Lotus Blossom Malspam | Grouped Behavior
VTI SCORE: 100/100
Target: win7_64_sp1-mso2016 | ms_office
Classification: Trojan, Dropper, Downloader

d3fc69a9f2ae2c446434abbfbe1693ef0f81a5da0a7f39d27c80d85f4a49c411 (SHA256)

DoNotOpen2.doc

Word Document

Created at 2018-02-02 16:47:00

Notifications (2/2)

Some memory dumps may be missing in the reports since the total dump size limit was reached during the analysis. You can increase the limit in the configuration settings.

The operating system was rebooted during the analysis.

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0xa0c Analysis Target Medium winword.exe "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -
#2 0xacc RPC Server Medium eqnedt32.exe "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding #1
#3 0xae4 Child Process Medium iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" #2
#6 0xb34 Child Process Medium eqnedt32.exe "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding #1

Behavior Information - Grouped by Category

Process #1: winword.exe
Information Value
ID #1
File Name c:\program files\microsoft office\root\office16\winword.exe
Command Line "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:00:17, Reason: Analysis Target
Unmonitor End Time: 00:02:32, Reason: Terminated by Timeout
Monitor Duration 00:02:15
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa0c
Parent PID 0x584 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA5C, 0xA58, 0xA54, 0xA50, 0xA4C, 0xA48, 0xA44, 0xA2C, 0xA20, 0xA1C, 0xA18, 0xA14, 0xA10, 0xA88, 0xA8C, 0xA90, 0xA94, 0xA98, 0xA9C, 0xAA4, 0xAA8, 0xAAC, 0xB64
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable False False False -
pagefile_0x0000000000020000 0x00020000 0x00020fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000000000040000 0x00040000 0x00043fff Pagefile Backed Memory Readable False False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory Readable False False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory Readable, Writable False False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable False False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff Pagefile Backed Memory Readable, Writable False False False -
pagefile_0x0000000000100000 0x00100000 0x00106fff Pagefile Backed Memory Readable False False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000000210000 0x00210000 0x00211fff Pagefile Backed Memory Readable, Writable False False False -
private_0x0000000000220000 0x00220000 0x00220fff Private Memory Readable, Writable False False False -
private_0x0000000000230000 0x00230000 0x00230fff Private Memory Readable, Writable False False False -
pagefile_0x0000000000240000 0x00240000 0x00241fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000000000250000 0x00250000 0x00251fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000000000260000 0x00260000 0x00262fff Pagefile Backed Memory Readable False False False -
private_0x0000000000270000 0x00270000 0x0027ffff Private Memory - False False False -
pagefile_0x0000000000280000 0x00280000 0x00282fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000000000290000 0x00290000 0x00292fff Pagefile Backed Memory Readable False False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a2fff Pagefile Backed Memory Readable False False False -
private_0x00000000002b0000 0x002b0000 0x002bffff Private Memory Readable, Writable False False False -
pagefile_0x00000000002c0000 0x002c0000 0x002c2fff Pagefile Backed Memory Readable False False False -
private_0x00000000002d0000 0x002d0000 0x0030ffff Private Memory Readable, Writable False False False -
private_0x0000000000310000 0x00310000 0x00317fff Private Memory Readable, Writable False False False -
pagefile_0x0000000000320000 0x00320000 0x00321fff Pagefile Backed Memory Readable False False False -
private_0x0000000000330000 0x00330000 0x00330fff Private Memory Readable, Writable False False False -
private_0x0000000000340000 0x00340000 0x00340fff Private Memory Readable, Writable False False False -
private_0x0000000000340000 0x00340000 0x00340fff Private Memory Readable, Writable True True False
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory Readable, Writable False False False -
private_0x0000000000450000 0x00450000 0x0054ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000000550000 0x00550000 0x006d7fff Pagefile Backed Memory Readable False False False -
pagefile_0x00000000006e0000 0x006e0000 0x00860fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000000000870000 0x00870000 0x01c6ffff Pagefile Backed Memory Readable False False False -
sortdefault.nls 0x01c70000 0x01f3efff Memory Mapped File Readable False False False -
pagefile_0x0000000001f40000 0x01f40000 0x02332fff Pagefile Backed Memory Readable False False False -
private_0x0000000002340000 0x02340000 0x0243ffff Private Memory Readable, Writable False False False -
private_0x0000000002440000 0x02440000 0x02440fff Private Memory Readable, Writable False False False -
private_0x0000000002440000 0x02440000 0x02451fff Private Memory Readable, Writable True True False
private_0x0000000002450000 0x02450000 0x02450fff Private Memory Readable, Writable False False False -
private_0x0000000002460000 0x02460000 0x02487fff Private Memory Readable, Writable False False False -
private_0x0000000002460000 0x02460000 0x0246efff Private Memory Readable, Writable True True False
private_0x0000000002490000 0x02490000 0x02490fff Private Memory Readable, Writable False False False -
private_0x00000000024a0000 0x024a0000 0x0251ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000002520000 0x02520000 0x025fefff Pagefile Backed Memory Readable False False False -
pagefile_0x0000000002600000 0x02600000 0x02604fff Pagefile Backed Memory Readable, Writable False False False -
private_0x0000000002610000 0x02610000 0x0261ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000002620000 0x02620000 0x02620fff Pagefile Backed Memory Readable False False False -
pagefile_0x0000000002630000 0x02630000 0x02630fff Pagefile Backed Memory Readable False False False -
private_0x0000000002640000 0x02640000 0x0273ffff Private Memory Readable, Writable False False False -
kernelbase.dll.mui 0x02740000 0x027fffff Memory Mapped File Readable, Writable False False False -
private_0x0000000002800000 0x02800000 0x0286afff Private Memory Readable, Writable False False False -
private_0x0000000002800000 0x02800000 0x02811fff Private Memory Readable, Writable True True False
private_0x0000000002870000 0x02870000 0x02870fff Private Memory Readable, Writable False False False -
pagefile_0x0000000002880000 0x02880000 0x02881fff Pagefile Backed Memory Readable False False False -
msxml6r.dll 0x02890000 0x02890fff Memory Mapped File Readable False False False -
pagefile_0x00000000028a0000 0x028a0000 0x028a0fff Pagefile Backed Memory Readable, Writable False False False -
pagefile_0x00000000028b0000 0x028b0000 0x028b1fff Pagefile Backed Memory Readable False False False -
private_0x00000000028c0000 0x028c0000 0x029bffff Private Memory Readable, Writable False False False -
cfgmgr32.dll 0x029c0000 0x029f5fff Memory Mapped File Readable, Writable, Executable False False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000013.db 0x02a00000 0x02a24fff Memory Mapped File Readable False False False -
private_0x0000000002a30000 0x02a30000 0x02a30fff Private Memory Readable, Writable False False False -
private_0x0000000002a40000 0x02a40000 0x02b3ffff Private Memory Readable, Writable False False False -
private_0x0000000002b40000 0x02b40000 0x02d3ffff Private Memory Readable, Writable False False False -
segoeui.ttf 0x02d40000 0x02dbefff Memory Mapped File Readable False False False -
private_0x0000000002de0000 0x02de0000 0x02deffff Private Memory Readable, Writable False False False -
private_0x0000000002e10000 0x02e10000 0x02e1ffff Private Memory Readable, Writable False False False -
private_0x0000000002e40000 0x02e40000 0x02e41fff Private Memory Readable, Writable True True False
private_0x0000000002e80000 0x02e80000 0x02f7ffff Private Memory Readable, Writable False False False -
private_0x0000000002fc0000 0x02fc0000 0x02fdefff Private Memory Readable, Writable True True False
private_0x0000000002fc0000 0x02fc0000 0x02fc1fff Private Memory Readable, Writable True True False
private_0x0000000002ff0000 0x02ff0000 0x030effff Private Memory Readable, Writable False False False -
private_0x00000000030f0000 0x030f0000 0x03137fff Private Memory Readable, Writable True True False
private_0x0000000003140000 0x03140000 0x031bffff Private Memory Readable, Writable False False False -
private_0x00000000031c0000 0x031c0000 0x03207fff Private Memory Readable, Writable True True False
private_0x0000000003210000 0x03210000 0x0322efff Private Memory Readable, Writable True True False
private_0x0000000003210000 0x03210000 0x03211fff Private Memory Readable, Writable True True False
private_0x0000000003230000 0x03230000 0x03230fff Private Memory Readable, Writable True True False
private_0x0000000003260000 0x03260000 0x0335ffff Private Memory Readable, Writable False False False -
private_0x0000000003360000 0x03360000 0x0337dfff Private Memory Readable, Writable True True False
private_0x0000000003360000 0x03360000 0x03361fff Private Memory Readable, Writable True True False
private_0x0000000003380000 0x03380000 0x03381fff Private Memory Readable, Writable True True False
private_0x00000000033a0000 0x033a0000 0x0349ffff Private Memory Readable, Writable False False False -
pagefile_0x00000000034a0000 0x034a0000 0x0389ffff Pagefile Backed Memory Readable False False False -
staticcache.dat 0x038a0000 0x041cffff Memory Mapped File Readable False False False -
private_0x00000000041d0000 0x041d0000 0x042cffff Private Memory Readable, Writable False False False -
private_0x00000000042d0000 0x042d0000 0x042eefff Private Memory Readable, Writable True True False
private_0x00000000042d0000 0x042d0000 0x042d1fff Private Memory Readable, Writable True True False
private_0x00000000042f0000 0x042f0000 0x043effff Private Memory Readable, Writable False False False -
private_0x00000000043f0000 0x043f0000 0x043f0fff Private Memory Readable, Writable True True False
private_0x00000000043f0000 0x043f0000 0x043f1fff Private Memory Readable, Writable True True False
private_0x0000000004410000 0x04410000 0x04410fff Private Memory Readable, Writable True True False
private_0x0000000004410000 0x04410000 0x04411fff Private Memory Readable, Writable True True False
private_0x0000000004420000 0x04420000 0x0443efff Private Memory Readable, Writable True True False
private_0x0000000004430000 0x04430000 0x04431fff Private Memory Readable, Writable True True False
private_0x0000000004460000 0x04460000 0x04461fff Private Memory Readable, Writable True True False
private_0x0000000004470000 0x04470000 0x04470fff Private Memory Readable, Writable True True False
private_0x0000000004480000 0x04480000 0x0449efff Private Memory Readable, Writable True True False
private_0x00000000044a0000 0x044a0000 0x044befff Private Memory Readable, Writable True True False
private_0x00000000044c0000 0x044c0000 0x044cffff Private Memory Readable, Writable False False False -
private_0x0000000004540000 0x04540000 0x0455efff Private Memory Readable, Writable True True False
private_0x0000000004570000 0x04570000 0x04571fff Private Memory Readable, Writable True True False
private_0x0000000004580000 0x04580000 0x0458ffff Private Memory Readable, Writable False False False -
private_0x0000000004590000 0x04590000 0x0468ffff Private Memory Readable, Writable False False False -
private_0x00000000046a0000 0x046a0000 0x046a1fff Private Memory Readable, Writable True True False
private_0x00000000046c0000 0x046c0000 0x046e0fff Private Memory Readable, Writable True True False
private_0x0000000004730000 0x04730000 0x04731fff Private Memory Readable, Writable True True False
private_0x0000000004750000 0x04750000 0x04751fff Private Memory Readable, Writable True True False
private_0x0000000004760000 0x04760000 0x047dffff Private Memory Readable, Writable, Executable False False False -
pagefile_0x00000000047e0000 0x047e0000 0x04fdffff Pagefile Backed Memory Readable, Writable False False False -
private_0x0000000005060000 0x05060000 0x0515ffff Private Memory Readable, Writable False False False -
private_0x0000000005240000 0x05240000 0x0533ffff Private Memory Readable, Writable False False False -
private_0x0000000005340000 0x05340000 0x0573ffff Private Memory Readable, Writable False False False -
private_0x0000000005740000 0x05740000 0x0583ffff Private Memory Readable, Writable False False False -
pagefile_0x0000000005840000 0x05840000 0x0683ffff Pagefile Backed Memory Readable, Writable False False False -
private_0x0000000006840000 0x06840000 0x06971fff Private Memory Readable, Writable False False False -
private_0x0000000006840000 0x06840000 0x06841fff Private Memory Readable, Writable True True False
private_0x0000000006960000 0x06960000 0x06961fff Private Memory Readable, Writable True True False
private_0x0000000006980000 0x06980000 0x06981fff Private Memory Readable, Writable True True False
private_0x0000000006990000 0x06990000 0x06a0ffff Private Memory Readable, Writable False False False -
private_0x0000000006b10000 0x06b10000 0x06b8ffff Private Memory Readable, Writable False False False -
private_0x0000000006ba0000 0x06ba0000 0x06ba1fff Private Memory Readable, Writable True True False
private_0x0000000006cf0000 0x06cf0000 0x06d6ffff Private Memory Readable, Writable False False False -
private_0x0000000006d70000 0x06d70000 0x0716ffff Private Memory Readable, Writable False False False -
private_0x0000000007170000 0x07170000 0x0726ffff Private Memory Readable, Writable True True False
private_0x00000000071d0000 0x071d0000 0x072cffff Private Memory Readable, Writable False False False -
private_0x00000000073e0000 0x073e0000 0x0745ffff Private Memory Readable, Writable False False False -
private_0x0000000007460000 0x07460000 0x07c5ffff Private Memory Readable, Writable False False False -
private_0x0000000007c60000 0x07c60000 0x08060fff Private Memory Readable, Writable False False False -
private_0x0000000008070000 0x08070000 0x08470fff Private Memory Readable, Writable False False False -
private_0x0000000008480000 0x08480000 0x08880fff Private Memory Readable, Writable False False False -
private_0x0000000008890000 0x08890000 0x08a8ffff Private Memory Readable, Writable False False False -
private_0x000000000b090000 0x0b090000 0x0b18ffff Private Memory Readable, Writable True True False
private_0x000000000b1b0000 0x0b1b0000 0x0b2affff Private Memory Readable, Writable True True False
private_0x000000000b370000 0x0b370000 0x0b46ffff Private Memory Readable, Writable True True False
private_0x000000000b470000 0x0b470000 0x0bc6ffff Private Memory Readable, Writable True True False
private_0x000000000bdf0000 0x0bdf0000 0x0beeffff Private Memory Readable, Writable True True False
private_0x000000000ce60000 0x0ce60000 0x0d311fff Private Memory Readable, Writable True True False
private_0x000000000ce60000 0x0ce60000 0x0d21ffff Private Memory Readable, Writable True True False
private_0x000000000d480000 0x0d480000 0x0d57ffff Private Memory Readable, Writable True True False
private_0x000000000e7f0000 0x0e7f0000 0x0e9effff Private Memory Readable, Writable True True False
private_0x0000000036e80000 0x36e80000 0x36e8ffff Private Memory Readable, Writable, Executable False False False -
private_0x000000006fff0000 0x6fff0000 0x6fffffff Private Memory Readable, Writable, Executable False False False -
osppc.dll 0x74a10000 0x74a42fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x76e70000 0x76f69fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x76f70000 0x7708efff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77090000 0x77238fff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x77260000 0x77266fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable False False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable False False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable False False False -
winword.exe 0x13fe80000 0x14005afff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000007febe960000 0x7febe960000 0x7febe96ffff Private Memory Readable, Writable, Executable False False False -
chart.dll 0x7fee3f30000 0x7fee4a28fff Memory Mapped File Readable, Writable, Executable False False False -
riched20.dll 0x7fee4a30000 0x7fee4c52fff Memory Mapped File Readable, Writable, Executable False False False -
mscoreei.dll 0x7fee4d90000 0x7fee4e28fff Memory Mapped File Readable, Writable, Executable False False False -
mscoree.dll 0x7fee4e30000 0x7fee4e9efff Memory Mapped File Readable, Writable, Executable False False False -
dwrite.dll 0x7fee4ea0000 0x7fee501dfff Memory Mapped File Readable, Writable, Executable False False False -
d3d10warp.dll 0x7fee5020000 0x7fee51effff Memory Mapped File Readable, Writable, Executable False False False -
msptls.dll 0x7fee51f0000 0x7fee535ffff Memory Mapped File Readable, Writable, Executable False False False -
msores.dll 0x7fee5360000 0x7feea19efff Memory Mapped File Readable, Writable, Executable False False False -
mso99lres.dll 0x7feea1a0000 0x7feeaac0fff Memory Mapped File Readable, Writable, Executable False False False -
mso40uires.dll 0x7feeaad0000 0x7feeadd7fff Memory Mapped File Readable, Writable, Executable False False False -
mso.dll 0x7feeade0000 0x7feec0bbfff Memory Mapped File Readable, Writable, Executable False False False -
mso99lwin32client.dll 0x7feec0c0000 0x7feec88bfff Memory Mapped File Readable, Writable, Executable False False False -
mso40uiwin32client.dll 0x7feec890000 0x7feed17afff Memory Mapped File Readable, Writable, Executable False False False -
mso30win32client.dll 0x7feed180000 0x7feed5f7fff Memory Mapped File Readable, Writable, Executable False False False -
mso20win32client.dll 0x7feed600000 0x7feed903fff Memory Mapped File Readable, Writable, Executable False False False -
oart.dll 0x7feed910000 0x7feeea7bfff Memory Mapped File Readable, Writable, Executable False False False -
wwlib.dll 0x7feeea80000 0x7fef0e1efff Memory Mapped File Readable, Writable, Executable False False False -
msointl.dll 0x7fef0e90000 0x7fef100afff Memory Mapped File Readable, Writable, Executable False False False -
wwintl.dll 0x7fef1010000 0x7fef10cbfff Memory Mapped File Readable, Writable, Executable False False False -
d3d11.dll 0x7fef10d0000 0x7fef1195fff Memory Mapped File Readable, Writable, Executable False False False -
mlang.dll 0x7fef11a0000 0x7fef11dafff Memory Mapped File Readable, Writable, Executable False False False -
onbttnwd.dll 0x7fef12c0000 0x7fef12f9fff Memory Mapped File Readable, Writable, Executable False False False -
npmproxy.dll 0x7fef3780000 0x7fef378bfff Memory Mapped File Readable, Writable, Executable False False False -
api-ms-win-core-file-l1-2-0.dll 0x7fef3bb0000 0x7fef3bb2fff Memory Mapped File Readable, Writable, Executable False False False -
api-ms-win-core-processthreads-l1-1-1.dll 0x7fef3bc0000 0x7fef3bc2fff Memory Mapped File Readable, Writable, Executable False False False -
api-ms-win-core-synch-l1-2-0.dll 0x7fef3d90000 0x7fef3d92fff Memory Mapped File Readable, Writable, Executable False False False -
api-ms-win-core-localization-l1-2-0.dll 0x7fef3da0000 0x7fef3da2fff Memory Mapped File Readable, Writable, Executable False False False -
api-ms-win-core-file-l2-1-0.dll 0x7fef3db0000 0x7fef3db2fff Memory Mapped File Readable, Writable, Executable False False False -
api-ms-win-core-timezone-l1-1-0.dll 0x7fef3dc0000 0x7fef3dc2fff Memory Mapped File Readable, Writable, Executable False False False -
ucrtbase.dll 0x7fef3dd0000 0x7fef3ec1fff Memory Mapped File Readable, Writable, Executable False False False -
msimg32.dll 0x7fef3ed0000 0x7fef3ed6fff Memory Mapped File Readable, Writable, Executable False False False -
c2r64.dll 0x7fef3ee0000 0x7fef4008fff Memory Mapped File Readable, Writable, Executable False False False -
appvisvstream64.dll 0x7fef4010000 0x7fef4089fff Memory Mapped File Readable, Writable, Executable False False False -
appvisvsubsystems64.dll 0x7fef4090000 0x7fef42c5fff Memory Mapped File Readable, Writable, Executable False False False -
msxml6.dll 0x7fef4a60000 0x7fef4c51fff Memory Mapped File Readable, Writable, Executable False False False -
winspool.drv 0x7fef4cf0000 0x7fef4d60fff Memory Mapped File Readable, Writable, Executable False False False -
msointl30.dll 0x7fef5240000 0x7fef524efff Memory Mapped File Readable, Writable, Executable False False False -
sppc.dll 0x7fef5250000 0x7fef5276fff Memory Mapped File Readable, Writable, Executable False False False -
wbemsvc.dll 0x7fef5740000 0x7fef5753fff Memory Mapped File Readable, Writable, Executable False False False -
wbemprox.dll 0x7fef5a40000 0x7fef5a4efff Memory Mapped File Readable, Writable, Executable False False False -
ntdsapi.dll 0x7fef5a50000 0x7fef5a76fff Memory Mapped File Readable, Writable, Executable False False False -
fastprox.dll 0x7fef5a80000 0x7fef5b61fff Memory Mapped File Readable, Writable, Executable False False False -
wbemcomn.dll 0x7fef5bb0000 0x7fef5c35fff Memory Mapped File Readable, Writable, Executable False False False -
office.odf 0x7fef68c0000 0x7fef6a78fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000007fffff72000 0x7fffff72000 0x7fffff73fff Private Memory Readable, Writable True True False
private_0x000007fffff74000 0x7fffff74000 0x7fffff75fff Private Memory Readable, Writable True True False
private_0x000007fffff76000 0x7fffff76000 0x7fffff77fff Private Memory Readable, Writable True True False
private_0x000007fffffa2000 0x7fffffa2000 0x7fffffa3fff Private Memory Readable, Writable True True False
For performance reasons, the remaining 165 entries are omitted.
The remaining entries can be found in flog.txt.
Process #2: eqnedt32.exe
Information Value
ID #2
File Name c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe
Command Line "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:25, Reason: RPC Server
Unmonitor End Time: 00:02:32, Reason: Terminated by Timeout
Monitor Duration 00:02:07
OS Process Information
Information Value
PID 0xacc
Parent PID 0x258 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xAD0, 0xAD4, 0xAD8, 0xADC, 0xAE0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00020fff Pagefile Backed Memory Readable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True True False
pagefile_0x0000000000030000 0x00030000 0x00030fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True True False
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory Readable True False False -
locale.nls 0x001b0000 0x00216fff Memory Mapped File Readable False False False -
private_0x0000000000220000 0x00220000 0x00220fff Private Memory Readable, Writable True True False
private_0x0000000000230000 0x00230000 0x00230fff Private Memory Readable, Writable True True False
private_0x0000000000240000 0x00240000 0x0024ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000250000 0x00250000 0x00250fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000260000 0x00260000 0x00266fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000270000 0x00270000 0x00271fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000280000 0x00280000 0x00280fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory Readable True False False -
private_0x00000000002a0000 0x002a0000 0x0031ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000320000 0x00320000 0x003fefff Pagefile Backed Memory Readable True False False -
eqnedt32.exe 0x00400000 0x0048dfff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000490000 0x00490000 0x004cffff Private Memory Readable, Writable True True False
private_0x00000000004d0000 0x004d0000 0x0050ffff Private Memory Readable, Writable True True False
private_0x0000000000510000 0x00510000 0x0054ffff Private Memory Readable, Writable True True False
iexplore.exe.mui 0x00550000 0x00551fff Memory Mapped File Readable, Writable False False False -
private_0x0000000000580000 0x00580000 0x0067ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000680000 0x00680000 0x00807fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000810000 0x00810000 0x00990fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000009a0000 0x009a0000 0x01d9ffff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01da0000 0x0206efff Memory Mapped File Readable False False False -
pagefile_0x0000000002070000 0x02070000 0x02462fff Pagefile Backed Memory Readable True False False -
private_0x0000000002470000 0x02470000 0x0256ffff Private Memory Readable, Writable True True False
private_0x00000000025a0000 0x025a0000 0x025affff Private Memory Readable, Writable True True False
private_0x00000000025b0000 0x025b0000 0x026affff Private Memory Readable, Writable True True False
private_0x00000000026e0000 0x026e0000 0x026effff Private Memory Readable, Writable True True False
private_0x00000000026f0000 0x026f0000 0x02aeffff Private Memory Readable, Writable True True False
private_0x0000000002af0000 0x02af0000 0x02beffff Private Memory Readable, Writable True True False
private_0x0000000002bf0000 0x02bf0000 0x02c2ffff Private Memory Readable, Writable True True False
private_0x0000000002c30000 0x02c30000 0x02caffff Private Memory Readable, Writable True True False
private_0x0000000002ce0000 0x02ce0000 0x02d1ffff Private Memory Readable, Writable True True False
private_0x0000000002d20000 0x02d20000 0x02e1ffff Private Memory Readable, Writable True True False
kernelbase.dll.mui 0x02e20000 0x02edffff Memory Mapped File Readable, Writable False False False -
iexplore.exe 0x02ee0000 0x02f85fff Memory Mapped File Readable, Writable, Executable False False False -
iexplore.exe 0x02ee0000 0x02f84fff Memory Mapped File Readable False False False -
private_0x0000000002f90000 0x02f90000 0x02fcffff Private Memory Readable, Writable True True False
staticcache.dat 0x02fd0000 0x038fffff Memory Mapped File Readable False False False -
private_0x0000000003900000 0x03900000 0x039fffff Private Memory Readable, Writable True True False
eeintl.dll 0x3de20000 0x3de2dfff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000006fff0000 0x6fff0000 0x6fffffff Private Memory Readable, Writable, Executable True True False
msi.dll 0x744b0000 0x746effff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x746b0000 0x746eafff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x746f0000 0x74773fff Memory Mapped File Readable, Writable, Executable False False False -
c2r32.dll 0x74780000 0x7484afff Memory Mapped File Readable, Writable, Executable False False False -
appvisvsubsystems32.dll 0x74850000 0x74a04fff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x74a50000 0x74a62fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74a70000 0x74aeffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74b00000 0x74b07fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74b10000 0x74b6bfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74b70000 0x74baefff Memory Mapped File Readable, Writable, Executable False False False -
n.3 0x74bb0000 0x74bc5fff Memory Mapped File Readable, Writable, Executable True True False
rpcrtremote.dll 0x74bd0000 0x74bddfff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74be0000 0x74bf5fff Memory Mapped File Readable, Writable, Executable False False False -
api-ms-win-core-synch-l1-2-0.dll 0x74c00000 0x74c02fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x74c10000 0x74c1afff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x74c20000 0x74c36fff Memory Mapped File Readable, Writable, Executable False False False -
appvisvstream32.dll 0x74c40000 0x74ca4fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74dc0000 0x74dcbfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74dd0000 0x74e2ffff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x74e30000 0x74e8ffff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x74e90000 0x74ea8fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x750d0000 0x75126fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75130000 0x751bffff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75250000 0x75295fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x752a0000 0x7534bfff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75450000 0x755abfff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x755b0000 0x7564cfff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x75650000 0x756d2fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x756e0000 0x7577ffff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x75780000 0x75789fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x75790000 0x7588ffff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x759f0000 0x75afffff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x75b00000 0x75bcbfff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x75c50000 0x76899fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x76b60000 0x76beefff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x76d80000 0x76e6ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000076e70000 0x76e70000 0x76f69fff Private Memory Readable, Writable, Executable True True False
private_0x0000000076f70000 0x76f70000 0x7708efff Private Memory Readable, Writable, Executable True True False
ntdll.dll 0x77090000 0x77238fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77270000 0x773effff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True True False
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True True False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True True False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True True False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True True False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True True False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True True False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\aetadzjz\appdata\local\temp\eqnedt32.exe_c2rdll(20180123223931acc).log 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
Host Behavior
File (1)
Operation Filename Additional Information Success Count Logfile
Move C:\Users\aETAdzjz\AppData\Local\n.3 source_filename = C:\Users\aETAdzjz\AppData\Local\Temp\a.b, flags = MOVEFILE_REPLACE_EXISTING True 1
Fn
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Program Files (x86)\Internet Explorer\iexplore.exe os_pid = 0xae4, creation_flags = CREATE_SUSPENDED, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESIZE, show_window = SW_HIDE True 1
Fn
Thread (2)
Operation Process Additional Information Success Count Logfile
Create C:\Program Files (x86)\Internet Explorer\iexplore.exe proc_address = 0x75a049d7, proc_parameter = 393216, flags = THREAD_RUNS_IMMEDIATELY True 1
Fn
Create C:\Program Files (x86)\Internet Explorer\iexplore.exe proc_address = 0x74bb2238, proc_parameter = 0, flags = THREAD_RUNS_IMMEDIATELY True 1
Fn
Memory (2)
Operation Process Additional Information Success Count Logfile
Allocate C:\Program Files (x86)\Internet Explorer\iexplore.exe address = 0x60000, allocation_type = MEM_COMMIT, protection = PAGE_READWRITE, size = 36 True 1
Fn
Write C:\Program Files (x86)\Internet Explorer\iexplore.exe address = 0x60000, size = 36 True 1
Fn
Data
Module (12)
Operation Module Additional Information Success Count Logfile
Load C:\Users\aETAdzjz\AppData\Local\n.3 base_address = 0x74bb0000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x759f0000 True 1
Fn
Get Filename c:\users\aetadzjz\appdata\local\n.3 process_name = c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\n.3, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WinExec, address_out = 0x75a82c21 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathA, address_out = 0x75a2276c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileExA, address_out = 0x75a2ccc1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x75a07a10 True 1
Fn
Get Address c:\users\aetadzjz\appdata\local\n.3 function = 1, address_out = 0x74bb223d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x75a01072 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAllocEx, address_out = 0x75a1d9b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteProcessMemory, address_out = 0x75a1d9e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateRemoteThread, address_out = 0x75a8416b True 1
Fn
Mutex (1)
Operation Additional Information Success Count Logfile
Create mutex_name = donotbotherme True 1
Fn
Debug (1)
Operation Process Additional Information Success Count Logfile
Check for Presence c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe - True 1
Fn
Process #3: iexplore.exe
909 38
Information Value
ID #3
File Name c:\program files (x86)\internet explorer\iexplore.exe
Command Line "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:27, Reason: Child Process
Unmonitor End Time: 00:02:32, Reason: Terminated by Timeout
Monitor Duration 00:02:05
OS Process Information
Information Value
PID 0xae4
Parent PID 0xacc (c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x AE8
0x AEC
0x AF0
0x AF4
0x B08
0x B4C
0x B68
0x B6C
0x B84
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True True False
pagefile_0x0000000000030000 0x00030000 0x00031fff Pagefile Backed Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
private_0x0000000000060000 0x00060000 0x00060fff Private Memory Readable, Writable True True False
private_0x0000000000070000 0x00070000 0x000affff Private Memory Readable, Writable True True False
pagefile_0x0000000000070000 0x00070000 0x00084fff Pagefile Backed Memory Readable, Writable, Executable True False False -
pagefile_0x0000000000090000 0x00090000 0x000a5fff Pagefile Backed Memory Readable, Writable, Executable True False False -
iexplore.exe.mui 0x000b0000 0x000b1fff Memory Mapped File Readable, Writable False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory Readable, Writable True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory Readable, Writable True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000100000 0x00100000 0x00107fff Pagefile Backed Memory Readable, Writable True False False -
tzres.dll 0x00100000 0x00100fff Memory Mapped File Readable False False False -
private_0x0000000000110000 0x00110000 0x0014ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000150000 0x00150000 0x00157fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory Readable, Writable True True False
locale.nls 0x002b0000 0x00316fff Memory Mapped File Readable False False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory Readable, Writable True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory Readable, Writable True True False
private_0x0000000000420000 0x00420000 0x004bffff Private Memory Readable, Writable True True False
private_0x0000000000430000 0x00430000 0x0046ffff Private Memory Readable, Writable True False False -
private_0x0000000000460000 0x00460000 0x0049ffff Private Memory Readable, Writable True True False
private_0x0000000000480000 0x00480000 0x004bffff Private Memory Readable, Writable True False False -
private_0x00000000004f0000 0x004f0000 0x0056ffff Private Memory Readable, Writable True True False
private_0x00000000005f0000 0x005f0000 0x006effff Private Memory Readable, Writable True False False -
private_0x00000000006f0000 0x006f0000 0x0072ffff Private Memory Readable, Writable True False False -
private_0x0000000000790000 0x00790000 0x007cffff Private Memory Readable, Writable True False False -
private_0x00000000007f0000 0x007f0000 0x007fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000800000 0x00800000 0x00987fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000990000 0x00990000 0x00b10fff Pagefile Backed Memory Readable True False False -
private_0x0000000000b40000 0x00b40000 0x00c3ffff Private Memory Readable, Writable True True False
private_0x0000000000b60000 0x00b60000 0x00b9ffff Private Memory Readable, Writable True False False -
private_0x0000000000bc0000 0x00bc0000 0x00bfffff Private Memory Readable, Writable True False False -
private_0x0000000000c00000 0x00c00000 0x00cfffff Private Memory Readable, Writable True True False
kernelbase.dll.mui 0x00c00000 0x00cbffff Memory Mapped File Readable, Writable False False False -
private_0x0000000000cc0000 0x00cc0000 0x00cfffff Private Memory Readable, Writable True False False -
private_0x0000000000d30000 0x00d30000 0x00e2ffff Private Memory Readable, Writable True False False -
iexplore.exe 0x00f10000 0x00fb5fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000fc0000 0x00fc0000 0x023bffff Pagefile Backed Memory Readable True False False -
private_0x00000000023c0000 0x023c0000 0x033c0fff Private Memory Readable, Writable True False False -
private_0x00000000023e0000 0x023e0000 0x024dffff Private Memory Readable, Writable True False False -
private_0x00000000024e0000 0x024e0000 0x034e0fff Private Memory Readable, Writable True False False -
sortdefault.nls 0x024e0000 0x027aefff Memory Mapped File Readable False False False -
private_0x00000000027b0000 0x027b0000 0x0290ffff Private Memory Readable, Writable True True False
private_0x00000000027b0000 0x027b0000 0x028cffff Private Memory Readable, Writable True False False -
private_0x0000000002910000 0x02910000 0x02a0ffff Private Memory Readable, Writable True False False -
private_0x0000000002a10000 0x02a10000 0x02beffff Private Memory Readable, Writable True True False
private_0x0000000002a10000 0x02a10000 0x02bcffff Private Memory Readable, Writable True True False
pagefile_0x0000000002a10000 0x02a10000 0x02e02fff Pagefile Backed Memory Readable True False False -
private_0x0000000002be0000 0x02be0000 0x02beffff Private Memory Readable, Writable True True False
private_0x0000000002e70000 0x02e70000 0x02f6ffff Private Memory Readable, Writable True False False -
private_0x0000000002ff0000 0x02ff0000 0x030effff Private Memory Readable, Writable True False False -
private_0x0000000003210000 0x03210000 0x0324ffff Private Memory Readable, Writable True False False -
webio.dll 0x745d0000 0x7461efff Memory Mapped File Readable, Writable, Executable False False False -
winhttp.dll 0x74620000 0x74677fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x747a0000 0x747dbfff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc.dll 0x74850000 0x74861fff Memory Mapped File Readable, Writable, Executable False False False -
samlib.dll 0x74920000 0x74931fff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x74940000 0x74951fff Memory Mapped File Readable, Writable, Executable False False False -
samcli.dll 0x74940000 0x7494efff Memory Mapped File Readable, Writable, Executable False False False -
wkscli.dll 0x74950000 0x7495efff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x74960000 0x7496ffff Memory Mapped File Readable, Writable, Executable False False False -
srvcli.dll 0x74960000 0x74978fff Memory Mapped File Readable, Writable, Executable False False False -
netutils.dll 0x74980000 0x74988fff Memory Mapped File Readable, Writable, Executable False False False -
netapi32.dll 0x74990000 0x749a0fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x749b0000 0x749e7fff Memory Mapped File Readable, Writable, Executable False False False -
wship6.dll 0x749f0000 0x749f5fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x74a00000 0x74a05fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74b00000 0x74b07fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74b10000 0x74b6bfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74b70000 0x74baefff Memory Mapped File Readable, Writable, Executable False False False -
n.3 0x74bb0000 0x74bc5fff Memory Mapped File Readable, Writable, Executable True False False -
winnsi.dll 0x74bd0000 0x74bd6fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x74be0000 0x74c17fff Memory Mapped File Readable, Writable, Executable False False False -
wshtcpip.dll 0x74be0000 0x74be4fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x74bf0000 0x74c2bfff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74c10000 0x74c25fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x74c20000 0x74c27fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x74c30000 0x74c73fff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x74c80000 0x74c8ffff Memory Mapped File Readable, Writable, Executable False False False -
credssp.dll 0x74c80000 0x74c87fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x74c90000 0x74cabfff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74dc0000 0x74dcbfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74dd0000 0x74e2ffff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x74e30000 0x74e8ffff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x74e90000 0x74ea8fff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x74ec0000 0x750bafff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x750c0000 0x750cbfff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x750d0000 0x75126fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75130000 0x751bffff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75250000 0x75295fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x752a0000 0x7534bfff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x75350000 0x75444fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75450000 0x755abfff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x755b0000 0x7564cfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x756e0000 0x7577ffff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x75780000 0x75789fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x75790000 0x7588ffff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x75890000 0x758c4fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x758d0000 0x759ecfff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x759f0000 0x75afffff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x75b00000 0x75bcbfff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x75c50000 0x76899fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x76b60000 0x76beefff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x76c40000 0x76d75fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x76d80000 0x76e6ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000076e70000 0x76e70000 0x76f69fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000076f70000 0x76f70000 0x7708efff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x77090000 0x77238fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x77240000 0x77245fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77270000 0x773effff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True True False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True True False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True True False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True True False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #2: c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe 0xad0 address = 0x60000, size = 36 True 1
Fn
Data
Create Remote Thread #2: c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe 0xad0 address = 0x75a049d7 True 1
Fn
Create Remote Thread #2: c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe 0xad0 address = 0x74bb2238 True 1
Fn
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\aetadzjz\appdata\roaming\microsoft\windows\caches\navshext.dll 71.00 KB MD5: cd36bbd7f949cf017edba0e6aaadf28c
SHA1: 2fde32f2695bc7b3b702a1e3b53a8c38e60b7402
SHA256: 6dc2a49d58dc568944fef8285ad7a03b772b9bdf1fe4bddff3f1ade3862eae79
False
c:\users\aetadzjz\appdata\local\microsoft\windows\explorer\thumbcache_1cd60.db 0.60 KB MD5: 03c3522b1a7dfb3054acbf3ccf79cfa6
SHA1: cd4e3b68caf0c97b0769b3ab8ccbac75f8af1212
SHA256: d9841b834b021d7f25169ff246836ad3a113b2bf32ebc9d00a8465f6ff416f29
False
c:\users\aetadzjz\appdata\local\microsoft\windows\explorer\thumbcache_1cd60.db 0.60 KB MD5: 304e99268cd232e5199bd0b2c7874fa3
SHA1: 64806d3a9e8b49bbf0b69017c82c1ede9d7d3b70
SHA256: 4e54d25220759023a83de1c1f807545a43485d028fe298dfcd524e25ed628fb6
False
Host Behavior
File (41)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\aETAdzjz\AppData\Local\n.3 desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll desired_access = GENERIC_WRITE True 1
Fn
Create C:\Users\aETAdzjz\AppData\Local\Temp\FXSAPIDebugLogFile.tmp desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ False 12
Fn
Create C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1CD60.db desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1CD60.db desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1CD60.db desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 3
Fn
Create Directory C:\Users\aETAdzjz\AppData\Roaming\Microsoft - False 4
Fn
Create Directory C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows - False 4
Fn
Create Directory C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Caches - True 1
Fn
Create Directory C:\Users\aETAdzjz\AppData\Local\Microsoft - False 1
Fn
Create Directory C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows - False 1
Fn
Create Directory C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Explorer\ - False 1
Fn
Create Directory C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Caches - False 3
Fn
Get Info C:\Users\aETAdzjz\AppData\Local\n.3 type = size True 1
Fn
Read C:\Users\aETAdzjz\AppData\Local\n.3 size = 72704, size_out = 72704 True 1
Fn
Data
Write C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll size = 72704 True 1
Fn
Data
Write C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1CD60.db size = 617 True 1
Fn
Data
Write C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1CD60.db size = 617 True 1
Fn
Data
Registry (588)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook - True 6
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx - True 6
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore - True 6
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 - True 6
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data - True 6
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX - True 6
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData - True 6
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack - True 6
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US) - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent - True 6
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC - True 6
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E} - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757 - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173 - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860 - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655 - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743 - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063 - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573 - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F03217071FF} - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a} - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{582EA838-9199-3518-A05C-DB09462F68EC} - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{68306422-7C57-373F-8860-D26CE4BA2A15} - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2} - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F} - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AA0000000001} - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9} - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB} - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e52a6842-b0ac-476e-b48f-378a97a67346} - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d} - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757 - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173 - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860 - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655 - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743 - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063 - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573 - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f325f05b-f963-4640-a43b-c8a494cdda0f} - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185} - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2 - True 3
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033 - True 4
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{94A631D5-B30A-3DD8-B65C-1117C09DA73E} - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} - True 4
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} - True 2
Open Key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 5
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation - True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Greenwich Standard Time - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 3
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = IAStorD, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook value_name = ParentKeyName False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook value_name = SystemComponent, data = 0 False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook value_name = DisplayName, data = 0 False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin value_name = DisplayName, data = 65 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin value_name = DisplayVersion, data = 49 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager value_name = ParentKeyName False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager value_name = SystemComponent, data = 1 True 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx value_name = ParentKeyName False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx value_name = SystemComponent, data = 0 False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx value_name = DisplayName, data = 0 False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore value_name = ParentKeyName False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore value_name = SystemComponent, data = 0 False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore value_name = DisplayName, data = 0 False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome value_name = DisplayName, data = 71 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome value_name = DisplayVersion, data = 53 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 value_name = ParentKeyName False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 value_name = SystemComponent, data = 0 False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 value_name = DisplayName, data = 0 False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data value_name = ParentKeyName False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data value_name = SystemComponent, data = 0 False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data value_name = DisplayName, data = 0 False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX value_name = ParentKeyName False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX value_name = SystemComponent, data = 0 False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX value_name = DisplayName, data = 0 False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData value_name = ParentKeyName False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData value_name = SystemComponent, data = 0 False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData value_name = DisplayName, data = 0 False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack value_name = ParentKeyName False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack value_name = SystemComponent, data = 0 False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack value_name = DisplayName, data = 0 False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US) value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US) value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US) value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 25.0 (x86 en-US) value_name = DisplayVersion, data = 50 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService value_name = DisplayVersion, data = 50 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent value_name = ParentKeyName False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent value_name = SystemComponent, data = 0 False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent value_name = DisplayName, data = 0 False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC value_name = ParentKeyName False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC value_name = SystemComponent, data = 0 False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC value_name = DisplayName, data = 0 False 2
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E} value_name = SystemComponent, data = 1 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757 value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757 value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757 value_name = DisplayName, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173 value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173 value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173 value_name = DisplayName, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860 value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860 value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860 value_name = DisplayName, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655 value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655 value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655 value_name = DisplayName, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743 value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743 value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743 value_name = DisplayName, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063 value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063 value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063 value_name = DisplayName, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573 value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573 value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573 value_name = DisplayName, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F03217071FF} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F03217071FF} value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F03217071FF} value_name = DisplayName, data = 74 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F03217071FF} value_name = DisplayVersion, data = 55 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} value_name = DisplayVersion, data = 49 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a} value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3c3aafc8-d898-43ec-998f-965ffdae065a} value_name = DisplayVersion, data = 49 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} value_name = SystemComponent, data = 1 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{582EA838-9199-3518-A05C-DB09462F68EC} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{582EA838-9199-3518-A05C-DB09462F68EC} value_name = SystemComponent, data = 1 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{68306422-7C57-373F-8860-D26CE4BA2A15} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{68306422-7C57-373F-8860-D26CE4BA2A15} value_name = SystemComponent, data = 1 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2} value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2} value_name = DisplayVersion, data = 56 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F} value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F} value_name = DisplayVersion, data = 57 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AA0000000001} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AA0000000001} value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AA0000000001} value_name = DisplayName, data = 65 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AA0000000001} value_name = DisplayVersion, data = 49 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B175520C-86A2-35A7-8619-86DC379688B9} value_name = SystemComponent, data = 1 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB} value_name = SystemComponent, data = 1 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} value_name = DisplayVersion, data = 49 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e52a6842-b0ac-476e-b48f-378a97a67346} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e52a6842-b0ac-476e-b48f-378a97a67346} value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e52a6842-b0ac-476e-b48f-378a97a67346} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e52a6842-b0ac-476e-b48f-378a97a67346} value_name = DisplayVersion, data = 49 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d} value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{e6e75766-da0f-4ba2-9788-6ea593ce702d} value_name = DisplayVersion, data = 49 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5} value_name = DisplayVersion, data = 49 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757 value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757 value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757 value_name = DisplayName, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173 value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173 value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173 value_name = DisplayName, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860 value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860 value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860 value_name = DisplayName, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655 value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655 value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655 value_name = DisplayName, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743 value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743 value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743 value_name = DisplayName, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063 value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063 value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063 value_name = DisplayName, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573 value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573 value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573 value_name = DisplayName, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f325f05b-f963-4640-a43b-c8a494cdda0f} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f325f05b-f963-4640-a43b-c8a494cdda0f} value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f325f05b-f963-4640-a43b-c8a494cdda0f} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f325f05b-f963-4640-a43b-c8a494cdda0f} value_name = DisplayVersion, data = 49 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185} value_name = SystemComponent, data = 1 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX value_name = DisplayName, data = 65 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX value_name = DisplayVersion, data = 49 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime value_name = DisplayName, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2 value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2 value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2 value_name = DisplayName, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = DisplayVersion, data = 49 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = DisplayVersion, data = 49 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = DisplayVersion, data = 49 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = DisplayVersion, data = 49 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = SystemComponent, data = 1 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = DisplayName, data = 77 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = DisplayVersion, data = 57 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = SystemComponent, data = 1 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = SystemComponent, data = 1 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = SystemComponent, data = 1 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = SystemComponent, data = 1 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = SystemComponent, data = 1 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033 value_name = ParentKeyName False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033 value_name = SystemComponent, data = 0 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033 value_name = DisplayName, data = 77 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033 value_name = DisplayVersion, data = 52 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{94A631D5-B30A-3DD8-B65C-1117C09DA73E} value_name = ParentKeyName False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{94A631D5-B30A-3DD8-B65C-1117C09DA73E} value_name = SystemComponent, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = ParentKeyName False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = SystemComponent, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = ParentKeyName False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = SystemComponent, data = 0 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = DisplayName, data = 77 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = DisplayVersion, data = 56 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = ParentKeyName False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = SystemComponent, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = ParentKeyName False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = SystemComponent, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor value_name = ProcessorNameString, data = 0 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductName, data = 87 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = CSDVersion, data = 0 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductId, data = 0 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = RegisteredOwner, data = 77 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = RegisteredOrganization, data = 77 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation value_name = ActiveTimeBias, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation value_name = TimeZoneKeyName, data = 71 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Greenwich Standard Time value_name = Display, data = 40 True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = IAStorD, data = 0 False 3
Fn
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = IAStorD, data = C:\Windows\system32\rundll32.exe C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll,Setting, size = 112, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = IAStorD, data = C:\Windows\system32\rundll32.exe C:\Users\aETAdzjz\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting, size = 111, type = REG_SZ True 3
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - False 1
Fn
Module (249)
Operation Module Additional Information Success Count
Load iphlpapi.dll base_address = 0x74c90000 True 1
Load WS2_32.dll base_address = 0x75890000 True 1
Load WINHTTP.dll base_address = 0x74620000 True 1
Load Netapi32 base_address = 0x74990000 True 2
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x759f0000 True 5
Get Handle c:\windows\syswow64\msvcrt.dll base_address = 0x752a0000 True 2
Get Handle c:\windows\syswow64\advapi32.dll base_address = 0x756e0000 True 2
Get Handle c:\windows\syswow64\shell32.dll base_address = 0x75c50000 True 2
Get Handle iphlpapi.dll base_address = 0x0 False 1
Get Handle WS2_32.dll base_address = 0x0 False 1
Get Handle WINHTTP.dll base_address = 0x0 False 1
Get Handle c:\windows\syswow64\urlmon.dll base_address = 0x76c40000 True 1
Get Handle c:\windows\syswow64\iphlpapi.dll base_address = 0x74c90000 True 1
Get Filename - process_name = c:\program files (x86)\internet explorer\iexplore.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\n.3, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x75a034d5 True 2
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventW, address_out = 0x75a0183e True 2
Get Address c:\windows\syswow64\msvcrt.dll function = _fileno, address_out = 0x752aac15 True 2
Get Address c:\windows\syswow64\msvcrt.dll function = __pioinfo, address_out = 0x75340500 True 2
Get Address c:\windows\syswow64\msvcrt.dll function = _write, address_out = 0x752b4078 True 2
Get Address c:\windows\syswow64\msvcrt.dll function = _isatty, address_out = 0x752af383 True 2
Get Address c:\windows\syswow64\msvcrt.dll function = __badioinfo, address_out = 0x75343210 True 2
Get Address c:\windows\syswow64\msvcrt.dll function = ferror, address_out = 0x752b4947 True 2
Get Address c:\windows\syswow64\msvcrt.dll function = wctomb, address_out = 0x752f22b7 True 2
Get Address c:\windows\syswow64\msvcrt.dll function = _itoa, address_out = 0x752c4218 True 2
Get Address c:\windows\syswow64\msvcrt.dll function = _snprintf, address_out = 0x752cfa7c True 2
Get Address c:\windows\syswow64\msvcrt.dll function = _iob, address_out = 0x75342900 True 2
Get Address c:\windows\syswow64\msvcrt.dll function = isleadbyte, address_out = 0x752af76e True 2
Get Address c:\windows\syswow64\msvcrt.dll function = __mb_cur_max, address_out = 0x75343148 True 2
Get Address c:\windows\syswow64\msvcrt.dll function = mbtowc, address_out = 0x752aacdf True 2
Get Address c:\windows\syswow64\msvcrt.dll function = _amsg_exit, address_out = 0x7530b2ef True 2
Get Address c:\windows\syswow64\msvcrt.dll function = _initterm, address_out = 0x752ac151 True 2
Get Address c:\windows\syswow64\msvcrt.dll function = free, address_out = 0x752a9894 True 2
Get Address c:\windows\syswow64\msvcrt.dll function = malloc, address_out = 0x752a9cee True 2
Get Address c:\windows\syswow64\msvcrt.dll function = _XcptFilter, address_out = 0x752cdc75 True 2
Get Address c:\windows\syswow64\msvcrt.dll function = memcpy, address_out = 0x752a9910 True 2
Get Address c:\windows\syswow64\msvcrt.dll function = memset, address_out = 0x752a9790 True 2
Get Address c:\windows\syswow64\msvcrt.dll function = printf, address_out = 0x752bc5b9 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = wcsstr, address_out = 0x752abf71 True 2
Get Address c:\windows\syswow64\msvcrt.dll function = strstr, address_out = 0x752ade4a True 2
Get Address c:\windows\syswow64\msvcrt.dll function = memmove, address_out = 0x752a9e5a True 1
Get Address c:\windows\syswow64\msvcrt.dll function = ??2@YAPAXI@Z, address_out = 0x752ab0c9 True 2
Get Address c:\windows\syswow64\msvcrt.dll function = ??3@YAXPAX@Z, address_out = 0x752ab0b9 True 2
Get Address c:\windows\syswow64\msvcrt.dll function = _wcslwr, address_out = 0x752afb25 True 2
Get Address c:\windows\syswow64\msvcrt.dll function = _errno, address_out = 0x752aa5b8 True 2
Get Address c:\windows\syswow64\msvcrt.dll function = _lseeki64, address_out = 0x752b4303 True 2
Get Address c:\windows\syswow64\msvcrt.dll function = __CxxFrameHandler, address_out = 0x752c3495 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x75a011c0 True 2
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x75a2735f True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x75a03509 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x75a011f8 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x75a01450 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x75a0110c True 2
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x75a01725 True 2
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x75a087c9 True 2
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x75a2772f True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x75a01809 True 2
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x75a1d802 True 2
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedCompareExchange, address_out = 0x75a01484 True 2
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x75a010ff True 2
Get Address c:\windows\syswow64\kernel32.dll function = InterlockedExchange, address_out = 0x75a01462 True 2
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x75a2d1c3 True 2
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringA, address_out = 0x75a2b2b7 True 2
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x75a2896c True 2
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x75a28baf True 2
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExA, address_out = 0x75a04913 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x75a01245 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileMappingA, address_out = 0x75a05506 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x75a01222 True 2
Get Address c:\windows\syswow64\kernel32.dll function = UnmapViewOfFile, address_out = 0x75a01826 True 1
Get Address c:\windows\syswow64\kernel32.dll function = MapViewOfFile, address_out = 0x75a018f1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x75a04a5d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetShortPathNameA, address_out = 0x75a2594d True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x75a03f5c True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemDirectoryA, address_out = 0x75a1b66c True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x75a04950 True 2
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x75a03ed3 True 2
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x75a01282 True 2
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x75a01136 True 2
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryW, address_out = 0x75a04259 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x75a0196e True 2
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x75a01410 True 2
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x756f468d True 2
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExA, address_out = 0x756f48ef True 2
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExA, address_out = 0x756f4907 True 2
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x756f469d True 2
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExA, address_out = 0x756f14b3 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x756f46ad True 2
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderPathW, address_out = 0x75c70468 True 2
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderPathA, address_out = 0x75e9fb26 True 2
Get Address c:\windows\syswow64\iphlpapi.dll function = GetAdaptersInfo, address_out = 0x74c99263 True 2
Get Address c:\windows\syswow64\msvcrt.dll function = realloc, address_out = 0x752ab10d True 1
Get Address c:\windows\syswow64\msvcrt.dll function = _strdup, address_out = 0x752c47ad True 1
Get Address c:\windows\syswow64\msvcrt.dll function = _vsnprintf, address_out = 0x752ad1a8 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = _findnext, address_out = 0x752f2cd6 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = _findfirst, address_out = 0x752f2cc6 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = strncmp, address_out = 0x752ab443 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = ??_V@YAXPAX@Z, address_out = 0x752ab0f3 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = ??_U@YAPAXI@Z, address_out = 0x752ab100 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = fclose, address_out = 0x752b3d79 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = time, address_out = 0x752af708 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = wcsncmp, address_out = 0x752ab05e True 1
Get Address c:\windows\syswow64\msvcrt.dll function = srand, address_out = 0x752af757 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = rand, address_out = 0x752ac070 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = fgetws, address_out = 0x752bbe2b True 1
Get Address c:\windows\syswow64\msvcrt.dll function = _wfopen, address_out = 0x752bf3ac True 1
Get Address c:\windows\syswow64\msvcrt.dll function = _wtoi, address_out = 0x752ac823 True 1
Get Address c:\windows\syswow64\msvcrt.dll function = feof, address_out = 0x752bc9ea True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x75a017d1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetNativeSystemInfo, address_out = 0x75a110b5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetPriorityClass, address_out = 0x75a1cf28 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x75a053c6 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableW, address_out = 0x75a01b48 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x75a07a10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocalTime, address_out = 0x75a05aa6 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x75a0170d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalFree, address_out = 0x75a05558 True 1
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x75a0192e True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetPrivateProfileStringW, address_out = 0x75a0ea48 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x75a049d7 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreatePipe, address_out = 0x75a8415b True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x75a2828e True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetShortPathNameW, address_out = 0x75a0d2f9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThread, address_out = 0x75a017ec True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x75a01072 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadPriority, address_out = 0x75a032bb True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryA, address_out = 0x75a2d526 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexA, address_out = 0x75a04c6b True 1
Get Address c:\windows\syswow64\kernel32.dll function = PeekNamedPipe, address_out = 0x75a84821 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetEndOfFile, address_out = 0x75a1ce2e True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemInfo, address_out = 0x75a049ca True 1
Get Address c:\windows\syswow64\kernel32.dll function = GlobalMemoryStatusEx, address_out = 0x75a2d4c4 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsWow64Process, address_out = 0x75a0195e True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathW, address_out = 0x75a1d4dc True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x75a034b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoA, address_out = 0x75a1d5e5 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathA, address_out = 0x75a2276c True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x75a05444 True 1
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x75a23102 True 1
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x75a089b3 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumKeyW, address_out = 0x756f445b True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegDeleteValueA, address_out = 0x7570a4ea True 1
Get Address c:\windows\syswow64\advapi32.dll function = ConvertSidToStringSidA, address_out = 0x7571192a True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumKeyExA, address_out = 0x756f1481 True 1
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameA, address_out = 0x7570a4b4 True 1
Get Address c:\windows\syswow64\shell32.dll function = SHChangeNotify, address_out = 0x75ca7965 True 1
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75c71e46 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 57, address_out = 0x7589a05b True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 12, address_out = 0x7589b131 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 115, address_out = 0x75893ab2 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 11, address_out = 0x7589311b True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 52, address_out = 0x758a7673 True 1
Get Address c:\windows\syswow64\ws2_32.dll function = 116, address_out = 0x75893c5f True 1
Get Address c:\windows\syswow64\winhttp.dll function = WinHttpSendRequest, address_out = 0x746279bd True 1
Get Address c:\windows\syswow64\winhttp.dll function = WinHttpQueryAuthSchemes, address_out = 0x74654101 True 1
Get Address c:\windows\syswow64\winhttp.dll function = WinHttpAddRequestHeaders, address_out = 0x74639dfb True 1
Get Address c:\windows\syswow64\winhttp.dll function = WinHttpSetCredentials, address_out = 0x746545d7 True 1
Get Address c:\windows\syswow64\winhttp.dll function = WinHttpReadData, address_out = 0x7462cb9e True 1
Get Address c:\windows\syswow64\winhttp.dll function = WinHttpGetProxyForUrl, address_out = 0x7462d5dc True 1
Get Address c:\windows\syswow64\winhttp.dll function = WinHttpQueryOption, address_out = 0x7463ec68 True 1
Get Address c:\windows\syswow64\winhttp.dll function = WinHttpReceiveResponse, address_out = 0x7462b262 True 1
Get Address c:\windows\syswow64\winhttp.dll function = WinHttpSetOption, address_out = 0x74623f6c True 1
Get Address c:\windows\syswow64\winhttp.dll function = WinHttpGetIEProxyConfigForCurrentUser, address_out = 0x7463257e True 1
Get Address c:\windows\syswow64\winhttp.dll function = WinHttpOpenRequest, address_out = 0x74624aea True 1
Get Address c:\windows\syswow64\winhttp.dll function = WinHttpWriteData, address_out = 0x7463abfd True 1
Get Address c:\windows\syswow64\winhttp.dll function = WinHttpConnect, address_out = 0x7462d9f5 True 1
Get Address c:\windows\syswow64\winhttp.dll function = WinHttpOpen, address_out = 0x746258b9 True 1
Get Address c:\windows\syswow64\winhttp.dll function = WinHttpCloseHandle, address_out = 0x74622c01 True 1
Get Address c:\windows\syswow64\winhttp.dll function = WinHttpQueryHeaders, address_out = 0x7462ba51 True 1
Get Address c:\windows\syswow64\winhttp.dll function = WinHttpQueryDataAvailable, address_out = 0x7463c5dd True 1
Get Address c:\windows\syswow64\urlmon.dll function = UrlMkGetSessionOption, address_out = 0x76c69ed4 True 1
Get Address c:\windows\syswow64\netapi32.dll function = NetUserGetInfo, address_out = 0x74941be2 True 1
Get Address c:\windows\syswow64\netapi32.dll function = NetApiBufferFree, address_out = 0x749813d2 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetDiskFreeSpaceExW, address_out = 0x75a1d50f True 1
Create Mapping - filename = System Paging File, protection = PAGE_EXECUTE_READWRITE, maximum_size = 86016 True 1
Create Mapping - filename = System Paging File, protection = PAGE_EXECUTE_READWRITE, maximum_size = 90112 True 1
Map - process_name = c:\program files (x86)\internet explorer\iexplore.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_EXECUTE True 1
Map - process_name = c:\program files (x86)\internet explorer\iexplore.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_EXECUTE True 1
System (26)
Operation Additional Information Success Count
Get Time type = System Time, time = 1627-01-25 13:25:13 (UTC) True 2
Get Time type = Ticks, time = 92508 True 1
Get Time type = Ticks, time = 92929 True 1
Get Time type = Local Time, time = 2018-01-23 22:39:33 (Local Time) True 7
Get Time type = Local Time, time = 2018-01-23 22:39:35 (Local Time) True 4
Get Time type = Local Time, time = 2018-01-23 22:39:39 (Local Time) True 3
Get Info type = System Directory, result_out = C:\Windows\system32 True 4
Get Info type = Hardware Information True 4
Mutex (1)
Operation Additional Information Success Count
Create mutex_name = donotbotherme True 1
Debug (1)
Operation Process Additional Information Success Count
Check for Presence c:\program files (x86)\internet explorer\iexplore.exe - True 1
Network Behavior
DNS (2)
Operation Additional Information Success Count
Get Hostname name_out = YKyd69q True 1
Resolve Name host = YKyd69q, address_out = 192.168.0.170 True 1
HTTP Sessions (2)
»
Information Value
Total Data Sent 528 bytes
Total Data Received 4.93 KB
Contacted Host Count 2
Contacted Hosts api.ipaddress.com, 103.236.150.14
HTTP Session #1
»
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Server Name api.ipaddress.com
Server Port 80
Data Sent 349
Data Received 14
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, flags = WINHTTP_FLAG_SYNC True 1
Fn
Open Connection protocol = HTTP, server_name = api.ipaddress.com, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /myip?format=txt, accept_types = 0 True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = api.ipaddress.com/myip?format=txt True 1
Fn
Read Response size = 32, size_out = 14 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #2
»
Information Value
Server Name 103.236.150.14
Server Port 80
Data Sent 179
Data Received 5032
Operation Additional Information Success Count
Open Session access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, flags = WINHTTP_FLAG_SYNC True 1
Open Connection protocol = HTTP, server_name = 103.236.150.14, server_port = 80 True 1
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /getn/mpj.gif?y=cz3kz92r, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE True 1
Add HTTP Request Headers headers = User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) True 1
Add HTTP Request Headers headers = Host: cwy4io.info True 1
Add HTTP Request Headers headers = Accept: text/html,text/javascript, q=0.9,*/*, q=0.8 True 1
Add HTTP Request Headers headers = Accept-Language: en-US True 1
Add HTTP Request Headers headers = Accept-Encoding: gzip, deflate True 1
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /bubafni/wllqc.asp, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE True 1
Add HTTP Request Headers headers = User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) True 1
Add HTTP Request Headers headers = Host: r.hgdlw.j5k.com True 1
Add HTTP Request Headers headers = Accept: application/jason,application/xml, q=0.9,*/*, q=0.8 True 1
Add HTTP Request Headers headers = Accept-Language: en-US True 1
Add HTTP Request Headers headers = Accept-Encoding: gzip, deflate True 1
Add HTTP Request Headers headers = Cookie: t6spv78=7QGzB/mzTI0gYNl+9Y8dzF4mv3yhvhYEzWoCa9Bi/aEoyg==; gjf121ga7=fEbpgCWpk2JltYKJOe7LfgZy3Ot9ZvRNLO+XEudpr0HK1eHE+0QBC8CzNITtocwEKgn3tMhUoP7IuYtDN3VZTQZ6YLZuWF7dDwRpkMA9vgI=; pmgv4k3t=ckceUyFYMq1ztU6k4DBxuHDFrwFiA7HX7NrAmVsLRYpBxOQIvwInGyoupXjVZ4bt/tQk7I7JZqYa16iiwFFZiaZk4QMNArkObjhQlmg16Cw=; True 1
Add HTTP Request Headers headers = Content-Length: 5026 True 1
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 103.236.150.14/bubafni/wllqc.asp True 1
Add HTTP Request Data size = 5026, size_out = 5026 True 1
Query HTTP Info flags = HTTP_QUERY_STATUS_CODE False 1
Query HTTP Info flags = HTTP_QUERY_STATUS_CODE, size_out = 6 True 1
Close Session - True 1
Process #6: eqnedt32.exe
Information Value
ID #6
File Name c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe
Command Line "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:00:28, Reason: Child Process
Unmonitor End Time: 00:02:32, Reason: Terminated by Timeout
Monitor Duration 00:02:04
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb34
Parent PID 0xa0c (c:\program files\microsoft office\root\office16\winword.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x B38
0x B50
0x B54
0x B58
0x B5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00020fff Pagefile Backed Memory Readable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True True False
pagefile_0x0000000000030000 0x00030000 0x00030fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True True False
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory Readable True False False -
private_0x00000000001b0000 0x001b0000 0x001b1fff Private Memory Readable, Writable True True False
locale.nls 0x001c0000 0x00226fff Memory Mapped File Readable False False False -
private_0x0000000000230000 0x00230000 0x00230fff Private Memory Readable, Writable True True False
private_0x0000000000240000 0x00240000 0x00240fff Private Memory Readable, Writable True True False
pagefile_0x0000000000250000 0x00250000 0x00250fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000260000 0x00260000 0x00266fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000270000 0x00270000 0x00271fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000280000 0x00280000 0x00280fff Pagefile Backed Memory Readable True False False -
private_0x0000000000290000 0x00290000 0x002cffff Private Memory Readable, Writable True True False
private_0x00000000002d0000 0x002d0000 0x0030ffff Private Memory Readable, Writable True True False
private_0x0000000000310000 0x00310000 0x0038ffff Private Memory Readable, Writable True True False
private_0x0000000000390000 0x00390000 0x003cffff Private Memory Readable, Writable True True False
eqnedt32.exe 0x00400000 0x0048dfff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000490000 0x00490000 0x00490fff Private Memory Readable, Writable True True False
private_0x00000000004a0000 0x004a0000 0x004dffff Private Memory Readable, Writable True True False
private_0x0000000000550000 0x00550000 0x0055ffff Private Memory Readable, Writable True True False
private_0x0000000000590000 0x00590000 0x0059ffff Private Memory Readable, Writable True True False
private_0x00000000005a0000 0x005a0000 0x005affff Private Memory Readable, Writable True True False
private_0x00000000005f0000 0x005f0000 0x006effff Private Memory Readable, Writable True True False
pagefile_0x00000000006f0000 0x006f0000 0x00877fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000880000 0x00880000 0x00a00fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000a10000 0x00a10000 0x01e0ffff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01e10000 0x020defff Memory Mapped File Readable False False False -
pagefile_0x00000000020e0000 0x020e0000 0x024d2fff Pagefile Backed Memory Readable True False False -
private_0x00000000024e0000 0x024e0000 0x028dffff Private Memory Readable, Writable True True False
pagefile_0x00000000028e0000 0x028e0000 0x029befff Pagefile Backed Memory Readable True False False -
private_0x00000000029f0000 0x029f0000 0x02a2ffff Private Memory Readable, Writable True True False
private_0x0000000002a30000 0x02a30000 0x02b2ffff Private Memory Readable, Writable True True False
private_0x0000000002b30000 0x02b30000 0x02c2ffff Private Memory Readable, Writable True True False
private_0x0000000002c30000 0x02c30000 0x02d2ffff Private Memory Readable, Writable True True False
private_0x0000000002d30000 0x02d30000 0x02e2ffff Private Memory Readable, Writable True True False
private_0x0000000002e30000 0x02e30000 0x02eaffff Private Memory Readable, Writable True True False
kernelbase.dll.mui 0x02eb0000 0x02f6ffff Memory Mapped File Readable, Writable False False False -
private_0x0000000002fe0000 0x02fe0000 0x0301ffff Private Memory Readable, Writable True True False
eeintl.dll 0x3de20000 0x3de2dfff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000006fff0000 0x6fff0000 0x6fffffff Private Memory Readable, Writable, Executable True True False
msi.dll 0x73f60000 0x7419ffff Memory Mapped File Readable, Writable, Executable False False False -
appvisvsubsystems32.dll 0x741a0000 0x74354fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x747e0000 0x747edfff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x747f0000 0x7482afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74830000 0x74845fff Memory Mapped File Readable, Writable, Executable False False False -
c2r32.dll 0x74870000 0x7493afff Memory Mapped File Readable, Writable, Executable False False False -
api-ms-win-core-synch-l1-2-0.dll 0x74970000 0x74972fff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x74980000 0x74a03fff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x74a50000 0x74a62fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74a70000 0x74aeffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74b00000 0x74b07fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74b10000 0x74b6bfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x74b70000 0x74baefff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x74be0000 0x74beafff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x74bf0000 0x74c06fff Memory Mapped File Readable, Writable, Executable False False False -
appvisvstream32.dll 0x74c10000 0x74c74fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74dc0000 0x74dcbfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74dd0000 0x74e2ffff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x74e30000 0x74e8ffff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x74e90000 0x74ea8fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x750d0000 0x75126fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75130000 0x751bffff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x75250000 0x75295fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x752a0000 0x7534bfff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75450000 0x755abfff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x755b0000 0x7564cfff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x75650000 0x756d2fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x756e0000 0x7577ffff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x75780000 0x75789fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x75790000 0x7588ffff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x759f0000 0x75afffff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x75b00000 0x75bcbfff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x75c50000 0x76899fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x76b60000 0x76beefff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x76d80000 0x76e6ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000076e70000 0x76e70000 0x76f69fff Private Memory Readable, Writable, Executable True True False
private_0x0000000076f70000 0x76f70000 0x7708efff Private Memory Readable, Writable, Executable True True False
ntdll.dll 0x77090000 0x77238fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77270000 0x773effff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True True False
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True True False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True True False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True True False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True True False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True True False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True True False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -