edb1ff25...3eb9 | Sequential Behavior
VTI SCORE: 97/100
Target: win7_32_sp1 | exe
Classification: Trojan, Dropper, Pua

edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9 (SHA256)

OlympicDestroyer.exe

Windows Exe (x86-32)

Created at 2018-03-15 15:14:00

Notifications (1/1)

The overall sleep time of all monitored processes was truncated from "1 hour" to "10 seconds" to reveal dormant functionality.

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0xa0c Analysis Target High (Elevated) olympicdestroyer.exe "C:\Users\EEBsYm5\Desktop\OlympicDestroyer.exe" -
#2 0xa18 Child Process High (Elevated) xtbrb.exe 123 \\.\pipe\DDC210D0-5FCE-4636-B79C-32457B89BBE4 #1
#3 0xa2c Child Process High (Elevated) ilvai.exe 123 \\.\pipe\7DE670E9-B7B8-48DA-BA85-FF4203050C88 #1
#4 0xa38 Child Process High (Elevated) _aaq.exe "C:\Users\EEBsYm5\AppData\Local\Temp\_aaq.exe" #1
#5 0xa54 Child Process High (Elevated) cmd.exe C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet #4
#6 0xb20 Child Process High (Elevated) vssadmin.exe c:\Windows\system32\vssadmin.exe delete shadows /all /quiet #5
#7 0xb3c Child Process High (Elevated) cmd.exe C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet #4
#8 0xb54 Child Process High (Elevated) wbadmin.exe wbadmin.exe delete catalog -quiet #7
#12 0xbec Child Process High (Elevated) cmd.exe C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no #4
#13 0xc04 Child Process High (Elevated) bcdedit.exe bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures #12
#14 0xc0c Child Process High (Elevated) bcdedit.exe bcdedit /set {default} recoveryenabled no #12
#15 0xc14 Child Process High (Elevated) cmd.exe C:\Windows\system32\cmd.exe /c wevtutil.exe cl System #4
#16 0xc2c Child Process High (Elevated) wevtutil.exe wevtutil.exe cl System #15
#17 0xc50 Child Process High (Elevated) cmd.exe C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security #4
#18 0xc68 Child Process High (Elevated) wevtutil.exe wevtutil.exe cl Security #17

Behavior Information - Sequential View

Process #1: olympicdestroyer.exe
556 0
Information Value
ID #1
File Name c:\users\eebsym5\desktop\olympicdestroyer.exe
Command Line "C:\Users\EEBsYm5\Desktop\OlympicDestroyer.exe"
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:26, Reason: Analysis Target
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:52
OS Process Information
Information Value
PID 0xa0c
Parent PID 0x608 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA10, 0xA14, 0xA40, 0xA44, 0xA4C, 0xA50, 0xA5C, 0xA60, 0xA6C, 0xA74, 0xA78, 0xA7C, 0xA98, 0xB2C, 0xB30, 0xB34, 0xA10
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x0012ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000130000 0x00130000 0x00133fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000140000 0x00140000 0x00140fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00150000 0x001b6fff Memory Mapped File Readable False False False -
private_0x00000000001c0000 0x001c0000 0x001c0fff Private Memory Readable, Writable True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001e0000 0x001e0000 0x001e0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000001f0000 0x001f0000 0x002effff Private Memory Readable, Writable True False False -
pagefile_0x00000000002f0000 0x002f0000 0x002f1fff Pagefile Backed Memory Readable True False False -
rsaenh.dll 0x00300000 0x0033bfff Memory Mapped File Readable False False False -
rpcss.dll 0x00300000 0x0035bfff Memory Mapped File Readable False False False -
pagefile_0x0000000000300000 0x00300000 0x00300fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000310000 0x00310000 0x00310fff Pagefile Backed Memory Readable True False False -
private_0x0000000000360000 0x00360000 0x0036ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000370000 0x00370000 0x00437fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000440000 0x00440000 0x00540fff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x00550000 0x0081efff Memory Mapped File Readable False False False -
private_0x0000000000820000 0x00820000 0x008dbfff Private Memory Readable, Writable True False False -
private_0x00000000008e0000 0x008e0000 0x0095ffff Private Memory Readable, Writable True False False -
private_0x0000000000980000 0x00980000 0x00a7ffff Private Memory Readable, Writable True False False -
private_0x0000000000a80000 0x00a80000 0x00b3bfff Private Memory Readable, Writable True False False -
private_0x0000000000b40000 0x00b40000 0x00c3ffff Private Memory Readable, Writable True False False -
private_0x0000000000c40000 0x00c40000 0x00e06fff Private Memory Readable, Writable True False False -
private_0x0000000000e10000 0x00e10000 0x00ebffff Private Memory Readable, Writable True False False -
private_0x0000000000ed0000 0x00ed0000 0x00fcffff Private Memory Readable, Writable True False False -
olympicdestroyer.exe 0x01020000 0x011eafff Memory Mapped File Readable, Writable, Executable True True False
pagefile_0x00000000011f0000 0x011f0000 0x01deffff Pagefile Backed Memory Readable True False False -
private_0x0000000001df0000 0x01df0000 0x01eeffff Private Memory Readable, Writable True False False -
private_0x0000000001ef0000 0x01ef0000 0x01feffff Private Memory Readable, Writable True False False -
private_0x0000000002000000 0x02000000 0x020fffff Private Memory Readable, Writable True False False -
private_0x0000000002100000 0x02100000 0x021fffff Private Memory Readable, Writable True False False -
private_0x0000000002290000 0x02290000 0x0238ffff Private Memory Readable, Writable True False False -
private_0x0000000002400000 0x02400000 0x024fffff Private Memory Readable, Writable True False False -
private_0x0000000002510000 0x02510000 0x0260ffff Private Memory Readable, Writable True False False -
private_0x0000000002610000 0x02610000 0x027effff Private Memory Readable, Writable True False False -
private_0x0000000002610000 0x02610000 0x0270ffff Private Memory Readable, Writable True False False -
private_0x0000000002670000 0x02670000 0x0276ffff Private Memory Readable, Writable True False False -
private_0x0000000002690000 0x02690000 0x0278ffff Private Memory Readable, Writable True False False -
private_0x0000000002710000 0x02710000 0x0280ffff Private Memory Readable, Writable True False False -
private_0x0000000002790000 0x02790000 0x028affff Private Memory Readable, Writable True False False -
private_0x00000000027b0000 0x027b0000 0x027effff Private Memory Readable, Writable True False False -
private_0x00000000028a0000 0x028a0000 0x028affff Private Memory Readable, Writable True False False -
private_0x0000000002950000 0x02950000 0x02a4ffff Private Memory Readable, Writable True False False -
private_0x00000000029c0000 0x029c0000 0x02abffff Private Memory Readable, Writable True False False -
private_0x0000000002bd0000 0x02bd0000 0x02ccffff Private Memory Readable, Writable True False False -
private_0x0000000002e70000 0x02e70000 0x02f6ffff Private Memory Readable, Writable True False False -
rasadhlp.dll 0x6f850000 0x6f855fff Memory Mapped File Readable, Writable, Executable False False False -
wbemprox.dll 0x708f0000 0x708f9fff Memory Mapped File Readable, Writable, Executable False False False -
wbemcomn.dll 0x709f0000 0x70a4bfff Memory Mapped File Readable, Writable, Executable False False False -
api-ms-win-core-synch-l1-2-0.dll 0x72db0000 0x72db2fff Memory Mapped File Readable, Writable, Executable False False False -
credui.dll 0x72f00000 0x72f2afff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x73fe0000 0x74017fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x74120000 0x74126fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x74130000 0x7414bfff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x74240000 0x7424ffff Memory Mapped File Readable, Writable, Executable False False False -
wkscli.dll 0x74790000 0x7479efff Memory Mapped File Readable, Writable, Executable False False False -
netutils.dll 0x747a0000 0x747a8fff Memory Mapped File Readable, Writable, Executable False False False -
netapi32.dll 0x747b0000 0x747c0fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x74880000 0x74887fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x74890000 0x748a1fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x748c0000 0x748cffff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x74eb0000 0x7504dfff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x75740000 0x7577afff Memory Mapped File Readable, Writable, Executable False False False -
logoncli.dll 0x757f0000 0x75811fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x75820000 0x75863fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x75960000 0x7599bfff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x759a0000 0x759b5fff Memory Mapped File Readable, Writable, Executable False False False -
srvcli.dll 0x75d70000 0x75d88fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75e20000 0x75e2bfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x75ec0000 0x75ecdfff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x75ed0000 0x75edafff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f70000 0x75fb9fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x761d0000 0x762a3fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x762b0000 0x762cefff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x762d0000 0x762d5fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x762e0000 0x762f8fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x76300000 0x76356fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x765f0000 0x765f9fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x76700000 0x7679ffff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x767a0000 0x773e9fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x773f0000 0x7748cfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x77510000 0x77544fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77550000 0x775f0fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x77600000 0x77682fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x77690000 0x7771efff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77720000 0x777cbfff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x77970000 0x77acbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77ad0000 0x77b98fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77ba0000 0x77c6bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77c80000 0x77ccdfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffd3000 0x7ffd3000 0x7ffd3fff Private Memory Readable, Writable True False False -
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory Readable, Writable True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd5fff Private Memory Readable, Writable True False False -
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory Readable, Writable True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory Readable, Writable True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory Readable, Writable True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory Readable, Writable True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory Readable, Writable True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory Readable, Writable True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory Readable, Writable True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Created Files
Filename File Size MD5 SHA1 SHA256 YARA Match
c:\users\public\5712465812cbddbc332de65cbaaaf3eb 0.00 KB d41d8cd98f00b204e9800998ecf8427e da39a3ee5e6b4b0d3255bfef95601890afd80709 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 False
c:\users\eebsym5\appdata\local\temp\_tqo.exe 0.00 KB d41d8cd98f00b204e9800998ecf8427e da39a3ee5e6b4b0d3255bfef95601890afd80709 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 False
c:\users\eebsym5\appdata\local\temp\xtbrb.exe 751.50 KB 4f43f03783f9789f804dcf9b9474fa6d 492d4a4a74099074e26b5dffd0d15434009ccfd9 19ab44a1343db19741b0e0b06bacce55990b6c8f789815daaf3476e0cc30ebea False
c:\users\eebsym5\appdata\local\temp\ilvai.exe 226.00 KB 6e0ebeeea1cb00192b074b288a4f9cfe 21ca710ed3bc536bd5394f0bff6d6140809156cf a52af66a4438c5517870c503ac1e0515af44d3994aa62c7d818b6eef46cfbb2d False
c:\users\eebsym5\appdata\local\temp\_tqo.exe 1.78 MB cfdd16225e67471f5ef54cab9b3a5558 26de43cc558a4e0e60eddd4dc9321bcb5a0a181c edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9 False
c:\users\eebsym5\appdata\local\temp\_tqo.exe 1.78 MB 99e6fa0641c7fb15bb95e9b333c92cf4 5c4c4191542a49052f91f71500f67b353c0cbabb 700ff9959ee79cc40c79f89eb544ea2e7fe5450e8b8d284c5e3c87c82b6dc20f False
c:\users\eebsym5\appdata\local\temp\_kog.exe 331.15 KB 27304b246c7d5b4e149124d5f93c5b01 e50d9e3bd91908e13a26b3e23edeaf577fb3a095 3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef False
c:\users\eebsym5\appdata\local\temp\_aaq.exe 36.00 KB 3c0d740347b0362331c882c2dee96dbf 8350e06f52e5c660bb416b03edb6a5ddc50c3a59 ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85 False
Threads
Thread 0xa10
137 0
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-03-15 15:15:21 (UTC) True 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x72db0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0 False 2
Fn
Module Load module_name = kernel32, base_address = 0x0 False 1
Fn
Module Load module_name = kernel32, base_address = 0x761d0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7622418d True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x762276e6 True 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x72db0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0 False 2
Fn
Module Load module_name = kernel32, base_address = 0x0 False 1
Fn
Module Load module_name = kernel32, base_address = 0x761d0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7622418d True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x76221e16 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x762276e6 True 1
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
Module Load module_name = api-ms-win-core-localization-l1-2-1, base_address = 0x0 False 2
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x7625f72b True 1
Fn
Module Get Filename module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\users\eebsym5\desktop\olympicdestroyer.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\OlympicDestroyer.exe, size = 260 True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Load module_name = api-ms-win-core-sysinfo-l1-2-1, base_address = 0x0 False 2
Fn
System Get Time type = System Time, time = 2018-03-15 15:15:21 (UTC) True 1
Fn
Module Get Handle module_name = c:\users\eebsym5\desktop\olympicdestroyer.exe, base_address = 0x1020000 True 1
Fn
Module Get Filename module_name = c:\users\eebsym5\desktop\olympicdestroyer.exe, process_name = c:\users\eebsym5\desktop\olympicdestroyer.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\OlympicDestroyer.exe, size = 1023 True 1
Fn
System Get Info type = Operating System True 2
Fn
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x761d0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = IsWow64Process, address_out = 0x76214785 True 1
Fn
User Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
System Get Computer Name result_out = CRH2YWU7 True 1
Fn
File Get Info filename = c:\7C2313D39DB657EA92ADAAF39716AECE, type = file_attributes False 1
Fn
System Get Info type = Operating System True 2
Fn
Module Load module_name = shell32.dll, base_address = 0x767a0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\shell32.dll, function = SHGetKnownFolderPath, address_out = 0x76854ca0 True 1
Fn
File Get Info filename = C:\Users\Public\5712465812CBDDBC332DE65CBAAAF3EB, type = file_attributes False 2
Fn
System Get Info type = Operating System True 2
Fn
Module Load module_name = shell32.dll, base_address = 0x767a0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\shell32.dll, function = SHGetKnownFolderPath, address_out = 0x76854ca0 True 1
Fn
File Get Info filename = C:\Users\Public\5712465812CBDDBC332DE65CBAAAF3EB, type = file_attributes False 1
Fn
File Create filename = C:\Users\Public\5712465812CBDDBC332DE65CBAAAF3EB, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Module Get Handle module_name = c:\users\eebsym5\desktop\olympicdestroyer.exe, base_address = 0x1020000 True 1
Fn
System Sleep duration = 1 milliseconds (0.001 seconds) True 1
Fn
System Get Time type = Ticks, time = 94255 True 1
Fn
System Sleep duration = 1 milliseconds (0.001 seconds) True 1
Fn
System Get Time type = Ticks, time = 94271 True 1
Fn
System Sleep duration = 1 milliseconds (0.001 seconds) True 1
Fn
System Get Time type = Ticks, time = 94287 True 1
Fn
System Sleep duration = 1 milliseconds (0.001 seconds) True 1
Fn
System Get Time type = Ticks, time = 94302 True 1
Fn
System Sleep duration = 1 milliseconds (0.001 seconds) True 1
Fn
System Get Time type = Ticks, time = 94318 True 1
Fn
System Sleep duration = 1 milliseconds (0.001 seconds) True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\xtbrb.exe, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\xtbrb.exe, size = 769536 True 1
Fn
Data
File Create Pipe pipe_name = \device\namedpipe\ddc210d0-5fce-4636-b79c-32457b89bbe4, open_mode = PIPE_ACCESS_INBOUND, FILE_FLAG_OVERLAPPED, max_instances = 1 True 1
Fn
Process Create process_name = C:\Users\EEBsYm5\AppData\Local\Temp\xtbrb.exe, os_pid = 0xa18, show_window = SW_HIDE True 1
Fn
File Read size = 102400, size_out = 12 True 1
Fn
Data
Module Get Handle module_name = c:\users\eebsym5\desktop\olympicdestroyer.exe, base_address = 0x1020000 True 1
Fn
System Sleep duration = 1 milliseconds (0.001 seconds) True 1
Fn
System Get Time type = Ticks, time = 96892 True 1
Fn
System Sleep duration = 1 milliseconds (0.001 seconds) True 1
Fn
System Get Time type = Ticks, time = 96907 True 1
Fn
System Sleep duration = 1 milliseconds (0.001 seconds) True 1
Fn
System Get Time type = Ticks, time = 96923 True 1
Fn
System Sleep duration = 1 milliseconds (0.001 seconds) True 1
Fn
System Get Time type = Ticks, time = 96939 True 1
Fn
System Sleep duration = 1 milliseconds (0.001 seconds) True 1
Fn
System Get Time type = Ticks, time = 96954 True 1
Fn
System Sleep duration = 1 milliseconds (0.001 seconds) True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\ilvai.exe, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\ilvai.exe, size = 231424 True 1
Fn
Data
File Create Pipe pipe_name = \device\namedpipe\7de670e9-b7b8-48da-ba85-ff4203050c88, open_mode = PIPE_ACCESS_INBOUND, FILE_FLAG_OVERLAPPED, max_instances = 1 True 1
Fn
Process Create process_name = C:\Users\EEBsYm5\AppData\Local\Temp\ilvai.exe, os_pid = 0xa2c, show_window = SW_HIDE True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\ilvai.exe, size = 102400, size_out = 648 True 1
Fn
Data
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe, type = file_attributes False 1
Fn
Module Get Handle module_name = c:\users\eebsym5\desktop\olympicdestroyer.exe, base_address = 0x1020000 True 1
Fn
Module Get Filename module_name = c:\users\eebsym5\desktop\olympicdestroyer.exe, process_name = c:\users\eebsym5\desktop\olympicdestroyer.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\OlympicDestroyer.exe, size = 1023 True 1
Fn
File Copy source_filename = C:\Users\EEBsYm5\Desktop\OlympicDestroyer.exe, destination_filename = C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe, type = file_attributes True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe, type = size, size_out = 0 True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe, size = 1861632, size_out = 1861632 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = AreFileApisANSI, address_out = 0x7625f311 True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe, type = file_type True 1
Fn
Module Get Handle module_name = c:\users\eebsym5\desktop\olympicdestroyer.exe, base_address = 0x1020000 True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_kog.exe, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_kog.exe, size = 339096 True 1
Fn
Data
Module Get Handle module_name = c:\users\eebsym5\desktop\olympicdestroyer.exe, base_address = 0x1020000 True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_aaq.exe, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_aaq.exe, size = 36864 True 1
Fn
Data
Process Create process_name = C:\Users\EEBsYm5\AppData\Local\Temp\_aaq.exe, os_pid = 0xa38, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_kog.exe, type = file_attributes True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe, type = file_attributes True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe, type = size, size_out = 0 True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\_tqo.exe, size = 1861632, size_out = 1861632 True 1
Fn
System Sleep duration = -1 (infinite) False 1
Fn
Thread 0xa40
30 0
Category Operation Information Success Count Logfile
COM Create interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER True 135
Fn
System Sleep duration = 100 milliseconds (0.100 seconds) True 1
Fn
Thread 0xa44
1 0
Category Operation Information Success Count Logfile
COM Create interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Thread 0xa4c
30 0
Category Operation Information Success Count Logfile
COM Create interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER True 135
Fn
System Sleep duration = 100 milliseconds (0.100 seconds) True 1
Fn
Thread 0xa50
5 0
Category Operation Information Success Count Logfile
COM Create interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER True 5
Fn
Thread 0xa5c
30 0
Category Operation Information Success Count Logfile
COM Create interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER True 135
Fn
System Sleep duration = 100 milliseconds (0.100 seconds) True 1
Fn
Thread 0xa60
5 0
Category Operation Information Success Count Logfile
COM Create interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER True 5
Fn
Process #2: xtbrb.exe
311 0
Information Value
ID #2
File Name c:\users\eebsym5\appdata\local\temp\xtbrb.exe
Command Line 123 \\.\pipe\DDC210D0-5FCE-4636-B79C-32457B89BBE4
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:32, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:46
OS Process Information
Information Value
PID 0xa18
Parent PID 0xa0c (c:\users\eebsym5\desktop\olympicdestroyer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA1C, 0xA20
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000c0000 0x000c0000 0x00187fff Pagefile Backed Memory Readable True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory Readable, Writable True False False -
rpcss.dll 0x001a0000 0x001fbfff Memory Mapped File Readable False False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory Readable True False False -
oleaccrc.dll 0x001c0000 0x001c0fff Memory Mapped File Readable False False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory Readable True False False -
windowsshell.manifest 0x001e0000 0x001e0fff Memory Mapped File Readable False False False -
pagefile_0x00000000001e0000 0x001e0000 0x001e0fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000001f0000 0x001f0000 0x001f1fff Pagefile Backed Memory Readable True False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory Readable, Writable True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000310000 0x00310000 0x00410fff Pagefile Backed Memory Readable True False False -
index.dat 0x00420000 0x0044bfff Memory Mapped File Readable, Writable True False False -
private_0x0000000000450000 0x00450000 0x0054ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000550000 0x00550000 0x0114ffff Pagefile Backed Memory Readable True False False -
private_0x0000000001150000 0x01150000 0x011f4fff Private Memory Readable, Writable True False False -
private_0x0000000001200000 0x01200000 0x012a4fff Private Memory Readable, Writable True False False -
xtbrb.exe 0x012b0000 0x01370fff Memory Mapped File Readable, Writable, Executable True True False
pagefile_0x0000000001380000 0x01380000 0x0145efff Pagefile Backed Memory Readable True False False -
index.dat 0x01460000 0x01467fff Memory Mapped File Readable, Writable True False False -
index.dat 0x01470000 0x0147ffff Memory Mapped File Readable, Writable True False False -
tzres.dll 0x01480000 0x01480fff Memory Mapped File Readable False False False -
pagefile_0x0000000001490000 0x01490000 0x01496fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000014a0000 0x014a0000 0x014a1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000014e0000 0x014e0000 0x015dffff Private Memory Readable, Writable True False False -
private_0x00000000015e0000 0x015e0000 0x01b4ffff Private Memory Readable, Writable True False False -
private_0x00000000015e0000 0x015e0000 0x016e0fff Private Memory Readable, Writable True False False -
private_0x00000000015e0000 0x015e0000 0x016bffff Private Memory Readable, Writable True False False -
private_0x0000000001750000 0x01750000 0x01b4ffff Private Memory Readable, Writable True False False -
private_0x0000000001b50000 0x01b50000 0x01ccffff Private Memory Readable, Writable True False False -
private_0x0000000001b50000 0x01b50000 0x01c2ffff Private Memory Readable, Writable True False False -
private_0x0000000001b50000 0x01b50000 0x01bf0fff Private Memory Readable, Writable True False False -
private_0x0000000001c20000 0x01c20000 0x01c2ffff Private Memory Readable, Writable True False False -
private_0x0000000001c90000 0x01c90000 0x01ccffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x01cd0000 0x01f9efff Memory Mapped File Readable False False False -
private_0x0000000001fa0000 0x01fa0000 0x0209ffff Private Memory Readable, Writable True False False -
private_0x00000000020a0000 0x020a0000 0x0219ffff Private Memory Readable, Writable True False False -
private_0x0000000002100000 0x02100000 0x021fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002200000 0x02200000 0x025f2fff Pagefile Backed Memory Readable True False False -
private_0x0000000010000000 0x10000000 0x100a9fff Private Memory Readable, Writable, Executable True False False -
nss3.dll 0x6ddb0000 0x6df64fff Memory Mapped File Readable, Writable, Executable False False False -
ieframe.dll 0x6df70000 0x6e9effff Memory Mapped File Readable, Writable, Executable False False False -
winmm.dll 0x6f3f0000 0x6f421fff Memory Mapped File Readable, Writable, Executable False False False -
msvcr100.dll 0x700b0000 0x7016efff Memory Mapped File Readable, Writable, Executable False False False -
mlang.dll 0x70170000 0x7019dfff Memory Mapped File Readable, Writable, Executable False False False -
msvcp100.dll 0x72a50000 0x72ab8fff Memory Mapped File Readable, Writable, Executable False False False -
api-ms-win-core-synch-l1-2-0.dll 0x72db0000 0x72db2fff Memory Mapped File Readable, Writable, Executable False False False -
freebl3.dll 0x72dd0000 0x72e1efff Memory Mapped File Readable, Writable, Executable False False False -
nssdbm3.dll 0x72eb0000 0x72ec6fff Memory Mapped File Readable, Writable, Executable False False False -
softokn3.dll 0x72ed0000 0x72ef6fff Memory Mapped File Readable, Writable, Executable False False False -
mozglue.dll 0x72f40000 0x72f61fff Memory Mapped File Readable, Writable, Executable False False False -
wsock32.dll 0x73130000 0x73136fff Memory Mapped File Readable, Writable, Executable False False False -
oleacc.dll 0x73360000 0x7339bfff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74d30000 0x74d6ffff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x74eb0000 0x7504dfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75e00000 0x75e1afff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75e20000 0x75e2bfff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x75ed0000 0x75edafff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x75f40000 0x75f4bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f70000 0x75fb9fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x76050000 0x7616cfff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x761d0000 0x762a3fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x762b0000 0x762cefff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x762d0000 0x762d5fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x762e0000 0x762f8fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x76300000 0x76356fff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x763f0000 0x765eafff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x765f0000 0x765f9fff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x76600000 0x766f4fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x76700000 0x7679ffff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x767a0000 0x773e9fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x773f0000 0x7748cfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x77510000 0x77544fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77550000 0x775f0fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x77600000 0x77682fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x77690000 0x7771efff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77720000 0x777cbfff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x77830000 0x77965fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x77970000 0x77acbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77ad0000 0x77b98fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77ba0000 0x77c6bfff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x77c70000 0x77c74fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77c80000 0x77ccdfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\eebsym5\appdata\local\temp\chr79e0.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\eebsym5\appdata\local\temp\chr79e0.tmp 18.00 KB MD5: 29844404ae855e9df054833f71888eb1
SHA1: 3e86f08def08fc14ddec0227d0643319562666db
SHA256: c381401ea96dfe9b926126dcbbc0dd6ab541dbf549732cc6c66f20096b1f663e
False
Threads
Thread 0xa1c
311 0
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-03-15 15:15:22 (UTC) True 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x72db0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0 False 2
Fn
Module Load module_name = kernel32, base_address = 0x0 False 1
Fn
Module Load module_name = kernel32, base_address = 0x761d0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7622418d True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x762276e6 True 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x72db0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0 False 2
Fn
Module Load module_name = kernel32, base_address = 0x0 False 1
Fn
Module Load module_name = kernel32, base_address = 0x761d0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7622418d True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x76221e16 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x762276e6 True 1
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
Module Load module_name = api-ms-win-core-localization-l1-2-1, base_address = 0x0 False 2
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x7625f72b True 1
Fn
Module Get Filename module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\users\eebsym5\appdata\local\temp\xtbrb.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\xtbrb.exe, size = 260 True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Handle module_name = c:\users\eebsym5\appdata\local\temp\xtbrb.exe, base_address = 0x12b0000 True 1
Fn
Module Load module_name = KERNEL32.dll, base_address = 0x761d0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = HeapFree, address_out = 0x7621bbd0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = EnterCriticalSection, address_out = 0x77f077a0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetFullPathNameW, address_out = 0x76224543 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = WriteFile, address_out = 0x76221400 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = InterlockedCompareExchange, address_out = 0x7621bb92 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetDiskFreeSpaceW, address_out = 0x76203530 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = OutputDebugStringA, address_out = 0x7620eb36 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = LockFile, address_out = 0x7623642f True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = LeaveCriticalSection, address_out = 0x77f07760 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSection, address_out = 0x77f1a149 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetFilePointer, address_out = 0x7621db36 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetFullPathNameA, address_out = 0x76223735 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetEndOfFile, address_out = 0x76212319 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = UnlockFileEx, address_out = 0x76236947 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetTempPathW, address_out = 0x76208b33 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CreateMutexW, address_out = 0x76212aee True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = WaitForSingleObject, address_out = 0x7621ba90 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CreateFileW, address_out = 0x7621cc56 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetFileAttributesW, address_out = 0x762264ff True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetCurrentThreadId, address_out = 0x7621bb80 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetVersionExW, address_out = 0x76213b1a True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = HeapValidate, address_out = 0x762125dd True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = HeapSize, address_out = 0x77f19bec True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = MultiByteToWideChar, address_out = 0x7622452b True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = Sleep, address_out = 0x7621ba46 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FormatMessageW, address_out = 0x762154a3 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetDiskFreeSpaceA, address_out = 0x7622d7d2 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetLastError, address_out = 0x7621bf00 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetFileAttributesExW, address_out = 0x7621273d True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = OutputDebugStringW, address_out = 0x76206b91 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlushViewOfFile, address_out = 0x762083d2 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x7621cee8 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = WaitForSingleObjectEx, address_out = 0x7621bab0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetVersionExA, address_out = 0x76223861 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = DeleteFileW, address_out = 0x76210f62 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = HeapReAlloc, address_out = 0x77f2ff51 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7621ca7c True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetSystemInfo, address_out = 0x76223728 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = HeapCreate, address_out = 0x76223ea2 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = HeapAlloc, address_out = 0x77f12dd6 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = HeapCompact, address_out = 0x76207cf6 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = HeapDestroy, address_out = 0x76212301 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = UnlockFile, address_out = 0x76236417 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CreateFileMappingA, address_out = 0x762197e9 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = LockFileEx, address_out = 0x7623692f True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetFileSize, address_out = 0x76210273 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = DeleteCriticalSection, address_out = 0x77f19ac5 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessId, address_out = 0x7621cac4 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetProcessHeap, address_out = 0x76221280 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SystemTimeToFileTime, address_out = 0x7621cecb True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FreeLibrary, address_out = 0x7621d9d0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = WideCharToMultiByte, address_out = 0x7622450e True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x76222fde True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetSystemTime, address_out = 0x7621ced8 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FormatMessageA, address_out = 0x76238868 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CreateFileMappingW, address_out = 0x76210a7f True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = MapViewOfFile, address_out = 0x7621899b True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x7621bb9f True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetTickCount, address_out = 0x7621ba60 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlushFileBuffers, address_out = 0x76207f81 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = lstrlenW, address_out = 0x7621d9e8 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = lstrlenA, address_out = 0x7621a611 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = WriteConsoleW, address_out = 0x762182f1 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetFilePointerEx, address_out = 0x7620f5b2 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetConsoleMode, address_out = 0x76222412 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = TryEnterCriticalSection, address_out = 0x77f132bc True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = ReadFile, address_out = 0x762196fb True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = AreFileApisANSI, address_out = 0x7625f311 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetPrivateProfileStringA, address_out = 0x7620d8d7 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = UnmapViewOfFile, address_out = 0x7621db13 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetTempFileNameA, address_out = 0x7623695f True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = LocalFree, address_out = 0x7621ca64 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x762233d3 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = DeleteFileA, address_out = 0x762147cb True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryA, address_out = 0x7622395c True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetFileAttributesA, address_out = 0x76221de6 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CopyFileA, address_out = 0x7623532c True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetTempPathA, address_out = 0x76236a65 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetConsoleCP, address_out = 0x76222c8a True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetStdHandle, address_out = 0x7625f589 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetFileType, address_out = 0x762275a5 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetStdHandle, address_out = 0x76221e46 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetEnvironmentVariableA, address_out = 0x76218921 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FreeEnvironmentStringsW, address_out = 0x76221dc3 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetEnvironmentStringsW, address_out = 0x76221dbc True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetCommandLineW, address_out = 0x7622679e True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetCommandLineA, address_out = 0x762298ff True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetCurrentDirectoryA, address_out = 0x7621903d True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryW, address_out = 0x76223c01 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x7622ed38 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x76223d01 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcess, address_out = 0x7621cdcf True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = TerminateProcess, address_out = 0x76212331 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x762276b5 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = InitializeSListHead, address_out = 0x77f25eeb True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76213ea8 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetStartupInfoW, address_out = 0x76223891 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleW, address_out = 0x7622374d True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = RaiseException, address_out = 0x7620eb60 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = InterlockedFlushSList, address_out = 0x77f13129 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetLastError, address_out = 0x7621bb08 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = RtlUnwind, address_out = 0x76207f70 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x76223939 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = TlsAlloc, address_out = 0x762235a1 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = TlsGetValue, address_out = 0x7621da70 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = TlsSetValue, address_out = 0x7621da88 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = TlsFree, address_out = 0x762213b8 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryExW, address_out = 0x76214775 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CreateThread, address_out = 0x7622375d True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = ExitThread, address_out = 0x77eef611 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FreeLibraryAndExitThread, address_out = 0x7620fdb8 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleExW, address_out = 0x76213e39 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = ExitProcess, address_out = 0x7622214f True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameA, address_out = 0x762233f6 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CompareStringW, address_out = 0x76219bee True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = LCMapStringW, address_out = 0x762213d0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetTimeZoneInformation, address_out = 0x76208a3b True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetACP, address_out = 0x762239aa True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetStringTypeW, address_out = 0x762267c8 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FindClose, address_out = 0x76220e62 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FindFirstFileExA, address_out = 0x7625f3ef True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FindNextFileA, address_out = 0x7621a187 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = IsValidCodePage, address_out = 0x7622c1c0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetOEMCP, address_out = 0x76213db9 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetCPInfo, address_out = 0x76221e2e True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = DecodePointer, address_out = 0x77f1cd10 True 1
Fn
Module Load module_name = USER32.dll, base_address = 0x77ad0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\user32.dll, function = wsprintfA, address_out = 0x77ae3f47 True 1
Fn
Module Load module_name = ADVAPI32.dll, base_address = 0x76700000 True 1
Fn
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = CryptCreateHash, address_out = 0x7670df4e True 1
Fn
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = CryptGetHashParam, address_out = 0x7670df7e True 1
Fn
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = RegEnumKeyA, address_out = 0x7672a299 True 1
Fn
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7671469d True 1
Fn
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = RegQueryValueExA, address_out = 0x767148ef True 1
Fn
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = RegOpenKeyExA, address_out = 0x76714907 True 1
Fn
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextA, address_out = 0x767091dd True 1
Fn
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = CryptHashData, address_out = 0x7670df36 True 1
Fn
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = CryptDestroyHash, address_out = 0x7670df66 True 1
Fn
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = CryptReleaseContext, address_out = 0x7670e124 True 1
Fn
Module Load module_name = SHELL32.dll, base_address = 0x767a0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\shell32.dll, function = SHGetFolderPathA, address_out = 0x768b7804 True 1
Fn
Module Load module_name = ole32.dll, base_address = 0x77970000 True 1
Fn
Module Get Address module_name = c:\windows\system32\ole32.dll, function = CoInitialize, address_out = 0x7798b636 True 1
Fn
Module Get Address module_name = c:\windows\system32\ole32.dll, function = CoCreateInstance, address_out = 0x779b9d0b True 1
Fn
Module Load module_name = SHLWAPI.dll, base_address = 0x76300000 True 1
Fn
Module Get Address module_name = c:\windows\system32\shlwapi.dll, function = wvnsprintfA, address_out = 0x7632edfe True 1
Fn
Module Get Address module_name = c:\windows\system32\shlwapi.dll, function = StrStrIW, address_out = 0x763146e9 True 1
Fn
Module Get Address module_name = c:\windows\system32\shlwapi.dll, function = StrStrIA, address_out = 0x7630d250 True 1
Fn
Module Load module_name = CRYPT32.dll, base_address = 0x76050000 True 1
Fn
Module Get Address module_name = c:\windows\system32\crypt32.dll, function = CryptUnprotectData, address_out = 0x76085a7f True 1
Fn
System Get Time type = System Time, time = 2018-03-15 15:15:22 (UTC) True 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x72db0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0 False 2
Fn
Module Load module_name = kernel32, base_address = 0x0 False 1
Fn
Module Load module_name = kernel32, base_address = 0x761d0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7622418d True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x762276e6 True 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x72db0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0 False 2
Fn
Module Load module_name = kernel32, base_address = 0x0 False 1
Fn
Module Load module_name = kernel32, base_address = 0x761d0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7622418d True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x76221e16 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x762276e6 True 1
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
Module Load module_name = api-ms-win-core-localization-l1-2-1, base_address = 0x0 False 2
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x7625f72b True 1
Fn
Module Get Filename module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\users\eebsym5\appdata\local\temp\xtbrb.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\xtbrb.exe, size = 260 True 1
Fn
Environment Get Environment String - True 1
Fn
Data
COM Create interface = 3C374A41-BAE4-11CF-BF7D-00AA006946EE, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall False 2
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall True 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook, value_name = DisplayName, data = 0 False 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX, value_name = DisplayName, data = 65 True 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin, value_name = DisplayName, data = 65 True 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager, value_name = DisplayName, data = 0 False 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx, value_name = DisplayName, data = 0 False 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime, value_name = DisplayName, data = 0 False 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore, value_name = DisplayName, data = 0 False 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome, value_name = DisplayName, data = 71 True 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40, value_name = DisplayName, data = 0 False 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data, value_name = DisplayName, data = 0 False 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX, value_name = DisplayName, data = 0 False 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData, value_name = DisplayName, data = 0 False 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack, value_name = DisplayName, data = 0 False 1
Fn
Registry Enumerate Keys reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US) True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = DisplayName, data = 77 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US), value_name = InstallLocation, data = 67 True 1
Fn
Ini Read file_name_orig = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\\profiles.ini, section_name = Profile0, key_name = Path, data_out = Profiles/h231daer.default True 1
Fn
Module Load module_name = nss3.dll, base_address = 0x6ddb0000 True 1
Fn
Module Get Address module_name = c:\program files\mozilla firefox\nss3.dll, function = NSS_Init, address_out = 0x6de6d70b True 1
Fn
Module Get Address module_name = c:\program files\mozilla firefox\nss3.dll, function = NSSBase64_DecodeBuffer, address_out = 0x6de6e7d9 True 1
Fn
Module Get Address module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_GetInternalKeySlot, address_out = 0x6de03c51 True 1
Fn
Module Get Address module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_Authenticate, address_out = 0x6dded3ca True 1
Fn
Module Get Address module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11SDR_Decrypt, address_out = 0x6de000a7 True 1
Fn
Module Get Address module_name = c:\program files\mozilla firefox\nss3.dll, function = NSS_Shutdown, address_out = 0x6de6d13c True 1
Fn
Module Get Address module_name = c:\program files\mozilla firefox\nss3.dll, function = PK11_FreeSlot, address_out = 0x6de03333 True 1
Fn
System Get Info type = Hardware Information True 1
Fn
System Get Info type = Operating System True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite, type = file_attributes True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite, size = 100, size_out = 100 True 1
Fn
Data
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite-journal, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite, type = size, size_out = 0 True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite-wal, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite, type = size, size_out = 0 True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite, size = 32768, size_out = 32768 True 1
Fn
Data
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite-journal, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite, type = size, size_out = 0 True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite, size = 16, size_out = 16 True 1
Fn
Data
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite, type = size, size_out = 0 True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite-wal, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite, type = size, size_out = 0 True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite, size = 32768, size_out = 32768 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\\logins.json, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = file_attributes True 1
Fn
File Create Temp File filename = C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp, path = C:\Users\EEBsYm5\AppData\Local\Temp\, prefix = chr True 1
Fn
File Copy source_filename = C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data, destination_filename = C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp, type = file_attributes True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp, size = 100, size_out = 100 True 1
Fn
Data
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp-journal, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp, type = size, size_out = 0 True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp-wal, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp, type = size, size_out = 0 True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp, size = 2048, size_out = 2048 True 1
Fn
Data
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp-journal, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp, type = size, size_out = 0 True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp, size = 16, size_out = 16 True 1
Fn
Data
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp, type = size, size_out = 0 True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp-wal, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp, type = size, size_out = 0 True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp, size = 2048, size_out = 2048 True 1
Fn
Data
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\chr79E0.tmp False 1
Fn
File Create filename = \\.\pipe\DDC210D0-5FCE-4636-B79C-32457B89BBE4, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_WRITE True 1
Fn
File Write filename = \\.\pipe\DDC210D0-5FCE-4636-B79C-32457B89BBE4, size = 12 True 1
Fn
Data
Module Get Handle module_name = c:\users\eebsym5\appdata\local\temp\xtbrb.exe, base_address = 0x12b0000 True 2
Fn
Module Load module_name = api-ms-win-appmodel-runtime-l1-1-1, base_address = 0x0 False 2
Fn
Module Load module_name = ext-ms-win-kernel32-package-current-l1-1-0, base_address = 0x0 False 2
Fn
Module Get Handle module_name = mscoree.dll False 1
Fn
Process #3: ilvai.exe
Information Value
ID #3
File Name c:\users\eebsym5\appdata\local\temp\ilvai.exe
Command Line 123 \\.\pipe\7DE670E9-B7B8-48DA-BA85-FF4203050C88
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:42, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:36
OS Process Information
Information Value
PID 0xa2c
Parent PID 0xa0c (c:\users\eebsym5\desktop\olympicdestroyer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xa30
0xa34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
private_0x0000000000050000 0x00050000 0x00050fff Private Memory Readable, Writable True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory Readable, Writable True False False -
locale.nls 0x00170000 0x001d6fff Memory Mapped File Readable False False False -
private_0x0000000000230000 0x00230000 0x0023ffff Private Memory Readable, Writable True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000340000 0x00340000 0x00407fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000410000 0x00410000 0x00510fff Pagefile Backed Memory Readable True False False -
private_0x0000000000540000 0x00540000 0x0063ffff Private Memory Readable, Writable True False False -
private_0x0000000000640000 0x00640000 0x00740fff Private Memory Readable, Writable True False False -
private_0x0000000000640000 0x00640000 0x006c8fff Private Memory Readable, Writable True False False -
ilvai.exe 0x00910000 0x0094dfff Memory Mapped File Readable, Writable, Executable True True False
pagefile_0x0000000000950000 0x00950000 0x0154ffff Pagefile Backed Memory Readable True False False -
private_0x0000000010000000 0x10000000 0x10023fff Private Memory Readable, Writable, Executable True False False -
api-ms-win-core-synch-l1-2-0.dll 0x72db0000 0x72db2fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x75680000 0x756bcfff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x75ad0000 0x75ae6fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f70000 0x75fb9fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x761d0000 0x762a3fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x762b0000 0x762cefff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x762e0000 0x762f8fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x76300000 0x76356fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x765f0000 0x765f9fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x76700000 0x7679ffff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x767a0000 0x773e9fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x773f0000 0x7748cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77550000 0x775f0fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77720000 0x777cbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77ad0000 0x77b98fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77ba0000 0x77c6bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77c80000 0x77ccdfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Threads
Thread 0xa30
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-03-15 15:15:24 (UTC) True 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x72db0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0 False 2
Fn
Module Load module_name = kernel32, base_address = 0x0 False 1
Fn
Module Load module_name = kernel32, base_address = 0x761d0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7622418d True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x762276e6 True 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x72db0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0 False 2
Fn
Module Load module_name = kernel32, base_address = 0x0 False 1
Fn
Module Load module_name = kernel32, base_address = 0x761d0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7622418d True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x76221e16 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x762276e6 True 1
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
Module Load module_name = api-ms-win-core-localization-l1-2-1, base_address = 0x0 False 2
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x7625f72b True 1
Fn
Module Get Filename module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\users\eebsym5\appdata\local\temp\ilvai.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\ilvai.exe, size = 260 True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Handle module_name = c:\users\eebsym5\appdata\local\temp\ilvai.exe, base_address = 0x910000 True 1
Fn
Module Load module_name = ntdll.dll, base_address = 0x77ec0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\ntdll.dll, function = RtlGetCurrentPeb, address_out = 0x77ef0241 True 1
Fn
Module Get Address module_name = c:\windows\system32\ntdll.dll, function = RtlInitUnicodeString, address_out = 0x77ef4168 True 1
Fn
Module Get Address module_name = c:\windows\system32\ntdll.dll, function = NtQueryInformationProcess, address_out = 0x77f06048 True 1
Fn
Module Get Address module_name = c:\windows\system32\ntdll.dll, function = RtlEqualUnicodeString, address_out = 0x77f15705 True 1
Fn
Module Get Address module_name = c:\windows\system32\ntdll.dll, function = RtlEqualString, address_out = 0x77edd88a True 1
Fn
Module Get Address module_name = c:\windows\system32\ntdll.dll, function = RtlAdjustPrivilege, address_out = 0x77ecbc3a True 1
Fn
Module Get Address module_name = c:\windows\system32\ntdll.dll, function = RtlGetNtVersionNumbers, address_out = 0x77f28e52 True 1
Fn
Module Get Address module_name = c:\windows\system32\ntdll.dll, function = NtQuerySystemInformation, address_out = 0x77f061f8 True 1
Fn
Module Load module_name = KERNEL32.dll, base_address = 0x761d0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = DecodePointer, address_out = 0x77f1cd10 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = WriteConsoleW, address_out = 0x762182f1 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetFilePointerEx, address_out = 0x7620f5b2 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7621ca7c True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = HeapReAlloc, address_out = 0x77f2ff51 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = HeapSize, address_out = 0x77f19bec True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address_out = 0x76223363 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryW, address_out = 0x76223c01 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetProcAddress, address_out = 0x762233d3 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CreateFileW, address_out = 0x7621cc56 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = IsWow64Process, address_out = 0x76214785 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = LocalFree, address_out = 0x7621ca64 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleW, address_out = 0x7622374d True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x7621bb9f True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcessId, address_out = 0x7621cac4 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetCurrentThreadId, address_out = 0x7621bb80 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x76222fde True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = InitializeSListHead, address_out = 0x77f25eeb True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76213ea8 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x7622ed38 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x76223d01 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetStartupInfoW, address_out = 0x76223891 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x762276b5 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetCurrentProcess, address_out = 0x7621cdcf True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = TerminateProcess, address_out = 0x76212331 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = InterlockedFlushSList, address_out = 0x77f13129 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = RtlUnwind, address_out = 0x76207f70 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetLastError, address_out = 0x7621bf00 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetLastError, address_out = 0x7621bb08 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = EnterCriticalSection, address_out = 0x77f077a0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = LeaveCriticalSection, address_out = 0x77f07760 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = DeleteCriticalSection, address_out = 0x77f19ac5 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x76223939 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = TlsAlloc, address_out = 0x762235a1 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = TlsGetValue, address_out = 0x7621da70 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = TlsSetValue, address_out = 0x7621da88 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = TlsFree, address_out = 0x762213b8 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FreeLibrary, address_out = 0x7621d9d0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryExW, address_out = 0x76214775 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = ExitProcess, address_out = 0x7622214f True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleExW, address_out = 0x76213e39 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetModuleFileNameA, address_out = 0x762233f6 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = MultiByteToWideChar, address_out = 0x7622452b True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = WideCharToMultiByte, address_out = 0x7622450e True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = HeapFree, address_out = 0x7621bbd0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = HeapAlloc, address_out = 0x77f12dd6 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = LCMapStringW, address_out = 0x762213d0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetStdHandle, address_out = 0x76221e46 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetFileType, address_out = 0x762275a5 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetACP, address_out = 0x762239aa True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetStringTypeW, address_out = 0x762267c8 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FindClose, address_out = 0x76220e62 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FindFirstFileExA, address_out = 0x7625f3ef True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FindNextFileA, address_out = 0x7621a187 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = IsValidCodePage, address_out = 0x7622c1c0 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetOEMCP, address_out = 0x76213db9 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetCPInfo, address_out = 0x76221e2e True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetCommandLineA, address_out = 0x762298ff True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetCommandLineW, address_out = 0x7622679e True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetEnvironmentStringsW, address_out = 0x76221dbc True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FreeEnvironmentStringsW, address_out = 0x76221dc3 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetProcessHeap, address_out = 0x76221280 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlushFileBuffers, address_out = 0x76207f81 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = WriteFile, address_out = 0x76221400 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetConsoleCP, address_out = 0x76222c8a True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetConsoleMode, address_out = 0x76222412 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetStdHandle, address_out = 0x7625f589 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = RaiseException, address_out = 0x7620eb60 True 1
Fn
System Get Time type = System Time, time = 2018-03-15 15:15:24 (UTC) True 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x72db0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0 False 2
Fn
Module Load module_name = kernel32, base_address = 0x0 False 1
Fn
Module Load module_name = kernel32, base_address = 0x761d0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7622418d True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x762276e6 True 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x72db0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0 False 2
Fn
Module Load module_name = kernel32, base_address = 0x0 False 1
Fn
Module Load module_name = kernel32, base_address = 0x761d0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7622418d True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x76221e16 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x762276e6 True 1
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
Module Load module_name = api-ms-win-core-localization-l1-2-1, base_address = 0x0 False 2
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x7625f72b True 1
Fn
Module Get Filename module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\users\eebsym5\appdata\local\temp\ilvai.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\ilvai.exe, size = 260 True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Load module_name = advapi32.dll, base_address = 0x76700000 True 1
Fn
Module Load module_name = user32.dll, base_address = 0x77ad0000 True 1
Fn
Module Get Handle module_name = c:\windows\system32\ntdll.dll, base_address = 0x77ec0000 True 1
Fn
Process Get Info type = PROCESS_BASIC_INFORMATION True 1
Fn
Module Get Handle module_name = c:\windows\system32\ntdll.dll, base_address = 0x77ec0000 True 1
Fn
Process Get Info type = PROCESS_BASIC_INFORMATION True 1
Fn
Module Get Handle module_name = c:\windows\system32\ntdll.dll, base_address = 0x77ec0000 True 1
Fn
Process Get Info type = PROCESS_BASIC_INFORMATION True 1
Fn
Module Load module_name = bcrypt, base_address = 0x75ad0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\bcrypt.dll, function = BCryptOpenAlgorithmProvider, address_out = 0x75ad2cda True 1
Fn
Module Get Address module_name = c:\windows\system32\bcrypt.dll, function = BCryptSetProperty, address_out = 0x75ad20d4 True 1
Fn
Module Get Address module_name = c:\windows\system32\bcrypt.dll, function = BCryptGetProperty, address_out = 0x75ad1ca7 True 1
Fn
Module Get Address module_name = c:\windows\system32\bcrypt.dll, function = BCryptGenerateSymmetricKey, address_out = 0x75ad1fbc True 1
Fn
Module Get Address module_name = c:\windows\system32\bcrypt.dll, function = BCryptEncrypt, address_out = 0x75ad195c True 1
Fn
Module Get Address module_name = c:\windows\system32\bcrypt.dll, function = BCryptDecrypt, address_out = 0x75ad18b8 True 1
Fn
Module Get Address module_name = c:\windows\system32\bcrypt.dll, function = BCryptDestroyKey, address_out = 0x75ad1f40 True 1
Fn
Module Get Address module_name = c:\windows\system32\bcrypt.dll, function = BCryptCloseAlgorithmProvider, address_out = 0x75ad2391 True 1
Fn
System Get Info type = SYSTEM_PROCESS_INFORMATION False 4
Fn
System Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Process Open desired_access = PROCESS_VM_READ, PROCESS_QUERY_LIMITED_INFORMATION True 1
Fn
Process Get Info type = PROCESS_BASIC_INFORMATION True 1
Fn
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x7ffdc000, size = 16 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x77f97880, size = 36 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2c15c0, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2c146e, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x990000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x9900e8, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x9900e8, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2c1640, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x77f28328, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x77ec0000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x77ec00d0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x77ec00d0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2c1938, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2c1910, size = 26 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x761d0000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x761d00f0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x761d00f0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2c1a20, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2c19f8, size = 30 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75f70000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75f700e0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75f700e0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2c2180, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2c2160, size = 22 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x77720000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x777200e0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x777200e0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2c22c0, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2c22a0, size = 22 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x77550000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x775500f0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x775500f0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2c26e0, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2c26c0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75d60000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75d600e0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75d600e0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cf698, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cf678, size = 22 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75c60000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75c600e0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75c600e0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cf718, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2c2658, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x762e0000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x762e00f0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x762e00f0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cf4b8, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cf498, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75e00000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75e000e0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75e000e0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cf588, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cf560, size = 26 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x76700000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x767000e0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x767000e0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cf798, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cf630, size = 22 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x77ad0000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x77ad00f0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x77ad00f0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cf818, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cf450, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x77c80000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x77c800e0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x77c800e0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cf8d8, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cf8c0, size = 16 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x765f0000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x765f00f0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x765f00f0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cf9a0, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cf980, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x773f0000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x773f00f8, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x773f00f8, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d00d8, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d00b8, size = 22 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75bd0000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75bd00e0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75bd00e0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cfec0, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cfe98, size = 26 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75bb0000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75bb00e8, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75bb00e8, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d0170, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cfe48, size = 22 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75f40000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75f400e8, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75f400e8, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d01f0, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cffb0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75b60000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75b600e0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75b600e0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d0270, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cff68, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x762b0000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x762b00d8, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x762b00d8, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d02f0, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d2180, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x77ba0000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x77ba00f0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x77ba00f0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d0370, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d8c70, size = 26 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75b50000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75b500e0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75b500e0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d03f0, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d36b8, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75b30000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75b300d8, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75b300d8, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d0470, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d3550, size = 22 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75af0000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75af00e0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75af00e0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d04f0, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d3598, size = 22 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75ad0000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75ad00e0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75ad00e0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d0570, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d34c0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75aa0000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75aa00b8, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75aa00b8, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d05f0, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d38f8, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75a70000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75a700e8, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75a700e8, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d0670, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2dff58, size = 26 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75a50000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75a500f0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75a500f0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d06f0, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d3aa8, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75de0000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75de00e8, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75de00e8, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d0770, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2e0220, size = 28 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75e20000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75e200e8, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75e200e8, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d07f0, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2e0848, size = 26 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x759c0000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x759c00e0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x759c00e0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d0870, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d3ca0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x759a0000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x759a00e0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x759a00e0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d08f0, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d3d30, size = 22 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x77510000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x775100e0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x775100e0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d0970, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2e56f0, size = 16 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x762d0000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x762d00e0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x762d00e0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d09f0, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d3d78, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75960000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x759600e0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x759600e0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d0a70, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d3e08, size = 22 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75950000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x759500e0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x759500e0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d0af0, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d3e50, size = 22 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75900000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x759000f0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x759000f0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d0bf0, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2e16d0, size = 26 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75870000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x758700e8, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x758700e8, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d0c70, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d4000, size = 22 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75820000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x758200e0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x758200e0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d0cf0, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2e1720, size = 26 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x757f0000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x757f00d8, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x757f00d8, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d0d70, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2e1770, size = 26 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x757b0000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x757b00e0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x757b00e0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d0df0, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d4090, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x76050000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x760500f0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x760500f0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d0e70, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2faab8, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75780000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x757800e0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x757800e0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d0ef0, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2fabd8, size = 22 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75740000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x757400d8, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x757400d8, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d0f70, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2fac20, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75700000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x757000f0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x757000f0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d0ff0, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2fae18, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x756c0000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x756c00f0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x756c00f0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d1070, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2f8b90, size = 42 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75680000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x756800f0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x756800f0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d10f0, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2e2440, size = 32 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75ec0000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75ec00f8, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75ec00f8, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d12f0, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2e2490, size = 28 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75730000, size = 64 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x757300f0, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x757300f0, size = 248 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d1bf0, size = 52 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2fb718, size = 22 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75c73b6b, size = 4 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75c73b4c, size = 4 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75c60000, size = 1048576 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75c97d2f, size = 4 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75d4bf30, size = 16 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75c97cde, size = 4 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75d4b298, size = 4 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2b0000, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2b0020, size = 32 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2b003c, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75c97d15, size = 4 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75d4b29c, size = 4 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2b01f0, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2b0210, size = 32 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2b022c, size = 16 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75d4a4a4, size = 4 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75d4c2d8, size = 4 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x362ed0, size = 160 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x358188, size = 32 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x3582a0, size = 26 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x358e51, size = 1 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x358e50, size = 12 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34f168, size = 160 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34e7e0, size = 16 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x3467e8, size = 18 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x346770, size = 16 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34a761, size = 1 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34a760, size = 28 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34e8b8, size = 12 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x350f90, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x350fac, size = 120 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x350fa4, size = 8 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75700000, size = 73728 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x7570631e, size = 4 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x7570f134, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34abf0, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x326d28, size = 72 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34ac90, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x326e60, size = 72 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x326eb0, size = 4 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x326ec8, size = 28 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34ac68, size = 18 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x352f08, size = 16 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x352f28, size = 16 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75780000, size = 180224 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x7578190c, size = 4 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x757a7188, size = 4 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x308a20, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x308a20, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34e900, size = 16 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x3468e8, size = 18 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34e918, size = 16 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x759c0000, size = 557056 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75a13f75, size = 4 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75a37a58, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x31b4e0, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x33a708, size = 44 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x31ae78, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cd7d0, size = 44 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34a830, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x3508e0, size = 44 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2fd618, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x305940, size = 44 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34aa10, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x350bd8, size = 44 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x350bd8, size = 196 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34e840, size = 16 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x3468a8, size = 18 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34e858, size = 16 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75900000, size = 270336 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75902542, size = 4 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x7593a1a0, size = 8 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348700, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348900, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348780, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348680, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348500, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348180, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348100, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d1ff8, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d1f78, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x307938, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x350248, size = 8 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34eab0, size = 160 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34e7f8, size = 16 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x346828, size = 18 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x346810, size = 16 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34a789, size = 1 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34a788, size = 28 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34e780, size = 12 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34f0c0, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34f0dc, size = 120 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34f0d4, size = 8 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x7570f134, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34abf0, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x326d28, size = 72 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x326d78, size = 4 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x326df8, size = 28 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34abc8, size = 18 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x346910, size = 16 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x352ee8, size = 16 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x757a7188, size = 4 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x308a20, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x308980, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x308980, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34e8d0, size = 16 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x346848, size = 18 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34e8e8, size = 16 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75a37a58, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x31b4e0, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x33a708, size = 44 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x31ae78, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cd7d0, size = 44 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34a830, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x3508e0, size = 44 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x3508e0, size = 196 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34e7c8, size = 16 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x346868, size = 18 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34e810, size = 16 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x7593a1a0, size = 8 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348700, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348900, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348780, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348680, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348500, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348180, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348100, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d1ff8, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d1f78, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x307938, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x350248, size = 8 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x335840, size = 160 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x31b3c0, size = 28 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x31b3e8, size = 26 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x3300c9, size = 1 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x3300c8, size = 12 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x7570f134, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34abf0, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x326d28, size = 72 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34ac90, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x326e60, size = 72 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x757a7188, size = 4 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x308a20, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x308980, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x308890, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x308890, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x331e50, size = 2 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x331e40, size = 2 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75a37a58, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x31b4e0, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x33a708, size = 44 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x33a708, size = 196 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x331e60, size = 2 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x331e70, size = 2 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x7593a1a0, size = 8 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348700, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348900, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348780, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348680, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348500, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348180, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348100, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d1ff8, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d1f78, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x31eb50, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x33a2a0, size = 8 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x3159f0, size = 160 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x329400, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x3292c0, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x330009, size = 1 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x330008, size = 12 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x7570f134, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34abf0, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x326d28, size = 72 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34ac90, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x326e60, size = 72 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x757a7188, size = 4 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x308a20, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x308980, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x308890, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x308610, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x308610, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x329440, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x329420, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75a37a58, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x31b4e0, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x33a708, size = 44 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x31ae78, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cd7d0, size = 44 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cd7d0, size = 196 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x329460, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x329480, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x7593a1a0, size = 8 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348700, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348900, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348780, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348680, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348500, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348180, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348100, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d1ff8, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d1f78, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x31e9a0, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x331998, size = 8 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2f5920, size = 160 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x1, size = 1 False 1
Fn
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x7570f134, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34abf0, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x326d28, size = 72 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34ac90, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x326e60, size = 72 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x757a7188, size = 4 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x308a20, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x308980, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x308890, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x308610, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2e2378, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75a37a58, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x31b4e0, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x33a708, size = 44 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x31ae78, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cd7d0, size = 44 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34a830, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x3508e0, size = 44 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2fd618, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x305940, size = 44 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34aa10, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x350bd8, size = 44 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x7593a1a0, size = 8 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348700, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348900, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348780, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348680, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348500, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348180, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348100, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d1ff8, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d1f78, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2df050, size = 160 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2df488, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2df4a8, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2decd9, size = 1 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2decd8, size = 12 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x7570f134, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34abf0, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x326d28, size = 72 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34ac90, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x326e60, size = 72 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x757a7188, size = 4 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x308a20, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x308980, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x308890, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x308610, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2e2378, size = 24 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2e2378, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2df508, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2df528, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x75a37a58, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x31b4e0, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x33a708, size = 44 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x31ae78, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2cd7d0, size = 44 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x34a830, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x3508e0, size = 44 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2fd618, size = 56 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x305940, size = 44 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x305940, size = 196 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2df548, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2df568, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x7593a1a0, size = 8 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348700, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348900, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348780, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348680, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348500, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348180, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x348100, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d1ff8, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2d1f78, size = 60 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x2fb030, size = 20 True 1
Fn
Data
Memory Read process_name = c:\windows\system32\lsass.exe, address = 0x3054d8, size = 8 True 1
Fn
Data
File Create filename = \\.\pipe\7DE670E9-B7B8-48DA-BA85-FF4203050C88, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_WRITE True 1
Fn
File Write filename = \\.\pipe\7DE670E9-B7B8-48DA-BA85-FF4203050C88, size = 648 True 1
Fn
Data
Module Get Handle module_name = c:\users\eebsym5\appdata\local\temp\ilvai.exe, base_address = 0x910000 True 2
Fn
Module Load module_name = api-ms-win-appmodel-runtime-l1-1-1, base_address = 0x0 False 2
Fn
Module Load module_name = ext-ms-win-kernel32-package-current-l1-1-0, base_address = 0x0 False 2
Fn
Module Get Handle module_name = mscoree.dll False 1
Fn
Process #4: _aaq.exe
1545 0
Information Value
ID #4
File Name c:\users\eebsym5\appdata\local\temp\_aaq.exe
Command Line "C:\Users\EEBsYm5\AppData\Local\Temp\_aaq.exe"
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:44, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:34
OS Process Information
Information Value
PID 0xa38
Parent PID 0xa0c (c:\users\eebsym5\desktop\olympicdestroyer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA3C
0xA48
0xA94
0xCC8
0xCD0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory Readable, Writable True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory Readable, Writable True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e6fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000210000 0x00210000 0x002d7fff Pagefile Backed Memory Readable True False False -
private_0x00000000002e0000 0x002e0000 0x0035ffff Private Memory Readable, Writable True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory Readable, Writable True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000004e0000 0x004e0000 0x005e0fff Pagefile Backed Memory Readable True False False -
private_0x0000000000650000 0x00650000 0x0074ffff Private Memory Readable, Writable True False False -
private_0x0000000000830000 0x00830000 0x0092ffff Private Memory Readable, Writable True False False -
private_0x0000000000970000 0x00970000 0x00a6ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000a70000 0x00a70000 0x00e62fff Pagefile Backed Memory Readable True False False -
_aaq.exe 0x00f10000 0x00f1cfff Memory Mapped File Readable, Writable, Executable True True False
pagefile_0x0000000000f20000 0x00f20000 0x01b1ffff Pagefile Backed Memory Readable True False False -
private_0x0000000001ba0000 0x01ba0000 0x01c9ffff Private Memory Readable, Writable True False False -
browcli.dll 0x70150000 0x7015cfff Memory Mapped File Readable, Writable, Executable False False False -
davhlpr.dll 0x70160000 0x70167fff Memory Mapped File Readable, Writable, Executable False False False -
cscapi.dll 0x70c40000 0x70c4afff Memory Mapped File Readable, Writable, Executable False False False -
mpr.dll 0x726c0000 0x726d1fff Memory Mapped File Readable, Writable, Executable False False False -
davclnt.dll 0x728a0000 0x728b6fff Memory Mapped File Readable, Writable, Executable False False False -
ntlanman.dll 0x728c0000 0x728d3fff Memory Mapped File Readable, Writable, Executable False False False -
drprov.dll 0x72a50000 0x72a57fff Memory Mapped File Readable, Writable, Executable False False False -
wkscli.dll 0x74790000 0x7479efff Memory Mapped File Readable, Writable, Executable False False False -
netutils.dll 0x747a0000 0x747a8fff Memory Mapped File Readable, Writable, Executable False False False -
winsta.dll 0x75e90000 0x75eb8fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f70000 0x75fb9fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x761d0000 0x762a3fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x762b0000 0x762cefff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x762e0000 0x762f8fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x76300000 0x76356fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x765f0000 0x765f9fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x76700000 0x7679ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x773f0000 0x7748cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77550000 0x775f0fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77720000 0x777cbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77ad0000 0x77b98fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77ba0000 0x77c6bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77c80000 0x77ccdfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory Readable, Writable True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory Readable, Writable True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory Readable, Writable True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Threads
Thread 0xa3c
1545 0
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-03-15 15:15:26 (UTC) True 1 Fn
System Get Time type = Ticks, time = 98499 True 1 Fn
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x761d0000 True 1 Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7622418d True 1 Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x76221e16 True 1 Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x762276e6 True 1 Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x76221f61 True 1 Fn
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x761d0000 True 1 Fn
File Open filename = STD_INPUT_HANDLE True 1 Fn
File Open filename = STD_OUTPUT_HANDLE True 1 Fn
File Open filename = STD_ERROR_HANDLE True 1 Fn
Environment Get Environment String - True 1 Fn Data
Module Get Filename process_name = c:\users\eebsym5\appdata\local\temp\_aaq.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\_aaq.exe, size = 260 True 1 Fn
User Lookup Privilege privilege = SeShutdownPrivilege, luid = 19 True 1 Fn
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1 Fn
Process Create process_name = C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet, os_pid = 0xa54, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1 Fn
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1 Fn
Process Create process_name = C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet, os_pid = 0xb3c, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1 Fn
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1 Fn
Process Create process_name = C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no, os_pid = 0xbec, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1 Fn
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1 Fn
Process Create process_name = C:\Windows\system32\cmd.exe /c wevtutil.exe cl System, os_pid = 0xc14, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1 Fn
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1 Fn
Process Create process_name = C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security, os_pid = 0xc50, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1 Fn
Service Open Manager database_name = ServicesActive True 1 Fn
Service Enumerate database_name = ServicesActive False 1 Fn
Service Enumerate database_name = ServicesActive True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = 1394ohci False 1 Fn
Service Set Config service_name = 1394ohci True 1 Fn
Service Get Info service_name = 1394ohci True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = ACPI False 1 Fn
Service Set Config service_name = ACPI True 1 Fn
Service Get Info service_name = ACPI True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = AcpiPmi False 1 Fn
Service Set Config service_name = AcpiPmi True 1 Fn
Service Get Info service_name = AcpiPmi True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = adp94xx False 1 Fn
Service Set Config service_name = adp94xx True 1 Fn
Service Get Info service_name = adp94xx True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = adpahci False 1 Fn
Service Set Config service_name = adpahci True 1 Fn
Service Get Info service_name = adpahci True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = adpu320 False 1 Fn
Service Set Config service_name = adpu320 True 1 Fn
Service Get Info service_name = adpu320 True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = AeLookupSvc False 1 Fn
Service Set Config service_name = AeLookupSvc True 1 Fn
Service Get Info service_name = AeLookupSvc True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = AFD False 1 Fn
Service Set Config service_name = AFD True 1 Fn
Service Get Info service_name = AFD True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = agp440 False 1 Fn
Service Set Config service_name = agp440 True 1 Fn
Service Get Info service_name = agp440 True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = aic78xx False 1 Fn
Service Set Config service_name = aic78xx True 1 Fn
Service Get Info service_name = aic78xx True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = ALG False 1 Fn
Service Set Config service_name = ALG True 1 Fn
Service Get Info service_name = ALG True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = aliide False 1 Fn
Service Set Config service_name = aliide True 1 Fn
Service Get Info service_name = aliide True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = amdagp False 1 Fn
Service Set Config service_name = amdagp True 1 Fn
Service Get Info service_name = amdagp True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = amdide False 1 Fn
Service Set Config service_name = amdide True 1 Fn
Service Get Info service_name = amdide True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = AmdK8 False 1 Fn
Service Set Config service_name = AmdK8 True 1 Fn
Service Get Info service_name = AmdK8 True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = AmdPPM False 1 Fn
Service Set Config service_name = AmdPPM True 1 Fn
Service Get Info service_name = AmdPPM True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = amdsata False 1 Fn
Service Set Config service_name = amdsata True 1 Fn
Service Get Info service_name = amdsata True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = amdsbs False 1 Fn
Service Set Config service_name = amdsbs True 1 Fn
Service Get Info service_name = amdsbs True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = amdxata False 1 Fn
Service Set Config service_name = amdxata True 1 Fn
Service Get Info service_name = amdxata True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = AppID False 1 Fn
Service Set Config service_name = AppID True 1 Fn
Service Get Info service_name = AppID True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = AppIDSvc False 1 Fn
Service Set Config service_name = AppIDSvc True 1 Fn
Service Get Info service_name = AppIDSvc True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = Appinfo False 1 Fn
Service Set Config service_name = Appinfo True 1 Fn
Service Get Info service_name = Appinfo True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = AppMgmt False 1 Fn
Service Set Config service_name = AppMgmt True 1 Fn
Service Get Info service_name = AppMgmt True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = arc False 1 Fn
Service Set Config service_name = arc True 1 Fn
Service Get Info service_name = arc True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = arcsas False 1 Fn
Service Set Config service_name = arcsas True 1 Fn
Service Get Info service_name = arcsas True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = aspnet_state False 1 Fn
Service Set Config service_name = aspnet_state True 1 Fn
Service Get Info service_name = aspnet_state True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = AsyncMac False 1 Fn
Service Set Config service_name = AsyncMac True 1 Fn
Service Get Info service_name = AsyncMac True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = atapi False 1 Fn
Service Set Config service_name = atapi True 1 Fn
Service Get Info service_name = atapi True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = AudioEndpointBuilder False 1 Fn
Service Set Config service_name = AudioEndpointBuilder True 1 Fn
Service Get Info service_name = AudioEndpointBuilder True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = Audiosrv False 1 Fn
Service Set Config service_name = Audiosrv True 1 Fn
Service Get Info service_name = Audiosrv True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = AxInstSV False 1 Fn
Service Set Config service_name = AxInstSV True 1 Fn
Service Get Info service_name = AxInstSV True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = b06bdrv False 1 Fn
Service Set Config service_name = b06bdrv True 1 Fn
Service Get Info service_name = b06bdrv True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = b57nd60x False 1 Fn
Service Set Config service_name = b57nd60x True 1 Fn
Service Get Info service_name = b57nd60x True 1 Fn
Service Open database_name = ServicesActive False 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = Beep False 1 Fn
Service Set Config service_name = Beep True 1 Fn
Service Get Info service_name = Beep True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = BFE False 1 Fn
Service Set Config service_name = BFE True 1 Fn
Service Get Info service_name = BFE True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = BITS False 1 Fn
Service Set Config service_name = BITS True 1 Fn
Service Get Info service_name = BITS True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = blbdrive False 1 Fn
Service Set Config service_name = blbdrive True 1 Fn
Service Get Info service_name = blbdrive True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = bowser False 1 Fn
Service Set Config service_name = bowser True 1 Fn
Service Get Info service_name = bowser True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = BrFiltLo False 1 Fn
Service Set Config service_name = BrFiltLo True 1 Fn
Service Get Info service_name = BrFiltLo True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = BrFiltUp False 1 Fn
Service Set Config service_name = BrFiltUp True 1 Fn
Service Get Info service_name = BrFiltUp True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = Browser False 1 Fn
Service Set Config service_name = Browser True 1 Fn
Service Get Info service_name = Browser True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = Brserid False 1 Fn
Service Set Config service_name = Brserid True 1 Fn
Service Get Info service_name = Brserid True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = BrSerWdm False 1 Fn
Service Set Config service_name = BrSerWdm True 1 Fn
Service Get Info service_name = BrSerWdm True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = BrUsbMdm False 1 Fn
Service Set Config service_name = BrUsbMdm True 1 Fn
Service Get Info service_name = BrUsbMdm True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = BrUsbSer False 1 Fn
Service Set Config service_name = BrUsbSer True 1 Fn
Service Get Info service_name = BrUsbSer True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = BTHMODEM False 1 Fn
Service Set Config service_name = BTHMODEM True 1 Fn
Service Get Info service_name = BTHMODEM True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = bthserv False 1 Fn
Service Set Config service_name = bthserv True 1 Fn
Service Get Info service_name = bthserv True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = cdfs False 1 Fn
Service Set Config service_name = cdfs True 1 Fn
Service Get Info service_name = cdfs True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = cdrom False 1 Fn
Service Set Config service_name = cdrom True 1 Fn
Service Get Info service_name = cdrom True 1 Fn
Service Open database_name = ServicesActive False 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = circlass False 1 Fn
Service Set Config service_name = circlass True 1 Fn
Service Get Info service_name = circlass True 1 Fn
Service Open database_name = ServicesActive False 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = clr_optimization_v2.0.50727_32 False 1 Fn
Service Set Config service_name = clr_optimization_v2.0.50727_32 True 1 Fn
Service Get Info service_name = clr_optimization_v2.0.50727_32 True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = clr_optimization_v4.0.30319_32 False 1 Fn
Service Set Config service_name = clr_optimization_v4.0.30319_32 True 1 Fn
Service Get Info service_name = clr_optimization_v4.0.30319_32 True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = CmBatt False 1 Fn
Service Set Config service_name = CmBatt True 1 Fn
Service Get Info service_name = CmBatt True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = cmdide False 1 Fn
Service Set Config service_name = cmdide True 1 Fn
Service Get Info service_name = cmdide True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = CNG False 1 Fn
Service Set Config service_name = CNG True 1 Fn
Service Get Info service_name = CNG True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = Compbatt False 1 Fn
Service Set Config service_name = Compbatt True 1 Fn
Service Get Info service_name = Compbatt True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = CompositeBus False 1 Fn
Service Set Config service_name = CompositeBus True 1 Fn
Service Get Info service_name = CompositeBus True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = COMSysApp False 1 Fn
Service Set Config service_name = COMSysApp True 1 Fn
Service Get Info service_name = COMSysApp True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = crcdisk False 1 Fn
Service Set Config service_name = crcdisk True 1 Fn
Service Get Info service_name = crcdisk True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = CryptSvc False 1 Fn
Service Set Config service_name = CryptSvc True 1 Fn
Service Get Info service_name = CryptSvc True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = CSC False 1 Fn
Service Set Config service_name = CSC True 1 Fn
Service Get Info service_name = CSC True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = CscService False 1 Fn
Service Set Config service_name = CscService True 1 Fn
Service Get Info service_name = CscService True 1 Fn
Service Open database_name = ServicesActive False 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = defragsvc False 1 Fn
Service Set Config service_name = defragsvc True 1 Fn
Service Get Info service_name = defragsvc True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = DfsC False 1 Fn
Service Set Config service_name = DfsC True 1 Fn
Service Get Info service_name = DfsC True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = Dhcp False 1 Fn
Service Set Config service_name = Dhcp True 1 Fn
Service Get Info service_name = Dhcp True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = discache False 1 Fn
Service Set Config service_name = discache True 1 Fn
Service Get Info service_name = discache True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = Disk False 1 Fn
Service Set Config service_name = Disk True 1 Fn
Service Get Info service_name = Disk True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = Dnscache False 1 Fn
Service Set Config service_name = Dnscache True 1 Fn
Service Get Info service_name = Dnscache True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = dot3svc False 1 Fn
Service Set Config service_name = dot3svc True 1 Fn
Service Get Info service_name = dot3svc True 1 Fn
Service Open database_name = ServicesActive False 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = drmkaud False 1 Fn
Service Set Config service_name = drmkaud True 1 Fn
Service Get Info service_name = drmkaud True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = DXGKrnl False 1 Fn
Service Set Config service_name = DXGKrnl True 1 Fn
Service Get Info service_name = DXGKrnl True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = E1G60 False 1 Fn
Service Set Config service_name = E1G60 True 1 Fn
Service Get Info service_name = E1G60 True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = EapHost False 1 Fn
Service Set Config service_name = EapHost True 1 Fn
Service Get Info service_name = EapHost True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = ebdrv False 1 Fn
Service Set Config service_name = ebdrv True 1 Fn
Service Get Info service_name = ebdrv True 1 Fn
Service Open database_name = ServicesActive False 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = ehRecvr False 1 Fn
Service Set Config service_name = ehRecvr True 1 Fn
Service Get Info service_name = ehRecvr True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = ehSched False 1 Fn
Service Set Config service_name = ehSched True 1 Fn
Service Get Info service_name = ehSched True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = elxstor False 1 Fn
Service Set Config service_name = elxstor True 1 Fn
Service Get Info service_name = elxstor True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = ErrDev False 1 Fn
Service Set Config service_name = ErrDev True 1 Fn
Service Get Info service_name = ErrDev True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = eventlog False 1 Fn
Service Set Config service_name = eventlog True 1 Fn
Service Get Info service_name = eventlog True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = EventSystem False 1 Fn
Service Set Config service_name = EventSystem True 1 Fn
Service Get Info service_name = EventSystem True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = exfat False 1 Fn
Service Set Config service_name = exfat True 1 Fn
Service Get Info service_name = exfat True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = fastfat False 1 Fn
Service Set Config service_name = fastfat True 1 Fn
Service Get Info service_name = fastfat True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = Fax False 1 Fn
Service Set Config service_name = Fax True 1 Fn
Service Get Info service_name = Fax True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = fdc False 1 Fn
Service Set Config service_name = fdc True 1 Fn
Service Get Info service_name = fdc True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = fdPHost False 1 Fn
Service Set Config service_name = fdPHost True 1 Fn
Service Get Info service_name = fdPHost True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = FDResPub False 1 Fn
Service Set Config service_name = FDResPub True 1 Fn
Service Get Info service_name = FDResPub True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = FileInfo False 1 Fn
Service Set Config service_name = FileInfo True 1 Fn
Service Get Info service_name = FileInfo True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = Filetrace False 1 Fn
Service Set Config service_name = Filetrace True 1 Fn
Service Get Info service_name = Filetrace True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = flpydisk False 1 Fn
Service Set Config service_name = flpydisk True 1 Fn
Service Get Info service_name = flpydisk True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = FltMgr False 1 Fn
Service Set Config service_name = FltMgr True 1 Fn
Service Get Info service_name = FltMgr True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = FontCache False 1 Fn
Service Set Config service_name = FontCache True 1 Fn
Service Get Info service_name = FontCache True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = FontCache3.0.0.0 False 1 Fn
Service Set Config service_name = FontCache3.0.0.0 True 1 Fn
Service Get Info service_name = FontCache3.0.0.0 True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = FsDepends False 1 Fn
Service Set Config service_name = FsDepends True 1 Fn
Service Get Info service_name = FsDepends True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = fvevol False 1 Fn
Service Set Config service_name = fvevol True 1 Fn
Service Get Info service_name = fvevol True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = gagp30kx False 1 Fn
Service Set Config service_name = gagp30kx True 1 Fn
Service Get Info service_name = gagp30kx True 1 Fn
Service Open database_name = ServicesActive False 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = gupdate False 1 Fn
Service Set Config service_name = gupdate True 1 Fn
Service Get Info service_name = gupdate True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = gupdatem False 1 Fn
Service Set Config service_name = gupdatem True 1 Fn
Service Get Info service_name = gupdatem True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = hcw85cir False 1 Fn
Service Set Config service_name = hcw85cir True 1 Fn
Service Get Info service_name = hcw85cir True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = HdAudAddService False 1 Fn
Service Set Config service_name = HdAudAddService True 1 Fn
Service Get Info service_name = HdAudAddService True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = HDAudBus False 1 Fn
Service Set Config service_name = HDAudBus True 1 Fn
Service Get Info service_name = HDAudBus True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = HidBatt False 1 Fn
Service Set Config service_name = HidBatt True 1 Fn
Service Get Info service_name = HidBatt True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = HidBth False 1 Fn
Service Set Config service_name = HidBth True 1 Fn
Service Get Info service_name = HidBth True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = HidIr False 1 Fn
Service Set Config service_name = HidIr True 1 Fn
Service Get Info service_name = HidIr True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = hidserv False 1 Fn
Service Set Config service_name = hidserv True 1 Fn
Service Get Info service_name = hidserv True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = HidUsb False 1 Fn
Service Set Config service_name = HidUsb True 1 Fn
Service Get Info service_name = HidUsb True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = hkmsvc False 1 Fn
Service Set Config service_name = hkmsvc True 1 Fn
Service Get Info service_name = hkmsvc True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = HomeGroupListener False 1 Fn
Service Set Config service_name = HomeGroupListener True 1 Fn
Service Get Info service_name = HomeGroupListener True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = HomeGroupProvider False 1 Fn
Service Set Config service_name = HomeGroupProvider True 1 Fn
Service Get Info service_name = HomeGroupProvider True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = HpSAMD False 1 Fn
Service Set Config service_name = HpSAMD True 1 Fn
Service Get Info service_name = HpSAMD True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = HTTP False 1 Fn
Service Set Config service_name = HTTP True 1 Fn
Service Get Info service_name = HTTP True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = hwpolicy False 1 Fn
Service Set Config service_name = hwpolicy True 1 Fn
Service Get Info service_name = hwpolicy True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = i8042prt False 1 Fn
Service Set Config service_name = i8042prt True 1 Fn
Service Get Info service_name = i8042prt True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = iaStorV False 1 Fn
Service Set Config service_name = iaStorV True 1 Fn
Service Get Info service_name = iaStorV True 1 Fn
Service Open database_name = ServicesActive False 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = iirsp False 1 Fn
Service Set Config service_name = iirsp True 1 Fn
Service Get Info service_name = iirsp True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = IKEEXT False 1 Fn
Service Set Config service_name = IKEEXT True 1 Fn
Service Get Info service_name = IKEEXT True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = intelide False 1 Fn
Service Set Config service_name = intelide True 1 Fn
Service Get Info service_name = intelide True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = intelppm False 1 Fn
Service Set Config service_name = intelppm True 1 Fn
Service Get Info service_name = intelppm True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = IPBusEnum False 1 Fn
Service Set Config service_name = IPBusEnum True 1 Fn
Service Get Info service_name = IPBusEnum True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = IpFilterDriver False 1 Fn
Service Set Config service_name = IpFilterDriver True 1 Fn
Service Get Info service_name = IpFilterDriver True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = iphlpsvc False 1 Fn
Service Set Config service_name = iphlpsvc True 1 Fn
Service Get Info service_name = iphlpsvc True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = IPMIDRV False 1 Fn
Service Set Config service_name = IPMIDRV True 1 Fn
Service Get Info service_name = IPMIDRV True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = IPNAT False 1 Fn
Service Set Config service_name = IPNAT True 1 Fn
Service Get Info service_name = IPNAT True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = IRENUM False 1 Fn
Service Set Config service_name = IRENUM True 1 Fn
Service Get Info service_name = IRENUM True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = isapnp False 1 Fn
Service Set Config service_name = isapnp True 1 Fn
Service Get Info service_name = isapnp True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = iScsiPrt False 1 Fn
Service Set Config service_name = iScsiPrt True 1 Fn
Service Get Info service_name = iScsiPrt True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = kbdclass False 1 Fn
Service Set Config service_name = kbdclass True 1 Fn
Service Get Info service_name = kbdclass True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = kbdhid False 1 Fn
Service Set Config service_name = kbdhid True 1 Fn
Service Get Info service_name = kbdhid True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = KeyIso False 1 Fn
Service Set Config service_name = KeyIso True 1 Fn
Service Get Info service_name = KeyIso True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = KSecDD False 1 Fn
Service Set Config service_name = KSecDD True 1 Fn
Service Get Info service_name = KSecDD True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = KSecPkg False 1 Fn
Service Set Config service_name = KSecPkg True 1 Fn
Service Get Info service_name = KSecPkg True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = KtmRm False 1 Fn
Service Set Config service_name = KtmRm True 1 Fn
Service Get Info service_name = KtmRm True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = LanmanServer False 1 Fn
Service Set Config service_name = LanmanServer True 1 Fn
Service Get Info service_name = LanmanServer True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = LanmanWorkstation False 1 Fn
Service Set Config service_name = LanmanWorkstation True 1 Fn
Service Get Info service_name = LanmanWorkstation True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = lltdio False 1 Fn
Service Set Config service_name = lltdio True 1 Fn
Service Get Info service_name = lltdio True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = lltdsvc False 1 Fn
Service Set Config service_name = lltdsvc True 1 Fn
Service Get Info service_name = lltdsvc True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = lmhosts False 1 Fn
Service Set Config service_name = lmhosts True 1 Fn
Service Get Info service_name = lmhosts True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = LSI_FC False 1 Fn
Service Set Config service_name = LSI_FC True 1 Fn
Service Get Info service_name = LSI_FC True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = LSI_SAS False 1 Fn
Service Set Config service_name = LSI_SAS True 1 Fn
Service Get Info service_name = LSI_SAS True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = LSI_SAS2 False 1 Fn
Service Set Config service_name = LSI_SAS2 True 1 Fn
Service Get Info service_name = LSI_SAS2 True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = LSI_SCSI False 1 Fn
Service Set Config service_name = LSI_SCSI True 1 Fn
Service Get Info service_name = LSI_SCSI True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = luafv False 1 Fn
Service Set Config service_name = luafv True 1 Fn
Service Get Info service_name = luafv True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = Mcx2Svc False 1 Fn
Service Set Config service_name = Mcx2Svc True 1 Fn
Service Get Info service_name = Mcx2Svc True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = megasas False 1 Fn
Service Set Config service_name = megasas True 1 Fn
Service Get Info service_name = megasas True 1 Fn
Service Open database_name = ServicesActive True 1 Fn
Service Get Info service_name = MegaSR False 1
Fn
Service Set Config service_name = MegaSR True 1
Fn
Service Get Info service_name = MegaSR True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = Microsoft SharePoint Workspace Audit Service False 1
Fn
Service Set Config service_name = Microsoft SharePoint Workspace Audit Service True 1
Fn
Service Get Info service_name = Microsoft SharePoint Workspace Audit Service True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = MMCSS False 1
Fn
Service Set Config service_name = MMCSS True 1
Fn
Service Get Info service_name = MMCSS True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = Modem False 1
Fn
Service Set Config service_name = Modem True 1
Fn
Service Get Info service_name = Modem True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = monitor False 1
Fn
Service Set Config service_name = monitor True 1
Fn
Service Get Info service_name = monitor True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = mouclass False 1
Fn
Service Set Config service_name = mouclass True 1
Fn
Service Get Info service_name = mouclass True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = mouhid False 1
Fn
Service Set Config service_name = mouhid True 1
Fn
Service Get Info service_name = mouhid True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = mountmgr False 1
Fn
Service Set Config service_name = mountmgr True 1
Fn
Service Get Info service_name = mountmgr True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = MozillaMaintenance False 1
Fn
Service Set Config service_name = MozillaMaintenance True 1
Fn
Service Get Info service_name = MozillaMaintenance True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = mpio False 1
Fn
Service Set Config service_name = mpio True 1
Fn
Service Get Info service_name = mpio True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = mpsdrv False 1
Fn
Service Set Config service_name = mpsdrv True 1
Fn
Service Get Info service_name = mpsdrv True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = MpsSvc False 1
Fn
Service Set Config service_name = MpsSvc True 1
Fn
Service Get Info service_name = MpsSvc True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = MRxDAV False 1
Fn
Service Set Config service_name = MRxDAV True 1
Fn
Service Get Info service_name = MRxDAV True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = mrxsmb False 1
Fn
Service Set Config service_name = mrxsmb True 1
Fn
Service Get Info service_name = mrxsmb True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = mrxsmb10 False 1
Fn
Service Set Config service_name = mrxsmb10 True 1
Fn
Service Get Info service_name = mrxsmb10 True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = mrxsmb20 False 1
Fn
Service Set Config service_name = mrxsmb20 True 1
Fn
Service Get Info service_name = mrxsmb20 True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = msahci False 1
Fn
Service Set Config service_name = msahci True 1
Fn
Service Get Info service_name = msahci True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = msdsm False 1
Fn
Service Set Config service_name = msdsm True 1
Fn
Service Get Info service_name = msdsm True 1
Fn
Service Open database_name = ServicesActive False 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = Msfs False 1
Fn
Service Set Config service_name = Msfs True 1
Fn
Service Get Info service_name = Msfs True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = mshidkmdf False 1
Fn
Service Set Config service_name = mshidkmdf True 1
Fn
Service Get Info service_name = mshidkmdf True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = msisadrv False 1
Fn
Service Set Config service_name = msisadrv True 1
Fn
Service Get Info service_name = msisadrv True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = MSiSCSI False 1
Fn
Service Set Config service_name = MSiSCSI True 1
Fn
Service Get Info service_name = MSiSCSI True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = msiserver False 1
Fn
Service Set Config service_name = msiserver True 1
Fn
Service Get Info service_name = msiserver True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = MSKSSRV False 1
Fn
Service Set Config service_name = MSKSSRV True 1
Fn
Service Get Info service_name = MSKSSRV True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = MSPCLOCK False 1
Fn
Service Set Config service_name = MSPCLOCK True 1
Fn
Service Get Info service_name = MSPCLOCK True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = MSPQM False 1
Fn
Service Set Config service_name = MSPQM True 1
Fn
Service Get Info service_name = MSPQM True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = MsRPC False 1
Fn
Service Set Config service_name = MsRPC True 1
Fn
Service Get Info service_name = MsRPC True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = mssmbios False 1
Fn
Service Set Config service_name = mssmbios True 1
Fn
Service Get Info service_name = mssmbios True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = MSTEE False 1
Fn
Service Set Config service_name = MSTEE True 1
Fn
Service Get Info service_name = MSTEE True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = MTConfig False 1
Fn
Service Set Config service_name = MTConfig True 1
Fn
Service Get Info service_name = MTConfig True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = Mup False 1
Fn
Service Set Config service_name = Mup True 1
Fn
Service Get Info service_name = Mup True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = napagent False 1
Fn
Service Set Config service_name = napagent True 1
Fn
Service Get Info service_name = napagent True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = NativeWifiP False 1
Fn
Service Set Config service_name = NativeWifiP True 1
Fn
Service Get Info service_name = NativeWifiP True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = NDIS False 1
Fn
Service Set Config service_name = NDIS True 1
Fn
Service Get Info service_name = NDIS True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = NdisCap False 1
Fn
Service Set Config service_name = NdisCap True 1
Fn
Service Get Info service_name = NdisCap True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = NdisTapi False 1
Fn
Service Set Config service_name = NdisTapi True 1
Fn
Service Get Info service_name = NdisTapi True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = Ndisuio False 1
Fn
Service Set Config service_name = Ndisuio True 1
Fn
Service Get Info service_name = Ndisuio True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = NdisWan False 1
Fn
Service Set Config service_name = NdisWan True 1
Fn
Service Get Info service_name = NdisWan True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = NDProxy False 1
Fn
Service Set Config service_name = NDProxy True 1
Fn
Service Get Info service_name = NDProxy True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = NetBIOS False 1
Fn
Service Set Config service_name = NetBIOS True 1
Fn
Service Get Info service_name = NetBIOS True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = NetBT False 1
Fn
Service Set Config service_name = NetBT True 1
Fn
Service Get Info service_name = NetBT True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = Netlogon False 1
Fn
Service Set Config service_name = Netlogon True 1
Fn
Service Get Info service_name = Netlogon True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = Netman False 1
Fn
Service Set Config service_name = Netman True 1
Fn
Service Get Info service_name = Netman True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = NetMsmqActivator False 1
Fn
Service Set Config service_name = NetMsmqActivator True 1
Fn
Service Get Info service_name = NetMsmqActivator True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = NetPipeActivator False 1
Fn
Service Set Config service_name = NetPipeActivator True 1
Fn
Service Get Info service_name = NetPipeActivator True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = netprofm False 1
Fn
Service Set Config service_name = netprofm True 1
Fn
Service Get Info service_name = netprofm True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = NetTcpActivator False 1
Fn
Service Set Config service_name = NetTcpActivator True 1
Fn
Service Get Info service_name = NetTcpActivator True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = NetTcpPortSharing False 1
Fn
Service Set Config service_name = NetTcpPortSharing True 1
Fn
Service Get Info service_name = NetTcpPortSharing True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = nfrd960 False 1
Fn
Service Set Config service_name = nfrd960 True 1
Fn
Service Get Info service_name = nfrd960 True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = NlaSvc False 1
Fn
Service Set Config service_name = NlaSvc True 1
Fn
Service Get Info service_name = NlaSvc True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = Npfs False 1
Fn
Service Set Config service_name = Npfs True 1
Fn
Service Get Info service_name = Npfs True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = nsi False 1
Fn
Service Set Config service_name = nsi True 1
Fn
Service Get Info service_name = nsi True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = nsiproxy False 1
Fn
Service Set Config service_name = nsiproxy True 1
Fn
Service Get Info service_name = nsiproxy True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = Ntfs False 1
Fn
Service Set Config service_name = Ntfs True 1
Fn
Service Get Info service_name = Ntfs True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = Null False 1
Fn
Service Set Config service_name = Null True 1
Fn
Service Get Info service_name = Null True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = nvraid False 1
Fn
Service Set Config service_name = nvraid True 1
Fn
Service Get Info service_name = nvraid True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = nvstor False 1
Fn
Service Set Config service_name = nvstor True 1
Fn
Service Get Info service_name = nvstor True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = nv_agp False 1
Fn
Service Set Config service_name = nv_agp True 1
Fn
Service Get Info service_name = nv_agp True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = ohci1394 False 1
Fn
Service Set Config service_name = ohci1394 True 1
Fn
Service Get Info service_name = ohci1394 True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = ose False 1
Fn
Service Set Config service_name = ose True 1
Fn
Service Get Info service_name = ose True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = osppsvc False 1
Fn
Service Set Config service_name = osppsvc True 1
Fn
Service Get Info service_name = osppsvc True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = p2pimsvc False 1
Fn
Service Set Config service_name = p2pimsvc True 1
Fn
Service Get Info service_name = p2pimsvc True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = p2psvc False 1
Fn
Service Set Config service_name = p2psvc True 1
Fn
Service Get Info service_name = p2psvc True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = Parport False 1
Fn
Service Set Config service_name = Parport True 1
Fn
Service Get Info service_name = Parport True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = partmgr False 1
Fn
Service Set Config service_name = partmgr True 1
Fn
Service Get Info service_name = partmgr True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = Parvdm False 1
Fn
Service Set Config service_name = Parvdm True 1
Fn
Service Get Info service_name = Parvdm True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = PcaSvc False 1
Fn
Service Set Config service_name = PcaSvc True 1
Fn
Service Get Info service_name = PcaSvc True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = pci False 1
Fn
Service Set Config service_name = pci True 1
Fn
Service Get Info service_name = pci True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = pciide False 1
Fn
Service Set Config service_name = pciide True 1
Fn
Service Get Info service_name = pciide True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = pcmcia False 1
Fn
Service Set Config service_name = pcmcia True 1
Fn
Service Get Info service_name = pcmcia True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = pcw False 1
Fn
Service Set Config service_name = pcw True 1
Fn
Service Get Info service_name = pcw True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = PEAUTH False 1
Fn
Service Set Config service_name = PEAUTH True 1
Fn
Service Get Info service_name = PEAUTH True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = PeerDistSvc False 1
Fn
Service Set Config service_name = PeerDistSvc True 1
Fn
Service Get Info service_name = PeerDistSvc True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = pla False 1
Fn
Service Set Config service_name = pla True 1
Fn
Service Get Info service_name = pla True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = PlugPlay False 1
Fn
Service Set Config service_name = PlugPlay True 1
Fn
Service Get Info service_name = PlugPlay True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = PNRPAutoReg False 1
Fn
Service Set Config service_name = PNRPAutoReg True 1
Fn
Service Get Info service_name = PNRPAutoReg True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = PNRPsvc False 1
Fn
Service Set Config service_name = PNRPsvc True 1
Fn
Service Get Info service_name = PNRPsvc True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = PolicyAgent False 1
Fn
Service Set Config service_name = PolicyAgent True 1
Fn
Service Get Info service_name = PolicyAgent True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = Power False 1
Fn
Service Set Config service_name = Power True 1
Fn
Service Get Info service_name = Power True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = PptpMiniport False 1
Fn
Service Set Config service_name = PptpMiniport True 1
Fn
Service Get Info service_name = PptpMiniport True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = Processor False 1
Fn
Service Set Config service_name = Processor True 1
Fn
Service Get Info service_name = Processor True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = ProfSvc False 1
Fn
Service Set Config service_name = ProfSvc True 1
Fn
Service Get Info service_name = ProfSvc True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = ProtectedStorage False 1
Fn
Service Set Config service_name = ProtectedStorage True 1
Fn
Service Get Info service_name = ProtectedStorage True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = Psched False 1
Fn
Service Set Config service_name = Psched True 1
Fn
Service Get Info service_name = Psched True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = ql2300 False 1
Fn
Service Set Config service_name = ql2300 True 1
Fn
Service Get Info service_name = ql2300 True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = ql40xx False 1
Fn
Service Set Config service_name = ql40xx True 1
Fn
Service Get Info service_name = ql40xx True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = QWAVE False 1
Fn
Service Set Config service_name = QWAVE True 1
Fn
Service Get Info service_name = QWAVE True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = QWAVEdrv False 1
Fn
Service Set Config service_name = QWAVEdrv True 1
Fn
Service Get Info service_name = QWAVEdrv True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = RasAcd False 1
Fn
Service Set Config service_name = RasAcd True 1
Fn
Service Get Info service_name = RasAcd True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = RasAgileVpn False 1
Fn
Service Set Config service_name = RasAgileVpn True 1
Fn
Service Get Info service_name = RasAgileVpn True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = RasAuto False 1
Fn
Service Set Config service_name = RasAuto True 1
Fn
Service Get Info service_name = RasAuto True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = Rasl2tp False 1
Fn
Service Set Config service_name = Rasl2tp True 1
Fn
Service Get Info service_name = Rasl2tp True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = RasMan False 1
Fn
Service Set Config service_name = RasMan True 1
Fn
Service Get Info service_name = RasMan True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = RasPppoe False 1
Fn
Service Set Config service_name = RasPppoe True 1
Fn
Service Get Info service_name = RasPppoe True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = RasSstp False 1
Fn
Service Set Config service_name = RasSstp True 1
Fn
Service Get Info service_name = RasSstp True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = rdbss False 1
Fn
Service Set Config service_name = rdbss True 1
Fn
Service Get Info service_name = rdbss True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = rdpbus False 1
Fn
Service Set Config service_name = rdpbus True 1
Fn
Service Get Info service_name = rdpbus True 1
Fn
Service Open database_name = ServicesActive True 1
Fn
Service Get Info service_name = RDPCDD False 1
Fn
Service Set Config service_name = RDPCDD True 1
Fn
Service Get Info service_name = RDPCDD True 1
Fn
For performance reasons, the remaining 543 entries are omitted.
The remaining entries can be found in glog.xml.
Process #5: cmd.exe
57 0
Information Value
ID #5
File Name c:\windows\system32\cmd.exe
Command Line C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:44, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:34
OS Process Information
Information Value
PID 0xa54
Parent PID 0xa38 (c:\users\eebsym5\appdata\local\temp\_aaq.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False -
private_0x00000000000f0000 0x000f0000 0x000fffff Private Memory Readable, Writable True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory Readable, Writable True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000270000 0x00270000 0x00337fff Pagefile Backed Memory Readable True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000470000 0x00470000 0x00570fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000580000 0x00580000 0x0117ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001180000 0x01180000 0x012e2fff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x012f0000 0x015befff Memory Mapped File Readable False False False -
cmd.exe 0x4a320000 0x4a36bfff Memory Mapped File Readable, Writable, Executable True False False -
winbrand.dll 0x73120000 0x73126fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f70000 0x75fb9fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x761d0000 0x762a3fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x762b0000 0x762cefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x765f0000 0x765f9fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x773f0000 0x7748cfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77720000 0x777cbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77ad0000 0x77b98fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77ba0000 0x77c6bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77c80000 0x77ccdfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Threads
Thread 0xa58
57 0
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-03-15 15:15:26 (UTC) True 1
Fn
System Get Time type = Ticks, time = 98967 True 1
Fn
Module Get Handle module_name = c:\windows\system32\cmd.exe, base_address = 0x4a320000 True 1
Fn
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x761d0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x762224c2 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System False 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 3
Fn
File Open filename = STD_INPUT_HANDLE True 2
Fn
Environment Get Environment String - True 2
Fn
Data
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 208, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE False 1 Fn
Module Get Filename process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1 Fn
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1 Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1 Fn
Environment Get Environment String name = PROMPT False 1 Fn
Environment Set Environment String name = PROMPT, value = $P$G True 1 Fn
Environment Get Environment String - True 1 Fn Data
Environment Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1 Fn
Environment Get Environment String name = KEYS False 1 Fn
File Get Info filename = C:\Users\EEBsYm5\Desktop, type = file_attributes True 2 Fn
Environment Set Environment String name = =C:, value = C:\Users\EEBsYm5\Desktop True 1 Fn
Environment Get Environment String - True 1 Fn Data
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x761d0000 True 1 Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7620ac6c True 1 Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76213ea8 True 1 Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76222732 True 1 Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1 Fn
Process Create process_name = c:\Windows\system32\vssadmin.exe, os_pid = 0xb20, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1 Fn
Environment Set Environment String name = COPYCMD True 1 Fn
Environment Get Environment String - True 1 Fn Data
Environment Set Environment String name = =ExitCode, value = 00000002 True 1 Fn
Environment Get Environment String - True 1 Fn Data
Environment Set Environment String name = =ExitCodeAscii True 1 Fn
Environment Get Environment String - True 1 Fn Data
File Open filename = STD_OUTPUT_HANDLE True 2 Fn
File Open filename = STD_INPUT_HANDLE True 2 Fn
Process #6: vssadmin.exe
0 0
Information Value
ID #6
File Name c:\windows\system32\vssadmin.exe
Command Line c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:47, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:31
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb20
Parent PID 0xa54 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB24
0xB28
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000070000 0x00070000 0x0007ffff Private Memory Readable, Writable True False False -
vssadmin.exe.mui 0x00080000 0x0008cfff Memory Mapped File Readable, Writable False False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory Readable, Writable True False False -
private_0x00000000000a0000 0x000a0000 0x000a0fff Private Memory Readable, Writable True False False -
private_0x00000000000b0000 0x000b0000 0x000effff Private Memory Readable, Writable True False False -
locale.nls 0x000f0000 0x00156fff Memory Mapped File Readable False False False -
pagefile_0x0000000000160000 0x00160000 0x00227fff Pagefile Backed Memory Readable True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000390000 0x00390000 0x00490fff Pagefile Backed Memory Readable True False False -
vssadmin.exe 0x00c30000 0x00c4efff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000c50000 0x00c50000 0x0184ffff Pagefile Backed Memory Readable True False False -
vsstrace.dll 0x72710000 0x7271ffff Memory Mapped File Readable, Writable, Executable False False False -
vssapi.dll 0x72720000 0x72835fff Memory Mapped File Readable, Writable, Executable False False False -
atl.dll 0x741f0000 0x74203fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75e20000 0x75e2bfff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f70000 0x75fb9fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x761d0000 0x762a3fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x762b0000 0x762cefff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x762e0000 0x762f8fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x765f0000 0x765f9fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x76700000 0x7679ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x773f0000 0x7748cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77550000 0x775f0fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x77690000 0x7771efff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77720000 0x777cbfff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x77970000 0x77acbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77ad0000 0x77b98fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77ba0000 0x77c6bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77c80000 0x77ccdfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffd3000 0x7ffd3000 0x7ffd3fff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Process #7: cmd.exe
59 0
Information Value
ID #7
File Name c:\windows\system32\cmd.exe
Command Line C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:48, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:30
OS Process Information
Information Value
PID 0xb3c
Parent PID 0xa38 (c:\users\eebsym5\appdata\local\temp\_aaq.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000150000 0x00150000 0x00156fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000160000 0x00160000 0x00161fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory Readable, Writable True False False -
private_0x0000000000180000 0x00180000 0x0027ffff Private Memory Readable, Writable True False False -
locale.nls 0x00280000 0x002e6fff Memory Mapped File Readable False False False -
pagefile_0x00000000002f0000 0x002f0000 0x003b7fff Pagefile Backed Memory Readable True False False -
private_0x00000000003c0000 0x003c0000 0x003c0fff Private Memory Readable, Writable True False False -
private_0x00000000003f0000 0x003f0000 0x003fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000400000 0x00400000 0x00500fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000510000 0x00510000 0x0110ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001110000 0x01110000 0x01272fff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01280000 0x0154efff Memory Mapped File Readable False False False -
cmd.exe 0x4a990000 0x4a9dbfff Memory Mapped File Readable, Writable, Executable True False False -
winbrand.dll 0x73120000 0x73126fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f70000 0x75fb9fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x761d0000 0x762a3fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x762b0000 0x762cefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x765f0000 0x765f9fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x773f0000 0x7748cfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77720000 0x777cbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77ad0000 0x77b98fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77ba0000 0x77c6bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77c80000 0x77ccdfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Threads
Thread 0xb40
59 0
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-03-15 15:15:27 (UTC) True 1 Fn
System Get Time type = Ticks, time = 99778 True 1 Fn
Module Get Handle module_name = c:\windows\system32\cmd.exe, base_address = 0x4a990000 True 1 Fn
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x761d0000 True 1 Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x762224c2 True 1 Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System False 1 Fn
File Open filename = STD_OUTPUT_HANDLE True 3 Fn
File Open filename = STD_INPUT_HANDLE True 2 Fn
Environment Get Environment String - True 2 Fn Data
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 104, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE False 1 Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE False 1 Fn
Module Get Filename process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1 Fn
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1 Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1 Fn
Environment Get Environment String name = PROMPT False 1 Fn
Environment Set Environment String name = PROMPT, value = $P$G True 1 Fn
Environment Get Environment String - True 1 Fn Data
Environment Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1 Fn
Environment Get Environment String name = KEYS False 1 Fn
File Get Info filename = C:\Users\EEBsYm5\Desktop, type = file_attributes True 2 Fn
Environment Set Environment String name = =C:, value = C:\Users\EEBsYm5\Desktop True 1 Fn
Environment Get Environment String - True 1 Fn Data
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x761d0000 True 1 Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7620ac6c True 1 Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76213ea8 True 1 Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76222732 True 1 Fn
File Get Info filename = wbadmin.exe, type = file_attributes False 1 Fn
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1 Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1 Fn
Process Create process_name = C:\Windows\system32\wbadmin.exe, os_pid = 0xb54, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1 Fn
Environment Set Environment String name = COPYCMD True 1 Fn
Environment Get Environment String - True 1 Fn Data
Environment Set Environment String name = =ExitCode, value = 00000000 True 1 Fn
Environment Get Environment String - True 1 Fn Data
Environment Set Environment String name = =ExitCodeAscii True 1 Fn
Environment Get Environment String - True 1 Fn Data
File Open filename = STD_OUTPUT_HANDLE True 2 Fn
File Open filename = STD_INPUT_HANDLE True 2 Fn
Process #8: wbadmin.exe
0 0
Information Value
ID #8
File Name c:\windows\system32\wbadmin.exe
Command Line wbadmin.exe delete catalog -quiet
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:48, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:30
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb54
Parent PID 0xb3c (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xB58
0xB5C
0xB64
0xB68
0xB6C
0xB70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory Readable, Writable True False False -
wbadmin.exe.mui 0x000e0000 0x0010afff Memory Mapped File Readable, Writable False False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory Readable, Writable True False False -
private_0x0000000000120000 0x00120000 0x00120fff Private Memory Readable, Writable True False False -
private_0x0000000000130000 0x00130000 0x0016ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000170000 0x00170000 0x00237fff Pagefile Backed Memory Readable True False False -
private_0x0000000000240000 0x00240000 0x0033ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000340000 0x00340000 0x00440fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000450000 0x00450000 0x00451fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000460000 0x00460000 0x00460fff Pagefile Backed Memory Readable True False False -
private_0x0000000000470000 0x00470000 0x0047ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000480000 0x00480000 0x00481fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000490000 0x00490000 0x00490fff Pagefile Backed Memory Readable True False False -
wbadmin.exe 0x00510000 0x00549fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000550000 0x00550000 0x0114ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001150000 0x01150000 0x01542fff Pagefile Backed Memory Readable True False False -
private_0x0000000001590000 0x01590000 0x015cffff Private Memory Readable, Writable True False False -
private_0x0000000001620000 0x01620000 0x0165ffff Private Memory Readable, Writable True False False -
private_0x00000000016e0000 0x016e0000 0x0171ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x01720000 0x019eefff Memory Mapped File Readable False False False -
private_0x0000000001a90000 0x01a90000 0x01acffff Private Memory Readable, Writable True False False -
private_0x0000000001b20000 0x01b20000 0x01b5ffff Private Memory Readable, Writable True False False -
credui.dll 0x72f00000 0x72f2afff Memory Mapped File Readable, Writable, Executable False False False -
blb_ps.dll 0x72f50000 0x72f59fff Memory Mapped File Readable, Writable, Executable False False False -
slc.dll 0x741c0000 0x741c9fff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x74eb0000 0x7504dfff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x75740000 0x7577afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x759a0000 0x759b5fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75e20000 0x75e2bfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x75ec0000 0x75ecdfff Memory Mapped File Readable, Writable, Executable False False False -
devobj.dll 0x75f50000 0x75f61fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f70000 0x75fb9fff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x76170000 0x76196fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x761d0000 0x762a3fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x762b0000 0x762cefff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x762e0000 0x762f8fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x76300000 0x76356fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x765f0000 0x765f9fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x76700000 0x7679ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x773f0000 0x7748cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77550000 0x775f0fff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x77600000 0x77682fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x77690000 0x7771efff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77720000 0x777cbfff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x77970000 0x77acbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77ad0000 0x77b98fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77ba0000 0x77c6bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77c80000 0x77ccdfff Memory Mapped File Readable, Writable, Executable False False False -
setupapi.dll 0x77cd0000 0x77e6cfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory Readable, Writable True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory Readable, Writable True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory Readable, Writable True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory Readable, Writable True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Process #12: cmd.exe
68 0
Information Value
ID #12
File Name c:\windows\system32\cmd.exe
Command Line C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:50, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:28
OS Process Information
Information Value
PID 0xbec
Parent PID 0xa38 (c:\users\eebsym5\appdata\local\temp\_aaq.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xBF0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory Readable, Writable True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory Readable, Writable True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000400000 0x00400000 0x004c7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000004d0000 0x004d0000 0x005d0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000005e0000 0x005e0000 0x011dffff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000011e0000 0x011e0000 0x01342fff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01350000 0x0161efff Memory Mapped File Readable False False False -
cmd.exe 0x49de0000 0x49e2bfff Memory Mapped File Readable, Writable, Executable True False False -
winbrand.dll 0x72ec0000 0x72ec6fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f70000 0x75fb9fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x761d0000 0x762a3fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x762b0000 0x762cefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x765f0000 0x765f9fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x773f0000 0x7748cfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77720000 0x777cbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77ad0000 0x77b98fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77ba0000 0x77c6bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77c80000 0x77ccdfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Threads
Thread 0xbf0
68 0
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-03-15 15:15:29 (UTC) True 1 Fn
System Get Time type = Ticks, time = 101993 True 1 Fn
Module Get Handle module_name = c:\windows\system32\cmd.exe, base_address = 0x49de0000 True 1 Fn
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x761d0000 True 1 Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x762224c2 True 1 Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System False 1 Fn
File Open filename = STD_OUTPUT_HANDLE True 3 Fn
File Open filename = STD_INPUT_HANDLE True 2 Fn
Environment Get Environment String - True 2 Fn Data
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 136, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE False 1 Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE False 1 Fn
Module Get Filename process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1 Fn
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1 Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1 Fn
Environment Get Environment String name = PROMPT False 1 Fn
Environment Set Environment String name = PROMPT, value = $P$G True 1 Fn
Environment Get Environment String - True 1 Fn Data
Environment Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1 Fn
Environment Get Environment String name = KEYS False 1 Fn
File Get Info filename = C:\Users\EEBsYm5\Desktop, type = file_attributes True 2 Fn
Environment Set Environment String name = =C:, value = C:\Users\EEBsYm5\Desktop True 1 Fn
Environment Get Environment String - True 1 Fn Data
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x761d0000 True 1 Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7620ac6c True 1 Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76213ea8 True 1 Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76222732 True 1 Fn
File Get Info filename = bcdedit.exe, type = file_attributes False 1 Fn
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1 Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1 Fn
Process Create process_name = C:\Windows\system32\bcdedit.exe, os_pid = 0xc04, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1 Fn
Environment Set Environment String name = COPYCMD True 1 Fn
Environment Get Environment String - True 1 Fn Data
Environment Set Environment String name = =ExitCode, value = 00000000 True 1 Fn
Environment Get Environment String - True 1 Fn Data
Environment Set Environment String name = =ExitCodeAscii True 1 Fn
Environment Get Environment String - True 1 Fn Data
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1 Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1 Fn
Process Create process_name = C:\Windows\system32\bcdedit.exe, os_pid = 0xc0c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1 Fn
Environment Set Environment String name = COPYCMD True 1 Fn
Environment Get Environment String - True 1 Fn Data
Environment Set Environment String name = =ExitCode, value = 00000000 True 1 Fn
Environment Get Environment String - True 1 Fn Data
Environment Set Environment String name = =ExitCodeAscii True 1 Fn
Environment Get Environment String - True 1
Fn
Data
File Open filename = STD_OUTPUT_HANDLE True 2
Fn
File Open filename = STD_INPUT_HANDLE True 2
Fn
Process #13: bcdedit.exe
0 0
Information Value
ID #13
File Name c:\windows\system32\bcdedit.exe
Command Line bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:50, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:28
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc04
Parent PID 0xbec (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC08
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
private_0x00000000000b0000 0x000b0000 0x000effff Private Memory Readable, Writable True False False -
bcdedit.exe 0x00180000 0x001c9fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Process #14: bcdedit.exe
0 0
Information Value
ID #14
File Name c:\windows\system32\bcdedit.exe
Command Line bcdedit /set {default} recoveryenabled no
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:51, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:27
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc0c
Parent PID 0xbec (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC10
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
private_0x0000000000210000 0x00210000 0x0024ffff Private Memory Readable, Writable True False False -
bcdedit.exe 0x00980000 0x009c9fff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Process #15: cmd.exe
59 0
Information Value
ID #15
File Name c:\windows\system32\cmd.exe
Command Line C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:51, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:27
OS Process Information
Information Value
PID 0xc14
Parent PID 0xa38 (c:\users\eebsym5\appdata\local\temp\_aaq.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC18
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000150000 0x00150000 0x00156fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000160000 0x00160000 0x00161fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory Readable, Writable True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory Readable, Writable True False False -
private_0x00000000001a0000 0x001a0000 0x0029ffff Private Memory Readable, Writable True False False -
locale.nls 0x002a0000 0x00306fff Memory Mapped File Readable False False False -
pagefile_0x0000000000310000 0x00310000 0x003d7fff Pagefile Backed Memory Readable True False False -
private_0x0000000000430000 0x00430000 0x0043ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000440000 0x00440000 0x00540fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000550000 0x00550000 0x0114ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001150000 0x01150000 0x012b2fff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x012c0000 0x0158efff Memory Mapped File Readable False False False -
cmd.exe 0x4a200000 0x4a24bfff Memory Mapped File Readable, Writable, Executable True False False -
winbrand.dll 0x73120000 0x73126fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f70000 0x75fb9fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x761d0000 0x762a3fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x762b0000 0x762cefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x765f0000 0x765f9fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x773f0000 0x7748cfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77720000 0x777cbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77ad0000 0x77b98fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77ba0000 0x77c6bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77c80000 0x77ccdfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffd3000 0x7ffd3000 0x7ffd3fff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Threads
Thread 0xc18
59 0
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-03-15 15:15:30 (UTC) True 1
Fn
System Get Time type = Ticks, time = 102196 True 1
Fn
Module Get Handle module_name = c:\windows\system32\cmd.exe, base_address = 0x4a200000 True 1
Fn
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x761d0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x762224c2 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System False 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 3
Fn
File Open filename = STD_INPUT_HANDLE True 2
Fn
Environment Get Environment String - True 2
Fn
Data
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Module Get Filename process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Environment Get Environment String name = PROMPT False 1
Fn
Environment Set Environment String name = PROMPT, value = $P$G True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Environment Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Environment Get Environment String name = KEYS False 1
Fn
File Get Info filename = C:\Users\EEBsYm5\Desktop, type = file_attributes True 2
Fn
Environment Set Environment String name = =C:, value = C:\Users\EEBsYm5\Desktop True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x761d0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7620ac6c True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76213ea8 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76222732 True 1
Fn
File Get Info filename = wevtutil.exe, type = file_attributes False 1
Fn
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Process Create process_name = C:\Windows\system32\wevtutil.exe, os_pid = 0xc2c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Environment Set Environment String name = COPYCMD True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Environment Set Environment String name = =ExitCode, value = 00000000 True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Environment Set Environment String name = =ExitCodeAscii True 1
Fn
Environment Get Environment String - True 1
Fn
Data
File Open filename = STD_OUTPUT_HANDLE True 2
Fn
File Open filename = STD_INPUT_HANDLE True 2
Fn
Process #16: wevtutil.exe
0 0
Information Value
ID #16
File Name c:\windows\system32\wevtutil.exe
Command Line wevtutil.exe cl System
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:51, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:27
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc2c
Parent PID 0xc14 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC30
0xC34
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
locale.nls 0x00090000 0x000f6fff Memory Mapped File Readable False False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000240000 0x00240000 0x00307fff Pagefile Backed Memory Readable True False False -
private_0x0000000000360000 0x00360000 0x0036ffff Private Memory Readable, Writable True False False -
wevtutil.exe 0x004a0000 0x004ccfff Memory Mapped File Readable, Writable, Executable False False False -
credui.dll 0x72f00000 0x72f2afff Memory Mapped File Readable, Writable, Executable False False False -
wevtapi.dll 0x75b60000 0x75ba1fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f70000 0x75fb9fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x761d0000 0x762a3fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x762b0000 0x762cefff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x762e0000 0x762f8fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x765f0000 0x765f9fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x76700000 0x7679ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x773f0000 0x7748cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77550000 0x775f0fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x77690000 0x7771efff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77720000 0x777cbfff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x77970000 0x77acbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77ad0000 0x77b98fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77ba0000 0x77c6bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77c80000 0x77ccdfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Process #17: cmd.exe
59 0
Information Value
ID #17
File Name c:\windows\system32\cmd.exe
Command Line C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:51, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:27
OS Process Information
Information Value
PID 0xc50
Parent PID 0xa38 (c:\users\eebsym5\appdata\local\temp\_aaq.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC54
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000c0000 0x000c0000 0x00187fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000190000 0x00190000 0x00196fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000001b0000 0x001b0000 0x001b0fff Private Memory Readable, Writable True False False -
private_0x00000000001c0000 0x001c0000 0x001c0fff Private Memory Readable, Writable True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory Readable, Writable True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000480000 0x00480000 0x00580fff Pagefile Backed Memory Readable True False False -
private_0x0000000000670000 0x00670000 0x0067ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000680000 0x00680000 0x0127ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001280000 0x01280000 0x013e2fff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x013f0000 0x016befff Memory Mapped File Readable False False False -
cmd.exe 0x4a640000 0x4a68bfff Memory Mapped File Readable, Writable, Executable True False False -
winbrand.dll 0x72ec0000 0x72ec6fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f70000 0x75fb9fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x761d0000 0x762a3fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x762b0000 0x762cefff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x765f0000 0x765f9fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x773f0000 0x7748cfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77720000 0x777cbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77ad0000 0x77b98fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77ba0000 0x77c6bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77c80000 0x77ccdfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Threads
Thread 0xc54
59 0
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-03-15 15:15:30 (UTC) True 1
Fn
System Get Time type = Ticks, time = 102586 True 1
Fn
Module Get Handle module_name = c:\windows\system32\cmd.exe, base_address = 0x4a640000 True 1
Fn
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x761d0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x762224c2 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System False 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 3
Fn
File Open filename = STD_INPUT_HANDLE True 2
Fn
Environment Get Environment String - True 2
Fn
Data
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 72, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Module Get Filename process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Environment Get Environment String name = PROMPT False 1
Fn
Environment Set Environment String name = PROMPT, value = $P$G True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Environment Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Environment Get Environment String name = KEYS False 1
Fn
File Get Info filename = C:\Users\EEBsYm5\Desktop, type = file_attributes True 2
Fn
Environment Set Environment String name = =C:, value = C:\Users\EEBsYm5\Desktop True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x761d0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7620ac6c True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76213ea8 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76222732 True 1
Fn
File Get Info filename = wevtutil.exe, type = file_attributes False 1
Fn
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Process Create process_name = C:\Windows\system32\wevtutil.exe, os_pid = 0xc68, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Environment Set Environment String name = COPYCMD True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Environment Set Environment String name = =ExitCode, value = 00000000 True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Environment Set Environment String name = =ExitCodeAscii True 1
Fn
Environment Get Environment String - True 1
Fn
Data
File Open filename = STD_OUTPUT_HANDLE True 2
Fn
File Open filename = STD_INPUT_HANDLE True 2
Fn
Process #18: wevtutil.exe
0 0
Information Value
ID #18
File Name c:\windows\system32\wevtutil.exe
Command Line wevtutil.exe cl Security
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:51, Reason: Child Process
Unmonitor End Time: 00:01:18, Reason: Terminated by Timeout
Monitor Duration 00:00:27
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xc68
Parent PID 0xc50 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC6C
0xC70
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory Readable, Writable True False False -
private_0x00000000001d0000 0x001d0000 0x0020ffff Private Memory Readable, Writable True False False -
wevtutil.exe 0x00260000 0x0028cfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000290000 0x00290000 0x00357fff Pagefile Backed Memory Readable True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory Readable, Writable True False False -
credui.dll 0x72f00000 0x72f2afff Memory Mapped File Readable, Writable, Executable False False False -
wevtapi.dll 0x75b60000 0x75ba1fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75f70000 0x75fb9fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x761d0000 0x762a3fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x762b0000 0x762cefff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x762e0000 0x762f8fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x765f0000 0x765f9fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x76700000 0x7679ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x773f0000 0x7748cfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77550000 0x775f0fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x77690000 0x7771efff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77720000 0x777cbfff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x77970000 0x77acbfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x77ad0000 0x77b98fff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x77ba0000 0x77c6bfff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x77c80000 0x77ccdfff Memory Mapped File Readable, Writable, Executable False False False -
apisetschema.dll 0x77e80000 0x77e80fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77ec0000 0x77ffbfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory Readable, Writable True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False -
Function Logfile
(Requires an online connection to the VMRay backend; not included in this offline copy of the report.)
Screenshot (Before / After)
(Requires an online connection to the VMRay backend; not included in this offline copy of the report.)