Petya/NotPetya/ExPetr | Grouped Behavior

Involved Hosts

Host	Resolved to	Country	City	Protocol
192.168.0.0				TCP
192.168.0.1				TCP
192.168.0.2				TCP
192.168.0.3				TCP

Monitored Processes

Behavior Information - Grouped by Category

Process #1: Petya.dll

(Host: 493, Network: 9)

Information	Value
ID	#1
File Name	c:\windows\syswow64\agakmvmr.exe
Command Line	"C:\Windows\SysWOW64\AGakmVMR.exe" "C:\Users\HJRD1K~1\Desktop\Petya.dll" #1
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:00:21, Reason: Analysis Target
Unmonitor	End Time: 00:00:58, Reason: Terminated by Timeout
Monitor Duration	00:00:37

OS Process Information

Information	Value
PID	0x948
Parent PID	0x108 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e144 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 94C 0x 950 0x 968 0x 96C 0x 980 0x 994 0x 998 0x 9A8 0x 9AC 0x 9B0 0x 9B8 0x 9BC 0x A44

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e6fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x0013dfff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x000f6fff	Pagefile Backed Memory	Readable, Writable	Region Actions
mpr.dll.mui	0x00140000	0x00140fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001a0000	0x001a0000	0x001dffff	Private Memory	Readable, Writable	Region Actions
rsaenh.dll	0x001e0000	0x0021bfff	Memory Mapped File	Readable	Region Actions
private_0x00000000001e0000	0x001e0000	0x0021ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000230000	0x00230000	0x002affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002d0000	0x002d0000	0x003cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x0042ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000470000	0x00470000	0x0056ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005a0000	0x005a0000	0x0069ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000006b0000	0x006b0000	0x006bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000006c0000	0x006c0000	0x00847fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000850000	0x00850000	0x009d0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000009e0000	0x009e0000	0x00afffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000009e0000	0x009e0000	0x00a1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a70000	0x00a70000	0x00aaffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a80000	0x00a80000	0x00abffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ac0000	0x00ac0000	0x00afffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x00b00000	0x00dcefff	Memory Mapped File	Readable	Region Actions
private_0x0000000000ba0000	0x00ba0000	0x00bdffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000e50000	0x00e50000	0x00f4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f50000	0x00f50000	0x0104ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001050000	0x01050000	0x0114ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001060000	0x01060000	0x0109ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001150000	0x01150000	0x0118ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001190000	0x01190000	0x011cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000011e0000	0x011e0000	0x0121ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001220000	0x01220000	0x0131ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001230000	0x01230000	0x0132ffff	Private Memory	Readable, Writable	Region Actions
agakmvmr.exe	0x01390000	0x013adfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000013b0000	0x013b0000	0x027affff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000027d0000	0x027d0000	0x0280ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002800000	0x02800000	0x028fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002830000	0x02830000	0x0292ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002930000	0x02930000	0x02a2ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002b60000	0x02b60000	0x02c5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002d50000	0x02d50000	0x02e4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002ed0000	0x02ed0000	0x02fcffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003080000	0x03080000	0x0317ffff	Private Memory	Readable, Writable	Region Actions
api-ms-win-core-synch-l1-2-0.dll	0x74700000	0x74702fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74710000	0x7476bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74770000	0x747aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntlanman.dll	0x74920000	0x74933fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x74940000	0x74968fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
drprov.dll	0x74970000	0x74977fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x74a30000	0x74a34fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
davclnt.dll	0x74a40000	0x74a56fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x74a60000	0x74a9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
davhlpr.dll	0x74aa0000	0x74aa7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x74ab0000	0x74ac1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscapi.dll	0x74ad0000	0x74adafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x74ae0000	0x74b23fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74ae0000	0x74b1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74b20000	0x74b35fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
adsldpc.dll	0x74b30000	0x74b63fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x74b40000	0x74b83fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dsauth.dll	0x74b70000	0x74b7afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x74b80000	0x74b8efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpsapi.dll	0x74b90000	0x74ba5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
adsldpc.dll	0x74b90000	0x74bc3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
browcli.dll	0x74bb0000	0x74bbcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x74bc0000	0x74bcefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x74bd0000	0x74be8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dsauth.dll	0x74bd0000	0x74bdafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x74be0000	0x74beefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x74bf0000	0x74bf8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpsapi.dll	0x74bf0000	0x74c05fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x74c00000	0x74c10fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
browcli.dll	0x74c10000	0x74c1cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x74c20000	0x74c31fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x74c20000	0x74c2efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x74c30000	0x74c48fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x74c40000	0x74c46fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x74c50000	0x74c6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x74c50000	0x74c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x74c60000	0x74c70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
petya.dll	0x74c70000	0x74ccdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
mpr.dll	0x74c80000	0x74c91fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x74ca0000	0x74ca6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x74cb0000	0x74ccbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74dd0000	0x74dd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74e00000	0x74e0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74e10000	0x74e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x74e70000	0x74f7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75150000	0x75d99fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75e00000	0x75f5bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75f60000	0x75ffffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76020000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x762b0000	0x7637bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x76430000	0x76474fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76480000	0x7657ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76580000	0x7661cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76890000	0x768e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x76900000	0x76934fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76940000	0x769ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x769f0000	0x769f5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x76a00000	0x76b1cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76b20000	0x76b65fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76b70000	0x76b88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76b90000	0x76beffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76bf0000	0x76c7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076eb0000	0x76eb0000	0x76fcefff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076fd0000	0x76fd0000	0x770c9fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x770d0000	0x77278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x77280000	0x7728bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772b0000	0x7742ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007ef9b000	0x7ef9b000	0x7ef9dfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ef9e000	0x7ef9e000	0x7efa0fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa1000	0x7efa1000	0x7efa3fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa4000	0x7efa4000	0x7efa6fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efa7000	0x7efa7000	0x7efa9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efaa000	0x7efaa000	0x7efacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efad000	0x7efad000	0x7efaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd5000	0x7efd5000	0x7efd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Created Files

Filename	File Size	Hash Values	Actions
c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	File Actions Show Properties
c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp	55.00 KB (56320 bytes)	MD5: 7e37ab34ecdcc3e77e24522ddfd4852d SHA1: 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf SHA256: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f	File Actions Show Properties Download
c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp	55.00 KB (56320 bytes)	MD5: bfd70118226e2e6391b6a0992f8b5b22 SHA1: 4f9e3810d346b368b7c2437eb4bb040d3f6daed3 SHA256: f8d214080544676394eea8dda1cbd79db436414860e1809cccd56b2da039c724	File Actions Show Properties Download
c:\windows\dllhost.dat	372.87 KB (381816 bytes)	MD5: aeee996fd3484f28e5cd85fe26b6bdcd SHA1: cd23b7c9e0edef184930bc8e0ca2264f0608bcb3 SHA256: f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5	File Actions Show Properties Download
c:\readme.txt	2.11 KB (2164 bytes)	MD5: e0e4d4e05040bae07d42939024791284 SHA1: 4cc56bb43bb7fc38b3640a819e49161b03ec2924 SHA256: d42dffe59c922d99fb0531e9f47e7f4d091d3848318fb0dd89b1e928b43f2785	File Actions Show Properties Download

Modified Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\hjrd1k~1\desktop\petya.dll	353.87 KB (362360 bytes)	MD5: 9a7ffe65e0912f9379ba6e8e0b079fde SHA1: 532bea84179e2336caed26e31805ceaa7eec53dd SHA256: 4b336c3cc9b6c691fe581077e3dd9ea7df3bf48f79e35b05cf87e079ec8e0651		File Actions Show Properties Download

Token Modifications

Action	Attribute	Value
Token attribute value added	Enabled Privileges	SeShutdownPrivilege
Token attribute value added	Enabled Privileges	SeDebugPrivilege

Host Behavior

File (235)

Operation	Filename	Additional Information	Count	Logfile
CREATE	c:\users\hjrd1k~1\desktop\petya.dll	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	2	Fn
CREATE	c:\users\hjrd1k~1\desktop\petya.dll	desired_access = GENERIC_WRITE, create_disposition = CREATE_ALWAYS	1	Fn
CREATE	c:\windows\petya	desired_access = GENERIC_WRITE, create_disposition = CREATE_ALWAYS, file_attributes = FILE_FLAG_DELETE_ON_CLOSE	1	Fn
CREATE	c:	desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
CREATE	c:	share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
CREATE	\device\harddisk0\dr0	desired_access = SYNCHRONIZE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	1	Fn
CREATE	\device\harddisk0\dr0	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING	1	Fn
CREATE	\device\harddisk0\dr0	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING	22	Fn
CREATE	c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp	desired_access = GENERIC_WRITE, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_HIDDEN	2	Fn
CREATE	c:\windows\dllhost.dat	desired_access = GENERIC_WRITE, create_disposition = CREATE_NEW	1	Fn
CREATE	c:\bootsect.bak	desired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = OPEN_EXISTING	1	Fn
CREATE	c:\readme.txt	desired_access = GENERIC_WRITE, create_disposition = CREATE_ALWAYS	1	Fn
CREATE_TMPFILE	c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp	path = C:\Users\HJRD1K~1\AppData\Local\Temp\	1	Fn
CREATE_PIPE	\device\namedpipe\{0d32ab4e-3bee-44d4-a8cc-67331e9e7f80}	open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, pipe_mode = PIPE_READMODE_MESSAGE, PIPE_TYPE_MESSAGE, max_instances = 1	1	Fn
READ	c:\users\hjrd1k~1\desktop\petya.dll	size = 362360	1	Fn Data
READ	\device\harddisk0\dr0	size = 512	1	Fn Data
WRITE	c:\users\hjrd1k~1\desktop\petya.dll	size = 362360	1	Fn Data
WRITE	c:	size = 512	1	Fn Data
WRITE	\device\harddisk0\dr0	size = 512	22	Fn Data
WRITE	c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp	size = 56320	2	Fn Data
WRITE	c:\windows\dllhost.dat	size = 381816	1	Fn Data
WRITE	c:\readme.txt	size = 1074	1	Fn Data
WRITE	c:\readme.txt	size = 76	1	Fn Data
WRITE	c:\readme.txt	size = 142	1	Fn Data
WRITE	c:\readme.txt	size = 56	1	Fn Data
WRITE	c:\readme.txt	size = 72	1	Fn Data
WRITE	c:\readme.txt	size = 744	1	Fn Data
EXIST	C:\Windows\Petya		1	Fn
FIND	C:\*		1	Fn
FIND	C:\$Recycle.Bin\*		1	Fn
FIND	C:\$Recycle.Bin\S-1-5-21-1463843789-3877896393-3178144628-1000\*		1	Fn
FIND	C:\Boot\*		1	Fn
FIND	C:\Boot\cs-CZ\*		1	Fn
FIND	C:\Boot\da-DK\*		1	Fn
FIND	C:\Boot\de-DE\*		1	Fn
FIND	C:\Boot\el-GR\*		1	Fn
FIND	C:\Boot\en-US\*		1	Fn
FIND	C:\Boot\es-ES\*		1	Fn
FIND	C:\Boot\fi-FI\*		1	Fn
FIND	C:\Boot\Fonts\*		1	Fn
FIND	C:\Boot\fr-FR\*		1	Fn
FIND	C:\Boot\hu-HU\*		1	Fn
FIND	C:\Boot\it-IT\*		1	Fn
FIND	C:\Boot\ja-JP\*		1	Fn
FIND	C:\Boot\ko-KR\*		1	Fn
FIND	C:\Boot\nb-NO\*		1	Fn
FIND	C:\Boot\nl-NL\*		1	Fn
FIND	C:\Boot\pl-PL\*		1	Fn
FIND	C:\Boot\pt-BR\*		1	Fn
FIND	C:\Boot\pt-PT\*		1	Fn
FIND	C:\Boot\ru-RU\*		1	Fn
FIND	C:\Boot\sv-SE\*		1	Fn
FIND	C:\Boot\tr-TR\*		1	Fn
FIND	C:\Boot\zh-CN\*		1	Fn
FIND	C:\Boot\zh-HK\*		1	Fn
FIND	C:\Boot\zh-TW\*		1	Fn
FIND	C:\PerfLogs\*		1	Fn
FIND	C:\PerfLogs\Admin\*		1	Fn
FIND	C:\Program Files\*		1	Fn
FIND	C:\Program Files\Common Files\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\MSInfo\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\Stationery\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\TextConv\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\Triedit\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\VC\*		1	Fn
FIND	C:\Program Files\Common Files\Microsoft Shared\VGX\*		1	Fn
FIND	C:\Program Files\Common Files\Services\*		1	Fn
FIND	C:\Program Files\Common Files\SpeechEngines\*		1	Fn
FIND	C:\Program Files\Common Files\SpeechEngines\Microsoft\*		1	Fn
FIND	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\*		1	Fn
FIND	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\*		1	Fn
FIND	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\*		1	Fn
FIND	C:\Program Files\Common Files\System\*		1	Fn
FIND	C:\Program Files\Common Files\System\ado\*		1	Fn
FIND	C:\Program Files\Common Files\System\ado\en-US\*		1	Fn
FIND	C:\Program Files\Common Files\System\en-US\*		1	Fn
FIND	C:\Program Files\Common Files\System\msadc\*		1	Fn
FIND	C:\Program Files\Common Files\System\msadc\en-US\*		1	Fn
FIND	C:\Program Files\Common Files\System\Ole DB\*		1	Fn
FIND	C:\Program Files\Common Files\System\Ole DB\en-US\*		1	Fn
FIND	C:\Program Files\DVD Maker\*		1	Fn
FIND	C:\Program Files\DVD Maker\en-US\*		1	Fn
FIND	C:\Program Files\DVD Maker\Shared\*		1	Fn
FIND	C:\Program Files\DVD Maker\Shared\DvdStyles\*		1	Fn
FIND	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\*		1	Fn
FIND	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\*		1	Fn
FIND	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\*		1	Fn
FIND	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\*		1	Fn
FIND	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\*		1	Fn
FIND	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\*		1	Fn
FIND	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\*		1	Fn
FIND	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\*		1	Fn
FIND	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\*		1	Fn
DELETE	c:\users\hjrd1k~1\desktop\petya.dll		1	Fn
DELETE	c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp		1	Fn

Process (6)

Operation	Process Name	Additional Information	Count	Logfile
CREATE	C:\Windows\system32\cmd.exe	os_tid = 0x964, os_pid = 0x960, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
CREATE	C:\Users\HJRD1K~1\AppData\Local\Temp\6B4.tmp	os_tid = 0x974, os_pid = 0x970, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
CREATE	C:\Windows\system32\cmd.exe	os_tid = 0x9d4, os_pid = 0x9d0, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
OPEN_TOKEN	c:\windows\syswow64\agakmvmr.exe	os_pid = 0x948, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE	3	Fn

Module (229)

Operation	Module	Additional Information	Count	Logfile
LOAD	KERNEL32.dll	base_address = 0x74e70000	1	Fn
LOAD	USER32.dll	base_address = 0x76480000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x75f60000	1	Fn
LOAD	SHELL32.dll	base_address = 0x75150000	1	Fn
LOAD	ole32.dll	base_address = 0x75e00000	1	Fn
LOAD	CRYPT32.dll	base_address = 0x76a00000	1	Fn
LOAD	SHLWAPI.dll	base_address = 0x76890000	1	Fn
LOAD	IPHLPAPI.DLL	base_address = 0x74cb0000	1	Fn
LOAD	WS2_32.dll	base_address = 0x76900000	1	Fn
LOAD	MPR.dll	base_address = 0x74c80000	1	Fn
LOAD	NETAPI32.dll	base_address = 0x74c60000	1	Fn
LOAD	DHCPSAPI.DLL	base_address = 0x74bf0000	1	Fn
LOAD	msvcrt.dll	base_address = 0x76940000	1	Fn
LOAD	iphlpapi.dll	base_address = 0x74cb0000	1	Fn
GET_HANDLE	c:\windows\syswow64\kernel32.dll	base_address = 0x74e70000	1	Fn
GET_HANDLE	c:\windows\syswow64\ntdll.dll	base_address = 0x772b0000	1	Fn
UNMAP	c:\windows\syswow64\agakmvmr.exe	os_pid = 0x948, base_address = 0x190000	31	Fn
UNMAP	c:\windows\syswow64\agakmvmr.exe	os_pid = 0x948, base_address = 0x2b0000	13	Fn
GET_FILENAME	C:\Users\HJRD1K~1\Desktop\Petya.dll		1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = ConnectNamedPipe, address = 0x74f040fb	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleW, address = 0x74e834b0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateNamedPipeW, address = 0x74f0414b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = TerminateThread, address = 0x74e87a2f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = DisconnectNamedPipe, address = 0x74f041df	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FlushFileBuffers, address = 0x74e8469b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetTempPathW, address = 0x74e9d4dc	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetProcAddress, address = 0x74e81222	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = DeleteFileW, address = 0x74e889b3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FreeLibrary, address = 0x74e834c8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GlobalAlloc, address = 0x74e8588e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LoadLibraryW, address = 0x74e8492b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetComputerNameExW, address = 0x74eabb9e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GlobalFree, address = 0x74e85558	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = ExitProcess, address = 0x74e87a10	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetVersionExW, address = 0x74e81ae5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetModuleFileNameW, address = 0x74e84950	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = DisableThreadLibraryCalls, address = 0x74e848e5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = ResumeThread, address = 0x74e843ef	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetEnvironmentVariableW, address = 0x74e81b48	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetFileSize, address = 0x74e8196e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetFilePointer, address = 0x74e817d1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetLastError, address = 0x74e811a9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LoadResource, address = 0x74e8594c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentThread, address = 0x74e817ec	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = OpenProcess, address = 0x74e81986	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetSystemDirectoryW, address = 0x74e85063	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SizeofResource, address = 0x74e85ac9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetLocalTime, address = 0x74e85aa6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = Process32FirstW, address = 0x74ea8baf	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LockResource, address = 0x74e85959	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = Process32NextW, address = 0x74ea896c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetModuleHandleA, address = 0x74e81245	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = lstrcatW, address = 0x74ea828e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateToolhelp32Snapshot, address = 0x74ea735f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetCurrentProcess, address = 0x74e81809	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualFree, address = 0x74e8186e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualAlloc, address = 0x74e81856	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LoadLibraryA, address = 0x74e849d7	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = VirtualProtect, address = 0x74e8435f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WideCharToMultiByte, address = 0x74e8170d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetExitCodeProcess, address = 0x74e9174d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WaitForMultipleObjects, address = 0x74e84220	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateProcessW, address = 0x74e8103d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = PeekNamedPipe, address = 0x74f04821	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetTempFileNameW, address = 0x74ead1b6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = InterlockedExchange, address = 0x74e81462	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LeaveCriticalSection, address = 0x772d2270	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = MultiByteToWideChar, address = 0x74e8192e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateFileA, address = 0x74e853c6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetTickCount, address = 0x74e8110c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateThread, address = 0x74e834d5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LocalFree, address = 0x74e82d3c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FindNextFileW, address = 0x74e854ee	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateFileMappingW, address = 0x74e81909	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = LocalAlloc, address = 0x74e8168c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FindClose, address = 0x74e84442	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetFileSizeEx, address = 0x74e859e2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CreateFileW, address = 0x74e83f5c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = Sleep, address = 0x74e810ff	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FlushViewOfFile, address = 0x74eab909	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetLogicalDrives, address = 0x74e85371	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WaitForSingleObject, address = 0x74e81136	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetDriveTypeW, address = 0x74e8418b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = UnmapViewOfFile, address = 0x74e81826	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = MapViewOfFile, address = 0x74e818f1	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FindFirstFileW, address = 0x74e84435	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CloseHandle, address = 0x74e81410	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = DeviceIoControl, address = 0x74e8322f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetLastError, address = 0x74e811c0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetSystemDirectoryA, address = 0x74e9b66c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = ReadFile, address = 0x74e83ed3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = WriteFile, address = 0x74e81282	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetProcessHeap, address = 0x74e814e9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = InitializeCriticalSection, address = 0x772e2c42	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapReAlloc, address = 0x772f1f6e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = GetWindowsDirectoryW, address = 0x74e843e2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = EnterCriticalSection, address = 0x772d22b0	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapFree, address = 0x74e814c9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetFilePointerEx, address = 0x74e9c807	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapAlloc, address = 0x772de026	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FindResourceW, address = 0x74e85971	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = ExitWindowsEx, address = 0x764e1497	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = wsprintfA, address = 0x764aae5f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = wsprintfW, address = 0x764be061	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = CryptGenRandom, address = 0x75f6dfc8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = CryptAcquireContextA, address = 0x75f691dd	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = CryptExportKey, address = 0x75f691ea	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = CryptAcquireContextW, address = 0x75f6df14	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = CreateProcessAsUserW, address = 0x75f6c592	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = InitiateSystemShutdownExW, address = 0x75fbdb3a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = DuplicateTokenEx, address = 0x75f6ca24	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = SetTokenInformation, address = 0x75f69a92	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = GetTokenInformation, address = 0x75f7431c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthorityCount, address = 0x75f70e0c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = OpenThreadToken, address = 0x75f7432c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = GetSidSubAuthority, address = 0x75f70e24	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = AdjustTokenPrivileges, address = 0x75f7418e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = LookupPrivilegeValueW, address = 0x75f741b3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = OpenProcessToken, address = 0x75f74304	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = SetThreadToken, address = 0x75f6c7ce	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = CredEnumerateW, address = 0x75fa7481	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = CredFree, address = 0x75f6b2ec	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = SetSecurityDescriptorDacl, address = 0x75f7415e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = InitializeSecurityDescriptor, address = 0x75f74620	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = CryptDestroyKey, address = 0x75f6c51a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = CryptGenKey, address = 0x75f68ee9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = CryptEncrypt, address = 0x75f8779b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = CryptImportKey, address = 0x75f6c532	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = CryptSetKeyParam, address = 0x75f877b3	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = CryptReleaseContext, address = 0x75f6e124	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shell32.dll	function = CommandLineToArgvW, address = 0x75169ee8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shell32.dll	function = SHGetFolderPathW, address = 0x751d5708	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ole32.dll	function = CoCreateGuid, address = 0x75e415d5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ole32.dll	function = CoTaskMemFree, address = 0x75e56f41	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ole32.dll	function = StringFromCLSID, address = 0x75e1eb17	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\crypt32.dll	function = CryptStringToBinaryW, address = 0x76a35f65	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\crypt32.dll	function = CryptBinaryToStringW, address = 0x76a3a546	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\crypt32.dll	function = CryptDecodeObjectEx, address = 0x76a0d718	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathAppendW, address = 0x768a81ef	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = StrToIntW, address = 0x768a50be	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathFindFileNameW, address = 0x768abb71	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathFileExistsW, address = 0x768a45bf	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = StrCmpW, address = 0x768a8277	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = StrCmpIW, address = 0x768aa147	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = StrChrW, address = 0x768a4640	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = StrCatW, address = 0x768ce105	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = StrStrW, address = 0x7689e52d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathFindExtensionW, address = 0x768aa1b9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = PathCombineW, address = 0x768ac39c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\shlwapi.dll	function = StrStrIW, address = 0x768a46e9	1	Fn
GET_PROC_ADDRESS	c:\users\hjrd1k~1\desktop\petya.dll	function = GetIpNetTable, address = 0x74cbe52a	1	Fn
GET_PROC_ADDRESS	c:\users\hjrd1k~1\desktop\petya.dll	function = GetAdaptersInfo, address = 0x74cb9263	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ws2_32.dll	function = 12, address = 0x7690b131	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ws2_32.dll	function = 52, address = 0x76917673	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ws2_32.dll	function = 151, address = 0x76906a8a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ws2_32.dll	function = 14, address = 0x76902d57	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ws2_32.dll	function = 10, address = 0x76903084	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ws2_32.dll	function = 4, address = 0x76906bdd	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ws2_32.dll	function = 11, address = 0x7690311b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ws2_32.dll	function = 18, address = 0x76906989	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ws2_32.dll	function = 16, address = 0x76906b0e	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ws2_32.dll	function = 19, address = 0x76906f01	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ws2_32.dll	function = 9, address = 0x76902d8b	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ws2_32.dll	function = 3, address = 0x76903918	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ws2_32.dll	function = 23, address = 0x76903eb8	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ws2_32.dll	function = 115, address = 0x76903ab2	1	Fn
GET_PROC_ADDRESS	c:\users\hjrd1k~1\desktop\petya.dll	function = WNetOpenEnumW, address = 0x74c82f06	1	Fn
GET_PROC_ADDRESS	c:\users\hjrd1k~1\desktop\petya.dll	function = WNetEnumResourceW, address = 0x74c83058	1	Fn
GET_PROC_ADDRESS	c:\users\hjrd1k~1\desktop\petya.dll	function = WNetCancelConnection2W, address = 0x74c88cd1	1	Fn
GET_PROC_ADDRESS	c:\users\hjrd1k~1\desktop\petya.dll	function = WNetAddConnection2W, address = 0x74c84744	1	Fn
GET_PROC_ADDRESS	c:\users\hjrd1k~1\desktop\petya.dll	function = WNetCloseEnum, address = 0x74c82dd6	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\iphlpapi.dll	function = NetServerEnum, address = 0x74c12f61	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\iphlpapi.dll	function = NetApiBufferFree, address = 0x74c513d2	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\iphlpapi.dll	function = NetServerGetInfo, address = 0x74c33cfa	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\netutils.dll	function = DhcpEnumSubnetClients, address = 0x74bf77b5	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\netutils.dll	function = DhcpRpcFreeMemory, address = 0x74bf79ed	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\netutils.dll	function = DhcpGetSubnetInfo, address = 0x74bf7003	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\netutils.dll	function = DhcpEnumSubnets, address = 0x74bf6b7c	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\msvcrt.dll	function = malloc, address = 0x76949cee	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\msvcrt.dll	function = _itoa, address = 0x76964218	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\msvcrt.dll	function = free, address = 0x76949894	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\msvcrt.dll	function = memset, address = 0x76949790	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\msvcrt.dll	function = rand, address = 0x7694c070	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\msvcrt.dll	function = memcpy, address = 0x76949910	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = IsWow64Process, address = 0x74e8195e	1	Fn
GET_PROC_ADDRESS	c:\users\hjrd1k~1\desktop\petya.dll	function = GetExtendedTcpTable, address = 0x74cc1a8a	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\ntdll.dll	function = NtRaiseHardError, address = 0x772d15f4	1	Fn

Driver (3)

Operation	Driver	Additional Information	Count	Logfile
CONTROL	c:	control_code = 0x70000	1	Fn
CONTROL	c:	control_code = 0x560000	1	Fn
CONTROL	\device\harddisk0\dr0	control_code = 0x70048	1	Fn

User (6)

Operation	User/Group/Server	Additional Information	Count	Logfile
LOOKUP_PRIVILEGE	Localhost	privilege = SeShutdownPrivilege	1	Fn
LOOKUP_PRIVILEGE	Localhost	privilege = SeDebugPrivilege	1	Fn
LOOKUP_PRIVILEGE	Localhost	privilege = SeTcbPrivilege	1	Fn
SET_PRIVILEGE	Localhost	c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeShutdownPrivilege	1	Fn
SET_PRIVILEGE	Localhost	c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeDebugPrivilege	1	Fn
SET_PRIVILEGE	Localhost	c:\windows\syswow64\agakmvmr.exe, os_pid = 0x948, desired_access = PROCESS_VM_OPERATION, PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeTcbPrivilege	1	Fn

System (14)

Operation	Information	Count	Logfile
SLEEP	duration = 0 milliseconds (0.000 seconds)	6	Fn
SLEEP	duration = 1000 milliseconds (1.000 seconds)	2	Fn
SLEEP	duration = 60000 milliseconds (60.000 seconds)	1	Fn
SLEEP	duration = 10000 milliseconds (10.000 seconds)	3	Fn
SLEEP	duration = 3000 milliseconds (3.000 seconds)	1	Fn
SLEEP	duration = 180000 milliseconds (180.000 seconds)	1	Fn

Network Behavior

TCP Outgoing Connection (9)

Remote Address	Remote Port	L7Protocol	Success	Count
192.168.0.0	445			9

Process #2: cmd.exe

(Host: 39, Network: 0)

Information	Value
ID	#2
File Name	c:\windows\syswow64\cmd.exe
Command Line	/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 17:15
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:00:35, Reason: Child Process
Unmonitor	End Time: 00:00:40, Reason: Terminated
Monitor Duration	00:00:05

OS Process Information

Information	Value
PID	0x960
Parent PID	0x948 (c:\windows\syswow64\agakmvmr.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e144 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 964

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
cmd.exe.mui	0x000e0000	0x000fffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000110000	0x00110000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001b0000	0x001b0000	0x002affff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000390000	0x00390000	0x0040ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004f0000	0x004f0000	0x005effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000730000	0x00730000	0x0073ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000740000	0x00740000	0x008c7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000008d0000	0x008d0000	0x00a50fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000a60000	0x00a60000	0x01e5ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01e60000	0x0212efff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x49ef0000	0x49f3bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74710000	0x7476bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74770000	0x747aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x74aa0000	0x74aa6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74dd0000	0x74dd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74e00000	0x74e0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74e10000	0x74e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x74e70000	0x74f7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75f60000	0x75ffffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76020000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x762b0000	0x7637bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76480000	0x7657ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76580000	0x7661cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76940000	0x769ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76b20000	0x76b65fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76b70000	0x76b88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76b90000	0x76beffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76bf0000	0x76c7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076eb0000	0x76eb0000	0x76fcefff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076fd0000	0x76fd0000	0x770c9fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x770d0000	0x77278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772b0000	0x7742ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Token Modifications

Action	Attribute	Value
Token attribute value added	Enabled Privileges	SeShutdownPrivilege, SeDebugPrivilege

Host Behavior

File (12)

Operation	Filename	Count	Logfile
OPEN	STD_OUTPUT_HANDLE	5	Fn
OPEN	STD_INPUT_HANDLE	3	Fn
FIND	C:\Windows\system32	2	Fn
FIND	C:\Windows	1	Fn
FIND	C:\Windows\System32	1	Fn

Process (2)

Operation	Process Name	Additional Information	Success	Count	Logfile
CREATE	C:\Windows\system32\schtasks.exe	os_tid = 0x9a0, os_pid = 0x99c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, current_directory = C:\Windows\system32, show_window = SW_SHOWNORMAL		1	Fn
SET_CURDIR	c:\windows\syswow64\cmd.exe	os_pid = 0x960, new_path_name = c:\windows\system32		1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
GET_HANDLE	c:\windows\syswow64\cmd.exe	base_address = 0x49ef0000	1	Fn
GET_HANDLE	c:\windows\syswow64\kernel32.dll	base_address = 0x74e70000	2	Fn
GET_FILENAME	C:\Windows\SysWOW64\cmd.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetThreadUILanguage, address = 0x74e9a84f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address = 0x74ea3b92	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address = 0x74e84a5d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetConsoleInputExeNameW, address = 0x74e9a79d	1	Fn

Registry (17)

Operation	Key	Additional Information	Count	Logfile
OPEN_KEY	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor		1	Fn
OPEN_KEY	HKEY_CURRENT_USER\Software\Microsoft\Command Processor		1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data_ident_out = 0	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data_ident_out = 1	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data_ident_out = 1	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data_ident_out = 0	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data_ident_out = 64	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data_ident_out = 64	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data_ident_out = 64	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data_ident_out = 64	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data_ident_out = 1	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data_ident_out = 1	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data_ident_out = 0	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data_ident_out = 9	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data_ident_out = 9	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data_ident_out = 9	1	Fn

Process #3: 6b4.tmp

(Host: 801, Network: 0)

Information	Value
ID	#3
File Name	c:\users\hjrd1k~1\appdata\local\temp\6b4.tmp
Command Line	"C:\Users\HJRD1K~1\AppData\Local\Temp\6B4.tmp" \\.\pipe\{0D32AB4E-3BEE-44D4-A8CC-67331E9E7F80}
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:00:35, Reason: Child Process
Unmonitor	End Time: 00:00:40, Reason: Terminated
Monitor Duration	00:00:05

OS Process Information

Information	Value
PID	0x970
Parent PID	0x948 (c:\windows\syswow64\agakmvmr.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e144 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 974

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00040000	0x000a6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000b0000	0x000b0000	0x001affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001c0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000220000	0x00220000	0x0031ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003b0000	0x003b0000	0x003bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004a0000	0x004a0000	0x0059ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005a0000	0x005a0000	0x00727fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000760000	0x00760000	0x0076ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000770000	0x00770000	0x008f0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000900000	0x00900000	0x01cfffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001d00000	0x01d00000	0x01e67fff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01d00000	0x01fcefff	Memory Mapped File	Readable	Region Actions
kernel32.dll	0x76eb0000	0x76fcefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76fd0000	0x770c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x770d0000	0x77278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fffe000	0x7fffe000	0x7fffefff	Private Memory	Readable, Writable	Region Actions
6b4.tmp	0x13f060000	0x13f072fff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download Dump
bcryptprimitives.dll	0x7fefc550000	0x7fefc59bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x7fefca80000	0x7fefcaa1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd260000	0x7fefd2cafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefd650000	0x7fefd77cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefd910000	0x7fefda18fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7fefdd00000	0x7fefdd70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefdd90000	0x7fefddaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefddb0000	0x7fefde16fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefde20000	0x7fefdefafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefdf50000	0x7fefdfeefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefe090000	0x7fefe158fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe160000	0x7fefe18dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe230000	0x7fefe23dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff3f0000	0x7feff3f0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffde000	0x7fffffde000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Token Modifications

Action	Attribute	Value
Token attribute value added	Enabled Privileges	SeShutdownPrivilege, SeDebugPrivilege

Host Behavior

File (4)

Operation	Filename	Additional Information	Count	Logfile
CREATE	\device\namedpipe\{0d32ab4e-3bee-44d4-a8cc-67331e9e7f80}	desired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = OPEN_EXISTING	1	Fn
OPEN	STD_INPUT_HANDLE		1	Fn
OPEN	STD_OUTPUT_HANDLE		1	Fn
OPEN	STD_ERROR_HANDLE		1	Fn

Process (3)

Operation	Process Name	Additional Information	Count	Logfile
OPEN	c:\windows\system32\lsass.exe	os_pid = 0x1c0, desired_access = PROCESS_VM_READ, PROCESS_QUERY_LIMITED_INFORMATION	1	Fn
GET_INFO	c:\windows\system32\lsass.exe	os_pid = 0x1c0	1	Fn
GET_INFO	c:\windows\system32\lsass.exe	os_pid = 0x1c0	1	Fn

Memory (341)

Operation	Address	Additional Information	Count	Logfile
READ	0x7fffffda000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 32	1	Fn Data
READ	0x77202640	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x1024a0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x102336	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 20	1	Fn Data
READ	0xffb00000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0xffb000f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0xffb000f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x102590	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x771e53f8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 20	1	Fn Data
READ	0x770d0000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x770d00e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x770d00e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x102910	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x1028e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
READ	0x76eb0000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x76eb00e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x76eb00e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x102a80	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x102a58	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 30	1	Fn Data
READ	0x7fefd260000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefd2600f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefd2600f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x1037b0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x103788	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
READ	0x7fefdf50000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefdf500e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefdf500e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x1039e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x1039b8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
READ	0x7fefd650000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefd6500f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefd6500f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x103ef0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x103ec8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefce00000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefce000f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefce000f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x1177d0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x1177a8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
READ	0x7fefcc90000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefcc900e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefcc900e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x1178c0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x117758	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefdd90000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefdd900e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefdd900e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x1175a0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x117578	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefcee0000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefcee00e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefcee00e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x1179b0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x117528	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
READ	0x7fefde20000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefde200e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefde200e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x117aa0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x1176b8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
READ	0x76fd0000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x76fd00f8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x76fd00f8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x117b90	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x117708	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 20	1	Fn Data
READ	0x7fefddb0000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefddb00f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefddb00f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x117c80	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x1161c8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 16	1	Fn Data
READ	0x7fefe230000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefe2300e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefe2300e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x117dc0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x117d98	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 20	1	Fn Data
READ	0x7fefe090000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefe0900e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefe0900e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x118980	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x118958	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
READ	0x7fefcbd0000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefcbd00f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefcbd00f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x119a70	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x118b18	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
READ	0x7fefcbb0000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefcbb00e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefcbb00e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x119b90	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x118ac8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
READ	0x7fefd0c0000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefd0c00e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefd0c00e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x119c80	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x118bb8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefcb40000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefcb400f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefcb400f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x119d70	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x118b68	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 20	1	Fn Data
READ	0x7fefe160000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefe1600f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefe1600f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x119e60	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x118c08	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 20	1	Fn Data
READ	0x7fefd910000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefd9100f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefd9100f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x119f50	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x119068	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
READ	0x7fefcb30000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefcb300e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefcb300e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11a040	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x1190b8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 20	1	Fn Data
READ	0x7fefcb00000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefcb000f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefcb000f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11a130	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x118e38	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
READ	0x7fefcab0000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefcab00f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefcab00f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11a220	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x118cf8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
READ	0x7fefca80000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefca800f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefca800f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11a310	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x118d98	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x74df0000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x74df00b8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x74df00b8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11a400	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x119018	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefca20000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefca200e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefca200e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11a4f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x119298	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
READ	0x7fefc9f0000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefc9f00e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefc9f00e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11a5e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x1192e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefceb0000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefceb00f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefceb00f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11a6d0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x119338	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 28	1	Fn Data
READ	0x7fefcf10000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefcf100f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefcf100f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11a7c0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x119478	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
READ	0x7fefc930000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefc9300f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefc9300f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11a8b0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x119568	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefc910000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefc9100e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefc9100e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11a9a0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x1195b8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
READ	0x7fefdf00000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefdf000e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefdf000e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11aa90	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x138588	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 16	1	Fn Data
READ	0x7fefdd80000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefdd800f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefdd800f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11ab80	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x119658	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefc8b0000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefc8b00e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefc8b00e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11ac70	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x1196a8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
READ	0x7fefc8a0000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefc8a00f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefc8a00f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11ad60	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x1197e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
READ	0x7fefc840000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefc8400e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefc8400e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11ae50	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x119928	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
READ	0x7fefc790000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefc7900e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefc7900e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11af40	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x119978	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
READ	0x7fefc730000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefc7300e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefc7300e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11b030	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x1199c8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
READ	0x7fefc700000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefc7000e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefc7000e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11b120	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x1406c8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
READ	0x7fefc6a0000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefc6a00e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefc6a00e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11b210	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x140678	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefd0f0000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefd0f00f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefd0f00f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11b300	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x146218	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefc660000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefc6600e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefc6600e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11b3f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x146358	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
READ	0x7fefc610000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefc6100f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefc6100f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11b4e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x146498	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 20	1	Fn Data
READ	0x7fefc5f0000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefc5f00e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefc5f00e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11b5d0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x1465d8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 20	1	Fn Data
READ	0x7fefc5a0000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefc5a00f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefc5a00f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11b6c0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x1486c8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 42	1	Fn Data
READ	0x7fefc550000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefc5500e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefc5500e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11b7b0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x118e88	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 32	1	Fn Data
READ	0x7fefd000000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefd0000e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefd0000e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11b8a0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x1467b8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 28	1	Fn Data
READ	0x7fefc530000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefc5300f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefc5300f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x11b990	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x146998	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
READ	0x176680	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x146a88	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefc510000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefc5100e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefc5100e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x176770	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x173f98	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
READ	0x7fefcfc0000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefcfc00e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefcfc00e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x176950	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x174448	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
READ	0x7fefab10000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefab100f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefab100f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x176860	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x174498	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 22	1	Fn Data
READ	0x7fefab00000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefab000f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefab000f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x176a40	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x174768	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
READ	0x7fefb260000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefb2600e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefb2600e0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x176c20	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x174858	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefc3c0000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefc3c00e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefc3c00e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x176d10	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x1748a8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefd020000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefd0200f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefd0200f0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x1773a0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 104	1	Fn Data
READ	0x1d8488	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
READ	0x7fefc2b0000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 64	1	Fn Data
READ	0x7fefc2b00e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefc2b00e8	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x7fefcc90000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 1470464	2	Fn
READ	0x7fefcd35ada	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 4	1	Fn Data
READ	0x7fefcd35ac3	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 4	1	Fn Data
READ	0x7fefccffc17	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 4	1	Fn Data
READ	0x7fefcddc840	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 16	1	Fn Data
READ	0x7fefccffb9f	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 4	1	Fn Data
READ	0x7fefcddc830	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 8	1	Fn Data
READ	0x490000	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 32	1	Fn Data
READ	0x490020	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 32	1	Fn Data
READ	0x49003c	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 24	1	Fn Data
READ	0x7fefccffbf5	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 4	1	Fn Data
READ	0x7fefcde14b0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 8	1	Fn Data
READ	0x490200	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 32	1	Fn Data
READ	0x490220	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 32	1	Fn Data
READ	0x49023c	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 16	1	Fn Data
READ	0x7fefcdd97c0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 4	1	Fn Data
READ	0x7fefcddd440	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 8	1	Fn Data
READ	0x1a1400	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x1762d0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 32	1	Fn Data
READ	0x1c16a0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
READ	0x1b9431	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 1	1	Fn Data
READ	0x1b9430	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 12	1	Fn Data
READ	0x1b0ec0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x16dfe0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 36	1	Fn Data
READ	0x186250	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 14	1	Fn Data
READ	0x16e020	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 12	1	Fn Data
READ	0x16dfb1	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 1	1	Fn Data
READ	0x16dfb0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 28	1	Fn Data
READ	0x1a4540	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x16df50	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 36	1	Fn Data
READ	0x1860b0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 14	1	Fn Data
READ	0x16df90	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 12	1	Fn Data
READ	0x16df21	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 1	1	Fn Data
READ	0x16df20	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 28	1	Fn Data
READ	0x192d30	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x181860	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 28	1	Fn Data
READ	0x1818c0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 26	1	Fn Data
READ	0x185fd1	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 1	1	Fn Data
READ	0x185fd0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 12	1	Fn Data
READ	0x16d5b0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x185db0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 16	1	Fn Data
READ	0x185dd0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 20	1	Fn Data
READ	0x185df1	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 1	1	Fn Data
READ	0x185df0	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 12	1	Fn Data
READ	0x13f590	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x1	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 1	1	Fn
READ	0x12ff40	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 264	1	Fn Data
READ	0x134400	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 16	1	Fn Data
READ	0x134420	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 20	1	Fn Data
READ	0x12e611	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 1	1	Fn Data
READ	0x12e610	process_name = c:\windows\system32\lsass.exe, os_pid = 0x1c0, size = 12	1	Fn Data

Module (447)

Operation	Module	Additional Information	Count	Logfile
LOAD	bcrypt	base_address = 0x7fefca80000	1	Fn
GET_HANDLE	c:\windows\system32\kernel32.dll	base_address = 0x76eb0000	218	Fn
GET_HANDLE	mscoree.dll	base_address = 0x0	1	Fn
GET_FILENAME	C:\Users\HJRD1K~1\AppData\Local\Temp\6B4.tmp		1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LoadLibraryW, address = 0x76ec6f80	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\bcrypt.dll	function = BCryptOpenAlgorithmProvider, address = 0x7fefca82640	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\bcrypt.dll	function = BCryptSetProperty, address = 0x7fefca85160	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\bcrypt.dll	function = BCryptGetProperty, address = 0x7fefca81510	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\bcrypt.dll	function = BCryptGenerateSymmetricKey, address = 0x7fefca81aa0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\bcrypt.dll	function = BCryptEncrypt, address = 0x7fefca81130	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\bcrypt.dll	function = BCryptDecrypt, address = 0x7fefca81030	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\bcrypt.dll	function = BCryptDestroyKey, address = 0x7fefca816a0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\bcrypt.dll	function = BCryptCloseAlgorithmProvider, address = 0x7fefca832b0	1	Fn
GET_PROC_ADDRESS	c:\windows\system32\kernel32.dll	function = LocalAlloc, address = 0x76ec47c0	217	Fn

User (1)

Operation	User/Group/Server	Additional Information	Success	Count	Logfile
SET_PRIVILEGE	Localhost	privilege = SeDebugPrivilege, disable_all_privileges = False		1	Fn

System (5)

Operation	Information	Success	Count	Logfile
GET_INFO	type = SYSTEM_PROCESS_INFORMATION		4	Fn
GET_INFO	type = SYSTEM_PROCESS_INFORMATION		1	Fn

Process #4: schtasks.exe

(Host: 29, Network: 0)

Information	Value
ID	#4
File Name	c:\windows\syswow64\schtasks.exe
Command Line	schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 17:15
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:00:37, Reason: Child Process
Unmonitor	End Time: 00:00:41, Reason: Terminated
Monitor Duration	00:00:04

OS Process Information

Information	Value
PID	0x99c
Parent PID	0x960 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e144 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 9A0 0x 9A4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
schtasks.exe.mui	0x00070000	0x00081fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000090000	0x00090000	0x00090fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000a0000	0x000a0000	0x000a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000b0000	0x000b0000	0x000b0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0010ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000150000	0x00150000	0x0018ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00190000	0x001f6fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000210000	0x00210000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000270000	0x00270000	0x002affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002c0000	0x002c0000	0x002cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000350000	0x00350000	0x003cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000003d0000	0x003d0000	0x00557fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000590000	0x00590000	0x0068ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000690000	0x00690000	0x0076efff	Pagefile Backed Memory	Readable	Region Actions
schtasks.exe	0x007b0000	0x007ddfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000007e0000	0x007e0000	0x00960fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000970000	0x00970000	0x01d6ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01d70000	0x0203efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002040000	0x02040000	0x021bffff	Private Memory	Readable, Writable	Region Actions
uxtheme.dll	0x74680000	0x746fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74710000	0x7476bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74770000	0x747aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
xmllite.dll	0x74980000	0x749aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
taskschd.dll	0x749b0000	0x74a2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74a40000	0x74a48fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ktmw32.dll	0x74a50000	0x74a58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74dd0000	0x74dd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74e00000	0x74e0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74e10000	0x74e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x74e70000	0x74f7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x750c0000	0x75142fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75e00000	0x75f5bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75f60000	0x75ffffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76020000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76110000	0x7619efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x762b0000	0x7637bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76480000	0x7657ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76580000	0x7661cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76890000	0x768e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76940000	0x769ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76b20000	0x76b65fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76b70000	0x76b88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76b90000	0x76beffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76bf0000	0x76c7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076eb0000	0x76eb0000	0x76fcefff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076fd0000	0x76fd0000	0x770c9fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x770d0000	0x77278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772b0000	0x7742ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efd8000	0x7efd8000	0x7efdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Token Modifications

Action	Attribute	Value
Token attribute value added	Enabled Privileges	SeShutdownPrivilege, SeDebugPrivilege

Host Behavior

File (4)

Operation	Filename	Additional Information	Success	Count	Logfile
OPEN	STD_OUTPUT_HANDLE			3	Fn
WRITE	STD_OUTPUT_HANDLE	size = 62		1	Fn Data

Module (9)

Operation	Module	Additional Information	Count	Logfile
LOAD	VERSION.dll	base_address = 0x74a40000	1	Fn
LOAD	ADVAPI32.dll	base_address = 0x75f60000	1	Fn
GET_HANDLE	c:\windows\syswow64\schtasks.exe	base_address = 0x7b0000	1	Fn
GET_FILENAME	C:\Windows\SysWOW64\schtasks.exe		2	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\version.dll	function = GetFileVersionInfoSizeW, address = 0x74a419d9	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\version.dll	function = GetFileVersionInfoW, address = 0x74a419f4	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\version.dll	function = VerQueryValueW, address = 0x74a41b51	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\advapi32.dll	function = GetUserNameW, address = 0x75f7157a	1	Fn

Com (15)

Operation	Class	Interface	Additional Information	Count	Logfile
CREATE	TaskScheduler	ITaskService	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn
METHOD	TaskScheduler	ITaskService	method = Connect	1	Fn
METHOD	TaskScheduler	ITaskService	method = AddRef	1	Fn
METHOD	TaskScheduler	ITaskService	new_interface = ITaskFolder, method = GetFolder	1	Fn
METHOD	TaskScheduler	ITaskService	new_interface = ITaskDefinition, method = NewTask	1	Fn
METHOD	TaskScheduler	ITaskDefinition	new_interface = IActionCollection, method = get_Actions	1	Fn
METHOD	TaskScheduler	IActionCollection	new_interface = IAction, method = Create	1	Fn
METHOD	TaskScheduler	ITaskDefinition	new_interface = ITriggerCollection, method = get_Triggers	1	Fn
METHOD	TaskScheduler	ITriggerCollection	new_interface = ITrigger, method = Create	1	Fn
METHOD	TaskScheduler	ITrigger	method = put_StartBoundary	1	Fn
METHOD	TaskScheduler	ITaskDefinition	new_interface = ITaskSettings, method = get_Settings	1	Fn
METHOD	TaskScheduler	ITaskDefinition	new_interface = IRegistrationInfo, method = get_RegistrationInfo	1	Fn
METHOD	TaskScheduler	IRegistrationInfo	method = put_Author	1	Fn
METHOD	TaskScheduler	IRegistrationInfo	method = put_Date	1	Fn
METHOD	TaskScheduler	ITaskFolder	new_interface = IRegisteredTask, method = RegisterTaskDefinition	1	Fn

User (1)

Operation	User/Group/Server	Additional Information	Success	Count	Logfile
GET_CURRENT	hJrD1KOKY DS8lUjv			1	Fn

Process #5: taskeng.exe

Information	Value
ID	#5
File Name	c:\windows\system32\taskeng.exe
Command Line	taskeng.exe {0D1FD9A9-3A1B-4884-B8AD-2AF772DB274D} S-1-5-21-1463843789-3877896393-3178144628-1000:1R6PFH\hJrD1KOKY DS8lUjv:Interactive:Highest[1]
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:00:39, Reason: Created Scheduled Job
Unmonitor	End Time: 00:00:58, Reason: Terminated by Timeout
Monitor Duration	00:00:19
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x564
Parent PID	0x35c (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e144 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 5A4 0x 5A0 0x 598 0x 580 0x 570 0x 568 0x A9C

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
taskeng.exe.mui	0x00020000	0x00020fff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000f0000	0x000f0000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000230000	0x00230000	0x002affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002d0000	0x002d0000	0x003cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003d0000	0x003d0000	0x004cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000530000	0x00530000	0x005affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005c0000	0x005c0000	0x005cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005d0000	0x005d0000	0x00757fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000760000	0x00760000	0x008e0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000008f0000	0x008f0000	0x01ceffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001cf0000	0x01cf0000	0x01d6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001d70000	0x01d70000	0x01deffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001e40000	0x01e40000	0x01ebffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001ec0000	0x01ec0000	0x01fbffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x01fc0000	0x0228efff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000002290000	0x02290000	0x0236efff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000023d0000	0x023d0000	0x0244ffff	Private Memory	Readable, Writable	Region Actions
kernel32.dll	0x76eb0000	0x76fcefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76fd0000	0x770c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x770d0000	0x77278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
taskeng.exe	0xffc80000	0xffcf3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
tschannel.dll	0x7fef9070000	0x7fef9078fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ktmw32.dll	0x7fef9ed0000	0x7fef9ed9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
xmllite.dll	0x7fefb500000	0x7fefb534fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x7fefb540000	0x7fefb557fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x7fefb970000	0x7fefb9c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x7fefc610000	0x7fefc656fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x7fefc910000	0x7fefc926fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x7fefcb40000	0x7fefcbacfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x7fefcee0000	0x7fefcf04fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x7fefcf10000	0x7fefcf1efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x7fefd000000	0x7fefd013fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x7fefd260000	0x7fefd2cafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x7fefd3f0000	0x7fefd4c6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x7fefd650000	0x7fefd77cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x7fefd910000	0x7fefda18fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x7fefdd00000	0x7fefdd70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x7fefdd90000	0x7fefddaefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x7fefddb0000	0x7fefde16fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x7fefde20000	0x7fefdefafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x7fefdf50000	0x7fefdfeefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x7fefdff0000	0x7fefe088fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x7fefe090000	0x7fefe158fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x7fefe160000	0x7fefe18dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x7fefe230000	0x7fefe23dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x7feff1d0000	0x7feff3d2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x7feff3f0000	0x7feff3f0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000007fffffb0000	0x7fffffb0000	0x7fffffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000007fffffd3000	0x7fffffd3000	0x7fffffd4fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd5000	0x7fffffd5000	0x7fffffd6fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd7000	0x7fffffd7000	0x7fffffd8fff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffd9000	0x7fffffd9000	0x7fffffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdb000	0x7fffffdb000	0x7fffffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdd000	0x7fffffdd000	0x7fffffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000007fffffdf000	0x7fffffdf000	0x7fffffdffff	Private Memory	Readable, Writable	Region Actions

Process #6: cmd.exe

(Host: 43, Network: 0)

Information	Value
ID	#6
File Name	c:\windows\syswow64\cmd.exe
Command Line	/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:00:50, Reason: Child Process
Unmonitor	End Time: 00:00:54, Reason: Terminated
Monitor Duration	00:00:04

OS Process Information

Information	Value
PID	0x9d0
Parent PID	0x948 (c:\windows\syswow64\agakmvmr.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e144 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 9D4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
cmd.exe.mui	0x000e0000	0x000fffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x0013ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000140000	0x00140000	0x00140fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000190000	0x00190000	0x0020ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002d0000	0x002d0000	0x003cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000420000	0x00420000	0x0051ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000520000	0x00520000	0x006a7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000700000	0x00700000	0x0070ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000710000	0x00710000	0x00890fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000008a0000	0x008a0000	0x01c9ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01ca0000	0x01f6efff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x4a080000	0x4a0cbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74710000	0x7476bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74770000	0x747aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x74a20000	0x74a26fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74dd0000	0x74dd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74e00000	0x74e0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74e10000	0x74e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x74e70000	0x74f7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75f60000	0x75ffffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76020000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x762b0000	0x7637bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76480000	0x7657ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76580000	0x7661cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76940000	0x769ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76b20000	0x76b65fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76b70000	0x76b88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76b90000	0x76beffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76bf0000	0x76c7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076eb0000	0x76eb0000	0x76fcefff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076fd0000	0x76fd0000	0x770c9fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x770d0000	0x77278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772b0000	0x7742ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Token Modifications

Action	Attribute	Value
Token attribute value added	Enabled Privileges	SeShutdownPrivilege, SeDebugPrivilege

Host Behavior

File (12)

Operation	Filename	Count	Logfile
OPEN	STD_OUTPUT_HANDLE	5	Fn
OPEN	STD_INPUT_HANDLE	3	Fn
FIND	C:\Windows\system32	2	Fn
FIND	C:\Windows	1	Fn
FIND	C:\Windows\System32	1	Fn

Process (6)

Operation	Process Name	Additional Information	Count	Logfile
CREATE	C:\Windows\system32\wevtutil.exe	os_tid = 0x9e8, os_pid = 0x9e4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, current_directory = C:\Windows\system32, show_window = SW_SHOWNORMAL	1	Fn
CREATE	C:\Windows\system32\wevtutil.exe	os_tid = 0x9f4, os_pid = 0x9f0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, current_directory = C:\Windows\system32, show_window = SW_SHOWNORMAL	1	Fn
CREATE	C:\Windows\system32\wevtutil.exe	os_tid = 0xa00, os_pid = 0x9fc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, current_directory = C:\Windows\system32, show_window = SW_SHOWNORMAL	1	Fn
CREATE	C:\Windows\system32\wevtutil.exe	os_tid = 0xa0c, os_pid = 0xa08, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, current_directory = C:\Windows\system32, show_window = SW_SHOWNORMAL	1	Fn
CREATE	C:\Windows\system32\fsutil.exe	os_tid = 0xa18, os_pid = 0xa14, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, current_directory = C:\Windows\system32, show_window = SW_SHOWNORMAL	1	Fn
SET_CURDIR	c:\windows\syswow64\cmd.exe	os_pid = 0x9d0, new_path_name = c:\windows\system32	1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
GET_HANDLE	c:\windows\syswow64\cmd.exe	base_address = 0x4a080000	1	Fn
GET_HANDLE	c:\windows\syswow64\kernel32.dll	base_address = 0x74e70000	2	Fn
GET_FILENAME	C:\Windows\SysWOW64\cmd.exe		1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetThreadUILanguage, address = 0x74e9a84f	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = CopyFileExW, address = 0x74ea3b92	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = IsDebuggerPresent, address = 0x74e84a5d	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = SetConsoleInputExeNameW, address = 0x74e9a79d	1	Fn

Registry (17)

Operation	Key	Additional Information	Count	Logfile
OPEN_KEY	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor		1	Fn
OPEN_KEY	HKEY_CURRENT_USER\Software\Microsoft\Command Processor		1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data_ident_out = 0	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data_ident_out = 1	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data_ident_out = 1	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data_ident_out = 0	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data_ident_out = 64	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data_ident_out = 64	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data_ident_out = 64	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data_ident_out = 64	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data_ident_out = 1	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data_ident_out = 1	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data_ident_out = 0	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data_ident_out = 9	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data_ident_out = 9	1	Fn
READ_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data_ident_out = 9	1	Fn

Process #7: wevtutil.exe

Information	Value
ID	#7
File Name	c:\windows\syswow64\wevtutil.exe
Command Line	wevtutil cl Setup
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:00:51, Reason: Child Process
Unmonitor	End Time: 00:00:52, Reason: Terminated
Monitor Duration	00:00:01
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x9e4
Parent PID	0x9d0 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e144 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 9E8 0x 9EC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
wevtutil.exe.mui	0x00030000	0x0003afff	Memory Mapped File	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00101fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000170000	0x00170000	0x001effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000240000	0x00240000	0x0027ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000280000	0x00280000	0x002bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003c0000	0x003c0000	0x004bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005c0000	0x005c0000	0x005cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005d0000	0x005d0000	0x00757fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000760000	0x00760000	0x008e0fff	Pagefile Backed Memory	Readable	Region Actions
wevtutil.exe	0x00e60000	0x00e8cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000e90000	0x00e90000	0x0228ffff	Pagefile Backed Memory	Readable	Region Actions
comctl32.dll	0x744c0000	0x7465dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74710000	0x7476bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74770000	0x747aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x749a0000	0x749e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credui.dll	0x749f0000	0x74a1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74dd0000	0x74dd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74e00000	0x74e0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74e10000	0x74e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x74e70000	0x74f7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75e00000	0x75f5bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75f60000	0x75ffffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76020000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76110000	0x7619efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x762b0000	0x7637bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76480000	0x7657ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76580000	0x7661cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76890000	0x768e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76940000	0x769ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76b20000	0x76b65fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76b70000	0x76b88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76b90000	0x76beffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76bf0000	0x76c7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076eb0000	0x76eb0000	0x76fcefff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076fd0000	0x76fd0000	0x770c9fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x770d0000	0x77278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772b0000	0x7742ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Token Modifications

Action	Attribute	Value
Token attribute value added	Enabled Privileges	SeShutdownPrivilege, SeDebugPrivilege
Token attribute value added	Enabled Privileges	SeSecurityPrivilege
Token attribute value added	Enabled Privileges	SeBackupPrivilege
Token attribute value removed	Enabled Privileges	SeBackupPrivilege
Token attribute value removed	Enabled Privileges	SeSecurityPrivilege

Process #8: wevtutil.exe

Information	Value
ID	#8
File Name	c:\windows\syswow64\wevtutil.exe
Command Line	wevtutil cl System
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:00:51, Reason: Child Process
Unmonitor	End Time: 00:00:53, Reason: Terminated
Monitor Duration	00:00:02
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x9f0
Parent PID	0x9d0 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e144 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x 9F4 0x 9F8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
wevtutil.exe.mui	0x00030000	0x0003afff	Memory Mapped File	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000090000	0x00090000	0x00091fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000a0000	0x000a0000	0x000dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x0011ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00120000	0x00186fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001b0000	0x001b0000	0x0022ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002d0000	0x002d0000	0x002dffff	Private Memory	Readable, Writable	Region Actions
wevtutil.exe	0x00330000	0x0035cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000003f0000	0x003f0000	0x004effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004f0000	0x004f0000	0x00677fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000680000	0x00680000	0x00800fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000810000	0x00810000	0x01c0ffff	Pagefile Backed Memory	Readable	Region Actions
comctl32.dll	0x74320000	0x744bdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74710000	0x7476bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74770000	0x747aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x748d0000	0x74911fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credui.dll	0x749c0000	0x749eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74dd0000	0x74dd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74e00000	0x74e0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74e10000	0x74e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x74e70000	0x74f7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75e00000	0x75f5bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75f60000	0x75ffffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76020000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76110000	0x7619efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x762b0000	0x7637bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76480000	0x7657ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76580000	0x7661cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76890000	0x768e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76940000	0x769ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76b20000	0x76b65fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76b70000	0x76b88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76b90000	0x76beffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76bf0000	0x76c7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076eb0000	0x76eb0000	0x76fcefff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076fd0000	0x76fd0000	0x770c9fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x770d0000	0x77278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772b0000	0x7742ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Token Modifications

Action	Attribute	Value
Token attribute value added	Enabled Privileges	SeShutdownPrivilege, SeDebugPrivilege
Token attribute value added	Enabled Privileges	SeSecurityPrivilege
Token attribute value added	Enabled Privileges	SeBackupPrivilege
Token attribute value removed	Enabled Privileges	SeBackupPrivilege
Token attribute value removed	Enabled Privileges	SeSecurityPrivilege

Process #9: wevtutil.exe

Information	Value
ID	#9
File Name	c:\windows\syswow64\wevtutil.exe
Command Line	wevtutil cl Security
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:00:52, Reason: Child Process
Unmonitor	End Time: 00:00:53, Reason: Terminated
Monitor Duration	00:00:01
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x9fc
Parent PID	0x9d0 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e144 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A00 0x A04

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
wevtutil.exe.mui	0x00030000	0x0003afff	Memory Mapped File	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000090000	0x00090000	0x00091fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000d0000	0x000d0000	0x0010ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00110000	0x00176fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000230000	0x00230000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x003fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000440000	0x00440000	0x004bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004c0000	0x004c0000	0x00647fff	Pagefile Backed Memory	Readable	Region Actions
wevtutil.exe	0x006e0000	0x0070cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000710000	0x00710000	0x00890fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000008e0000	0x008e0000	0x009dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000009e0000	0x009e0000	0x01ddffff	Pagefile Backed Memory	Readable	Region Actions
comctl32.dll	0x744c0000	0x7465dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74710000	0x7476bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74770000	0x747aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x749a0000	0x749e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credui.dll	0x749f0000	0x74a1afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74dd0000	0x74dd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74e00000	0x74e0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74e10000	0x74e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x74e70000	0x74f7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75e00000	0x75f5bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75f60000	0x75ffffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76020000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76110000	0x7619efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x762b0000	0x7637bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76480000	0x7657ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76580000	0x7661cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76890000	0x768e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76940000	0x769ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76b20000	0x76b65fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76b70000	0x76b88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76b90000	0x76beffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76bf0000	0x76c7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076eb0000	0x76eb0000	0x76fcefff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076fd0000	0x76fd0000	0x770c9fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x770d0000	0x77278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772b0000	0x7742ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Token Modifications

Action	Attribute	Value
Token attribute value added	Enabled Privileges	SeShutdownPrivilege, SeDebugPrivilege
Token attribute value added	Enabled Privileges	SeSecurityPrivilege
Token attribute value added	Enabled Privileges	SeBackupPrivilege
Token attribute value removed	Enabled Privileges	SeBackupPrivilege
Token attribute value removed	Enabled Privileges	SeSecurityPrivilege

Process #10: wevtutil.exe

Information	Value
ID	#10
File Name	c:\windows\syswow64\wevtutil.exe
Command Line	wevtutil cl Application
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:00:52, Reason: Child Process
Unmonitor	End Time: 00:00:53, Reason: Terminated
Monitor Duration	00:00:01
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xa08
Parent PID	0x9d0 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e144 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A0C 0x A10

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
wevtutil.exe.mui	0x00030000	0x0003afff	Memory Mapped File	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000100000	0x00100000	0x00101fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000110000	0x00110000	0x0014ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001fffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002c0000	0x002c0000	0x002cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000330000	0x00330000	0x003affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004e0000	0x004e0000	0x005dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000005e0000	0x005e0000	0x00767fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000770000	0x00770000	0x008f0fff	Pagefile Backed Memory	Readable	Region Actions
wevtutil.exe	0x00dd0000	0x00dfcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000e00000	0x00e00000	0x021fffff	Pagefile Backed Memory	Readable	Region Actions
comctl32.dll	0x74320000	0x744bdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74710000	0x7476bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74770000	0x747aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wevtapi.dll	0x748d0000	0x74911fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
credui.dll	0x749c0000	0x749eafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74dd0000	0x74dd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74e00000	0x74e0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74e10000	0x74e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x74e70000	0x74f7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75e00000	0x75f5bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75f60000	0x75ffffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76020000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76110000	0x7619efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x762b0000	0x7637bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76480000	0x7657ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76580000	0x7661cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76890000	0x768e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76940000	0x769ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76b20000	0x76b65fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76b70000	0x76b88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76b90000	0x76beffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76bf0000	0x76c7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076eb0000	0x76eb0000	0x76fcefff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076fd0000	0x76fd0000	0x770c9fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x770d0000	0x77278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772b0000	0x7742ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Token Modifications

Action	Attribute	Value
Token attribute value added	Enabled Privileges	SeShutdownPrivilege, SeDebugPrivilege
Token attribute value added	Enabled Privileges	SeSecurityPrivilege
Token attribute value added	Enabled Privileges	SeBackupPrivilege
Token attribute value removed	Enabled Privileges	SeBackupPrivilege
Token attribute value removed	Enabled Privileges	SeSecurityPrivilege

Process #11: fsutil.exe

Information	Value
ID	#11
File Name	c:\windows\syswow64\fsutil.exe
Command Line	fsutil usn deletejournal /D C:
Initial Working Directory	C:\Windows\system32
Monitor	Start Time: 00:00:52, Reason: Child Process
Unmonitor	End Time: 00:00:54, Reason: Terminated
Monitor Duration	00:00:02
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xa14
Parent PID	0x9d0 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	1R6PFH\hJrD1KOKY DS8lUjv
Groups	1R6PFH\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000e144 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x A18

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
apisetschema.dll	0x00040000	0x00040fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00060fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00070000	0x000d6fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000120000	0x00120000	0x0012ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000230000	0x00230000	0x0026ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003e0000	0x003e0000	0x0045ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005d0000	0x005d0000	0x006cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000006d0000	0x006d0000	0x00857fff	Pagefile Backed Memory	Readable	Region Actions
fsutil.exe	0x00e10000	0x00e23fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x74710000	0x7476bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64.dll	0x74770000	0x747aefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ktmw32.dll	0x74a10000	0x74a18fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x74c20000	0x74c2efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x74c30000	0x74c48fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x74c50000	0x74c58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x74c60000	0x74c70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x74dd0000	0x74dd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74e00000	0x74e0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74e10000	0x74e6ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x74e70000	0x74f7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x75e00000	0x75f5bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x75f60000	0x75ffffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76020000	0x7610ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x762b0000	0x7637bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76480000	0x7657ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76580000	0x7661cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x768f0000	0x768f9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76940000	0x769ebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x76b20000	0x76b65fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x76b70000	0x76b88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76b90000	0x76beffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76bf0000	0x76c7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000076eb0000	0x76eb0000	0x76fcefff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000076fd0000	0x76fd0000	0x770c9fff	Private Memory	Readable, Writable, Executable	Region Actions
ntdll.dll	0x770d0000	0x77278fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772b0000	0x7742ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007efb0000	0x7efb0000	0x7efd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007efdb000	0x7efdb000	0x7efddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efde000	0x7efde000	0x7efdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efdf000	0x7efdf000	0x7efdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007efe0000	0x7efe0000	0x7ffdffff	Private Memory	Readable	Region Actions
pagefile_0x000000007efe0000	0x7efe0000	0x7f0dffff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007f0e0000	0x7f0e0000	0x7ffdffff	Private Memory	Readable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7fffffeffff	Private Memory	Readable	Region Actions

Token Modifications

Action	Attribute	Value
Token attribute value added	Enabled Privileges	SeShutdownPrivilege, SeDebugPrivilege