitializeSListHead, address_out = 0x77f25eeb True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x76213ea8 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoW, address_out = 0x76223891 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleW, address_out = 0x7622374d True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = RaiseException, address_out = 0x7620eb60 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = InterlockedFlushSList, address_out = 0x77f13129 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetLastError, address_out = 0x7621bb08 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = RtlUnwind, address_out = 0x76207f70 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76223939 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = TlsAlloc, address_out = 0x762235a1 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = TlsGetValue, address_out = 0x7621da70 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = TlsSetValue, address_out = 0x7621da88 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = TlsFree, address_out = 0x762213b8 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryExW, address_out = 0x76214775 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateThread, address_out = 0x7622375d True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ExitThread, address_out = 0x77eef611 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FreeLibraryAndExitThread, address_out = 0x7620fdb8 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleExW, address_out = 0x76213e39 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x7622214f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x762233f6 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CompareStringW, address_out = 0x76219bee True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LCMapStringW, address_out = 0x762213d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTimeZoneInformation, address_out = 0x76208a3b True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetACP, address_out = 0x762239aa True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetStringTypeW, address_out = 0x762267c8 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x76220e62 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileExA, address_out = 0x7625f3ef True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindNextFileA, address_out = 0x7621a187 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsValidCodePage, address_out = 0x7622c1c0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetOEMCP, address_out = 0x76213db9 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCPInfo, address_out = 0x76221e2e True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = DecodePointer, address_out = 0x77f1cd10 True 1
Fn
Get Address c:\windows\system32\user32.dll function = wsprintfA, address_out = 0x77ae3f47 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptCreateHash, address_out = 0x7670df4e True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptGetHashParam, address_out = 0x7670df7e True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegEnumKeyA, address_out = 0x7672a299 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7671469d True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x767148ef True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x76714907 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextA, address_out = 0x767091dd True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptHashData, address_out = 0x7670df36 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyHash, address_out = 0x7670df66 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptReleaseContext, address_out = 0x7670e124 True 1
Fn
Get Address c:\windows\system32\shell32.dll function = SHGetFolderPathA, address_out = 0x768b7804 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoInitialize, address_out = 0x7798b636 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoCreateInstance, address_out = 0x779b9d0b True 1
Fn
Get Address c:\windows\system32\shlwapi.dll function = wvnsprintfA, address_out = 0x7632edfe True 1
Fn
Get Address c:\windows\system32\shlwapi.dll function = StrStrIW, address_out = 0x763146e9 True 1
Fn
Get Address c:\windows\system32\shlwapi.dll function = StrStrIA, address_out = 0x7630d250 True 1
Fn
Get Address c:\windows\system32\crypt32.dll function = CryptUnprotectData, address_out = 0x76085a7f True 1
Fn
Get Address c:\program files\mozilla firefox\nss3.dll function = NSS_Init, address_out = 0x6de6d70b True 1
Fn
Get Address c:\program files\mozilla firefox\nss3.dll function = NSSBase64_DecodeBuffer, address_out = 0x6de6e7d9 True 1
Fn
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11_GetInternalKeySlot, address_out = 0x6de03c51 True 1
Fn
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11_Authenticate, address_out = 0x6dded3ca True 1
Fn
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11SDR_Decrypt, address_out = 0x6de000a7 True 1
Fn
Get Address c:\program files\mozilla firefox\nss3.dll function = NSS_Shutdown, address_out = 0x6de6d13c True 1
Fn
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11_FreeSlot, address_out = 0x6de03333 True 1
Fn
System (4)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-03-15 15:15:22 (UTC) True 2
Fn
Get Info type = Hardware Information True 1
Fn
Get Info type = Operating System True 1
Fn
Environment (2)
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Data
Ini (1)
Operation Filename Additional Information Success Count Logfile
Read C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\\profiles.ini section_name = Profile0, key_name = Path, data_out = Profiles/h231daer.default True 1
Fn
Process #3: ilvai.exe
Information Value
ID #3
File Name c:\users\eebsym5\appdata\local\temp\ilvai.exe
Command Line 123 \\.\pipe\7DE670E9-B7B8-48DA-BA85-FF4203050C88
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:42, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:36
OS Process Information
Information Value
PID 0xa2c
Parent PID 0xa0c (c:\users\eebsym5\desktop\olympicdestroyer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xa30
0xa34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
private_0x0000000000050000 0x00050000 0x00050fff Private Memory Readable, Writable True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory Readable, Writable True False False -
locale.nls 0x00170000 0x001d6fff Memory Mapped File Readable False False False -
private_0x0000000000230000 0x00230000 0x0023ffff Private Memory Readable, Writable True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000340000 0x00340000 0x00407fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000410000 0x00410000 0x00510fff Pagefile Backed Memory Readable True False False -
private_0x0000000000540000 0x00540000 0x0063ffff Private Memory Readable, Writable True False False -
private_0x0000000000640000 0x00640000 0x00740fff Private Memory Readable, Writable True False False -
private_0x0000000000640000 0x00640000 0x006c8fff Private Memory Readable, Writable True False False -
ilvai.exe 0x00910000 0x0094dfff Memory Mapped File Readable, Writable, Executable True True False
pagefile_0x0000000000950000 0x00950000 0x0154ffff Pagefile Backed Memory Readable True False False -
private_0x0000000010000000 0x10000000 0x10023fff Private Memory Readable, Writable, Executable True False False -
api-ms-win-core-synch-l1-2-0.dll 0x72db0000 0x72db2fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x75680000 0x756bcfff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x75ad0000 0x75ae6fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f70000 0x75fb9fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x761d0000 0x762a3fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x762b0000 0x762cefff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x762e0000 0x762f8fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x76300000 0x76356fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x765f0000 0x765f9fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x76700000 0x7679ffff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x767a0000 0x773e9fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x773f0000 0x7748cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77550000 0x775f0fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77720000 0x777cbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77ad0000 0x77b98fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77ba0000 0x77c6bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77c80000 0x77ccdfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Host Behavior
File (8)
Operation Filename Additional Information Success Count Logfile
Create \\.\pipe\7DE670E9-B7B8-48DA-BA85-FF4203050C88 desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_WRITE True 1
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_OUTPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 2
Fn
Write \\.\pipe\7DE670E9-B7B8-48DA-BA85-FF4203050C88 size = 648 True 1
Fn
Data
Process (5)
Operation Process Additional Information Success Count Logfile
Get Info c:\users\eebsym5\appdata\local\temp\ilvai.exe type = PROCESS_BASIC_INFORMATION True 3
Fn
Get Info c:\windows\system32\lsass.exe type = PROCESS_BASIC_INFORMATION True 1
Fn
Open c:\windows\system32\lsass.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_LIMITED_INFORMATION True 1
Fn
Memory (530)
Operation Process Additional Information Success Count Logfile
Read c:\windows\system32\lsass.exe address = 0x7ffdc000, size = 16 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x77f97880, size = 36 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2c15c0, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2c146e, size = 20 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x990000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x9900e8, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x9900e8, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2c1640, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x77f28328, size = 20 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x77ec0000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x77ec00d0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x77ec00d0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2c1938, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2c1910, size = 26 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x761d0000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x761d00f0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x761d00f0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2c1a20, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2c19f8, size = 30 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75f70000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75f700e0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75f700e0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2c2180, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2c2160, size = 22 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x77720000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x777200e0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x777200e0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2c22c0, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2c22a0, size = 22 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x77550000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x775500f0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x775500f0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2c26e0, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2c26c0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75d60000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75d600e0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75d600e0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2cf698, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2cf678, size = 22 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75c60000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75c600e0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75c600e0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2cf718, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2c2658, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x762e0000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x762e00f0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x762e00f0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2cf4b8, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2cf498, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75e00000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75e000e0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75e000e0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2cf588, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2cf560, size = 26 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x76700000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x767000e0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x767000e0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2cf798, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2cf630, size = 22 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x77ad0000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x77ad00f0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x77ad00f0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2cf818, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2cf450, size = 20 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x77c80000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x77c800e0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x77c800e0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2cf8d8, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2cf8c0, size = 16 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x765f0000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x765f00f0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x765f00f0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2cf9a0, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2cf980, size = 20 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x773f0000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x773f00f8, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x773f00f8, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d00d8, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d00b8, size = 22 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75bd0000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75bd00e0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75bd00e0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2cfec0, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2cfe98, size = 26 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75bb0000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75bb00e8, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75bb00e8, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d0170, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2cfe48, size = 22 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75f40000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75f400e8, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75f400e8, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d01f0, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2cffb0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75b60000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75b600e0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75b600e0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d0270, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2cff68, size = 20 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x762b0000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x762b00d8, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x762b00d8, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d02f0, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d2180, size = 20 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x77ba0000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x77ba00f0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x77ba00f0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d0370, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d8c70, size = 26 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75b50000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75b500e0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75b500e0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d03f0, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d36b8, size = 20 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75b30000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75b300d8, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75b300d8, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d0470, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d3550, size = 22 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75af0000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75af00e0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75af00e0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d04f0, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d3598, size = 22 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75ad0000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75ad00e0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75ad00e0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d0570, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d34c0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75aa0000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75aa00b8, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75aa00b8, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d05f0, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d38f8, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75a70000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75a700e8, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75a700e8, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d0670, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2dff58, size = 26 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75a50000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75a500f0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75a500f0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d06f0, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d3aa8, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75de0000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75de00e8, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75de00e8, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d0770, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2e0220, size = 28 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75e20000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75e200e8, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75e200e8, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d07f0, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2e0848, size = 26 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x759c0000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x759c00e0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x759c00e0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d0870, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d3ca0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x759a0000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x759a00e0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x759a00e0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d08f0, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d3d30, size = 22 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x77510000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x775100e0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x775100e0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d0970, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2e56f0, size = 16 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x762d0000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x762d00e0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x762d00e0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d09f0, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d3d78, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75960000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x759600e0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x759600e0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d0a70, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d3e08, size = 22 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75950000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x759500e0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x759500e0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d0af0, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d3e50, size = 22 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75900000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x759000f0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x759000f0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d0bf0, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2e16d0, size = 26 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75870000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x758700e8, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x758700e8, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d0c70, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d4000, size = 22 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75820000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x758200e0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x758200e0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d0cf0, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2e1720, size = 26 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x757f0000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x757f00d8, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x757f00d8, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d0d70, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2e1770, size = 26 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x757b0000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x757b00e0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x757b00e0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d0df0, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d4090, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x76050000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x760500f0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x760500f0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d0e70, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2faab8, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75780000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x757800e0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x757800e0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d0ef0, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2fabd8, size = 22 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75740000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x757400d8, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x757400d8, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d0f70, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2fac20, size = 20 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75700000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x757000f0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x757000f0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d0ff0, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2fae18, size = 20 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x756c0000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x756c00f0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x756c00f0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d1070, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2f8b90, size = 42 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75680000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x756800f0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x756800f0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d10f0, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2e2440, size = 32 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75ec0000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75ec00f8, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75ec00f8, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d12f0, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2e2490, size = 28 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75730000, size = 64 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x757300f0, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x757300f0, size = 248 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d1bf0, size = 52 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2fb718, size = 22 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75c73b6b, size = 4 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75c73b4c, size = 4 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75c60000, size = 1048576 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75c97d2f, size = 4 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75d4bf30, size = 16 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75c97cde, size = 4 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75d4b298, size = 4 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2b0000, size = 20 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2b0020, size = 32 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2b003c, size = 24 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75c97d15, size = 4 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75d4b29c, size = 4 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2b01f0, size = 20 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2b0210, size = 32 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2b022c, size = 16 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75d4a4a4, size = 4 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75d4c2d8, size = 4 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x362ed0, size = 160 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x358188, size = 32 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x3582a0, size = 26 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x358e51, size = 1 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x358e50, size = 12 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x34f168, size = 160 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x34e7e0, size = 16 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x3467e8, size = 18 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x346770, size = 16 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x34a761, size = 1 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x34a760, size = 28 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x34e8b8, size = 12 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x350f90, size = 20 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x350fac, size = 120 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x350fa4, size = 8 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75700000, size = 73728 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x7570631e, size = 4 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x7570f134, size = 56 True 6
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x34abf0, size = 56 True 6
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x326d28, size = 72 True 6
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x34ac90, size = 56 True 5
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x326e60, size = 72 True 5
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x326eb0, size = 4 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x326ec8, size = 28 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x34ac68, size = 18 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x352f08, size = 16 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x352f28, size = 16 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75780000, size = 180224 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x7578190c, size = 4 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x757a7188, size = 4 True 6
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x308a20, size = 24 True 6
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x308a20, size = 56 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x34e900, size = 16 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x3468e8, size = 18 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x34e918, size = 16 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x759c0000, size = 557056 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75a13f75, size = 4 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75a37a58, size = 56 True 6
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x31b4e0, size = 56 True 6
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x33a708, size = 44 True 6
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x31ae78, size = 56 True 5
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2cd7d0, size = 44 True 5
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x34a830, size = 56 True 4
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x3508e0, size = 44 True 4
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2fd618, size = 56 True 3
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x305940, size = 44 True 3
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x34aa10, size = 56 True 2
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x350bd8, size = 44 True 2
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x350bd8, size = 196 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x34e840, size = 16 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x3468a8, size = 18 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x34e858, size = 16 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75900000, size = 270336 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x75902542, size = 4 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x7593a1a0, size = 8 True 6
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x348700, size = 60 True 6
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x348900, size = 60 True 6
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x348780, size = 60 True 6
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x348680, size = 60 True 6
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x348500, size = 60 True 6
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x348180, size = 60 True 6
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x348100, size = 60 True 6
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d1ff8, size = 60 True 6
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x2d1f78, size = 60 True 6
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x307938, size = 20 True 2
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x350248, size = 8 True 2
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x34eab0, size = 160 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x34e7f8, size = 16 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x346828, size = 18 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x346810, size = 16 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x34a789, size = 1 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x34a788, size = 28 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x34e780, size = 12 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x34f0c0, size = 20 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x34f0dc, size = 120 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x34f0d4, size = 8 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x326d78, size = 4 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x326df8, size = 28 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x34abc8, size = 18 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x346910, size = 16 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x352ee8, size = 16 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x308980, size = 24 True 5
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x308980, size = 56 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x34e8d0, size = 16 True 1
Fn
Data
Read c:\windows\system32\lsass.exe address = 0x346848, size = 18 True 1
Read c:\windows\system32\lsass.exe address = 0x34e8e8, size = 16 True 1
Read c:\windows\system32\lsass.exe address = 0x3508e0, size = 196 True 1
Read c:\windows\system32\lsass.exe address = 0x34e7c8, size = 16 True 1
Read c:\windows\system32\lsass.exe address = 0x346868, size = 18 True 1
Read c:\windows\system32\lsass.exe address = 0x34e810, size = 16 True 1
Read c:\windows\system32\lsass.exe address = 0x335840, size = 160 True 1
Read c:\windows\system32\lsass.exe address = 0x31b3c0, size = 28 True 1
Read c:\windows\system32\lsass.exe address = 0x31b3e8, size = 26 True 1
Read c:\windows\system32\lsass.exe address = 0x3300c9, size = 1 True 1
Read c:\windows\system32\lsass.exe address = 0x3300c8, size = 12 True 1
Read c:\windows\system32\lsass.exe address = 0x308890, size = 24 True 4
Read c:\windows\system32\lsass.exe address = 0x308890, size = 56 True 1
Read c:\windows\system32\lsass.exe address = 0x331e50, size = 2 True 1
Read c:\windows\system32\lsass.exe address = 0x331e40, size = 2 True 1
Read c:\windows\system32\lsass.exe address = 0x33a708, size = 196 True 1
Read c:\windows\system32\lsass.exe address = 0x331e60, size = 2 True 1
Read c:\windows\system32\lsass.exe address = 0x331e70, size = 2 True 1
Read c:\windows\system32\lsass.exe address = 0x31eb50, size = 20 True 1
Read c:\windows\system32\lsass.exe address = 0x33a2a0, size = 8 True 1
Read c:\windows\system32\lsass.exe address = 0x3159f0, size = 160 True 1
Read c:\windows\system32\lsass.exe address = 0x329400, size = 20 True 1
Read c:\windows\system32\lsass.exe address = 0x3292c0, size = 20 True 1
Read c:\windows\system32\lsass.exe address = 0x330009, size = 1 True 1
Read c:\windows\system32\lsass.exe address = 0x330008, size = 12 True 1
Read c:\windows\system32\lsass.exe address = 0x308610, size = 24 True 3
Read c:\windows\system32\lsass.exe address = 0x308610, size = 56 True 1
Read c:\windows\system32\lsass.exe address = 0x329440, size = 20 True 1
Read c:\windows\system32\lsass.exe address = 0x329420, size = 20 True 1
Read c:\windows\system32\lsass.exe address = 0x2cd7d0, size = 196 True 1
Read c:\windows\system32\lsass.exe address = 0x329460, size = 20 True 1
Read c:\windows\system32\lsass.exe address = 0x329480, size = 20 True 1
Read c:\windows\system32\lsass.exe address = 0x31e9a0, size = 20 True 1
Read c:\windows\system32\lsass.exe address = 0x331998, size = 8 True 1
Read c:\windows\system32\lsass.exe address = 0x2f5920, size = 160 True 1
Read c:\windows\system32\lsass.exe address = 0x1, size = 1 False 1
Read c:\windows\system32\lsass.exe address = 0x2e2378, size = 24 True 2
Read c:\windows\system32\lsass.exe address = 0x2df050, size = 160 True 1
Read c:\windows\system32\lsass.exe address = 0x2df488, size = 20 True 1
Read c:\windows\system32\lsass.exe address = 0x2df4a8, size = 20 True 1
Read c:\windows\system32\lsass.exe address = 0x2decd9, size = 1 True 1
Read c:\windows\system32\lsass.exe address = 0x2decd8, size = 12 True 1
Read c:\windows\system32\lsass.exe address = 0x2e2378, size = 56 True 1
Read c:\windows\system32\lsass.exe address = 0x2df508, size = 20 True 1
Read c:\windows\system32\lsass.exe address = 0x2df528, size = 20 True 1
Read c:\windows\system32\lsass.exe address = 0x305940, size = 196 True 1
Read c:\windows\system32\lsass.exe address = 0x2df548, size = 20 True 1
Read c:\windows\system32\lsass.exe address = 0x2df568, size = 20 True 1
Read c:\windows\system32\lsass.exe address = 0x2fb030, size = 20 True 1
Read c:\windows\system32\lsass.exe address = 0x3054d8, size = 8 True 1
Module (146)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 4
Load api-ms-win-core-synch-l1-2-0 base_address = 0x72db0000 True 4
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 8
Load kernel32 base_address = 0x0 False 4
Load kernel32 base_address = 0x761d0000 True 4
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 4
Load ntdll.dll base_address = 0x77ec0000 True 1
Load KERNEL32.dll base_address = 0x761d0000 True 1
Load advapi32.dll base_address = 0x76700000 True 1
Load user32.dll base_address = 0x77ad0000 True 1
Load bcrypt base_address = 0x75ad0000 True 1
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x0 False 2
Load ext-ms-win-kernel32-package-current-l1-1-0 base_address = 0x0 False 2
Get Handle c:\users\eebsym5\appdata\local\temp\ilvai.exe base_address = 0x910000 True 3
Get Handle c:\windows\system32\ntdll.dll base_address = 0x77ec0000 True 3
Get Handle mscoree.dll - False 1
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\eebsym5\appdata\local\temp\ilvai.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\ilvai.exe, size = 260 True 2
Get Address c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll function = InitializeCriticalSectionEx, address_out = 0x0 False 4
Get Address c:\windows\system32\kernel32.dll function = FlsAlloc, address_out = 0x7622418d True 4
Get Address c:\windows\system32\kernel32.dll function = FlsSetValue, address_out = 0x762276e6 True 4
Get Address c:\windows\system32\kernel32.dll function = FlsGetValue, address_out = 0x76221e16 True 2
Get Address c:\windows\system32\kernel32.dll function = LCMapStringEx, address_out = 0x7625f72b True 2
Get Address c:\windows\system32\ntdll.dll function = RtlGetCurrentPeb, address_out = 0x77ef0241 True 1
Get Address c:\windows\system32\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77ef4168 True 1
Get Address c:\windows\system32\ntdll.dll function = NtQueryInformationProcess, address_out = 0x77f06048 True 1
Get Address c:\windows\system32\ntdll.dll function = RtlEqualUnicodeString, address_out = 0x77f15705 True 1
Get Address c:\windows\system32\ntdll.dll function = RtlEqualString, address_out = 0x77edd88a True 1
Get Address c:\windows\system32\ntdll.dll function = RtlAdjustPrivilege, address_out = 0x77ecbc3a True 1
Get Address c:\windows\system32\ntdll.dll function = RtlGetNtVersionNumbers, address_out = 0x77f28e52 True 1
Get Address c:\windows\system32\ntdll.dll function = NtQuerySystemInformation, address_out = 0x77f061f8 True 1
Get Address c:\windows\system32\kernel32.dll function = DecodePointer, address_out = 0x77f1cd10 True 1
Get Address c:\windows\system32\kernel32.dll function = WriteConsoleW, address_out = 0x762182f1 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFilePointerEx, address_out = 0x7620f5b2 True 1
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x7621ca7c True 1
Get Address c:\windows\system32\kernel32.dll function = HeapReAlloc, address_out = 0x77f2ff51 True 1
Get Address c:\windows\system32\kernel32.dll function = HeapSize, address_out = 0x77f19bec True 1
Get Address c:\windows\system32\kernel32.dll function = LocalAlloc, address_out = 0x76223363 True 1
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryW, address_out = 0x76223c01 True 1
Get Address c:\windows\system32\kernel32.dll function = GetProcAddress, address_out = 0x762233d3 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileW, address_out = 0x7621cc56 True 1
Get Address c:\windows\system32\kernel32.dll function = IsWow64Process, address_out = 0x76214785 True 1
Get Address c:\windows\system32\kernel32.dll function = LocalFree, address_out = 0x7621ca64 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleW, address_out = 0x7622374d True 1
Get Address c:\windows\system32\kernel32.dll function = QueryPerformanceCounter, address_out = 0x7621bb9f True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcessId, address_out = 0x7621cac4 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentThreadId, address_out = 0x7621bb80 True 1
Get Address c:\windows\system32\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76222fde True 1
Get Address c:\windows\system32\kernel32.dll function = InitializeSListHead, address_out = 0x77f25eeb True 1
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x76213ea8 True 1
Get Address c:\windows\system32\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x7622ed38 True 1
Get Address c:\windows\system32\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76223d01 True 1
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoW, address_out = 0x76223891 True 1
Get Address c:\windows\system32\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x762276b5 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x7621cdcf True 1
Get Address c:\windows\system32\kernel32.dll function = TerminateProcess, address_out = 0x76212331 True 1
Get Address c:\windows\system32\kernel32.dll function = InterlockedFlushSList, address_out = 0x77f13129 True 1
Get Address c:\windows\system32\kernel32.dll function = RtlUnwind, address_out = 0x76207f70 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x7621bf00 True 1
Get Address c:\windows\system32\kernel32.dll function = SetLastError, address_out = 0x7621bb08 True 1
Get Address c:\windows\system32\kernel32.dll function = EnterCriticalSection, address_out = 0x77f077a0 True 1
Get Address c:\windows\system32\kernel32.dll function = LeaveCriticalSection, address_out = 0x77f07760 True 1
Get Address c:\windows\system32\kernel32.dll function = DeleteCriticalSection, address_out = 0x77f19ac5 True 1
Get Address c:\windows\system32\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76223939 True 1
Get Address c:\windows\system32\kernel32.dll function = TlsAlloc, address_out = 0x762235a1 True 1
Get Address c:\windows\system32\kernel32.dll function = TlsGetValue, address_out = 0x7621da70 True 1
Get Address c:\windows\system32\kernel32.dll function = TlsSetValue, address_out = 0x7621da88 True 1
Get Address c:\windows\system32\kernel32.dll function = TlsFree, address_out = 0x762213b8 True 1
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x7621d9d0 True 1
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryExW, address_out = 0x76214775 True 1
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x7622214f True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleExW, address_out = 0x76213e39 True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x762233f6 True 1
Get Address c:\windows\system32\kernel32.dll function = MultiByteToWideChar, address_out = 0x7622452b True 1
Get Address c:\windows\system32\kernel32.dll function = WideCharToMultiByte, address_out = 0x7622450e True 1
Get Address c:\windows\system32\kernel32.dll function = HeapFree, address_out = 0x7621bbd0 True 1
Get Address c:\windows\system32\kernel32.dll function = HeapAlloc, address_out = 0x77f12dd6 True 1
Get Address c:\windows\system32\kernel32.dll function = LCMapStringW, address_out = 0x762213d0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetStdHandle, address_out = 0x76221e46 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileType, address_out = 0x762275a5 True 1
Get Address c:\windows\system32\kernel32.dll function = GetACP, address_out = 0x762239aa True 1
Get Address c:\windows\system32\kernel32.dll function = GetStringTypeW, address_out = 0x762267c8 True 1
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x76220e62 True 1
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileExA, address_out = 0x7625f3ef True 1
Get Address c:\windows\system32\kernel32.dll function = FindNextFileA, address_out = 0x7621a187 True 1
Get Address c:\windows\system32\kernel32.dll function = IsValidCodePage, address_out = 0x7622c1c0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetOEMCP, address_out = 0x76213db9 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCPInfo, address_out = 0x76221e2e True 1
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineA, address_out = 0x762298ff True 1
Get Address c:\windows\system32\kernel32.dll function = GetCommandLineW, address_out = 0x7622679e True 1
Get Address c:\windows\system32\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76221dbc True 1
Get Address c:\windows\system32\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76221dc3 True 1
Get Address c:\windows\system32\kernel32.dll function = GetProcessHeap, address_out = 0x76221280 True 1
Get Address c:\windows\system32\kernel32.dll function = FlushFileBuffers, address_out = 0x76207f81 True 1
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x76221400 True 1
Get Address c:\windows\system32\kernel32.dll function = GetConsoleCP, address_out = 0x76222c8a True 1
Get Address c:\windows\system32\kernel32.dll function = GetConsoleMode, address_out = 0x76222412 True 1
Get Address c:\windows\system32\kernel32.dll function = SetStdHandle, address_out = 0x7625f589 True 1
Get Address c:\windows\system32\kernel32.dll function = RaiseException, address_out = 0x7620eb60 True 1
Get Address c:\windows\system32\bcrypt.dll function = BCryptOpenAlgorithmProvider, address_out = 0x75ad2cda True 1
Get Address c:\windows\system32\bcrypt.dll function = BCryptSetProperty, address_out = 0x75ad20d4 True 1
Get Address c:\windows\system32\bcrypt.dll function = BCryptGetProperty, address_out = 0x75ad1ca7 True 1
Get Address c:\windows\system32\bcrypt.dll function = BCryptGenerateSymmetricKey, address_out = 0x75ad1fbc True 1
Get Address c:\windows\system32\bcrypt.dll function = BCryptEncrypt, address_out = 0x75ad195c True 1
Get Address c:\windows\system32\bcrypt.dll function = BCryptDecrypt, address_out = 0x75ad18b8 True 1
Get Address c:\windows\system32\bcrypt.dll function = BCryptDestroyKey, address_out = 0x75ad1f40 True 1
Get Address c:\windows\system32\bcrypt.dll function = BCryptCloseAlgorithmProvider, address_out = 0x75ad2391 True 1
System (7)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2018-03-15 15:15:24 (UTC) True 2
Get Info type = SYSTEM_PROCESS_INFORMATION False 4
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Environment (2)
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Process #4: _aaq.exe
1545 0
Information Value
ID #4
File Name c:\users\eebsym5\appdata\local\temp\_aaq.exe
Command Line "C:\Users\EEBsYm5\AppData\Local\Temp\_aaq.exe"
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:44, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:34
OS Process Information
Information Value
PID 0xa38
Parent PID 0xa0c (c:\users\eebsym5\desktop\olympicdestroyer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA3C, 0xA48, 0xA94, 0xCC8, 0xCD0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory Readable, Writable True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory Readable, Writable True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e6fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000210000 0x00210000 0x002d7fff Pagefile Backed Memory Readable True False False -
private_0x00000000002e0000 0x002e0000 0x0035ffff Private Memory Readable, Writable True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory Readable, Writable True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000004e0000 0x004e0000 0x005e0fff Pagefile Backed Memory Readable True False False -
private_0x0000000000650000 0x00650000 0x0074ffff Private Memory Readable, Writable True False False -
private_0x0000000000830000 0x00830000 0x0092ffff Private Memory Readable, Writable True False False -
private_0x0000000000970000 0x00970000 0x00a6ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000a70000 0x00a70000 0x00e62fff Pagefile Backed Memory Readable True False False -
_aaq.exe 0x00f10000 0x00f1cfff Memory Mapped File Readable, Writable, Executable True True False
pagefile_0x0000000000f20000 0x00f20000 0x01b1ffff Pagefile Backed Memory Readable True False False -
private_0x0000000001ba0000 0x01ba0000 0x01c9ffff Private Memory Readable, Writable True False False -
browcli.dll 0x70150000 0x7015cfff Memory Mapped File Readable, Writable, Executable False False False -
davhlpr.dll 0x70160000 0x70167fff Memory Mapped File Readable, Writable, Executable False False False -
cscapi.dll 0x70c40000 0x70c4afff Memory Mapped File Readable, Writable, Executable False False False -
mpr.dll 0x726c0000 0x726d1fff Memory Mapped File Readable, Writable, Executable False False False -
davclnt.dll 0x728a0000 0x728b6fff Memory Mapped File Readable, Writable, Executable False False False -
ntlanman.dll 0x728c0000 0x728d3fff Memory Mapped File Readable, Writable, Executable False False False -
drprov.dll 0x72a50000 0x72a57fff Memory Mapped File Readable, Writable, Executable False False False -
wkscli.dll 0x74790000 0x7479efff Memory Mapped File Readable, Writable, Executable False False False -
netutils.dll 0x747a0000 0x747a8fff Memory Mapped File Readable, Writable, Executable False False False -
winsta.dll 0x75e90000 0x75eb8fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f70000 0x75fb9fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x761d0000 0x762a3fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x762b0000 0x762cefff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x762e0000 0x762f8fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x76300000 0x76356fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x765f0000 0x765f9fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x76700000 0x7679ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x773f0000 0x7748cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77550000 0x775f0fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77720000 0x777cbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77ad0000 0x77b98fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77ba0000 0x77c6bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77c80000 0x77ccdfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory Readable, Writable True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory Readable, Writable True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory Readable, Writable True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Host Behavior
File (3)
Operation Filename Additional Information Success Count Logfile
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Process (5)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet os_pid = 0xa54, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Create C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet os_pid = 0xb3c, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Create C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no os_pid = 0xbec, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Create C:\Windows\system32\cmd.exe /c wevtutil.exe cl System os_pid = 0xc14, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Create C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security os_pid = 0xc50, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Module (7)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\kernel32.dll base_address = 0x761d0000 True 2
Get Filename - process_name = c:\users\eebsym5\appdata\local\temp\_aaq.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\_aaq.exe, size = 260 True 1
Get Address c:\windows\system32\kernel32.dll function = FlsAlloc, address_out = 0x7622418d True 1
Get Address c:\windows\system32\kernel32.dll function = FlsGetValue, address_out = 0x76221e16 True 1
Get Address c:\windows\system32\kernel32.dll function = FlsSetValue, address_out = 0x762276e6 True 1
Get Address c:\windows\system32\kernel32.dll function = FlsFree, address_out = 0x76221f61 True 1
Service (1517)
Operation Additional Information Success Count Logfile
Enumerate database_name = ServicesActive False 1
Enumerate database_name = ServicesActive True 1
Get Info service_name = 1394ohci False 1
Get Info service_name = 1394ohci True 1
Get Info service_name = ACPI False 1
Get Info service_name = ACPI True 1
Get Info service_name = AcpiPmi False 1
Get Info service_name = AcpiPmi True 1
Get Info service_name = adp94xx False 1
Get Info service_name = adp94xx True 1
Get Info service_name = adpahci False 1
Get Info service_name = adpahci True 1
Get Info service_name = adpu320 False 1
Get Info service_name = adpu320 True 1
Get Info service_name = AeLookupSvc False 1
Get Info service_name = AeLookupSvc True 1
Get Info service_name = AFD False 1
Get Info service_name = AFD True 1
Get Info service_name = agp440 False 1
Get Info service_name = agp440 True 1
Get Info service_name = aic78xx False 1
Get Info service_name = aic78xx True 1
Get Info service_name = ALG False 1
Get Info service_name = ALG True 1
Get Info service_name = aliide False 1
Get Info service_name = aliide True 1
Get Info service_name = amdagp False 1
Get Info service_name = amdagp True 1
Get Info service_name = amdide False 1
Get Info service_name = amdide True 1
Get Info service_name = AmdK8 False 1
Get Info service_name = AmdK8 True 1
Get Info service_name = AmdPPM False 1
Get Info service_name = AmdPPM True 1
Get Info service_name = amdsata False 1
Get Info service_name = amdsata True 1
Get Info service_name = amdsbs False 1
Get Info service_name = amdsbs True 1
Get Info service_name = amdxata False 1
Get Info service_name = amdxata True 1
Get Info service_name = AppID False 1
Get Info service_name = AppID True 1
Get Info service_name = AppIDSvc False 1
Get Info service_name = AppIDSvc True 1
Get Info service_name = Appinfo False 1
Get Info service_name = Appinfo True 1
Get Info service_name = AppMgmt False 1
Get Info service_name = AppMgmt True 1
Get Info service_name = arc False 1
Get Info service_name = arc True 1
Get Info service_name = arcsas False 1
Get Info service_name = arcsas True 1
Get Info service_name = aspnet_state False 1
Get Info service_name = aspnet_state True 1
Get Info service_name = AsyncMac False 1
Get Info service_name = AsyncMac True 1
Get Info service_name = atapi False 1
Get Info service_name = atapi True 1
Get Info service_name = AudioEndpointBuilder False 1
Get Info service_name = AudioEndpointBuilder True 1
Get Info service_name = Audiosrv False 1
Get Info service_name = Audiosrv True 1
Get Info service_name = AxInstSV False 1
Get Info service_name = AxInstSV True 1
Get Info service_name = b06bdrv False 1
Get Info service_name = b06bdrv True 1
Get Info service_name = b57nd60x False 1
Get Info service_name = b57nd60x True 1
Get Info service_name = Beep False 1
Get Info service_name = Beep True 1
Get Info service_name = BFE False 1
Get Info service_name = BFE True 1
Get Info service_name = BITS False 1
Get Info service_name = BITS True 1
Get Info service_name = blbdrive False 1
Get Info service_name = blbdrive True 1
Get Info service_name = bowser False 1
Get Info service_name = bowser True 1
Get Info service_name = BrFiltLo False 1
Get Info service_name = BrFiltLo True 1
Get Info service_name = BrFiltUp False 1
Get Info service_name = BrFiltUp True 1
Get Info service_name = Browser False 1
Get Info service_name = Browser True 1
Get Info service_name = Brserid False 1
Get Info service_name = Brserid True 1
Get Info service_name = BrSerWdm False 1
Get Info service_name = BrSerWdm True 1
Get Info service_name = BrUsbMdm False 1
Get Info service_name = BrUsbMdm True 1
Get Info service_name = BrUsbSer False 1
Get Info service_name = BrUsbSer True 1
Get Info service_name = BTHMODEM False 1
Get Info service_name = BTHMODEM True 1
Get Info service_name = bthserv False 1
Get Info service_name = bthserv True 1
Get Info service_name = cdfs False 1
Get Info service_name = cdfs True 1
Get Info service_name = cdrom False 1
Get Info service_name = cdrom True 1
Get Info service_name = circlass False 1
Get Info service_name = circlass True 1
Get Info service_name = clr_optimization_v2.0.50727_32 False 1
Get Info service_name = clr_optimization_v2.0.50727_32 True 1
Get Info service_name = clr_optimization_v4.0.30319_32 False 1
Get Info service_name = clr_optimization_v4.0.30319_32 True 1
Get Info service_name = CmBatt False 1
Get Info service_name = CmBatt True 1
Get Info service_name = cmdide False 1
Get Info service_name = cmdide True 1
Get Info service_name = CNG False 1
Get Info service_name = CNG True 1
Get Info service_name = Compbatt False 1
Get Info service_name = Compbatt True 1
Get Info service_name = CompositeBus False 1
Get Info service_name = CompositeBus True 1
Get Info service_name = COMSysApp False 1
Get Info service_name = COMSysApp True 1
Get Info service_name = crcdisk False 1
Get Info service_name = crcdisk True 1
Get Info service_name = CryptSvc False 1
Get Info service_name = CryptSvc True 1
Get Info service_name = CSC False 1
Get Info service_name = CSC True 1
Get Info service_name = CscService False 1
Get Info service_name = CscService True 1
Get Info service_name = defragsvc False 1
Get Info service_name = defragsvc True 1
Get Info service_name = DfsC False 1
Get Info service_name = DfsC True 1
Get Info service_name = Dhcp False 1
Get Info service_name = Dhcp True 1
Get Info service_name = discache False 1
Get Info service_name = discache True 1
Get Info service_name = Disk False 1
Get Info service_name = Disk True 1
Get Info service_name = Dnscache False 1
Get Info service_name = Dnscache True 1
Get Info service_name = dot3svc False 1
Get Info service_name = dot3svc True 1
Get Info service_name = drmkaud False 1
Get Info service_name = drmkaud True 1
Get Info service_name = DXGKrnl False 1
Get Info service_name = DXGKrnl True 1
Get Info service_name = E1G60 False 1
Get Info service_name = E1G60 True 1
Get Info service_name = EapHost False 1
Get Info service_name = EapHost True 1
Get Info service_name = ebdrv False 1
Get Info service_name = ebdrv True 1
Get Info service_name = ehRecvr False 1
Get Info service_name = ehRecvr True 1
Get Info service_name = ehSched False 1
Get Info service_name = ehSched True 1
Get Info service_name = elxstor False 1
Get Info service_name = elxstor True 1
Get Info service_name = ErrDev False 1
Get Info service_name = ErrDev True 1
Get Info service_name = eventlog False 1
Get Info service_name = eventlog True 1
Get Info service_name = EventSystem False 1
Get Info service_name = EventSystem True 1
Get Info service_name = exfat False 1
Get Info service_name = exfat True 1
Get Info service_name = fastfat False 1
Get Info service_name = fastfat True 1
Get Info service_name = Fax False 1
Get Info service_name = Fax True 1
Get Info service_name = fdc False 1
Get Info service_name = fdc True 1
Get Info service_name = fdPHost False 1
Get Info service_name = fdPHost True 1
Get Info service_name = FDResPub False 1
Get Info service_name = FDResPub True 1
Get Info service_name = FileInfo False 1
Get Info service_name = FileInfo True 1
Get Info service_name = Filetrace False 1
Get Info service_name = Filetrace True 1
Get Info service_name = flpydisk False 1
Get Info service_name = flpydisk True 1
Get Info service_name = FltMgr False 1
Get Info service_name = FltMgr True 1
Get Info service_name = FontCache False 1
Get Info service_name = FontCache True 1
Get Info service_name = FontCache3.0.0.0 False 1
Get Info service_name = FontCache3.0.0.0 True 1
Get Info service_name = FsDepends False 1
Get Info service_name = FsDepends True 1
Get Info service_name = fvevol False 1
Get Info service_name = fvevol True 1
Fn
Get Info service_name = gagp30kx False 1
Fn
Get Info service_name = gagp30kx True 1
Fn
Get Info service_name = gupdate False 1
Fn
Get Info service_name = gupdate True 1
Fn
Get Info service_name = gupdatem False 1
Fn
Get Info service_name = gupdatem True 1
Fn
Get Info service_name = hcw85cir False 1
Fn
Get Info service_name = hcw85cir True 1
Fn
Get Info service_name = HdAudAddService False 1
Fn
Get Info service_name = HdAudAddService True 1
Fn
Get Info service_name = HDAudBus False 1
Fn
Get Info service_name = HDAudBus True 1
Fn
Get Info service_name = HidBatt False 1
Fn
Get Info service_name = HidBatt True 1
Fn
Get Info service_name = HidBth False 1
Fn
Get Info service_name = HidBth True 1
Fn
Get Info service_name = HidIr False 1
Fn
Get Info service_name = HidIr True 1
Fn
Get Info service_name = hidserv False 1
Fn
Get Info service_name = hidserv True 1
Fn
Get Info service_name = HidUsb False 1
Fn
Get Info service_name = HidUsb True 1
Fn
Get Info service_name = hkmsvc False 1
Fn
Get Info service_name = hkmsvc True 1
Fn
Get Info service_name = HomeGroupListener False 1
Fn
Get Info service_name = HomeGroupListener True 1
Fn
Get Info service_name = HomeGroupProvider False 1
Fn
Get Info service_name = HomeGroupProvider True 1
Fn
Get Info service_name = HpSAMD False 1
Fn
Get Info service_name = HpSAMD True 1
Fn
Get Info service_name = HTTP False 1
Fn
Get Info service_name = HTTP True 1
Fn
Get Info service_name = hwpolicy False 1
Fn
Get Info service_name = hwpolicy True 1
Fn
Get Info service_name = i8042prt False 1
Fn
Get Info service_name = i8042prt True 1
Fn
Get Info service_name = iaStorV False 1
Fn
Get Info service_name = iaStorV True 1
Fn
Get Info service_name = iirsp False 1
Fn
Get Info service_name = iirsp True 1
Fn
Get Info service_name = IKEEXT False 1
Fn
Get Info service_name = IKEEXT True 1
Fn
Get Info service_name = intelide False 1
Fn
Get Info service_name = intelide True 1
Fn
Get Info service_name = intelppm False 1
Fn
Get Info service_name = intelppm True 1
Fn
Get Info service_name = IPBusEnum False 1
Fn
Get Info service_name = IPBusEnum True 1
Fn
Get Info service_name = IpFilterDriver False 1
Fn
Get Info service_name = IpFilterDriver True 1
Fn
Get Info service_name = iphlpsvc False 1
Fn
Get Info service_name = iphlpsvc True 1
Fn
Get Info service_name = IPMIDRV False 1
Fn
Get Info service_name = IPMIDRV True 1
Fn
Get Info service_name = IPNAT False 1
Get Info service_name = IPNAT True 1
Get Info service_name = IRENUM False 1
Get Info service_name = IRENUM True 1
Get Info service_name = isapnp False 1
Get Info service_name = isapnp True 1
Get Info service_name = iScsiPrt False 1
Get Info service_name = iScsiPrt True 1
Get Info service_name = kbdclass False 1
Get Info service_name = kbdclass True 1
Get Info service_name = kbdhid False 1
Get Info service_name = kbdhid True 1
Get Info service_name = KeyIso False 1
Get Info service_name = KeyIso True 1
Get Info service_name = KSecDD False 1
Get Info service_name = KSecDD True 1
Get Info service_name = KSecPkg False 1
Get Info service_name = KSecPkg True 1
Get Info service_name = KtmRm False 1
Get Info service_name = KtmRm True 1
Get Info service_name = LanmanServer False 1
Get Info service_name = LanmanServer True 1
Get Info service_name = LanmanWorkstation False 1
Get Info service_name = LanmanWorkstation True 1
Get Info service_name = lltdio False 1
Get Info service_name = lltdio True 1
Get Info service_name = lltdsvc False 1
Get Info service_name = lltdsvc True 1
Get Info service_name = lmhosts False 1
Get Info service_name = lmhosts True 1
Get Info service_name = LSI_FC False 1
Get Info service_name = LSI_FC True 1
Get Info service_name = LSI_SAS False 1
Get Info service_name = LSI_SAS True 1
Get Info service_name = LSI_SAS2 False 1
Get Info service_name = LSI_SAS2 True 1
Get Info service_name = LSI_SCSI False 1
Get Info service_name = LSI_SCSI True 1
Get Info service_name = luafv False 1
Get Info service_name = luafv True 1
Get Info service_name = Mcx2Svc False 1
Get Info service_name = Mcx2Svc True 1
Get Info service_name = megasas False 1
Get Info service_name = megasas True 1
Get Info service_name = MegaSR False 1
Get Info service_name = MegaSR True 1
Get Info service_name = Microsoft SharePoint Workspace Audit Service False 1
Get Info service_name = Microsoft SharePoint Workspace Audit Service True 1
Get Info service_name = MMCSS False 1
Get Info service_name = MMCSS True 1
Get Info service_name = Modem False 1
Get Info service_name = Modem True 1
Get Info service_name = monitor False 1
Get Info service_name = monitor True 1
Get Info service_name = mouclass False 1
Get Info service_name = mouclass True 1
Get Info service_name = mouhid False 1
Get Info service_name = mouhid True 1
Get Info service_name = mountmgr False 1
Get Info service_name = mountmgr True 1
Get Info service_name = MozillaMaintenance False 1
Get Info service_name = MozillaMaintenance True 1
Get Info service_name = mpio False 1
Get Info service_name = mpio True 1
Get Info service_name = mpsdrv False 1
Get Info service_name = mpsdrv True 1
Get Info service_name = MpsSvc False 1
Get Info service_name = MpsSvc True 1
Get Info service_name = MRxDAV False 1
Get Info service_name = MRxDAV True 1
Get Info service_name = mrxsmb False 1
Get Info service_name = mrxsmb True 1
Get Info service_name = mrxsmb10 False 1
Get Info service_name = mrxsmb10 True 1
Get Info service_name = mrxsmb20 False 1
Get Info service_name = mrxsmb20 True 1
Get Info service_name = msahci False 1
Get Info service_name = msahci True 1
Get Info service_name = msdsm False 1
Get Info service_name = msdsm True 1
Get Info service_name = Msfs False 1
Get Info service_name = Msfs True 1
Get Info service_name = mshidkmdf False 1
Get Info service_name = mshidkmdf True 1
Get Info service_name = msisadrv False 1
Get Info service_name = msisadrv True 1
Get Info service_name = MSiSCSI False 1
Get Info service_name = MSiSCSI True 1
Get Info service_name = msiserver False 1
Get Info service_name = msiserver True 1
Get Info service_name = MSKSSRV False 1
Get Info service_name = MSKSSRV True 1
Get Info service_name = MSPCLOCK False 1
Get Info service_name = MSPCLOCK True 1
Get Info service_name = MSPQM False 1
Get Info service_name = MSPQM True 1
Get Info service_name = MsRPC False 1
Get Info service_name = MsRPC True 1
Get Info service_name = mssmbios False 1
Get Info service_name = mssmbios True 1
Get Info service_name = MSTEE False 1
Get Info service_name = MSTEE True 1
Get Info service_name = MTConfig False 1
Get Info service_name = MTConfig True 1
Get Info service_name = Mup False 1
Get Info service_name = Mup True 1
Get Info service_name = napagent False 1
Get Info service_name = napagent True 1
Get Info service_name = NativeWifiP False 1
Get Info service_name = NativeWifiP True 1
Get Info service_name = NDIS False 1
Get Info service_name = NDIS True 1
Get Info service_name = NdisCap False 1
Get Info service_name = NdisCap True 1
Get Info service_name = NdisTapi False 1
Get Info service_name = NdisTapi True 1
Get Info service_name = Ndisuio False 1
Get Info service_name = Ndisuio True 1
Get Info service_name = NdisWan False 1
Get Info service_name = NdisWan True 1
Get Info service_name = NDProxy False 1
Get Info service_name = NDProxy True 1
Get Info service_name = NetBIOS False 1
Get Info service_name = NetBIOS True 1
Get Info service_name = NetBT False 1
Get Info service_name = NetBT True 1
Get Info service_name = Netlogon False 1
Get Info service_name = Netlogon True 1
Get Info service_name = Netman False 1
Get Info service_name = Netman True 1
Get Info service_name = NetMsmqActivator False 1
Get Info service_name = NetMsmqActivator True 1
Get Info service_name = NetPipeActivator False 1
Get Info service_name = NetPipeActivator True 1
Get Info service_name = netprofm False 1
Get Info service_name = netprofm True 1
Get Info service_name = NetTcpActivator False 1
Get Info service_name = NetTcpActivator True 1
Get Info service_name = NetTcpPortSharing False 1
Get Info service_name = NetTcpPortSharing True 1
Get Info service_name = nfrd960 False 1
Get Info service_name = nfrd960 True 1
Get Info service_name = NlaSvc False 1
Get Info service_name = NlaSvc True 1
Get Info service_name = Npfs False 1
Get Info service_name = Npfs True 1
Get Info service_name = nsi False 1
Get Info service_name = nsi True 1
Get Info service_name = nsiproxy False 1
Get Info service_name = nsiproxy True 1
Get Info service_name = Ntfs False 1
Get Info service_name = Ntfs True 1
Get Info service_name = Null False 1
Get Info service_name = Null True 1
Get Info service_name = nvraid False 1
Get Info service_name = nvraid True 1
Get Info service_name = nvstor False 1
Get Info service_name = nvstor True 1
Get Info service_name = nv_agp False 1
Get Info service_name = nv_agp True 1
Get Info service_name = ohci1394 False 1
Get Info service_name = ohci1394 True 1
Get Info service_name = ose False 1
Get Info service_name = ose True 1
Get Info service_name = osppsvc False 1
Get Info service_name = osppsvc True 1
Get Info service_name = p2pimsvc False 1
Get Info service_name = p2pimsvc True 1
Get Info service_name = p2psvc False 1
Get Info service_name = p2psvc True 1
Get Info service_name = Parport False 1
Get Info service_name = Parport True 1
Get Info service_name = partmgr False 1
Get Info service_name = partmgr True 1
Get Info service_name = Parvdm False 1
Get Info service_name = Parvdm True 1
Get Info service_name = PcaSvc False 1
Get Info service_name = PcaSvc True 1
Get Info service_name = pci False 1
Get Info service_name = pci True 1
Get Info service_name = pciide False 1
Get Info service_name = pciide True 1
Get Info service_name = pcmcia False 1
Get Info service_name = pcmcia True 1
Get Info service_name = pcw False 1
Get Info service_name = pcw True 1
Get Info service_name = PEAUTH False 1
Get Info service_name = PEAUTH True 1
Get Info service_name = PeerDistSvc False 1
Get Info service_name = PeerDistSvc True 1
Get Info service_name = pla False 1
Get Info service_name = pla True 1
Get Info service_name = PlugPlay False 1
Get Info service_name = PlugPlay True 1
Get Info service_name = PNRPAutoReg False 1
Get Info service_name = PNRPAutoReg True 1
Get Info service_name = PNRPsvc False 1
Get Info service_name = PNRPsvc True 1
Get Info service_name = PolicyAgent False 1
Get Info service_name = PolicyAgent True 1
Get Info service_name = Power False 1
Get Info service_name = Power True 1
Get Info service_name = PptpMiniport False 1
Get Info service_name = PptpMiniport True 1
Get Info service_name = Processor False 1
Get Info service_name = Processor True 1
Get Info service_name = ProfSvc False 1
Get Info service_name = ProfSvc True 1
Get Info service_name = ProtectedStorage False 1
Get Info service_name = ProtectedStorage True 1
Get Info service_name = Psched False 1
Get Info service_name = Psched True 1
Get Info service_name = ql2300 False 1
Get Info service_name = ql2300 True 1
Get Info service_name = ql40xx False 1
Get Info service_name = ql40xx True 1
Get Info service_name = QWAVE False 1
Get Info service_name = QWAVE True 1
Get Info service_name = QWAVEdrv False 1
Get Info service_name = QWAVEdrv True 1
Get Info service_name = RasAcd False 1
Get Info service_name = RasAcd True 1
Get Info service_name = RasAgileVpn False 1
Get Info service_name = RasAgileVpn True 1
Get Info service_name = RasAuto False 1
Get Info service_name = RasAuto True 1
Get Info service_name = Rasl2tp False 1
Get Info service_name = Rasl2tp True 1
Get Info service_name = RasMan False 1
Get Info service_name = RasMan True 1
Get Info service_name = RasPppoe False 1
Get Info service_name = RasPppoe True 1
Get Info service_name = RasSstp False 1
Get Info service_name = RasSstp True 1
Get Info service_name = rdbss False 1
Get Info service_name = rdbss True 1
Get Info service_name = rdpbus False 1
Get Info service_name = rdpbus True 1
Get Info service_name = RDPCDD False 1
Get Info service_name = RDPCDD True 1
Get Info service_name = RDPDR False 1
Get Info service_name = RDPDR True 1
Get Info service_name = RDPENCDD False 1
Get Info service_name = RDPENCDD True 1
Get Info service_name = RDPREFMP False 1
Get Info service_name = RDPREFMP True 1
Get Info service_name = RDPWD False 1
Get Info service_name = RDPWD True 1
Get Info service_name = rdyboost False 1
Get Info service_name = rdyboost True 1
Get Info service_name = RemoteAccess False 1
Get Info service_name = RemoteAccess True 1
Get Info service_name = RemoteRegistry False 1
Get Info service_name = RemoteRegistry True 1
Get Info service_name = RpcLocator False 1
Get Info service_name = RpcLocator True 1
Get Info service_name = rspndr False 1
Get Info service_name = rspndr True 1
Get Info service_name = s3cap False 1
Get Info service_name = s3cap True 1
Get Info service_name = SamSs False 1
Get Info service_name = SamSs True 1
Get Info service_name = sbp2port False 1
Get Info service_name = sbp2port True 1
Get Info service_name = SDRSVC False 1
Get Info service_name = SDRSVC True 1
Get Info service_name = secdrv False 1
Get Info service_name = secdrv True 1
Get Info service_name = seclogon False 1
Get Info service_name = seclogon True 1
Get Info service_name = SENS False 1
Get Info service_name = SENS True 1
Get Info service_name = SensrSvc False 1
Get Info service_name = SensrSvc True 1
Get Info service_name = Serenum False 1
Get Info service_name = Serenum True 1
Get Info service_name = Serial False 1
Get Info service_name = Serial True 1
Get Info service_name = sermouse False 1
Get Info service_name = sermouse True 1
Get Info service_name = SessionEnv False 1
Get Info service_name = SessionEnv True 1
Get Info service_name = sffdisk False 1
Get Info service_name = sffdisk True 1
Get Info service_name = sffp_mmc False 1
Get Info service_name = sffp_mmc True 1
Get Info service_name = sffp_sd False 1
Get Info service_name = sffp_sd True 1
Get Info service_name = sfloppy False 1
Get Info service_name = sfloppy True 1
Get Info service_name = SharedAccess False 1
Get Info service_name = SharedAccess True 1
Get Info service_name = ShellHWDetection False 1
Get Info service_name = ShellHWDetection True 1
Get Info service_name = sisagp False 1
Get Info service_name = sisagp True 1
Get Info service_name = SiSRaid2 False 1
Get Info service_name = SiSRaid2 True 1
Get Info service_name = SiSRaid4 False 1
Get Info service_name = SiSRaid4 True 1
Get Info service_name = Smb False 1
Get Info service_name = Smb True 1
Get Info service_name = SNMPTRAP False 1
Get Info service_name = SNMPTRAP True 1
Get Info service_name = spldr False 1
Get Info service_name = spldr True 1
Get Info service_name = Spooler False 1
Get Info service_name = Spooler True 1
Get Info service_name = sppsvc False 1
Get Info service_name = sppsvc True 1
Get Info service_name = sppuinotify False 1
Get Info service_name = sppuinotify True 1
Get Info service_name = srv False 1
Get Info service_name = srv True 1
Get Info service_name = srv2 False 1
Get Info service_name = srv2 True 1
Get Info service_name = srvnet False 1
Get Info service_name = srvnet True 1
Get Info service_name = SSDPSRV False 1
Get Info service_name = SSDPSRV True 1
Get Info service_name = SstpSvc False 1
Get Info service_name = SstpSvc True 1
Get Info service_name = stexstor False 1
Get Info service_name = stexstor True 1
Get Info service_name = StiSvc False 1
Get Info service_name = StiSvc True 1
Get Info service_name = storflt False 1
Get Info service_name = storflt True 1
Get Info service_name = StorSvc False 1
Get Info service_name = StorSvc True 1
Get Info service_name = storvsc False 1
Get Info service_name = storvsc True 1
Get Info service_name = swenum False 1
Get Info service_name = swenum True 1
Get Info service_name = swprv False 1
Get Info service_name = swprv True 1
Get Info service_name = SysMain False 1
Get Info service_name = SysMain True 1
Get Info service_name = TabletInputService False 1
Get Info service_name = TabletInputService True 1
Get Info service_name = TapiSrv False 1
Get Info service_name = TapiSrv True 1
Get Info service_name = TBS False 1
Get Info service_name = TBS True 1
Get Info service_name = Tcpip False 1
Get Info service_name = Tcpip True 1
Get Info service_name = TCPIP6 False 1
Get Info service_name = TCPIP6 True 1
Get Info service_name = tcpipreg False 1
Get Info service_name = tcpipreg True 1
Get Info service_name = TDPIPE False 1
Get Info service_name = TDPIPE True 1
Get Info service_name = TDTCP False 1
Get Info service_name = TDTCP True 1
Get Info service_name = tdx False 1
Get Info service_name = tdx True 1
Get Info service_name = TermDD False 1
Get Info service_name = TermDD True 1
Get Info service_name = TermService False 1
Get Info service_name = TermService True 1
Get Info service_name = Themes False 1
Get Info service_name = Themes True 1
Get Info service_name = THREADORDER False 1
Get Info service_name = THREADORDER True 1
Get Info service_name = TrkWks False 1
Get Info service_name = TrkWks True 1
Get Info service_name = tssecsrv False 1
Get Info service_name = tssecsrv True 1
Get Info service_name = TsUsbFlt False 1
Get Info service_name = TsUsbFlt True 1
Get Info service_name = tunnel False 1
Get Info service_name = tunnel True 1
Get Info service_name = uagp35 False 1
Get Info service_name = uagp35 True 1
Get Info service_name = udfs False 1
Get Info service_name = udfs True 1
Get Info service_name = UI0Detect False 1
Get Info service_name = UI0Detect True 1
Get Info service_name = uliagpkx False 1
Get Info service_name = uliagpkx True 1
Get Info service_name = umbus False 1
Get Info service_name = umbus True 1
Get Info service_name = UmPass False 1
Get Info service_name = UmPass True 1
Get Info service_name = UmRdpService False 1
Get Info service_name = UmRdpService True 1
Get Info service_name = upnphost False 1
Get Info service_name = upnphost True 1
Get Info service_name = usbccgp False 1
Get Info service_name = usbccgp True 1
Get Info service_name = usbcir False 1
Get Info service_name = usbcir True 1
Get Info service_name = usbehci False 1
Get Info service_name = usbehci True 1
Get Info service_name = usbhub False 1
Get Info service_name = usbhub True 1
Get Info service_name = usbohci False 1
Get Info service_name = usbohci True 1
Get Info service_name = usbprint False 1
Get Info service_name = usbprint True 1
Get Info service_name = USBSTOR False 1
Get Info service_name = USBSTOR True 1
Get Info service_name = usbuhci False 1
Get Info service_name = usbuhci True 1
Get Info service_name = UxSms False 1
Get Info service_name = UxSms True 1
Get Info service_name = VaultSvc False 1
Get Info service_name = VaultSvc True 1
Get Info service_name = vdrvroot False 1
Get Info service_name = vdrvroot True 1
Get Info service_name = vds False 1
Get Info service_name = vds True 1
Get Info service_name = vga False 1
Get Info service_name = vga True 1
Get Info service_name = VgaSave False 1
Get Info service_name = VgaSave True 1
Get Info service_name = vhdmp False 1
Get Info service_name = vhdmp True 1
Get Info service_name = viaagp False 1
Get Info service_name = viaagp True 1
Get Info service_name = ViaC7 False 1
Get Info service_name = ViaC7 True 1
Get Info service_name = viaide False 1
Get Info service_name = viaide True 1
Get Info service_name = vmbus False 1
Get Info service_name = vmbus True 1
Get Info service_name = VMBusHID False 1
Get Info service_name = VMBusHID True 1
Get Info service_name = volmgr False 1
Get Info service_name = volmgr True 1
Get Info service_name = volmgrx False 1
Get Info service_name = volmgrx True 1
Get Info service_name = volsnap False 1
Get Info service_name = volsnap True 1
Get Info service_name = vsmraid False 1
Get Info service_name = vsmraid True 1
Get Info service_name = VSS False 1
Get Info service_name = VSS True 1
Get Info service_name = vwifibus False 1
Get Info service_name = vwifibus True 1
Get Info service_name = W32Time False 1
Get Info service_name = W32Time True 1
Get Info service_name = WacomPen False 1
Get Info service_name = WacomPen True 1
Get Info service_name = WANARP False 1
Get Info service_name = WANARP True 1
Get Info service_name = Wanarpv6 False 1
Get Info service_name = Wanarpv6 True 1
Get Info service_name = wbengine False 1
Get Info service_name = wbengine True 1
Get Info service_name = WbioSrvc False 1
Get Info service_name = WbioSrvc True 1
Get Info service_name = wcncsvc False 1
Get Info service_name = wcncsvc True 1
Get Info service_name = WcsPlugInService False 1
Get Info service_name = WcsPlugInService True 1
Get Info service_name = Wd False 1
Get Info service_name = Wd True 1
Get Info service_name = Wdf01000 False 1
Get Info service_name = Wdf01000 True 1
Get Info service_name = WebClient False 1
Get Info service_name = WebClient True 1
Get Info service_name = Wecsvc False 1
Get Info service_name = Wecsvc True 1
Get Info service_name = wercplsupport False 1
Get Info service_name = wercplsupport True 1
Get Info service_name = WerSvc False 1
Get Info service_name = WerSvc True 1
Get Info service_name = WfpLwf False 1
Get Info service_name = WfpLwf True 1
Get Info service_name = WIMMount False 1
Get Info service_name = WIMMount True 1
Get Info service_name = WinDefend False 1
Get Info service_name = WinDefend True 1
Get Info service_name = WinHttpAutoProxySvc False 1
Get Info service_name = WinHttpAutoProxySvc True 1
Get Info service_name = Winmgmt False 1
Get Info service_name = Winmgmt True 1
Get Info service_name = WinRM False 1
Get Info service_name = WinRM True 1
Get Info service_name = Wlansvc False 1
Get Info service_name = Wlansvc True 1
Get Info service_name = WmiAcpi False 1
Get Info service_name = WmiAcpi True 1
Get Info service_name = wmiApSrv False 1
Get Info service_name = wmiApSrv True 1
Get Info service_name = WMPNetworkSvc False 1
Get Info service_name = WMPNetworkSvc True 1
Get Info service_name = WPCSvc False 1
Get Info service_name = WPCSvc True 1
Get Info service_name = WPDBusEnum False 1
Get Info service_name = WPDBusEnum True 1
Get Info service_name = ws2ifsl False 1
Get Info service_name = ws2ifsl True 1
Get Info service_name = wscsvc False 1
Get Info service_name = wscsvc True 1
Get Info service_name = WSearch False 1
Get Info service_name = WSearch True 1
Get Info service_name = wuauserv False 1
Get Info service_name = wuauserv True 1
Get Info service_name = WudfPf False 1
Get Info service_name = WudfPf True 1
Get Info service_name = wudfsvc False 1
Get Info service_name = wudfsvc True 1
Get Info service_name = WwanSvc False 1
Get Info service_name = WwanSvc True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive False 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive False 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive False 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive False 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive False 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive False 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive False 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive False 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive False 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Open database_name = ServicesActive True 1
Fn
Set Config service_name = BFE True 1
Fn
Set Config service_name = MpsSvc True 1
Fn
Set Config service_name = SharedAccess True 1
Fn
Set Config service_name = WinDefend True 1
Fn
Set Config service_name = wscsvc True 1
Fn
Set Config service_name = wuauserv True 1
Fn
For performance reasons, the remaining 517 entries are omitted.
The remaining entries can be found in glog.xml.
User (1)
Operation Additional Information Success Count
Lookup Privilege privilege = SeShutdownPrivilege, luid = 19 True 1
System (9)
Operation Additional Information Success Count
Sleep duration = 3600000 milliseconds (3600.000 seconds) True 1
Get Time type = System Time, time = 2018-03-15 15:15:26 (UTC) True 1
Get Time type = Ticks, time = 98499 True 1
Power Control type = SHUTDOWN_NOREBOOT, reason = SHTDN_REASON_MAJOR_HARDWARE, SHTDN_REASON_MAJOR_APPLICATION True 1
Get Info type = System Directory, result_out = C:\Windows\system32 True 5
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Process #5: cmd.exe
Information Value
ID #5
File Name c:\windows\system32\cmd.exe
Command Line C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:44, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:34
OS Process Information
Information Value
PID 0xa54
Parent PID 0xa38 (c:\users\eebsym5\appdata\local\temp\_aaq.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False -
private_0x00000000000f0000 0x000f0000 0x000fffff Private Memory Readable, Writable True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory Readable, Writable True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000270000 0x00270000 0x00337fff Pagefile Backed Memory Readable True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000470000 0x00470000 0x00570fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000580000 0x00580000 0x0117ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001180000 0x01180000 0x012e2fff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x012f0000 0x015befff Memory Mapped File Readable False False False -
cmd.exe 0x4a320000 0x4a36bfff Memory Mapped File Readable, Writable, Executable True False False -
winbrand.dll 0x73120000 0x73126fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f70000 0x75fb9fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x761d0000 0x762a3fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x762b0000 0x762cefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x765f0000 0x765f9fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x773f0000 0x7748cfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77720000 0x777cbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77ad0000 0x77b98fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77ba0000 0x77c6bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77c80000 0x77ccdfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Host Behavior
File (11)
Operation Filename Additional Information Success Count
Get Info C:\Users\EEBsYm5\Desktop type = file_attributes True 2
Open STD_OUTPUT_HANDLE - True 5
Open STD_INPUT_HANDLE - True 4
Registry (17)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 208, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Process (1)
Operation Process Additional Information Success Count
Create c:\Windows\system32\vssadmin.exe os_pid = 0xb20, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Module (8)
Operation Module Additional Information Success Count
Get Handle c:\windows\system32\cmd.exe base_address = 0x4a320000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x761d0000 True 2
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x762224c2 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7620ac6c True 1
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x76213ea8 True 1
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x76222732 True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-03-15 15:15:26 (UTC) True 1
Get Time type = Ticks, time = 98967 True 1
Environment (18)
Operation Additional Information Success Count
Get Environment String - True 7
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Users\EEBsYm5\Desktop True 1
Set Environment String name = COPYCMD True 1
Set Environment String name = =ExitCode, value = 00000002 True 1
Set Environment String name = =ExitCodeAscii True 1
Process #6: vssadmin.exe
Information Value
ID #6
File Name c:\windows\system32\vssadmin.exe
Command Line c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:47, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:31
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb20
Parent PID 0xa54 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB24, 0xB28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000070000 0x00070000 0x0007ffff Private Memory Readable, Writable True False False -
vssadmin.exe.mui 0x00080000 0x0008cfff Memory Mapped File Readable, Writable False False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory Readable, Writable True False False -
private_0x00000000000a0000 0x000a0000 0x000a0fff Private Memory Readable, Writable True False False -
private_0x00000000000b0000 0x000b0000 0x000effff Private Memory Readable, Writable True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File Readable False False False -
pagefile_0x0000000000160000 0x00160000 0x00227fff Pagefile Backed Memory Readable True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000390000 0x00390000 0x00490fff Pagefile Backed Memory Readable True False False -
vssadmin.exe 0x00c30000 0x00c4efff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000c50000 0x00c50000 0x0184ffff Pagefile Backed Memory Readable True False False -
vsstrace.dll 0x72710000 0x7271ffff Memory Mapped File Readable, Writable, Executable False False False -
vssapi.dll 0x72720000 0x72835fff Memory Mapped File Readable, Writable, Executable False False False -
atl.dll 0x741f0000 0x74203fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75e20000 0x75e2bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f70000 0x75fb9fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x761d0000 0x762a3fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x762b0000 0x762cefff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x762e0000 0x762f8fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x765f0000 0x765f9fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x76700000 0x7679ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x773f0000 0x7748cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77550000 0x775f0fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x77690000 0x7771efff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77720000 0x777cbfff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x77970000 0x77acbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77ad0000 0x77b98fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77ba0000 0x77c6bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77c80000 0x77ccdfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffd3000 0x7ffd3000 0x7ffd3fff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Process #7: cmd.exe
Information Value
ID #7
File Name c:\windows\system32\cmd.exe
Command Line C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:48, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:30
OS Process Information
Information Value
PID 0xb3c
Parent PID 0xa38 (c:\users\eebsym5\appdata\local\temp\_aaq.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000150000 0x00150000 0x00156fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000160000 0x00160000 0x00161fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory Readable, Writable True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory Readable, Writable True False False -
locale.nls 0x00280000 0x002e6fff Memory Mapped File Readable False False False -
pagefile_0x00000000002f0000 0x002f0000 0x003b7fff Pagefile Backed Memory Readable True False False -
private_0x00000000003c0000 0x003c0000 0x003c0fff Private Memory Readable, Writable True False False -
private_0x00000000003f0000 0x003f0000 0x003fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000400000 0x00400000 0x00500fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000510000 0x00510000 0x0110ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001110000 0x01110000 0x01272fff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01280000 0x0154efff Memory Mapped File Readable False False False -
cmd.exe 0x4a990000 0x4a9dbfff Memory Mapped File Readable, Writable, Executable True False False -
winbrand.dll 0x73120000 0x73126fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f70000 0x75fb9fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x761d0000 0x762a3fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x762b0000 0x762cefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x765f0000 0x765f9fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x773f0000 0x7748cfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77720000 0x777cbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77ad0000 0x77b98fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77ba0000 0x77c6bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77c80000 0x77ccdfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Host Behavior
File (12)
Operation Filename Additional Information Success Count
Get Info C:\Users\EEBsYm5\Desktop type = file_attributes True 2
Get Info wbadmin.exe type = file_attributes False 1
Open STD_OUTPUT_HANDLE - True 5
Open STD_INPUT_HANDLE - True 4
Registry (17)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 104, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Windows\system32\wbadmin.exe os_pid = 0xb54, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Module (8)
Operation Module Additional Information Success Count
Get Handle c:\windows\system32\cmd.exe base_address = 0x4a990000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x761d0000 True 2
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x762224c2 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7620ac6c True 1
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x76213ea8 True 1
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x76222732 True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-03-15 15:15:27 (UTC) True 1
Get Time type = Ticks, time = 99778 True 1
Environment (19)
Operation Additional Information Success Count
Get Environment String - True 7
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 2
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Users\EEBsYm5\Desktop True 1
Set Environment String name = COPYCMD True 1
Set Environment String name = =ExitCode, value = 00000000 True 1
Set Environment String name = =ExitCodeAscii True 1
Process #8: wbadmin.exe
Information Value
ID #8
File Name c:\windows\system32\wbadmin.exe
Command Line wbadmin.exe delete catalog -quiet
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:48, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:30
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb54
Parent PID 0xb3c (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB58, 0xB5C, 0xB64, 0xB68, 0xB6C, 0xB70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory Readable, Writable True False False -
wbadmin.exe.mui 0x000e0000 0x0010afff Memory Mapped File Readable, Writable False False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory Readable, Writable True False False -
private_0x0000000000120000 0x00120000 0x00120fff Private Memory Readable, Writable True False False -
private_0x0000000000130000 0x00130000 0x0016ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000170000 0x00170000 0x00237fff Pagefile Backed Memory Readable True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000340000 0x00340000 0x00440fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000450000 0x00450000 0x00451fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000460000 0x00460000 0x00460fff Pagefile Backed Memory Readable True False False -
private_0x0000000000470000 0x00470000 0x0047ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000480000 0x00480000 0x00481fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000490000 0x00490000 0x00490fff Pagefile Backed Memory Readable True False False -
wbadmin.exe 0x00510000 0x00549fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000550000 0x00550000 0x0114ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001150000 0x01150000 0x01542fff Pagefile Backed Memory Readable True False False -
private_0x0000000001590000 0x01590000 0x015cffff Private Memory Readable, Writable True False False -
private_0x0000000001620000 0x01620000 0x0165ffff Private Memory Readable, Writable True False False -
private_0x00000000016e0000 0x016e0000 0x0171ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x01720000 0x019eefff Memory Mapped File Readable False False False -
private_0x0000000001a90000 0x01a90000 0x01acffff Private Memory Readable, Writable True False False -
private_0x0000000001b20000 0x01b20000 0x01b5ffff Private Memory Readable, Writable True False False -
credui.dll 0x72f00000 0x72f2afff Memory Mapped File Readable, Writable, Executable False False False -
blb_ps.dll 0x72f50000 0x72f59fff Memory Mapped File Readable, Writable, Executable False False False -
slc.dll 0x741c0000 0x741c9fff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x74eb0000 0x7504dfff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x75740000 0x7577afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x759a0000 0x759b5fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75e20000 0x75e2bfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x75ec0000 0x75ecdfff Memory Mapped File Readable, Writable, Executable False False False -
devobj.dll 0x75f50000 0x75f61fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f70000 0x75fb9fff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x76170000 0x76196fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x761d0000 0x762a3fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x762b0000 0x762cefff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x762e0000 0x762f8fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x76300000 0x76356fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x765f0000 0x765f9fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x76700000 0x7679ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x773f0000 0x7748cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77550000 0x775f0fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x77600000 0x77682fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x77690000 0x7771efff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77720000 0x777cbfff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x77970000 0x77acbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77ad0000 0x77b98fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77ba0000 0x77c6bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77c80000 0x77ccdfff Memory Mapped File Readable, Writable, Executable False False False -
setupapi.dll 0x77cd0000 0x77e6cfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory Readable, Writable True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory Readable, Writable True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory Readable, Writable True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory Readable, Writable True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Process #12: cmd.exe
Information Value
ID #12
File Name c:\windows\system32\cmd.exe
Command Line C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:50, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:28
OS Process Information
Information Value
PID 0xbec
Parent PID 0xa38 (c:\users\eebsym5\appdata\local\temp\_aaq.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xBF0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory Readable, Writable True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory Readable, Writable True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000400000 0x00400000 0x004c7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000004d0000 0x004d0000 0x005d0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000005e0000 0x005e0000 0x011dffff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000011e0000 0x011e0000 0x01342fff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01350000 0x0161efff Memory Mapped File Readable False False False -
cmd.exe 0x49de0000 0x49e2bfff Memory Mapped File Readable, Writable, Executable True False False -
winbrand.dll 0x72ec0000 0x72ec6fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f70000 0x75fb9fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x761d0000 0x762a3fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x762b0000 0x762cefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x765f0000 0x765f9fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x773f0000 0x7748cfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77720000 0x777cbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77ad0000 0x77b98fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77ba0000 0x77c6bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77c80000 0x77ccdfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Host Behavior
File (12)
Operation Filename Additional Information Success Count
Get Info C:\Users\EEBsYm5\Desktop type = file_attributes True 2
Get Info bcdedit.exe type = file_attributes False 1
Open STD_OUTPUT_HANDLE - True 5
Open STD_INPUT_HANDLE - True 4
Registry (17)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 136, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Process (2)
Operation Process Additional Information Success Count
Create C:\Windows\system32\bcdedit.exe os_pid = 0xc04, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Create C:\Windows\system32\bcdedit.exe os_pid = 0xc0c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Module (8)
Operation Module Additional Information Success Count
Get Handle c:\windows\system32\cmd.exe base_address = 0x49de0000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x761d0000 True 2
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x762224c2 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7620ac6c True 1
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x76213ea8 True 1
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x76222732 True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-03-15 15:15:29 (UTC) True 1
Get Time type = Ticks, time = 101993 True 1
Environment (27)
Operation Additional Information Success Count
Get Environment String - True 10
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 3
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 3
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Users\EEBsYm5\Desktop True 1
Set Environment String name = COPYCMD True 2
Set Environment String name = =ExitCode, value = 00000000 True 2
Set Environment String name = =ExitCodeAscii True 2
Process #13: bcdedit.exe
Information Value
ID #13
File Name c:\windows\system32\bcdedit.exe
Command Line bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:50, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:28
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc04
Parent PID 0xbec (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC08
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
private_0x00000000000b0000 0x000b0000 0x000effff Private Memory Readable, Writable True False False -
bcdedit.exe 0x00180000 0x001c9fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Process #14: bcdedit.exe
Information Value
ID #14
File Name c:\windows\system32\bcdedit.exe
Command Line bcdedit /set {default} recoveryenabled no
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:51, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:27
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc0c
Parent PID 0xbec (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC10
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
private_0x0000000000210000 0x00210000 0x0024ffff Private Memory Readable, Writable True False False -
bcdedit.exe 0x00980000 0x009c9fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Process #15: cmd.exe
Information Value
ID #15
File Name c:\windows\system32\cmd.exe
Command Line C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:51, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:27
OS Process Information
Information Value
PID 0xc14
Parent PID 0xa38 (c:\users\eebsym5\appdata\local\temp\_aaq.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000150000 0x00150000 0x00156fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000160000 0x00160000 0x00161fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory Readable, Writable True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory Readable, Writable True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory Readable, Writable True False False -
locale.nls 0x002a0000 0x00306fff Memory Mapped File Readable False False False -
pagefile_0x0000000000310000 0x00310000 0x003d7fff Pagefile Backed Memory Readable True False False -
private_0x0000000000430000 0x00430000 0x0043ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000440000 0x00440000 0x00540fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000550000 0x00550000 0x0114ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001150000 0x01150000 0x012b2fff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x012c0000 0x0158efff Memory Mapped File Readable False False False -
cmd.exe 0x4a200000 0x4a24bfff Memory Mapped File Readable, Writable, Executable True False False -
winbrand.dll 0x73120000 0x73126fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f70000 0x75fb9fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x761d0000 0x762a3fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x762b0000 0x762cefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x765f0000 0x765f9fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x773f0000 0x7748cfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77720000 0x777cbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77ad0000 0x77b98fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77ba0000 0x77c6bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77c80000 0x77ccdfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffd3000 0x7ffd3000 0x7ffd3fff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Host Behavior
File (12)
Operation Filename Additional Information Success Count
Get Info C:\Users\EEBsYm5\Desktop type = file_attributes True 2
Get Info wevtutil.exe type = file_attributes False 1
Open STD_OUTPUT_HANDLE - True 5
Open STD_INPUT_HANDLE - True 4
Registry (17)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Windows\system32\wevtutil.exe os_pid = 0xc2c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Module (8)
Operation Module Additional Information Success Count
Get Handle c:\windows\system32\cmd.exe base_address = 0x4a200000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x761d0000 True 2
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x762224c2 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7620ac6c True 1
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x76213ea8 True 1
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x76222732 True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-03-15 15:15:30 (UTC) True 1
Get Time type = Ticks, time = 102196 True 1
Environment (19)
Operation Additional Information Success Count
Get Environment String - True 7
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 2
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Users\EEBsYm5\Desktop True 1
Set Environment String name = COPYCMD True 1
Set Environment String name = =ExitCode, value = 00000000 True 1
Set Environment String name = =ExitCodeAscii True 1
Process #16: wevtutil.exe
Information Value
ID #16
File Name c:\windows\system32\wevtutil.exe
Command Line wevtutil.exe cl System
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:51, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:27
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc2c
Parent PID 0xc14 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC30
0xC34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
locale.nls 0x00090000 0x000f6fff Memory Mapped File Readable False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000240000 0x00240000 0x00307fff Pagefile Backed Memory Readable True False False -
private_0x0000000000360000 0x00360000 0x0036ffff Private Memory Readable, Writable True False False -
wevtutil.exe 0x004a0000 0x004ccfff Memory Mapped File Readable, Writable, Executable False False False -
credui.dll 0x72f00000 0x72f2afff Memory Mapped File Readable, Writable, Executable False False False -
wevtapi.dll 0x75b60000 0x75ba1fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f70000 0x75fb9fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x761d0000 0x762a3fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x762b0000 0x762cefff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x762e0000 0x762f8fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x765f0000 0x765f9fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x76700000 0x7679ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x773f0000 0x7748cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77550000 0x775f0fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x77690000 0x7771efff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77720000 0x777cbfff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x77970000 0x77acbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77ad0000 0x77b98fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77ba0000 0x77c6bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77c80000 0x77ccdfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Process #17: cmd.exe
Information Value
ID #17
File Name c:\windows\system32\cmd.exe
Command Line C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:51, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:27
OS Process Information
Information Value
PID 0xc50
Parent PID 0xa38 (c:\users\eebsym5\appdata\local\temp\_aaq.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000c0000 0x000c0000 0x00187fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000190000 0x00190000 0x00196fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000001b0000 0x001b0000 0x001b0fff Private Memory Readable, Writable True False False -
private_0x00000000001c0000 0x001c0000 0x001c0fff Private Memory Readable, Writable True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory Readable, Writable True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000480000 0x00480000 0x00580fff Pagefile Backed Memory Readable True False False -
private_0x0000000000670000 0x00670000 0x0067ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000680000 0x00680000 0x0127ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001280000 0x01280000 0x013e2fff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x013f0000 0x016befff Memory Mapped File Readable False False False -
cmd.exe 0x4a640000 0x4a68bfff Memory Mapped File Readable, Writable, Executable True False False -
winbrand.dll 0x72ec0000 0x72ec6fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f70000 0x75fb9fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x761d0000 0x762a3fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x762b0000 0x762cefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x765f0000 0x765f9fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x773f0000 0x7748cfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77720000 0x777cbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77ad0000 0x77b98fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77ba0000 0x77c6bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77c80000 0x77ccdfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Host Behavior
File (12)
Operation Filename Additional Information Success Count
Get Info C:\Users\EEBsYm5\Desktop type = file_attributes True 2
Get Info wevtutil.exe type = file_attributes False 1
Open STD_OUTPUT_HANDLE - True 5
Open STD_INPUT_HANDLE - True 4
Registry (17)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 72, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Windows\system32\wevtutil.exe os_pid = 0xc68, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Module (8)
Operation Module Additional Information Success Count
Get Handle c:\windows\system32\cmd.exe base_address = 0x4a640000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x761d0000 True 2
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x762224c2 True 1
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7620ac6c True 1
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x76213ea8 True 1
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x76222732 True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2018-03-15 15:15:30 (UTC) True 1
Get Time type = Ticks, time = 102586 True 1
Environment (19)
Operation Additional Information Success Count
Get Environment String - True 7
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 2
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Users\EEBsYm5\Desktop True 1
Set Environment String name = COPYCMD True 1
Set Environment String name = =ExitCode, value = 00000000 True 1
Set Environment String name = =ExitCodeAscii True 1
Process #18: wevtutil.exe
Information Value
ID #18
File Name c:\windows\system32\wevtutil.exe
Command Line wevtutil.exe cl Security
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:51, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:27
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc68
Parent PID 0xc50 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xC6C, 0xC70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory Readable, Writable True False False -
private_0x00000000001d0000 0x001d0000 0x0020ffff Private Memory Readable, Writable True False False -
wevtutil.exe 0x00260000 0x0028cfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000290000 0x00290000 0x00357fff Pagefile Backed Memory Readable True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory Readable, Writable True False False -
credui.dll 0x72f00000 0x72f2afff Memory Mapped File Readable, Writable, Executable False False False -
wevtapi.dll 0x75b60000 0x75ba1fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f70000 0x75fb9fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x761d0000 0x762a3fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x762b0000 0x762cefff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x762e0000 0x762f8fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x765f0000 0x765f9fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x76700000 0x7679ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x773f0000 0x7748cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77550000 0x775f0fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x77690000 0x7771efff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77720000 0x777cbfff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x77970000 0x77acbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77ad0000 0x77b98fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77ba0000 0x77c6bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77c80000 0x77ccdfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -